feat: add access analyzer

Ic3w0lf · Ic3w0lf · commit c62b8992084a · 2023-06-02T11:52:50.000+02:00
diff --git a/.github/.templatesyncignore b/.github/.templatesyncignore
@@ -2,4 +2,8 @@ README.md
 .github/workflows/*
 .terraform-docs.yml
 docs/20-badges.md
+docs/assets/logo.svg
 *.tf
+test/*
+go.mod
+go.sum
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,16 +1,18 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.76.0
+    rev: v1.80.0
     hooks:
       - id: terraform_docs
       - id: terraform_fmt
       - id: terraform_validate
+        args:
+          - --hook-config=--retry-once-with-cleanup=true
         exclude: '^[^/]+$'
       - id: terraform_tflint
         exclude: ^examples/
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0
+    rev: v4.4.0
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
diff --git a/README.md b/README.md
@@ -43,6 +43,7 @@ each module for more information. All modules are enabled by default.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_enable_cloudwatch_defaults"></a> [enable\_cloudwatch\_defaults](#input\_enable\_cloudwatch\_defaults) | Enable the Cloudwatch submodule. | `bool` | `true` | no |
+| <a name="input_enable_iam_access_analyzer"></a> [enable\_iam\_access\_analyzer](#input\_enable\_iam\_access\_analyzer) | Enable the IAM Access Analyzer submodule. | `bool` | `true` | no |
 | <a name="input_enable_iam_account_password_policy"></a> [enable\_iam\_account\_password\_policy](#input\_enable\_iam\_account\_password\_policy) | Enable the IAM Account Password Policy submodule. | `bool` | `true` | no |
 | <a name="input_enable_s3_defaults"></a> [enable\_s3\_defaults](#input\_enable\_s3\_defaults) | Enable the S3 submodule. | `bool` | `true` | no |
 
diff --git a/main.tf b/main.tf
@@ -18,3 +18,8 @@ module "iam_account_password_policy" {
   count  = var.enable_iam_account_password_policy ? 1 : 0
   source = "./modules/iam_password_policy"
 }
+
+module "iam_access_analyzer" {
+  count  = var.enable_iam_access_analyzer ? 1 : 0
+  source = "./modules/iam_access_analyzer"
+}
diff --git a/modules/iam_access_analyzer/.terraform-docs.yml b/modules/iam_access_analyzer/.terraform-docs.yml
@@ -0,0 +1,13 @@
+content: |-
+  {{ .Header }}
+
+  {{ .Inputs }}
+
+  {{ .Outputs }}
+
+  {{ .Providers }}
+
+  ## Resources
+  {{ range .Module.Resources }}
+  - {{ .GetMode }}.{{ .Spec }} ({{ .Position.Filename }}#{{ .Position.Line }})
+  {{- end }}
diff --git a/modules/iam_access_analyzer/README.md b/modules/iam_access_analyzer/README.md
@@ -0,0 +1,26 @@
+<!-- BEGIN_TF_DOCS -->
+# Terraform AWS Account Defaults Access Analyzer
+
+Creates an AWS Access Analyzer for the account or organization.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_access_analyzer_name"></a> [access\_analyzer\_name](#input\_access\_analyzer\_name) | The name of the analyzer. | `string` | `"account-default"` | no |
+| <a name="input_access_analyzer_type"></a> [access\_analyzer\_type](#input\_access\_analyzer\_type) | The type of analyzer, ACCOUNT or ORGANIZATION. | `string` | `"ACCOUNT"` | no |
+
+## Outputs
+
+No outputs.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.0 |
+
+## Resources
+
+- resource.aws_accessanalyzer_analyzer.main (modules/iam_access_analyzer/main.tf#6)
+<!-- END_TF_DOCS -->
diff --git a/modules/iam_access_analyzer/main.tf b/modules/iam_access_analyzer/main.tf
@@ -0,0 +1,9 @@
+/**
+* # Terraform AWS Account Defaults Access Analyzer
+*
+* Creates an AWS Access Analyzer for the account or organization.
+*/
+resource "aws_accessanalyzer_analyzer" "main" {
+  analyzer_name = var.access_analyzer_name
+  type          = var.access_analyzer_type
+}
diff --git a/modules/iam_access_analyzer/variables.tf b/modules/iam_access_analyzer/variables.tf
@@ -0,0 +1,11 @@
+variable "access_analyzer_name" {
+  description = "The name of the analyzer."
+  default     = "account-default"
+  type        = string
+}
+
+variable "access_analyzer_type" {
+  description = "The type of analyzer, ACCOUNT or ORGANIZATION."
+  default     = "ACCOUNT"
+  type        = string
+}
diff --git a/modules/iam_access_analyzer/versions.tf b/modules/iam_access_analyzer/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -18,3 +18,10 @@ variable "enable_iam_account_password_policy" {
   default     = true
   type        = bool
 }
+
+## IAM ACCESS ANALYZER
+variable "enable_iam_access_analyzer" {
+  description = "Enable the IAM Access Analyzer submodule."
+  default     = true
+  type        = bool
+}

Original file line number	Diff line number	Diff line change
`@@ -18,3 +18,8 @@ module "iam_account_password_policy" {`
`18`	`18`	`count = var.enable_iam_account_password_policy ? 1 : 0`
`19`	`19`	`source = "./modules/iam_password_policy"`
`20`	`20`	`}`
	`21`	`+`
	`22`	`+module "iam_access_analyzer" {`
	`23`	`+ count = var.enable_iam_access_analyzer ? 1 : 0`
	`24`	`+ source = "./modules/iam_access_analyzer"`
	`25`	`+}`