feat(macie-custom-data-identifier): add new module

Author: posquit0

.github/labeler.yaml

@@ -28,3 +28,8 @@
 - changed-files:
   - any-glob-to-any-file:
     - modules/macie-account/**/*
+
+":floppy_disk: macie-custom-data-identifier":
+- changed-files:
+  - any-glob-to-any-file:
+    - modules/macie-custom-data-identifier/**/*

.github/labels.yaml

@@ -58,3 +58,6 @@
 - color: "fbca04"
   description: "This issue or pull request is related to macie-account module."
   name: ":floppy_disk: macie-account"
+- color: "fbca04"
+  description: "This issue or pull request is related to macie-custom-data-identifier module."
+  name: ":floppy_disk: macie-custom-data-identifier"

README.md

@@ -12,6 +12,7 @@ Terraform module which creates security related resources on AWS.
 - [config-managed-rule](./modules/config-managed-rule)
 - [config-recorder](./modules/config-recorder)
 - [macie-account](./modules/macie-account)
+- [macie-custom-data-identifier](./modules/macie-custom-data-identifier)
 
 
 ## Target AWS Services
@@ -29,6 +30,9 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws-
     - Managed Rules
 - **AWS Macie**
   - Account
+    - Member Accounts
+    - Organization Configurations
+  - Custom Data Identifier
 
 
 ## Usage

modules/macie-custom-data-identifier/README.md

@@ -0,0 +1,63 @@
+# macie-custom-data-identifier
+
+This module creates following resources.
+
+- `aws_macie2_custom_data_identifier`
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.12 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.12 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.13.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.12.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_macie2_custom_data_identifier.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/macie2_custom_data_identifier) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_name"></a> [name](#input\_name) | (Required) A name for the custom data identifier. The name can contain as many as 128 characters. | `string` | n/a | yes |
+| <a name="input_regex"></a> [regex](#input\_regex) | (Required) The regular expression (regex) that defines the pattern to match. The expression can contain as many as 512 characters. | `string` | n/a | yes |
+| <a name="input_description"></a> [description](#input\_description) | (Optional) A description of the custom data identifier. Defaults to `Managed by Terraform.`. | `string` | `"Managed by Terraform."` | no |
+| <a name="input_ignore_words"></a> [ignore\_words](#input\_ignore\_words) | (Optional) An array that lists specific character sequences (ignore words) to exclude from the results. If the text matched by the regular expression is the same as any string in this array, Amazon Macie ignores it. The array can contain as many as 10 ignore words. Each ignore word can contain 4 - 90 characters. Ignore words are case sensitive. | `set(string)` | `[]` | no |
+| <a name="input_keywords"></a> [keywords](#input\_keywords) | (Optional) An array that lists specific character sequences (keywords), one of which must be within proximity (maximum\_match\_distance) of the regular expression to match. The array can contain as many as 50 keywords. Each keyword can contain 3 - 90 characters. Keywords aren't case sensitive. | `set(string)` | `[]` | no |
+| <a name="input_maximum_match_distance"></a> [maximum\_match\_distance](#input\_maximum\_match\_distance) | (Optional) The maximum allowable distance between text that matches the regex pattern and the keywords. The distance can be 1 - 300 characters. Defaults to `50`. | `number` | `50` | no |
+| <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
+| <a name="input_region"></a> [region](#input\_region) | (Optional) The region in which to create the module resources. If not provided, the module resources will be created in the provider's configured region. | `string` | `null` | no |
+| <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | (Optional) A configurations of Resource Group for this module. `resource_group` as defined below.<br/>    (Optional) `enabled` - Whether to create Resource Group to find and group AWS resources which are created by this module. Defaults to `true`.<br/>    (Optional) `name` - The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. If not provided, a name will be generated using the module name and instance name.<br/>    (Optional) `description` - The description of Resource Group. Defaults to `Managed by Terraform.`. | <pre>object({<br/>    enabled     = optional(bool, true)<br/>    name        = optional(string, "")<br/>    description = optional(string, "Managed by Terraform.")<br/>  })</pre> | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_arn"></a> [arn](#output\_arn) | The ARN (Amazon Resource Name) for the macie custom data identifier. For example: `arn:aws:cloudfront::123456789012:distribution/EDFDVBD632BHDS5`. |
+| <a name="output_created_at"></a> [created\_at](#output\_created\_at) | The date and time, in UTC and extended RFC 3339 format, when the Amazon Macie custom data identifier was created. |
+| <a name="output_description"></a> [description](#output\_description) | The description of the macie custom data identifier. |
+| <a name="output_id"></a> [id](#output\_id) | The ID of the macie custom data identifier. |
+| <a name="output_ignore_words"></a> [ignore\_words](#output\_ignore\_words) | An array that lists specific character sequences (ignore words) to exclude from the results. |
+| <a name="output_keywords"></a> [keywords](#output\_keywords) | An array that lists specific character sequences (keywords), one of which must be within proximity (maximum\_match\_distance) of the regular expression to match. |
+| <a name="output_maximum_match_distance"></a> [maximum\_match\_distance](#output\_maximum\_match\_distance) | The maximum number of characters that can exist between text that matches the regex pattern and the character sequences specified by the keywords array. |
+| <a name="output_name"></a> [name](#output\_name) | The name of the macie custom data identifier. |
+| <a name="output_regex"></a> [regex](#output\_regex) | The regular expression (regex) that defines the pattern to match. |
+| <a name="output_region"></a> [region](#output\_region) | The AWS region this module resources resides in. |
+| <a name="output_resource_group"></a> [resource\_group](#output\_resource\_group) | The resource group created to manage resources in this module. |
+<!-- END_TF_DOCS -->

