make access analyzer scope configurable

rhythmictech · Aug 7, 2024 · b69386c · b69386c
1 parent 23ea948
commit b69386c
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 17 deletions.
diff --git a/README.md b/README.md
@@ -99,7 +99,8 @@ We open source the vast majority of the resources we use to deliver our managed
 |------|-------------|------|---------|:--------:|
 | <a name="input_datadog_api_key_secret_arn"></a> [datadog\_api\_key\_secret\_arn](#input\_datadog\_api\_key\_secret\_arn) | ARN of the AWS Secret containing the Datadog API key | `string` | n/a | yes |
 | <a name="input_enable_iam_access_analyzer"></a> [enable\_iam\_access\_analyzer](#input\_enable\_iam\_access\_analyzer) | A boolean flag to enable/disable IAM Access Analyzer | `bool` | `false` | no |
-| <a name="input_iam_access_analyzer_unused_archive_rules"></a> [iam\_access\_analyzer\_unused\_archive\_rules](#input\_iam\_access\_analyzer\_unused\_archive\_rules) | List of IAM resources to auto-archive unused access findings for | <pre>list(object({<br>    finding_type  = string<br>    is_partial    = bool<br>    resource      = string<br>    resource_type = string<br>  }))</pre> | `[]` | no |
+| <a name="input_enable_iam_access_analyzer_organization"></a> [enable\_iam\_access\_analyzer\_organization](#input\_enable\_iam\_access\_analyzer\_organization) | A boolean flag to enable/disable IAM Access Analyzer at the organization level (requires enable\_iam\_access\_analyzer to be true and IAM Access Analyzer to be enabled at the organization level) | `bool` | `false` | no |
+| <a name="input_iam_access_analyzer_unused_archive_rules"></a> [iam\_access\_analyzer\_unused\_archive\_rules](#input\_iam\_access\_analyzer\_unused\_archive\_rules) | List of IAM resources to auto-archive unused access findings for | `list(any)` | `[]` | no |
 | <a name="input_iam_analyzer_unused_access_age"></a> [iam\_analyzer\_unused\_access\_age](#input\_iam\_analyzer\_unused\_access\_age) | The age in days after which IAM access is considered unused. | `number` | `90` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Prefix for all resource names | `string` | `"rhythmic-"` | no |
 | <a name="input_notify_ec2_missing_ami"></a> [notify\_ec2\_missing\_ami](#input\_notify\_ec2\_missing\_ami) | Whether to notify when EC2 instances are using missing AMIs | `bool` | `false` | no |

diff --git a/iam.tf b/iam.tf
@@ -2,7 +2,7 @@ resource "aws_accessanalyzer_analyzer" "unused_access_analyzer" {
   count = var.enable_iam_access_analyzer ? 1 : 0
 
   analyzer_name = "${var.name_prefix}unused-access-analyzer"
-  type          = "ORGANIZATION_UNUSED_ACCESS"
+  type          = var.enable_iam_access_analyzer_organization ? "ORGANIZATION_UNUSED_ACCESS" : "ACCOUNT_UNUSED_ACCESS"
   tags          = local.tags
 
   configuration {
@@ -19,18 +19,32 @@ resource "aws_accessanalyzer_archive_rule" "archive_rules" {
   rule_name     = "archive-rule-${count.index}"
 
   filter {
-    criteria = "resourceType"
-    eq       = [var.iam_access_analyzer_unused_archive_rules[count.index].resource_type]
+    criteria = "findingType"
+    contains = [var.iam_access_analyzer_unused_archive_rules[count.index].finding_type]
   }
 
-  filter {
-    criteria = "resource"
-    contains = var.iam_access_analyzer_unused_archive_rules[count.index].is_partial ? [var.iam_access_analyzer_unused_archive_rules[count.index].resource] : null
-    eq       = !var.iam_access_analyzer_unused_archive_rules[count.index].is_partial ? [var.iam_access_analyzer_unused_archive_rules[count.index].resource] : null
+  dynamic "filter" {
+    for_each = var.iam_access_analyzer_unused_archive_rules[count.index].resource_type != null ? [1] : []
+    content {
+      criteria = "resourceType"
+      eq       = [var.iam_access_analyzer_unused_archive_rules[count.index].resource_type]
+    }
   }
 
-  filter {
-    criteria = "findingType"
-    eq       = [var.iam_access_analyzer_unused_archive_rules[count.index].finding_type]
+  dynamic "filter" {
+    for_each = var.iam_access_analyzer_unused_archive_rules[count.index].resource != null ? [1] : []
+    content {
+      criteria = "resource"
+      contains = var.iam_access_analyzer_unused_archive_rules[count.index].is_partial ? [var.iam_access_analyzer_unused_archive_rules[count.index].resource] : null
+      eq       = !var.iam_access_analyzer_unused_archive_rules[count.index].is_partial ? [var.iam_access_analyzer_unused_archive_rules[count.index].resource] : null
+    }
+  }
+
+  dynamic "filter" {
+    for_each = var.iam_access_analyzer_unused_archive_rules[count.index].account != null ? [1] : []
+    content {
+      criteria = "account"
+      eq       = [var.iam_access_analyzer_unused_archive_rules[count.index].account]
+    }
   }
 }
diff --git a/variables.tf b/variables.tf
@@ -9,15 +9,16 @@ variable "enable_iam_access_analyzer" {
   type        = bool
 }
 
+variable "enable_iam_access_analyzer_organization" {
+  default     = false
+  description = "A boolean flag to enable/disable IAM Access Analyzer at the organization level (requires enable_iam_access_analyzer to be true and IAM Access Analyzer to be enabled at the organization level)"
+  type        = bool
+}
+
 variable "iam_access_analyzer_unused_archive_rules" {
   default     = []
   description = "List of IAM resources to auto-archive unused access findings for"
-  type = list(object({
-    finding_type  = string
-    is_partial    = bool
-    resource      = string
-    resource_type = string
-  }))
+  type        = list(any)
 }
 
 variable "iam_analyzer_unused_access_age" {