feat(macie-account): support aws v6

posquit0 · posquit0 · commit bf24db504d06 · 2025-09-25T00:09:14.000-07:00
diff --git a/modules/macie-account/README.md b/modules/macie-account/README.md
@@ -11,20 +11,20 @@ This module creates following resources.
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.14 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.12 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.12 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.48.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.13.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
+| <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.12.0 |
 
 ## Resources
 
@@ -39,13 +39,12 @@ This module creates following resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_discovery_result_repository"></a> [discovery\_result\_repository](#input\_discovery\_result\_repository) | (Optional) The configuration for discovery result location and encryption of the macie account. A `discovery_result_repository` block as defined below.<br>    (Optional) `s3_bucket` - A configuration for the S3 bucket in which Amazon Macie exports the data discovery results. `s3_bucket` as defined below.<br>      (Required) `name` - The name of the S3 bucket in which Amazon Macie exports the data classification results.<br>      (Optional) `key_prefix` - The key prefix for the specified S3 bucket.<br>      (Required) `sse_kms_key` - The ARN of the AWS KMS key to be used to encrypt the data. | <pre>object({<br>    s3_bucket = optional(object({<br>      name        = string<br>      key_prefix  = optional(string, "")<br>      sse_kms_key = string<br>    }))<br>  })</pre> | `{}` | no |
+| <a name="input_discovery_result_repository"></a> [discovery\_result\_repository](#input\_discovery\_result\_repository) | (Optional) The configuration for discovery result location and encryption of the macie account. A `discovery_result_repository` block as defined below.<br/>    (Optional) `s3_bucket` - A configuration for the S3 bucket in which Amazon Macie exports the data discovery results. `s3_bucket` as defined below.<br/>      (Required) `name` - The name of the S3 bucket in which Amazon Macie exports the data classification results.<br/>      (Optional) `key_prefix` - The key prefix for the specified S3 bucket.<br/>      (Required) `sse_kms_key` - The ARN of the AWS KMS key to be used to encrypt the data. | <pre>object({<br/>    s3_bucket = optional(object({<br/>      name        = string<br/>      key_prefix  = optional(string, "")<br/>      sse_kms_key = string<br/>    }))<br/>  })</pre> | `{}` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | (Optional) Whether to enable Amazon Macie and start all Macie activities for the account. Defaults to `true`. Set `false` to suspend Macie, it stops monitoring your AWS environment and does not generate new findings. The existing findings remain intact and are not affected. Delete `aws_macie2_account` resource to disable Macie, it permanently deletes all of your existing findings, classification jobs, and other Macie resources. | `bool` | `true` | no |
-| <a name="input_member_accounts"></a> [member\_accounts](#input\_member\_accounts) | (Optional) A list of configurations for member accounts on the macie account. Each block of `member_accounts` as defined below.<br>    (Required) `account_id` - The AWS account ID for the account.<br>    (Required) `email` -  The email address for the account.<br>    (Optional) `enabled` - Whether to enable Amazon Macie and start all Macie activities for the member account. Defaults to `true`.<br>    (Optional) `tags` - A map of key-value pairs that specifies the tags to associate with the account in Amazon Macie. | <pre>list(object({<br>    account_id = string<br>    email      = string<br>    enabled    = optional(bool, true)<br>    tags       = optional(map(string), {})<br>  }))</pre> | `[]` | no |
+| <a name="input_member_accounts"></a> [member\_accounts](#input\_member\_accounts) | (Optional) A list of configurations for member accounts on the macie account. Each block of `member_accounts` as defined below.<br/>    (Required) `account_id` - The AWS account ID for the account.<br/>    (Required) `email` -  The email address for the account.<br/>    (Optional) `type` - The type of the member account. Valid values are `ORGANIZATION` or `INVITATION`. Defaults to `ORGANIZATION`.<br/>    (Optional) `enabled` - Whether to enable Amazon Macie and start all Macie activities for the member account. Defaults to `true`.<br/>    (Optional) `tags` - A map of key-value pairs that specifies the tags to associate with the account in Amazon Macie.<br/>    (Optional) `invitation` - A configuration for invitation to the member account. `invitation` as defined below.<br/>      (Optional) `message` - A custom message to include in the invitation to the account.<br/>      (Optional) `email_notification_enabled` - Whether to send an email notification to the account when you invite it to become a member of your Macie account. This notification is in addition to an alert that the root user receives in AWS Personal Health Dashboard. Defaults to `false`. | <pre>list(object({<br/>    account_id = string<br/>    email      = string<br/>    type       = optional(string, "ORGANIZATION")<br/>    enabled    = optional(bool, true)<br/>    tags       = optional(map(string), {})<br/>    invitation = optional(object({<br/>      message                    = optional(string, "")<br/>      email_notification_enabled = optional(bool, false)<br/>    }), {})<br/>  }))</pre> | `[]` | no |
 | <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
-| <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
-| <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
-| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
+| <a name="input_region"></a> [region](#input\_region) | (Optional) The region in which to create the module resources. If not provided, the module resources will be created in the provider's configured region. | `string` | `null` | no |
+| <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | (Optional) A configurations of Resource Group for this module. `resource_group` as defined below.<br/>    (Optional) `enabled` - Whether to create Resource Group to find and group AWS resources which are created by this module. Defaults to `true`.<br/>    (Optional) `name` - The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. If not provided, a name will be generated using the module name and instance name.<br/>    (Optional) `description` - The description of Resource Group. Defaults to `Managed by Terraform.`. | <pre>object({<br/>    enabled     = optional(bool, true)<br/>    name        = optional(string, "")<br/>    description = optional(string, "Managed by Terraform.")<br/>  })</pre> | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
 | <a name="input_update_frequency"></a> [update\_frequency](#input\_update\_frequency) | (Optional) How often to publish updates to policy findings for the account. This includes publishing updates to AWS Security Hub and Amazon EventBridge (formerly called Amazon CloudWatch Events). Valid values are `15m`, `1h` or `6h`. Defaults to `15m`. | `string` | `"15m"` | no |
 