modules/macie-custom-data-identifier/main.tf

@@ -0,0 +1,42 @@
+locals {
+  metadata = {
+    package = "terraform-aws-security"
+    version = trimspace(file("${path.module}/../../VERSION"))
+    module  = basename(path.module)
+    name    = var.name
+  }
+  module_tags = var.module_tags_enabled ? {
+    "module.terraform.io/package"   = local.metadata.package
+    "module.terraform.io/version"   = local.metadata.version
+    "module.terraform.io/name"      = local.metadata.module
+    "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
+    "module.terraform.io/instance"  = local.metadata.name
+  } : {}
+}
+
+
+###################################################
+# Custom Data Identifier for Macie Account
+###################################################
+
+# INFO: Not supported attributes
+# - `name_prefix`
+resource "aws_macie2_custom_data_identifier" "this" {
+  region = var.region
+
+  name        = var.name
+  description = var.description
+
+  regex                  = var.regex
+  keywords               = length(var.keywords) > 0 ? var.keywords : null
+  ignore_words           = length(var.ignore_words) > 0 ? var.ignore_words : null
+  maximum_match_distance = var.maximum_match_distance
+
+  tags = merge(
+    {
+      "Name" = local.metadata.name
+    },
+    local.module_tags,
+    var.tags,
+  )
+}

modules/macie-custom-data-identifier/outputs.tf

@@ -0,0 +1,65 @@
+output "region" {
+  description = "The AWS region this module resources resides in."
+  value       = aws_macie2_custom_data_identifier.this.region
+}
+
+output "arn" {
+  description = "The ARN (Amazon Resource Name) for the macie custom data identifier. For example: `arn:aws:cloudfront::123456789012:distribution/EDFDVBD632BHDS5`."
+  value       = aws_macie2_custom_data_identifier.this.arn
+}
+
+output "id" {
+  description = "The ID of the macie custom data identifier."
+  value       = aws_macie2_custom_data_identifier.this.id
+}
+
+output "name" {
+  description = "The name of the macie custom data identifier."
+  value       = local.metadata.name
+}
+
+output "description" {
+  description = "The description of the macie custom data identifier."
+  value       = aws_macie2_custom_data_identifier.this.description
+}
+
+output "regex" {
+  description = "The regular expression (regex) that defines the pattern to match."
+  value       = aws_macie2_custom_data_identifier.this.regex
+}
+
+output "keywords" {
+  description = "An array that lists specific character sequences (keywords), one of which must be within proximity (maximum_match_distance) of the regular expression to match."
+  value       = aws_macie2_custom_data_identifier.this.keywords
+}
+
+output "ignore_words" {
+  description = "An array that lists specific character sequences (ignore words) to exclude from the results."
+  value       = aws_macie2_custom_data_identifier.this.ignore_words
+}
+
+output "maximum_match_distance" {
+  description = "The maximum number of characters that can exist between text that matches the regex pattern and the character sequences specified by the keywords array."
+  value       = aws_macie2_custom_data_identifier.this.maximum_match_distance
+}
+
+output "created_at" {
+  description = "The date and time, in UTC and extended RFC 3339 format, when the Amazon Macie custom data identifier was created."
+  value       = aws_macie2_custom_data_identifier.this.created_at
+}
+
+output "resource_group" {
+  description = "The resource group created to manage resources in this module."
+  value = merge(
+    {
+      enabled = var.resource_group.enabled && var.module_tags_enabled
+    },
+    (var.resource_group.enabled && var.module_tags_enabled
+      ? {
+        arn  = module.resource_group[0].arn
+        name = module.resource_group[0].name
+      }
+      : {}
+    )
+  )
+}

