Support ec2_image_block_public_access in region #116

Merged (1 commit) on May 9, 2024
6 changes: 4 additions & 2 deletions modules/region/README.md
Expand Up @@ -4,6 +4,7 @@ This module creates following resources.

- `aws_ebs_encryption_by_default`
- `aws_ebs_default_kms_key` (optional)
- `aws_ec2_image_block_public_access`
- `aws_ec2_serial_console_access`
- `aws_macie2_organization_admin_account` (optional)
- `aws_resourceexplorer2_index` (optional)
Expand Down Expand Up @@ -37,6 +38,7 @@ This module creates following resources.
| [aws_ebs_default_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_default_kms_key) | resource |
| [aws_ebs_encryption_by_default.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default) | resource |
| [aws_ec2_availability_zone_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_availability_zone_group) | resource |
| [aws_ec2_image_block_public_access.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_image_block_public_access) | resource |
| [aws_ec2_serial_console_access.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_serial_console_access) | resource |
| [aws_macie2_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/macie2_organization_admin_account) | resource |
| [aws_resourceexplorer2_index.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourceexplorer2_index) | resource |
Expand All @@ -49,7 +51,7 @@ This module creates following resources.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_ebs_default_encryption"></a> [ebs\_default\_encryption](#input\_ebs\_default\_encryption) | (Optional) The configuration of the EBS default encryption. `ebs_default_encryption` as defined below.<br> (Optional) `enabled` - Whether or not default EBS encryption is enabled.<br> (Optional) `kms_key` - The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volume. | <pre>object({<br> enabled = optional(bool, false)<br> kms_key = optional(string)<br> })</pre> | `{}` | no |
| <a name="input_ec2_serial_console_enabled"></a> [ec2\_serial\_console\_enabled](#input\_ec2\_serial\_console\_enabled) | (Optional) Whether serial console access is enabled for the current AWS region. | `bool` | `false` | no |
| <a name="input_ec2"></a> [ec2](#input\_ec2) | (Optional) The configuration of EC2 in the current AWS region. `ec2` as defined below.<br> (Optional) `ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region. Defaults to `false`.<br> (Optional) `serial_console_enabled` - Whether serial console access is enabled for the current AWS region. Defaults to `false`. | <pre>object({<br> ami_public_access_enabled = optional(bool, false)<br> serial_console_enabled = optional(bool, false)<br> })</pre> | `{}` | no |
| <a name="input_macie"></a> [macie](#input\_macie) | (Optional) The configuration of Macie in the current AWS region. `macie` as defined below.<br> (Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Macie administrator account for the organization. This can be configured only if Macie is enabled for the organization. The account must be a management account of the organization. | <pre>object({<br> delegated_administrator = optional(string)<br> })</pre> | `{}` | no |
| <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
| <a name="input_resource_explorer"></a> [resource\_explorer](#input\_resource\_explorer) | (Optional) The configuration of the Resource Explorer in the current AWS region. `resource_explorer` as defined below.<br> (Optional) `enabled` - Whether or not to enable the Resource Explorer in the current AWS region. Defaults to `true`.<br> (Optional) `index_type` - The type of the index. Valid values are `AGGREGATOR`, `LOCAL`. Defaults to `LOCAL`.<br> (Optional) `views` - A list of views to create. `views` as defined below.<br> (Required) `name` - The name of the view. The name must be no more than 64 characters long, and can include letters, digits, and the dash (-) character. The name must be unique within its AWS Region.<br> (Optional) `is_default` - Whether the view is the default view for the AWS Region. Defaults to `false`.<br> (Optional) `filter_queries` - A list of filter queries. Specify which resources are included in the results of queries made using this view. The filter string is combined using a logical AND operator. Defaults to `[]` (include all resources).<br> (Optional) `additional_resource_attributes` - A list of additional resource attributes. By default, the results include ARN, owner account, Region, service, and resource type. Valid values are `tags`. Defaults to `[]`. | <pre>object({<br> enabled = optional(bool, true)<br> index_type = optional(string, "LOCAL")<br> views = optional(list(object({<br> name = string<br> is_default = optional(bool, false)<br> filter_queries = optional(list(string), [])<br><br> additional_resource_attributes = optional(set(string), [])<br> })), [])<br> })</pre> | `{}` | no |
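Review bot: Replacing `ec2_serial_console_enabled` with the `ec2` object (the changed row in this hunk) is a breaking change for existing callers, since a root module still passing `ec2_serial_console_enabled = true` will fail validation on upgrade; the README or changelog should state the migration, i.e. `ec2_serial_console_enabled = true` becomes `ec2 = { serial_console_enabled = true }`. The new default is also worth calling out explicitly: with `ami_public_access_enabled` defaulting to `false`, applying this module version flips the region to block new public AMI sharing, which is the desired secure default but will show up as a change in plans for accounts that had the setting unblocked.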
Expand All @@ -68,7 +70,7 @@ This module creates following resources.
| <a name="output_code"></a> [code](#output\_code) | The short code of the current region. |
| <a name="output_description"></a> [description](#output\_description) | The description of the current region in this format: `Location (Region name)` |
| <a name="output_ebs"></a> [ebs](#output\_ebs) | The region-level configurations of EBS service.<br> `default_encryption` - The configurations for EBS Default Encryption. |
| <a name="output_ec2"></a> [ec2](#output\_ec2) | The region-level configurations of EC2 service.<br> `serial_console` - The configurations for EC2 Serial Console. |
| <a name="output_ec2"></a> [ec2](#output\_ec2) | The region-level configurations of EC2 service.<br> `ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region.<br> `serial_console_enabled` - Whether serial console access is enabled for the current AWS region. |
| <a name="output_id"></a> [id](#output\_id) | The ID of the current region. |
| <a name="output_macie"></a> [macie](#output\_macie) | The region-level configurations of Macie service.<br> `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Macie administrator account for the organization. |
| <a name="output_name"></a> [name](#output\_name) | The name of the current region. |
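Review bot: The `ec2` output changes shape from the nested `serial_console.enabled` to the flat `serial_console_enabled` key (changed row in this hunk), so any consumer reading `module.<name>.ec2.serial_console.enabled` breaks; mention it alongside the input rename in the migration note, since the flattening is otherwise not obvious from the table.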
14 changes: 13 additions & 1 deletion modules/region/ec2.tf
@@ -1,7 +1,19 @@
###################################################
# Public Access Block for EC2 AMI
###################################################

resource "aws_ec2_image_block_public_access" "this" {
state = (var.ec2.ami_public_access_enabled
? "unblocked"
: "block-new-sharing"
)
}


###################################################
# Serial Consol Access for EC2
###################################################

resource "aws_ec2_serial_console_access" "this" {
enabled = var.ec2_serial_console_enabled
enabled = var.ec2.serial_console_enabled
}
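Review bot: The `state` mapping in the new `aws_ec2_image_block_public_access` block is correct (`unblocked` / `block-new-sharing` are the two accepted values), but note that `block-new-sharing` only prevents new public sharing; AMIs that are already public in the region stay public, so the variable description's "prevent the public sharing of your AMIs" overstates what the default achieves, and a sentence saying existing public AMIs must be un-shared separately would help operators. Because the resource is created unconditionally, the module now always owns this account-level, per-region setting, which is fine for a region baseline module but should be stated in the README's resource list so nobody manages it elsewhere. Nit in the unchanged context: the comment header reads "Serial Consol Access" and could be fixed to "Serial Console Access" while this file is being touched.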
8 changes: 4 additions & 4 deletions modules/region/outputs.tf
Expand Up @@ -34,12 +34,12 @@ output "ebs" {
output "ec2" {
description = <<EOF
The region-level configurations of EC2 service.
`serial_console` - The configurations for EC2 Serial Console.
`ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region.
`serial_console_enabled` - Whether serial console access is enabled for the current AWS region.
EOF
value = {
serial_console = {
enabled = aws_ec2_serial_console_access.this.enabled
}
ami_public_access_enabled = aws_ec2_image_block_public_access.this.state == "unblocked"
serial_console_enabled = aws_ec2_serial_console_access.this.enabled
}
}

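Review bot: `ami_public_access_enabled = aws_ec2_image_block_public_access.this.state == "unblocked"` re-derives the boolean by string comparison, duplicating the inverse of the ternary in ec2.tf; if the provider ever reports a state other than those two strings, the output silently reads `false`. Either expose the raw `state` attribute as well (e.g. `ami_public_access_state = aws_ec2_image_block_public_access.this.state`) so consumers can see the actual account setting, or keep the two mappings adjacent with a comment so they are changed together.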
17 changes: 12 additions & 5 deletions modules/region/variables.tf
Expand Up @@ -12,11 +12,18 @@ variable "ebs_default_encryption" {
nullable = false
}

variable "ec2_serial_console_enabled" {
description = "(Optional) Whether serial console access is enabled for the current AWS region."
type = bool
default = false
nullable = false
variable "ec2" {
description = <<EOF
(Optional) The configuration of EC2 in the current AWS region. `ec2` as defined below.
(Optional) `ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region. Defaults to `false`.
(Optional) `serial_console_enabled` - Whether serial console access is enabled for the current AWS region. Defaults to `false`.
EOF
type = object({
ami_public_access_enabled = optional(bool, false)
serial_console_enabled = optional(bool, false)
})
default = {}
nullable = false
}

variable "macie" {
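Review bot: The description of `ami_public_access_enabled` in the heredoc reads "Whether to allow or block public access", which is ambiguous for a boolean (which value allows?); suggest wording it from the variable's perspective, e.g. "Whether public sharing of AMIs is allowed in this region. When `false` (default), new public sharing of AMIs is blocked (`block-new-sharing`)." The `default = {}` together with `nullable = false` and the `optional(bool, false)` attributes is the right way to make both settings default to the secure value, and removing the old top-level `ec2_serial_console_enabled` variable here is consistent with the README change, provided the rename is documented for callers.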