@@ -59,6 +58,8 @@ This module creates following resources.
 | <a name="output_id"></a> [id](#output\_id) | The ID of the macie account. |
 | <a name="output_member_accounts"></a> [member\_accounts](#output\_member\_accounts) | The list of configruations for member accounts on the macie account. |
 | <a name="output_name"></a> [name](#output\_name) | The account ID of the macie account. |
+| <a name="output_region"></a> [region](#output\_region) | The AWS region this module resources resides in. |
+| <a name="output_resource_group"></a> [resource\_group](#output\_resource\_group) | The resource group created to manage resources in this module. |
 | <a name="output_service_role"></a> [service\_role](#output\_service\_role) | The Amazon Resource Name (ARN) of the service-linked role that allows Macie to monitor and analyze data in AWS resources for the account. |
 | <a name="output_update_frequency"></a> [update\_frequency](#output\_update\_frequency) | How often to publish updates to policy findings for the macie account. |
 | <a name="output_updated_at"></a> [updated\_at](#output\_updated\_at) | The date and time, in UTC and extended RFC 3339 format, of the most recent change to the status of the Macie account. |
diff --git a/modules/macie-account/main.tf b/modules/macie-account/main.tf
@@ -24,13 +24,15 @@ locals {
   }
 }
 
+
 ###################################################
 # Macie Account
 ###################################################
 
 resource "aws_macie2_account" "this" {
-  status = var.enabled ? "ENABLED" : "PAUSED"
+  region = var.region
 
+  status                       = var.enabled ? "ENABLED" : "PAUSED"
   finding_publishing_frequency = local.update_frequency[var.update_frequency]
 }
 
@@ -51,15 +53,17 @@ resource "aws_macie2_member" "this" {
     account.account_id => account
   }
 
+  region = aws_macie2_account.this.region
+
   account_id = each.key
   email      = each.value.email
-  status     = try(each.value.enabled, true) ? "ENABLED" : "PAUSED"
+  status     = each.value.enabled ? "ENABLED" : "PAUSED"
 
 
   ## Invitation
-  # invite                                = true
-  # invitation_message                    = "Message of the invitation"
-  # invitation_disable_email_notification = true
+  invite                                = each.value.type == "INVITATION" ? true : null
+  invitation_message                    = each.value.invitation.message
+  invitation_disable_email_notification = !each.value.invitation.email_notification_enabled
 
 
   tags = merge(
@@ -78,10 +82,6 @@ resource "aws_macie2_member" "this" {
       email,
     ]
   }
-
-  depends_on = [
-    aws_macie2_account.this
-  ]
 }
 
 
@@ -92,13 +92,11 @@ resource "aws_macie2_member" "this" {
 resource "aws_macie2_classification_export_configuration" "this" {
   count = var.discovery_result_repository.s3_bucket != null ? 1 : 0
 
