willfarrell
diff --git a/‎macie_baselines.tf
+298 b/‎macie_baselines.tf
+298
diff --git a/‎modules/macie-baseline/README.md
+48 b/‎modules/macie-baseline/README.md
+48
diff --git a/‎modules/macie-baseline/main.tf
+30 b/‎modules/macie-baseline/main.tf
+30
diff --git a/‎modules/macie-baseline/outputs.tf
+4 b/‎modules/macie-baseline/outputs.tf
+4
@@ -0,0 +1,298 @@
+# --------------------------------------------------------------------------------------------------
+# Macie Baseline
+# Needs to be set up in each region.
+# This is an extra configuration which is not included in CIS benchmark.
+# --------------------------------------------------------------------------------------------------
+locals {
+  macie_master_account_id = var.master_account_id
+  macie_member_accounts   = var.member_accounts
+}
+
+module "macie_baseline_ap-northeast-1" {
+  source = "./modules/macie-baseline"
+
+  providers = {
+    aws = aws.ap-northeast-1
+  }
+
+  enabled                      = contains(var.target_regions, "ap-northeast-1") && var.macie_enabled
+  disable_email_notification   = var.macie_disable_email_notification
+  finding_publishing_frequency = var.macie_finding_publishing_frequency
+  invitation_message           = var.macie_invitation_message
+  master_account_id            = local.macie_master_account_id
+  member_accounts              = local.macie_member_accounts
+
+  tags = var.tags
+}
+
+module "macie_baseline_ap-northeast-2" {
+  source = "./modules/macie-baseline"
+
+  providers = {
+    aws = aws.ap-northeast-2
+  }
+
+  enabled                      = contains(var.target_regions, "ap-northeast-2") && var.macie_enabled
+  disable_email_notification   = var.macie_disable_email_notification
+  finding_publishing_frequency = var.macie_finding_publishing_frequency
+  invitation_message           = var.macie_invitation_message
+  master_account_id            = local.macie_master_account_id
+  member_accounts              = local.macie_member_accounts
+
+  tags = var.tags
+}
+
+module "macie_baseline_ap-northeast-3" {
+  source = "./modules/macie-baseline"
+
+  providers = {
+    aws = aws.ap-northeast-3
+  }
+
+  enabled                      = contains(var.target_regions, "ap-northeast-3") && var.macie_enabled
+  disable_email_notification   = var.macie_disable_email_notification
+  finding_publishing_frequency = var.macie_finding_publishing_frequency
+  invitation_message           = var.macie_invitation_message
+  master_account_id            = local.macie_master_account_id
+  member_accounts              = local.macie_member_accounts
+
+  tags = var.tags
+}
+
+module "macie_baseline_ap-south-1" {
+  source = "./modules/macie-baseline"
+
+  providers = {
+    aws = aws.ap-south-1
+  }
+
+  enabled                      = contains(var.target_regions, "ap-south-1") && var.macie_enabled
+  disable_email_notification   = var.macie_disable_email_notification
+  finding_publishing_frequency = var.macie_finding_publishing_frequency
+  invitation_message           = var.macie_invitation_message
+  master_account_id            = local.macie_master_account_id
+  member_accounts              = local.macie_member_accounts
+
+  tags = var.tags
+}
+
+module "macie_baseline_ap-southeast-1" {
+  source = "./modules/macie-baseline"
+
+  providers = {
+    aws = aws.ap-southeast-1
+  }
+
+  enabled                      = contains(var.target_regions, "ap-southeast-1") && var.macie_enabled
+  disable_email_notification   = var.macie_disable_email_notification
+  finding_publishing_frequency = var.macie_finding_publishing_frequency
+  invitation_message           = var.macie_invitation_message
+  master_account_id            = local.macie_master_account_id
+  member_accounts              = local.macie_member_accounts
+
+  tags = var.tags
+}
+
+module "macie_baseline_ap-southeast-2" {
+  source = "./modules/macie-baseline"
+
+  providers = {
+    aws = aws.ap-southeast-2
+  }
+
+  enabled                      = contains(var.target_regions, "ap-southeast-2") && var.macie_enabled
+  disable_email_notification   = var.macie_disable_email_notification
+  finding_publishing_frequency = var.macie_finding_publishing_frequency
+  invitation_message           = var.macie_invitation_message
+  master_account_id            = local.macie_master_account_id
+  member_accounts              = local.macie_member_accounts
+
+  tags = var.tags
+}
+
+module "macie_baseline_ca-central-1" {
+  source = "./modules/macie-baseline"
+
+  providers = {
+    aws = aws.ca-central-1
+  }
+
+  enabled                      = contains(var.target_regions, "ca-central-1") && var.macie_enabled
+  disable_email_notification   = var.macie_disable_email_notification
