Support AWS IAM Access Analyzer #11102

Closed
3 tasks done
ewbankkit opened this issue Dec 3, 2019 · 14 comments · Fixed by #25514
new-resource Introduces a new resource. service/accessanalyzer Issues and PRs that pertain to the accessanalyzer service.

Comments

@ewbankkit
Contributor

ewbankkit commented Dec 3, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

IAM Access Analyzer announced.

New or Affected Resource(s)

It looks like an initial set of resources could be:

  • aws_accessanalyzer_analyzer
  • aws_accessanalyzer_organization_admin_account
  • aws_accessanalyzer_archive_rule

References

Announcement.
Blog post.
User guide.
API reference.

Requires AWS SDK v1.25.45:

@ewbankkit ewbankkit added the enhancement Requests to existing resources that expand the functionality or scope. label Dec 3, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Dec 3, 2019
@bflad bflad added new-resource Introduces a new resource. service/accessanalyzer Issues and PRs that pertain to the accessanalyzer service. and removed enhancement Requests to existing resources that expand the functionality or scope. needs-triage Waiting for first response or review from a maintainer. labels Dec 6, 2019
bflad added a commit that referenced this issue Dec 6, 2019
Reference: #11102

Output from acceptance testing:

```
--- PASS: TestAccAWSAccessAnalyzer (62.76s)
    --- PASS: TestAccAWSAccessAnalyzer/Analyzer (62.76s)
        --- PASS: TestAccAWSAccessAnalyzer/Analyzer/disappears (12.93s)
        --- PASS: TestAccAWSAccessAnalyzer/Analyzer/Tags (34.06s)
        --- PASS: TestAccAWSAccessAnalyzer/Analyzer/basic (15.77s)
```
@bflad
Contributor

bflad commented Dec 6, 2019

Submitted the aws_accessanalyzer_analyzer resource: #11169 🎉

I agree with keeping the archive rules as a separate resource even though the analyzers do support inline archive rules as we do not need more security group vs security group rule confusion/trouble. 😄

@lorengordon
Contributor

I know I always appreciate having an option to enforce an exclusive configuration of something, where terraform removes anything not specified in the config... Not sure how that would work with separate resources, but maybe a consideration.

@bflad
Contributor

bflad commented Dec 6, 2019

@lorengordon noted! We could not enforce exclusive management given Terraform's available functionality. We typically will want to lean towards being flexible for organizational/workflow boundaries (e.g. where rules may get defined in downstream Terraform modules with their associated resources) with API implementations that allow it, but we can certainly support both the separate and inline methods if it's desirable for the community, by including the warnings about incompatibilities for managing them multiple ways.

@lorengordon
Contributor

lorengordon commented Dec 6, 2019

I was thinking the rule resource could be plural, aws_accessanalyzer_archive_rules, with a flag to mark the config as exclusive, if keeping the resource separate were strongly desired...

bflad added a commit that referenced this issue Dec 18, 2019
Reference: #11102

Output from acceptance testing:

```
--- PASS: TestAccAWSAccessAnalyzer (62.76s)
    --- PASS: TestAccAWSAccessAnalyzer/Analyzer (62.76s)
        --- PASS: TestAccAWSAccessAnalyzer/Analyzer/disappears (12.93s)
        --- PASS: TestAccAWSAccessAnalyzer/Analyzer/Tags (34.06s)
        --- PASS: TestAccAWSAccessAnalyzer/Analyzer/basic (15.77s)
```
@bflad
Contributor

bflad commented Dec 18, 2019

Support for the new aws_accessanalyzer_analyzer resource has been merged and will release with version 2.43.0 of the Terraform AWS Provider, Thursday this week. 👍

@sutharshan-sharma

@ewbankkit @bflad Is any example usage available for the aws_accessanalyzer_archive_rule resource in Terraform?

@christophetd
Contributor

It would also be very useful to be able to create delegated administrators for Access Analyzer from Terraform, cf. https://aws.amazon.com/blogs/aws/new-use-aws-iam-access-analyzer-in-aws-organizations/
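The delegated-administrator setup asked for here can be expressed with the provider's generic aws_organizations_delegated_administrator resource rather than a service-specific one. This is an added example, not code from the thread or from the provider's documentation; the provider aliases, the region, the analyzer name and the account ID 111122223333 are assumptions.

```hcl
# Added example, not from the original issue. Assumes two provider aliases:
# "management" (the Organizations management account) and "security" (the
# account being delegated to). The account ID below is a placeholder.

provider "aws" {
  alias  = "management"
  region = "us-east-1"
}

provider "aws" {
  alias  = "security"
  region = "us-east-1"
  # credentials / assume_role for the delegated account go here
}

# Trusted access for Access Analyzer must be enabled on the organization
# before any account can be registered as its delegated administrator.
# In an existing organization, import this resource instead of creating it.
resource "aws_organizations_organization" "this" {
  provider                      = aws.management
  aws_service_access_principals = ["access-analyzer.amazonaws.com"]
  feature_set                   = "ALL" # delegated administration needs all features
}

resource "aws_organizations_delegated_administrator" "access_analyzer" {
  provider          = aws.management
  account_id        = "111122223333" # placeholder: the security/audit account
  service_principal = "access-analyzer.amazonaws.com"
  depends_on        = [aws_organizations_organization.this]
}

# The organization-wide analyzer lives in the delegated account, so it is
# created through the second provider alias, not the management account.
resource "aws_accessanalyzer_analyzer" "org" {
  provider      = aws.security
  analyzer_name = "org-external-access"
  type          = "ORGANIZATION"
  depends_on    = [aws_organizations_delegated_administrator.access_analyzer]
}
```

Two practical caveats: aws_service_access_principals is the full list of trusted services on the organization, so adding access-analyzer.amazonaws.com here must not silently drop principals that were enabled for other services; and the ORGANIZATION-type analyzer has to be created from the delegated (or management) account, which is why it is bound to the second provider alias rather than the one that registers the delegation.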

@ina-stoyanova

Hey all - thank you for adding the IAM Access Analyzer.

I was wondering (if my understanding is correct, aws_accessanalyzer_archive_rule is not yet a supported resource) what people recommend or have found themselves doing to add these rules?

Thanks in advance!

@sutharshan-siva

@ina-stoyanova you can do it via the AWS CLI in a shell script with a for loop to add the archive rules, and call that shell script from a Terraform null_resource.
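The workaround described above, as an added example that is not part of the original comment: a null_resource whose local-exec provisioner loops over rule definitions and applies each with the AWS CLI. It assumes AWS CLI v2 and jq on PATH, credentials for the account that owns the analyzer, and the analyzer name and rule definitions are constructed samples.

```hcl
# Added example, not from the original issue. Assumes AWS CLI v2 and jq are
# installed, and that credentials for the analyzer's account are configured.

locals {
  analyzer_name = "org-external-access" # assumed: an analyzer that already exists

  # Constructed sample rules. Each entry becomes one archive rule; the value is
  # the filter map in the Access Analyzer API shape: finding field -> criterion
  # (eq / neq / contains take lists, exists takes a boolean). Multiple fields
  # in one rule are ANDed, so keep rules narrow.
  archive_rules = {
    "archive-trusted-audit-role" = {
      "principal.AWS" = { eq = ["arn:aws:iam::111122223333:role/TrustedAuditRole"] } # placeholder ARN
      "isPublic"      = { eq = ["false"] }
    }
    "archive-intended-public-website" = {
      "resource" = { eq = ["arn:aws:s3:::example-public-website"] } # placeholder bucket
      "isPublic" = { eq = ["true"] }
    }
  }
}

resource "null_resource" "archive_rules" {
  # Provisioners only run on create; hashing the rule set forces a replacement
  # (and therefore a re-run) whenever a rule is added or edited.
  triggers = {
    rules_hash = sha256(jsonencode(local.archive_rules))
  }

  provisioner "local-exec" {
    interpreter = ["/bin/sh", "-c"]
    environment = {
      ANALYZER_NAME = local.analyzer_name
      RULES_JSON    = jsonencode(local.archive_rules)
    }
    # Create-or-update keeps repeated runs idempotent instead of failing on
    # "rule already exists".
    command = <<-EOT
      set -eu
      for rule in $(printf '%s' "$RULES_JSON" | jq -r 'keys[]'); do
        filter=$(printf '%s' "$RULES_JSON" | jq -c --arg r "$rule" '.[$r]')
        if aws accessanalyzer get-archive-rule \
             --analyzer-name "$ANALYZER_NAME" --rule-name "$rule" >/dev/null 2>&1; then
          aws accessanalyzer update-archive-rule \
             --analyzer-name "$ANALYZER_NAME" --rule-name "$rule" --filter "$filter"
        else
          aws accessanalyzer create-archive-rule \
             --analyzer-name "$ANALYZER_NAME" --rule-name "$rule" --filter "$filter"
        fi
      done
    EOT
  }
}
```

The limits of this pattern are the reason a native resource is worth having: Terraform holds no state for the rules, so drift (a rule edited or deleted in the console) is invisible to plan, and removing an entry from local.archive_rules does not delete the rule in AWS; the script only ever creates or updates. Treat the rule list as append-only under this workaround, or add an explicit delete step for retired rule names.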

@ina-stoyanova

Thank you @Sutharshansharma 👍

@dpowley
Contributor

dpowley commented Feb 9, 2021

Adding another vote for supporting the aws_accessanalyzer_organization_admin_account. Similar to what has already been implemented for GuardDuty and Firewall Manager.

@mwarkentin
Contributor

Access Analyzer recently released some new functionality to analyze AWS IAM policies: https://aws.amazon.com/blogs/aws/iam-access-analyzer-update-policy-validation/

It would be interesting if this API could be wired into and exposed during plans for the aws_iam_policy resource.

@github-actions

github-actions bot commented Jul 1, 2022

This functionality has been released in v4.21.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
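As an added example of the aws_accessanalyzer_archive_rule resource that closed this issue (not code from the thread or from the provider's own documentation), assuming an ACCOUNT-type analyzer managed in the same configuration; the analyzer name, rule names, role ARN and bucket ARN are placeholders.

```hcl
# Added example, not from the original issue. All names and ARNs are placeholders.

resource "aws_accessanalyzer_analyzer" "account" {
  analyzer_name = "account-external-access"
  type          = "ACCOUNT"
}

# Archive findings for one known cross-account audit role. Both filter blocks
# must match (they are ANDed): the trusted principal AND the resource is not
# public. Filtering on the principal alone would also archive findings where
# the same role is granted access through a public resource policy.
resource "aws_accessanalyzer_archive_rule" "trusted_audit_role" {
  analyzer_name = aws_accessanalyzer_analyzer.account.analyzer_name
  rule_name     = "archive-trusted-audit-role"

  filter {
    criteria = "principal.AWS"
    eq       = ["arn:aws:iam::111122223333:role/TrustedAuditRole"] # placeholder
  }

  filter {
    criteria = "isPublic"
    eq       = ["false"]
  }
}

# Archive the intentionally public bucket, pinned to its exact ARN so a new
# public bucket of the same type still surfaces as an active finding.
resource "aws_accessanalyzer_archive_rule" "public_website_bucket" {
  analyzer_name = aws_accessanalyzer_analyzer.account.analyzer_name
  rule_name     = "archive-intended-public-website"

  filter {
    criteria = "resourceType"
    eq       = ["AWS::S3::Bucket"]
  }

  filter {
    criteria = "resource"
    eq       = ["arn:aws:s3:::example-public-website"] # placeholder
  }
}
```

An archive rule is a statement that the matched access is intended, so it should be scoped by principal or by exact resource rather than by resourceType alone. The resource creates the rule, which applies to findings generated from then on; existing findings are not archived unless the rule is separately applied to them, so check the active findings list after the first apply rather than assuming the backlog is cleared.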

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 31, 2022

10 participants