feat: change variables shape, add validations

martasusek007 · martasusek007 · commit c0bdf5a5abf4 · 2024-07-01T10:45:31.000+02:00
diff --git a/main.tf b/main.tf
@@ -49,14 +49,14 @@ resource "aws_guardduty_detector" "primary" {
 resource "aws_guardduty_detector_feature" "this" {
   for_each    = var.configuration_features
   detector_id = aws_guardduty_detector.primary.id
-  name        = each.name
-  status      = each.status ? "ENABLED" : "DISABLED"
+  name        = each.key
+  status      = each.enabled ? "ENABLED" : "DISABLED"
 
   dynamic "additional_configuration" {
     for_each = each.additional_configuration
     content {
-      name   = additional_configuration.name
-      status = each.status ? "ENABLED" : "DISABLED"
+      name   = additional_configuration.key
+      status = each.enabled ? "ENABLED" : "DISABLED"
     }
   }
 }
diff --git a/modules/organizations_admin/main.tf b/modules/organizations_admin/main.tf
@@ -38,13 +38,13 @@ resource "aws_guardduty_organization_configuration" "this" {
 resource "aws_guardduty_organization_configuration_feature" "this" {
   for_each    = var.organization_configuration_features
   detector_id = var.guardduty_detector_id
-  name        = each.name
+  name        = each.key
   auto_enable = each.auto_enable
 
   dynamic "additional_configuration" {
     for_each = each.additional_configuration
     content {
-      name        = additional_configuration.name
+      name        = additional_configuration.key
       auto_enable = additional_configuration.auto_enable
     }
   }
diff --git a/modules/organizations_admin/variables.tf b/modules/organizations_admin/variables.tf
@@ -43,12 +43,28 @@ variable "auto_enable_organization_members" {
 }
 
 variable "organization_configuration_features" {
+  description = "Enable new organization GuardDuty protections only available as features"
   type = map(object({
-    name        = string
-    auto_enable = string # NEW | ALL | NONE
-    additional_configuration = list(object({
-      name        = string # EKS_ADDON_MANAGEMENT | ECS_FARGATE_AGENT_MANAGEMENT | EC2_AGENT_MANAGEMENT
+    auto_enable = string
+    additional_configuration = map(object({
       auto_enable = string
     }))
   }))
-}
+  validation {
+    condition     = alltrue([for k in var.organization_configuration_features : contains(["S3_DATA_EVENTS", "EKS_AUDIT_LOGS", "EBS_MALWARE_PROTECTION", "RDS_LOGIN_EVENTS", "EKS_RUNTIME_MONITORING", "LAMBDA_NETWORK_LOGS", "RUNTIME_MONITORING"], k)])
+    error_message = "The organization_configuration_features key must be one of: S3_DATA_EVENTS, EKS_AUDIT_LOGS, EBS_MALWARE_PROTECTION, RDS_LOGIN_EVENTS, EKS_RUNTIME_MONITORING, LAMBDA_NETWORK_LOGS, RUNTIME_MONITORING."
+  }
+  validation {
+    condition     = alltrue([for k, v in var.organization_configuration_features : contains(["ALL", "NONE", "NEW"], v.auto_enable)])
+    error_message = "The auto_enable value must be one of: ALL, NONE, NEW."
+  }
+  validation {
+    condition     = alltrue([for k, v in var.organization_configuration_features : [for a in v.additional_configuration : contains(["EKS_ADDON_MANAGEMENT", "ECS_FARGATE_AGENT_MANAGEMENT", "EC2_AGENT_MANAGEMENT"], a)]])
+    error_message = "The additional_configuration key must be one of: EKS_ADDON_MANAGEMENT, ECS_FARGATE_AGENT_MANAGEMENT, EC2_AGENT_MANAGEMENT."
+  }
+  validation {
+    condition     = alltrue([for k, v in var.organization_configuration_features : [for a in v.additional_configuration : contains(["ALL", "NONE", "NEW"], a.auto_enable)]])
+    error_message = "The auto_enable value must be one of: ALL, NONE, NEW."
+  }
+  default = {}
+}
diff --git a/variables.tf b/variables.tf
@@ -46,13 +46,17 @@ variable "finding_publishing_frequency" {
 variable "configuration_features" {
   description = "Enable new GuardDuty protections only available as features"
   type = map(object({
-    name   = string # S3_DATA_EVENTS | EKS_AUDIT_LOGS | EBS_MALWARE_PROTECTION | RDS_LOGIN_EVENTS | EKS_RUNTIME_MONITORING | LAMBDA_NETWORK_LOGS | RUNTIME_MONITORING
-    enable = bool
-    additional_configuration = list(object({ # EKS_ADDON_MANAGEMENT | ECS_FARGATE_AGENT_MANAGEMENT | EC2_AGENT_MANAGEMENT
-      name   = string
-      enable = bool
-    }))
+    enabled                  = bool
+    additional_configuration = map(bool)
   }))
+  validation {
+    condition     = alltrue([for k in var.configuration_features : contains(["S3_DATA_EVENTS", "EKS_AUDIT_LOGS", "EBS_MALWARE_PROTECTION", "RDS_LOGIN_EVENTS", "EKS_RUNTIME_MONITORING", "LAMBDA_NETWORK_LOGS", "RUNTIME_MONITORING"], k)])
+    error_message = "The configuration_features key must be one of: S3_DATA_EVENTS, EKS_AUDIT_LOGS, EBS_MALWARE_PROTECTION, RDS_LOGIN_EVENTS, EKS_RUNTIME_MONITORING, LAMBDA_NETWORK_LOGS, RUNTIME_MONITORING."
+  }
+  validation {
+    condition     = alltrue([for k, v in var.configuration_features : [for a in v.additional_configuration : contains(["EKS_ADDON_MANAGEMENT", "ECS_FARGATE_AGENT_MANAGEMENT", "EC2_AGENT_MANAGEMENT"], a)]])
+    error_message = "The additional_configuration key must be one of: EKS_ADDON_MANAGEMENT, ECS_FARGATE_AGENT_MANAGEMENT, EC2_AGENT_MANAGEMENT."
+  }
   default = {}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -49,14 +49,14 @@ resource "aws_guardduty_detector" "primary" {`
`49`	`49`	`resource "aws_guardduty_detector_feature" "this" {`
`50`	`50`	`for_each = var.configuration_features`
`51`	`51`	`detector_id = aws_guardduty_detector.primary.id`
`52`		`- name = each.name`
`53`		`- status = each.status ? "ENABLED" : "DISABLED"`
	`52`	`+ name = each.key`
	`53`	`+ status = each.enabled ? "ENABLED" : "DISABLED"`
`54`	`54`
`55`	`55`	`dynamic "additional_configuration" {`
`56`	`56`	`for_each = each.additional_configuration`
`57`	`57`	`content {`
`58`		`- name = additional_configuration.name`
`59`		`- status = each.status ? "ENABLED" : "DISABLED"`
	`58`	`+ name = additional_configuration.key`
	`59`	`+ status = each.enabled ? "ENABLED" : "DISABLED"`
`60`	`60`	`}`
`61`	`61`	`}`
`62`	`62`	`}`