+  region = aws_macie2_account.this.region
+
   s3_destination {
     bucket_name = var.discovery_result_repository.s3_bucket.name
     key_prefix  = var.discovery_result_repository.s3_bucket.key_prefix
     kms_key_arn = var.discovery_result_repository.s3_bucket.sse_kms_key
   }
-
-  depends_on = [
-    aws_macie2_account.this,
-  ]
 }
diff --git a/modules/macie-account/outputs.tf b/modules/macie-account/outputs.tf
@@ -1,3 +1,8 @@
+output "region" {
+  description = "The AWS region this module resources resides in."
+  value       = aws_macie2_account.this.region
+}
+
 output "id" {
   description = "The ID of the macie account."
   value       = aws_macie2_account.this.id
@@ -46,9 +51,11 @@ output "member_accounts" {
       id                  = account.id
       arn                 = account.arn
       email               = account.email
+      type                = timecmp(account.invited_at, "1999-01-01T00:00:00Z") < 0 ? "ORGANIZATION" : "INVITATION"
       enabled             = account.status == "ENABLED"
       relationship_status = account.relationship_status
 
+      invited_at = timecmp(account.invited_at, "1999-01-01T00:00:00Z") < 0 ? null : account.invited_at
       updated_at = account.updated_at
     }
   }
diff --git a/modules/macie-account/resource-group.tf b/modules/macie-account/resource-group.tf
@@ -16,6 +16,8 @@ module "resource_group" {
 
   count = (var.resource_group.enabled && var.module_tags_enabled) ? 1 : 0
 
+  region = var.region
+
   name        = local.resource_group_name
   description = var.resource_group.description
 
diff --git a/modules/macie-account/variables.tf b/modules/macie-account/variables.tf
@@ -1,3 +1,10 @@
+variable "region" {
+  description = "(Optional) The region in which to create the module resources. If not provided, the module resources will be created in the provider's configured region."
+  type        = string
+  default     = null
+  nullable    = true
+}
+
 variable "enabled" {
   description = "(Optional) Whether to enable Amazon Macie and start all Macie activities for the account. Defaults to `true`. Set `false` to suspend Macie, it stops monitoring your AWS environment and does not generate new findings. The existing findings remain intact and are not affected. Delete `aws_macie2_account` resource to disable Macie, it permanently deletes all of your existing findings, classification jobs, and other Macie resources."
   type        = bool
@@ -22,17 +29,35 @@ variable "member_accounts" {
   (Optional) A list of configurations for member accounts on the macie account. Each block of `member_accounts` as defined below.
     (Required) `account_id` - The AWS account ID for the account.
     (Required) `email` -  The email address for the account.
+    (Optional) `type` - The type of the member account. Valid values are `ORGANIZATION` or `INVITATION`. Defaults to `ORGANIZATION`.
     (Optional) `enabled` - Whether to enable Amazon Macie and start all Macie activities for the member account. Defaults to `true`.
     (Optional) `tags` - A map of key-value pairs that specifies the tags to associate with the account in Amazon Macie.
+    (Optional) `invitation` - A configuration for invitation to the member account. `invitation` as defined below.
+      (Optional) `message` - A custom message to include in the invitation to the account.
+      (Optional) `email_notification_enabled` - Whether to send an email notification to the account when you invite it to become a member of your Macie account. This notification is in addition to an alert that the root user receives in AWS Personal Health Dashboard. Defaults to `false`.
   EOF
   type = list(object({
     account_id = string
     email      = string
+    type       = optional(string, "ORGANIZATION")
     enabled    = optional(bool, true)
     tags       = optional(map(string), {})
+    invitation = optional(object({
+      message                    = optional(string, "")
+      email_notification_enabled = optional(bool, false)
+    }), {})
   }))
   default  = []
   nullable = false
+
+  validation {
+    condition = alltrue([
+      for member in var.member_accounts :
+      contains(["ORGANIZATION", "INVITATION"], member.type)
+    ])
+
+    error_message = "Valid values for `type` in `member_accounts` are `ORGANIZATION` or `INVITATION`."
+  }
 }
 
 variable "discovery_result_repository" {
@@ -73,9 +98,6 @@ variable "module_tags_enabled" {
 # Resource Group
 ###################################################
 
-
-
-
 variable "resource_group" {
   description = <<EOF
   (Optional) A configurations of Resource Group for this module. `resource_group` as defined below.
diff --git a/modules/macie-account/versions.tf b/modules/macie-account/versions.tf
@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.5"
+  required_version = ">= 1.12"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.14"
+      version = ">= 6.12"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,10 @@`
`1`	`1`	`terraform {`
`2`		`- required_version = ">= 1.5"`
	`2`	`+ required_version = ">= 1.12"`
`3`	`3`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = ">= 4.14"`
	`7`	`+ version = ">= 6.12"`
`8`	`8`	`}`
`9`	`9`	`}`
`10`	`10`	`}`