+  finding_publishing_frequency = var.macie_finding_publishing_frequency
+  invitation_message           = var.macie_invitation_message
+  master_account_id            = local.macie_master_account_id
+  member_accounts              = local.macie_member_accounts
+
+  tags = var.tags
+}
+
+module "macie_baseline_eu-central-1" {
+  source = "./modules/macie-baseline"
+
+  providers = {
+    aws = aws.eu-central-1
+  }
+
+  enabled                      = contains(var.target_regions, "eu-central-1") && var.macie_enabled
+  disable_email_notification   = var.macie_disable_email_notification
+  finding_publishing_frequency = var.macie_finding_publishing_frequency
+  invitation_message           = var.macie_invitation_message
+  master_account_id            = local.macie_master_account_id
+  member_accounts              = local.macie_member_accounts
+
+  tags = var.tags
+}
+
+module "macie_baseline_eu-north-1" {
+  source = "./modules/macie-baseline"
+
+  providers = {
+    aws = aws.eu-north-1
+  }
+
+  enabled                      = contains(var.target_regions, "eu-north-1") && var.macie_enabled
+  disable_email_notification   = var.macie_disable_email_notification
+  finding_publishing_frequency = var.macie_finding_publishing_frequency
+  invitation_message           = var.macie_invitation_message
+  master_account_id            = local.macie_master_account_id
+  member_accounts              = local.macie_member_accounts
+
+  tags = var.tags
+}
+
+module "macie_baseline_eu-west-1" {
+  source = "./modules/macie-baseline"
+
+  providers = {
+    aws = aws.eu-west-1
+  }
+
+  enabled                      = contains(var.target_regions, "eu-west-1") && var.macie_enabled
+  disable_email_notification   = var.macie_disable_email_notification
+  finding_publishing_frequency = var.macie_finding_publishing_frequency
+  invitation_message           = var.macie_invitation_message
+  master_account_id            = local.macie_master_account_id
+  member_accounts              = local.macie_member_accounts
+
+  tags = var.tags
+}
+
+module "macie_baseline_eu-west-2" {
+  source = "./modules/macie-baseline"
+
+  providers = {
+    aws = aws.eu-west-2
+  }
+
+  enabled                      = contains(var.target_regions, "eu-west-2") && var.macie_enabled
+  disable_email_notification   = var.macie_disable_email_notification
+  finding_publishing_frequency = var.macie_finding_publishing_frequency
+  invitation_message           = var.macie_invitation_message
+  master_account_id            = local.macie_master_account_id
+  member_accounts              = local.macie_member_accounts
+
+  tags = var.tags
+}
+
+module "macie_baseline_eu-west-3" {
+  source = "./modules/macie-baseline"
+
+  providers = {
+    aws = aws.eu-west-3
+  }
+
+  enabled                      = contains(var.target_regions, "eu-west-3") && var.macie_enabled
+  disable_email_notification   = var.macie_disable_email_notification
+  finding_publishing_frequency = var.macie_finding_publishing_frequency
+  invitation_message           = var.macie_invitation_message
+  master_account_id            = local.macie_master_account_id
+  member_accounts              = local.macie_member_accounts
+
+  tags = var.tags
+}
+
+module "macie_baseline_sa-east-1" {
+  source = "./modules/macie-baseline"
+
+  providers = {
+    aws = aws.sa-east-1
+  }
+
+  enabled                      = contains(var.target_regions, "sa-east-1") && var.macie_enabled
+  disable_email_notification   = var.macie_disable_email_notification
+  finding_publishing_frequency = var.macie_finding_publishing_frequency
+  invitation_message           = var.macie_invitation_message
+  master_account_id            = local.macie_master_account_id
+  member_accounts              = local.macie_member_accounts
+
+  tags = var.tags
+}
+
+module "macie_baseline_us-east-1" {
+  source = "./modules/macie-baseline"
+
+  providers = {
+    aws = aws.us-east-1
+  }
+
+  enabled                      = contains(var.target_regions, "us-east-1") && var.macie_enabled
+  disable_email_notification   = var.macie_disable_email_notification
+  finding_publishing_frequency = var.macie_finding_publishing_frequency
+  invitation_message           = var.macie_invitation_message
+  master_account_id            = local.macie_master_account_id
+  member_accounts              = local.macie_member_accounts
+
+  tags = var.tags
+}
+
+module "macie_baseline_us-east-2" {
+  source = "./modules/macie-baseline"
+
+  providers = {
+    aws = aws.us-east-2
+  }
+
+  enabled                      = contains(var.target_regions, "us-east-2") && var.macie_enabled
+  disable_email_notification   = var.macie_disable_email_notification