modules/macie-custom-data-identifier/resource-group.tf

@@ -0,0 +1,33 @@
+locals {
+  resource_group_name = (var.resource_group.name != ""
+    ? var.resource_group.name
+    : join(".", [
+      local.metadata.package,
+      local.metadata.module,
+      replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
+    ])
+  )
+}
+
+
+module "resource_group" {
+  source  = "tedilabs/misc/aws//modules/resource-group"
+  version = "~> 0.12.0"
+
+  count = (var.resource_group.enabled && var.module_tags_enabled) ? 1 : 0
+
+  region = var.region
+
+  name        = local.resource_group_name
+  description = var.resource_group.description
+
+  query = {
+    resource_tags = local.module_tags
+  }
+
+  module_tags_enabled = false
+  tags = merge(
+    local.module_tags,
+    var.tags,
+  )
+}

modules/macie-custom-data-identifier/variables.tf

@@ -0,0 +1,86 @@
+variable "region" {
+  description = "(Optional) The region in which to create the module resources. If not provided, the module resources will be created in the provider's configured region."
+  type        = string
+  default     = null
+  nullable    = true
+}
+
+variable "name" {
+  description = "(Required) A name for the custom data identifier. The name can contain as many as 128 characters."
+  type        = string
+  nullable    = false
+}
+
+variable "description" {
+  description = "(Optional) A description of the custom data identifier. Defaults to `Managed by Terraform.`."
+  type        = string
+  default     = "Managed by Terraform."
+  nullable    = false
+}
+
+variable "regex" {
+  description = "(Required) The regular expression (regex) that defines the pattern to match. The expression can contain as many as 512 characters."
+  type        = string
+  nullable    = false
+}
+
+variable "keywords" {
+  description = "(Optional) An array that lists specific character sequences (keywords), one of which must be within proximity (maximum_match_distance) of the regular expression to match. The array can contain as many as 50 keywords. Each keyword can contain 3 - 90 characters. Keywords aren't case sensitive."
+  type        = set(string)
+  default     = []
+  nullable    = false
+}
+
+variable "ignore_words" {
+  description = "(Optional) An array that lists specific character sequences (ignore words) to exclude from the results. If the text matched by the regular expression is the same as any string in this array, Amazon Macie ignores it. The array can contain as many as 10 ignore words. Each ignore word can contain 4 - 90 characters. Ignore words are case sensitive."
+  type        = set(string)
+  default     = []
+  nullable    = false
+}
+
+variable "maximum_match_distance" {
+  description = "(Optional) The maximum allowable distance between text that matches the regex pattern and the keywords. The distance can be 1 - 300 characters. Defaults to `50`."
+  type        = number
+  default     = 50
+  nullable    = false
+
+  validation {
+    condition     = var.maximum_match_distance >= 1 && var.maximum_match_distance <= 300
+    error_message = "Value for `maximum_match_distance` must be between 1 and 300."
+  }
+}
+
+variable "tags" {
+  description = "(Optional) A map of tags to add to all resources."
+  type        = map(string)
+  default     = {}
+  nullable    = false
+}
+
+variable "module_tags_enabled" {
+  description = "(Optional) Whether to create AWS Resource Tags for the module informations."
+  type        = bool
+  default     = true
+  nullable    = false
+}
+
+
+###################################################
+# Resource Group
+###################################################
+
+variable "resource_group" {
+  description = <<EOF
+  (Optional) A configurations of Resource Group for this module. `resource_group` as defined below.
+    (Optional) `enabled` - Whether to create Resource Group to find and group AWS resources which are created by this module. Defaults to `true`.
+    (Optional) `name` - The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. If not provided, a name will be generated using the module name and instance name.
+    (Optional) `description` - The description of Resource Group. Defaults to `Managed by Terraform.`.
+  EOF
+  type = object({
+    enabled     = optional(bool, true)
+    name        = optional(string, "")
+    description = optional(string, "Managed by Terraform.")
+  })
+  default  = {}
+  nullable = false
+}

modules/macie-custom-data-identifier/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.12"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.12"
+    }
+  }
+}