+  finding_publishing_frequency = var.macie_finding_publishing_frequency
+  invitation_message           = var.macie_invitation_message
+  master_account_id            = local.macie_master_account_id
+  member_accounts              = local.macie_member_accounts
+
+  tags = var.tags
+}
+
+module "macie_baseline_us-west-1" {
+  source = "./modules/macie-baseline"
+
+  providers = {
+    aws = aws.us-west-1
+  }
+
+  enabled                      = contains(var.target_regions, "us-west-1") && var.macie_enabled
+  disable_email_notification   = var.macie_disable_email_notification
+  finding_publishing_frequency = var.macie_finding_publishing_frequency
+  invitation_message           = var.macie_invitation_message
+  master_account_id            = local.macie_master_account_id
+  member_accounts              = local.macie_member_accounts
+
+  tags = var.tags
+}
+
+module "macie_baseline_us-west-2" {
+  source = "./modules/macie-baseline"
+
+  providers = {
+    aws = aws.us-west-2
+  }
+
+  enabled                      = contains(var.target_regions, "us-west-2") && var.macie_enabled
+  disable_email_notification   = var.macie_disable_email_notification
+  finding_publishing_frequency = var.macie_finding_publishing_frequency
+  invitation_message           = var.macie_invitation_message
+  master_account_id            = local.macie_master_account_id
+  member_accounts              = local.macie_member_accounts
+
+  tags = var.tags
+}
@@ -0,0 +1,48 @@
+# macie-baseline
+
+Enable Macie in all regions.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_macie2_account.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/macie2_account) | resource |
+| [aws_macie2_invitation_accepter.master](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/macie2_invitation_accepter) | resource |
+| [aws_macie2_member.members](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/macie2_member) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_disable_email_notification"></a> [disable\_email\_notification](#input\_disable\_email\_notification) | Boolean whether an email notification is sent to the accounts. | `bool` | `false` | no |
+| <a name="input_enabled"></a> [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no |
+| <a name="input_finding_publishing_frequency"></a> [finding\_publishing\_frequency](#input\_finding\_publishing\_frequency) | Specifies the frequency of notifications sent for subsequent finding occurrences. | `string` | `"SIX_HOURS"` | no |
+| <a name="input_invitation_message"></a> [invitation\_message](#input\_invitation\_message) | Message for invitation. | `string` | `"This is an automatic invitation message from guardduty-baseline module."` | no |
+| <a name="input_master_account_id"></a> [master\_account\_id](#input\_master\_account\_id) | AWS account ID for master account. | `string` | `""` | no |
+| <a name="input_member_accounts"></a> [member\_accounts](#input\_member\_accounts) | A list of IDs and emails of AWS accounts which associated as member accounts. | <pre>list(object({<br>    account_id = string<br>    email      = string<br>  }))</pre> | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map` | <pre>{<br>  "Terraform": true<br>}</pre> | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_macie_account"></a> [macie\_account](#output\_macie\_account) | Macie Account |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -0,0 +1,30 @@
+# --------------------------------------------------------------------------------------------------
+# Enables GuardDuty.
+# --------------------------------------------------------------------------------------------------
+
+resource "aws_macie2_account" "default" {
+  count = var.enabled ? 1 : 0
+
+  status                       = "ENABLED"
+  finding_publishing_frequency = var.finding_publishing_frequency
+
+  tags = var.tags
+}
+
+resource "aws_macie2_member" "members" {
+  count = var.enabled ? length(var.member_accounts) : 0
+
+  status = "ENABLED"
+  invite = true
+
+  account_id                            = var.member_accounts[count.index].account_id
+  invitation_disable_email_notification = var.disable_email_notification
+  email                                 = var.member_accounts[count.index].email
+  invitation_message                    = var.invitation_message
+}
+
+resource "aws_macie2_invitation_accepter" "master" {
+  count = var.enabled && var.master_account_id != "" ? 1 : 0
+
+  administrator_account_id = var.master_account_id
+}
@@ -0,0 +1,4 @@
+output "aws_macie2_account" {
+  description = "Macie Account"
+  value       = var.enabled ? aws_macie2_account.default[0] : null
+}