From e3d28a6981c240050a5e3465221058f3d9983264 Mon Sep 17 00:00:00 2001 From: Matthew Pappas Date: Tue, 15 Oct 2024 22:29:23 -0700 Subject: [PATCH 01/19] cleansed org for just standalone --- README.md | 17 +++--- config.tf | 11 ---- guard_duty.tf | 155 ------------------------------------------------ org.tf | 2 +- security_hub.tf | 20 ------- variables.tf | 53 ++++------------- 6 files changed, 23 insertions(+), 235 deletions(-) delete mode 100644 config.tf delete mode 100644 guard_duty.tf delete mode 100644 security_hub.tf diff --git a/README.md b/README.md index 154f6cb..7521a20 100644 --- a/README.md +++ b/README.md @@ -9,16 +9,13 @@ FedRAMP Compliance: Moderate, High ## Dependencies -- region-setup +- Region Setup ## Resource List A high-level list of resources created as a part of this module. - AWS Organization with org level services - - Guard Duty - - Security Hub - - AWS Config - Cloudtrail - AWS Organization policy - IAM role and policy @@ -52,9 +49,16 @@ module "aws_org" { service_access_principals = [ "cloudtrail.amazonaws.com", "config.amazonaws.com", - "securityhub.amazonaws.com", + "config-multiaccountsetup.amazonaws.com", + "member.org.stacksets.cloudformation.amazonaws.com", + "sso.amazonaws.com", + "ssm.amazonaws.com", + "servicecatalog.amazonaws.com", "guardduty.amazonaws.com", - "config-multiaccountsetup.amazonaws.com" + "controltower.amazonaws.com", + "securityhub.amazonaws.com", + "ram.amazonaws.com", + "tagpolicies.tag.amazonaws.com" ] feature_set = "ALL" aws_new_member_account_email = ["example@email.com"] @@ -65,7 +69,6 @@ module "aws_org" { partition = var.partition resource_prefix = var.resource_prefix s3_kms_key_arn = data.terraform_remote_state.setup.outputs.s3_key_arn - aws_sec_hub_standards_arn = ["arn:${var.partition}:securityhub:${var.region}::standards/cis-aws-foundations-benchmark/v/1.4.0", "arn:${var.partition}:securityhub:${var.region}::standards/aws-foundational-security-best-practices/v/1.0.0"] } ``` 
diff --git a/config.tf b/config.tf
deleted file mode 100644
index ecd115a..0000000
--- a/config.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-resource "aws_config_configuration_aggregator" "organization" {
- count = var.create_org_config ? 1 : 0
- depends_on = [aws_iam_role_policy_attachment.organization]
-
- name = "${var.resource_prefix}-org-aggregator" # Required
-
- organization_aggregation_source {
- all_regions = true
- role_arn = aws_iam_role.aws_config_org_role.arn
- }
-}
diff --git a/guard_duty.tf b/guard_duty.tf
deleted file mode 100644
index 6c215a2..0000000
--- a/guard_duty.tf
+++ /dev/null
@@ -1,155 +0,0 @@
-resource "aws_guardduty_organization_admin_account" "gh_admin_account" {
- count = var.create_org_guardduty ? 1 : 0
-
- depends_on = [aws_organizations_organization.org]
-
-
- admin_account_id = var.delegated_admin_account_id[count.index]
-}
-
-resource "aws_guardduty_detector" "guardduty" {
- count = var.create_org_guardduty ? 1 : 0
-
- enable = true
- finding_publishing_frequency = var.finding_publishing_frequency
-
- datasources {
- s3_logs {
- enable = var.aws_guardduty_datasources_enable_S3
- }
- kubernetes {
- audit_logs {
- enable = var.aws_guardduty_datasources_enable_k8_audit_logs
- }
- }
- malware_protection {
- scan_ec2_instance_with_findings {
- ebs_volumes {
- enable = var.aws_guardduty_datasources_enable_malware_protection_ebs
- }
- }
- }
- }
-}
-
-resource "aws_cloudwatch_log_group" "guardduty" {
- count = var.create_org_guardduty ? 1 : 0
-
- name = "/aws/guardduty/logs"
-}
-
-resource "aws_guardduty_organization_configuration" "guardduty" {
- count = var.create_org_guardduty ? 1 : 0
-
- auto_enable_organization_members = "ALL"
- detector_id = aws_guardduty_detector.guardduty[0].id
-}
-
-data "aws_iam_policy_document" "bucket_pol" {
- count = var.create_org_guardduty ? 1 : 0
-
- statement {
- sid = "Allow PutObject"
- actions = [
- "s3:PutObject"
- ]
-
- resources = [
- "${aws_s3_bucket.gd_bucket[0].arn}/*"
- ]
-
- principals {
- type = "Service"
- identifiers = ["guardduty.amazonaws.com"]
- }
- }
-
- statement {
- sid = "Allow GetBucketLocation"
- actions = [
- "s3:GetBucketLocation"
- ]
-
- resources = [
- aws_s3_bucket.gd_bucket[0].arn
- ]
-
- principals {
- type = "Service"
- identifiers = ["guardduty.amazonaws.com"]
- }
- }
-}
-
-data "aws_iam_policy_document" "kms_pol" {
- count = var.create_org_guardduty ? 1 : 0
-
- statement {
- sid = "Allow GuardDuty to encrypt findings"
- actions = [
- "kms:GenerateDataKey"
- ]
-
- resources = [
- "arn:${data.aws_partition.current.partition}:kms:${var.aws_region}:${data.aws_caller_identity.current.account_id}:key/*"
- ]
-
- principals {
- type = "Service"
- identifiers = ["guardduty.amazonaws.com"]
- }
- }
-
- statement {
- sid = "Allow all users to modify/delete key"
- actions = [
- "kms:*"
- ]
-
- resources = [
- "arn:${data.aws_partition.current.partition}:kms:${var.aws_region}:${data.aws_caller_identity.current.account_id}:key/*"
- ]
-
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
- }
- }
-
-}
-
-resource "aws_s3_bucket" "gd_bucket" {
- count = var.create_org_guardduty ? 1 : 0
-
- bucket = "${var.resource_prefix}-${var.aws_region}-guardduty-findings"
- force_destroy = true
-}
-
-resource "aws_s3_bucket_policy" "gd_bucket_policy" {
- count = var.create_org_guardduty ? 1 : 0
-
- bucket = aws_s3_bucket.gd_bucket[0].id
- policy = data.aws_iam_policy_document.bucket_pol[0].json
-}
-
-module "guardduty_kms_key" {
- count = var.create_org_guardduty ? 1 : 0
- source = "github.com/Coalfire-CF/terraform-aws-kms"
-
- key_policy = data.aws_iam_policy_document.kms_pol[0].json
- kms_key_resource_type = "backup"
- resource_prefix = var.resource_prefix
-}
-
-
-resource "aws_guardduty_publishing_destination" "gd_pub_dest" {
- count = var.create_org_guardduty ? 1 : 0
-
- detector_id = aws_guardduty_detector.guardduty[0].id
- destination_arn = aws_s3_bucket.gd_bucket[0].arn
- kms_key_arn = module.guardduty_kms_key[0].kms_key_arn
-
- depends_on = [
- aws_s3_bucket_policy.gd_bucket_policy[0],
- ]
-}
\ No newline at end of file
diff --git a/org.tf b/org.tf
index 62cad2d..2c16a59 100644
--- a/org.tf
+++ b/org.tf
@@ -78,4 +78,4 @@ resource "aws_organizations_resource_policy" "org_resource_policy" {
 ]
 }
 EOF
-}
\ No newline at end of file
+}
diff --git a/security_hub.tf b/security_hub.tf
deleted file mode 100644
index d80d646..0000000
--- a/security_hub.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-resource "aws_securityhub_organization_admin_account" "sechub_org_admin" {
- count = var.create_org_securityhub ? 1 : 0
- depends_on = [aws_organizations_organization.org]
-
- admin_account_id = aws_organizations_organization.org.master_account_id
-}
-
-resource "aws_securityhub_organization_configuration" "sechub_org_config" {
- count = var.create_org_securityhub ? 1 : 0
-
- auto_enable = true
-}
-
-resource "aws_securityhub_standards_subscription" "cis" {
- for_each = toset(var.aws_sec_hub_standards_arn)
-
- depends_on = [aws_securityhub_organization_admin_account.sechub_org_admin[0]]
- standards_arn = each.value
-}
-
diff --git a/variables.tf b/variables.tf
index 44fc7a6..6f61bdc 100644
--- a/variables.tf
+++ b/variables.tf
@@ -4,9 +4,16 @@ variable "service_access_principals" {
 default = [
 "cloudtrail.amazonaws.com",
 "config.amazonaws.com",
- "securityhub.amazonaws.com",
+ "config-multiaccountsetup.amazonaws.com",
+ "member.org.stacksets.cloudformation.amazonaws.com",
+ "sso.amazonaws.com",
+ "ssm.amazonaws.com",
+ "servicecatalog.amazonaws.com",
 "guardduty.amazonaws.com",
- "config-multiaccountsetup.amazonaws.com"
+ "controltower.amazonaws.com",
+ "securityhub.amazonaws.com",
+ "ram.amazonaws.com",
+ "tagpolicies.tag.amazonaws.com"
 ]
 }
@@ -41,11 +48,11 @@ variable "ou_creation_info" {
 type = map(map(string))
 default = {
 ou1 = {
- ou_name = "app_ou1"
+ ou_name = "mgmt_ou"
 ou_parent_id = "parent_id1"
 },
 ou2 = {
- ou_name = "app_ou2"
+ ou_name = "app_ou"
 ou_parent_id = "parent_id2"
 }
 }
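Review bot: The new default for `service_access_principals` turns on trusted access for seven more services (StackSets, SSO, SSM, Service Catalog, Control Tower, RAM, tag policies) for every caller that does not override the list, in the same commit that removes the module's own GuardDuty, Security Hub and Config resources. Trusted access is organization-wide and lets the named service operate in member accounts, so the least-privilege default is the set this module itself needs, with the rest opted in from the calling root module; the README example in this commit repeats the full list, so callers will likely copy it verbatim. At minimum the variable's description should say what an entry grants: `description = "AWS service principals granted trusted access to the organization; each entry lets that service act across all member accounts, so list only services this deployment uses."` The variable's opening lines and description are outside the hunk.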
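Review bot: The renamed `ou_creation_info` defaults still carry placeholder parent ids (`parent_id1`, `parent_id2`), so a caller who accepts the default presumably gets an Organizations API error at apply time rather than a clear validation message, and the description ("their corresponding delegated admins") refers to a key the map does not have. Either make OU creation opt-in with `default = {}`, or add a `validation` block that requires each `ou_parent_id` to start with `r-` or `ou-`, and reword the description to `description = "OUs to create, keyed by label: the OU name and the id of the parent root or OU."` The variable's header and closing brace are outside the hunk.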
@@ -55,60 +62,24 @@ variable "aws_region" {
 type = string
 }
 
-
 variable "resource_prefix" {
 type = string
 }
 
-variable "finding_publishing_frequency" {
- type = string
- default = "ONE_HOUR"
-}
-
 variable "aws_sec_hub_standards_arn" {
 type = list(string)
 }
 
-variable "aws_guardduty_datasources_enable_S3" {
- description = "Configuration for the collected datasources."
- default = true
-}
-
-variable "aws_guardduty_datasources_enable_k8_audit_logs" {
- description = "Configuration for the collected datasources."
- default = true
-}
-
-variable "aws_guardduty_datasources_enable_malware_protection_ebs" {
- description = "Configuration for the collected datasources."
- default = true
-}
-
 variable "s3_kms_key_arn" {
 type = string
 }
 
-variable "create_org_config" {
- description = "True/False statement whether to enable AWS Config in the Organization"
- default = true
-}
-
-variable "create_org_guardduty" {
- description = "True/False statement whether to enable AWS GuardDuty in the Organization"
- default = true
-}
-
 variable "create_org_cloudtrail" {
 description = "True/False statement whether to enable AWS Cloudtrail in the Organization"
 default = true
 }
 
-variable "create_org_securityhub" {
- description = "True/False statement whether to enable AWS Security Hub in the Organization"
- default = true
-}
-
 variable "org_account_name" {
 description = "value to be used for the org account name"
 type = string
-}
\ No newline at end of file
+}
From cda26f89475ecebf78618790697935830c0a6b7f Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 16 Oct 2024 05:32:58 +0000
Subject: [PATCH 02/19] terraform-docs: automated action
---
 README.md | 28 +++------------------------
 1 file changed, 3 insertions(+), 25 deletions(-)
diff --git a/README.md b/README.md
index 7521a20..0298252 100644
--- a/README.md
+++ b/README.md
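Review bot: `aws_sec_hub_standards_arn` survives this hunk as a required input (`type = list(string)`, no default) while `security_hub.tf`, its only consumer, is deleted in the same commit, so every caller must keep passing a value the module now ignores. The README example in this same commit drops exactly that argument, so the documented module call would fail on a missing required variable. Remove the block here alongside the other Security Hub variables (a later patch in this series does so), or give it `default = []` so the example stays valid in the meantime.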
@@ -85,21 +85,13 @@ No requirements. ## Modules -| Name | Source | Version | -|------|--------|---------| -| [guardduty\_kms\_key](#module\_guardduty\_kms\_key) | github.com/Coalfire-CF/terraform-aws-kms | n/a | +No modules. ## Resources | Name | Type | |------|------| | [aws_cloudtrail.org-trail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource | -| [aws_cloudwatch_log_group.guardduty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_config_configuration_aggregator.organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_aggregator) | resource | -| [aws_guardduty_detector.guardduty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector) | resource | -| [aws_guardduty_organization_admin_account.gh_admin_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_admin_account) | resource | -| [aws_guardduty_organization_configuration.guardduty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration) | resource | -| [aws_guardduty_publishing_destination.gd_pub_dest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_publishing_destination) | resource | | [aws_iam_role.aws_config_org_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_organizations_account.account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_account) | resource | 
@@ -109,15 +101,8 @@ No requirements. | [aws_organizations_policy.scp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource | | [aws_organizations_policy_attachment.scp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy_attachment) | resource | | [aws_organizations_resource_policy.org_resource_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_resource_policy) | resource | -| [aws_s3_bucket.gd_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_policy.gd_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | -| [aws_securityhub_organization_admin_account.sechub_org_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_organization_admin_account) | resource | -| [aws_securityhub_organization_configuration.sechub_org_config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_organization_configuration) | resource | -| [aws_securityhub_standards_subscription.cis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.bucket_pol](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.kms_pol](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | 
[aws_iam_policy_document.scp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | 
@@ -125,26 +110,19 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aws\_guardduty\_datasources\_enable\_S3](#input\_aws\_guardduty\_datasources\_enable\_S3) | Configuration for the collected datasources. | `bool` | `true` | no | -| [aws\_guardduty\_datasources\_enable\_k8\_audit\_logs](#input\_aws\_guardduty\_datasources\_enable\_k8\_audit\_logs) | Configuration for the collected datasources. | `bool` | `true` | no | -| [aws\_guardduty\_datasources\_enable\_malware\_protection\_ebs](#input\_aws\_guardduty\_datasources\_enable\_malware\_protection\_ebs) | Configuration for the collected datasources. | `bool` | `true` | no | | [aws\_new\_member\_account\_email](#input\_aws\_new\_member\_account\_email) | The Email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account. | `any` | `null` | no | | [aws\_new\_member\_account\_name](#input\_aws\_new\_member\_account\_name) | The Friendly name for the member account. 
| `any` | `null` | no | | [aws\_region](#input\_aws\_region) | n/a | `string` | n/a | yes | | [aws\_sec\_hub\_standards\_arn](#input\_aws\_sec\_hub\_standards\_arn) | n/a | `list(string)` | n/a | yes | | [create\_org\_cloudtrail](#input\_create\_org\_cloudtrail) | True/False statement whether to enable AWS Cloudtrail in the Organization | `bool` | `true` | no | -| [create\_org\_config](#input\_create\_org\_config) | True/False statement whether to enable AWS Config in the Organization | `bool` | `true` | no | -| [create\_org\_guardduty](#input\_create\_org\_guardduty) | True/False statement whether to enable AWS GuardDuty in the Organization | `bool` | `true` | no | -| [create\_org\_securityhub](#input\_create\_org\_securityhub) | True/False statement whether to enable AWS Security Hub in the Organization | `bool` | `true` | no | | [delegated\_admin\_account\_id](#input\_delegated\_admin\_account\_id) | The account ID number of the member account in the organization to register as a delegated administrator. | `list(string)` | `null` | no | | [delegated\_service\_principal](#input\_delegated\_service\_principal) | The service principal of the AWS service for which you want to make the member account a delegated administrator. | `string` | `"principal"` | no | | [feature\_set](#input\_feature\_set) | Feature set to be used with Org and member accounts Specify ALL(default) or CONSOLIDATED\_BILLING. | `string` | `"ALL"` | no | -| [finding\_publishing\_frequency](#input\_finding\_publishing\_frequency) | n/a | `string` | `"ONE_HOUR"` | no | | [org\_account\_name](#input\_org\_account\_name) | value to be used for the org account name | `string` | n/a | yes | -| [ou\_creation\_info](#input\_ou\_creation\_info) | list of names of OU to create and their corresponding delegated admins | `map(map(string))` |
{
"ou1": {
"ou_name": "app_ou1",
"ou_parent_id": "parent_id1"
},
"ou2": {
"ou_name": "app_ou2",
"ou_parent_id": "parent_id2"
}
}
| no | +| [ou\_creation\_info](#input\_ou\_creation\_info) | list of names of OU to create and their corresponding delegated admins | `map(map(string))` |
{
"ou1": {
"ou_name": "mgmt_ou",
"ou_parent_id": "parent_id1"
},
"ou2": {
"ou_name": "app_ou",
"ou_parent_id": "parent_id2"
}
}
| no | | [resource\_prefix](#input\_resource\_prefix) | n/a | `string` | n/a | yes | | [s3\_kms\_key\_arn](#input\_s3\_kms\_key\_arn) | n/a | `string` | n/a | yes | -| [service\_access\_principals](#input\_service\_access\_principals) | List of AWS Service Access Principals that you want to enable for organization integration | `list(string)` |
[
"cloudtrail.amazonaws.com",
"config.amazonaws.com",
"securityhub.amazonaws.com",
"guardduty.amazonaws.com",
"config-multiaccountsetup.amazonaws.com"
]
| no | +| [service\_access\_principals](#input\_service\_access\_principals) | List of AWS Service Access Principals that you want to enable for organization integration | `list(string)` |
[
"cloudtrail.amazonaws.com",
"config.amazonaws.com",
"config-multiaccountsetup.amazonaws.com",
"member.org.stacksets.cloudformation.amazonaws.com",
"sso.amazonaws.com",
"ssm.amazonaws.com",
"servicecatalog.amazonaws.com",
"guardduty.amazonaws.com",
"controltower.amazonaws.com",
"securityhub.amazonaws.com",
"ram.amazonaws.com",
"tagpolicies.tag.amazonaws.com"
]
| no | ## Outputs From d3fda69816ce88038ca7bfbc10b7382e1ce3b0ca Mon Sep 17 00:00:00 2001 From: Matthew Pappas Date: Tue, 15 Oct 2024 22:37:22 -0700 Subject: [PATCH 03/19] cleansed org for just standalone --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 7521a20..72a2db1 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,14 @@ A high-level list of resources created as a part of this module. - AWS Organization policy - IAM role and policy +## Related Repos + +AWS resources that can be used with Organizations +- [AWS Config](https://github.com/Coalfire-CF/terraform-aws-config) +- [AWS Guardduty](https://github.com/Coalfire-CF/terraform-aws-guardduty) +- [AWS SecurityHub](https://github.com/Coalfire-CF/terraform-aws-security-hub) +- [AWS Control Tower](https://github.com/Coalfire-CF/terraform-aws-control-tower) + ## Deployment Steps This module can be called as outlined below. From 8c80c648b5d8e7497863b8764c45c96f473a6bf4 Mon Sep 17 00:00:00 2001 From: Matthew Pappas Date: Tue, 15 Oct 2024 22:38:16 -0700 Subject: [PATCH 04/19] readme update --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 72a2db1..cf5760b 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ A high-level list of resources created as a part of this module. ## Related Repos -AWS resources that can be used with Organizations +AWS resources that can be used with Organizations: - [AWS Config](https://github.com/Coalfire-CF/terraform-aws-config) - [AWS Guardduty](https://github.com/Coalfire-CF/terraform-aws-guardduty) - [AWS SecurityHub](https://github.com/Coalfire-CF/terraform-aws-security-hub) From 70a2a7ca72a16ad18f452113334d91efd094f7b2 Mon Sep 17 00:00:00 2001 From: Matthew Pappas Date: Wed, 16 Oct 2024 13:10:07 -0700 Subject: [PATCH 05/19] readme update --- variables.tf | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) 
diff --git a/variables.tf b/variables.tf
index 6f61bdc..87a4211 100644
--- a/variables.tf
+++ b/variables.tf
@@ -66,17 +66,14 @@ variable "resource_prefix" {
 type = string
 }
 
-variable "aws_sec_hub_standards_arn" {
- type = list(string)
-}
-
 variable "s3_kms_key_arn" {
- type = string
+ type = string
+ default = null
 }
 
 variable "create_org_cloudtrail" {
 description = "True/False statement whether to enable AWS Cloudtrail in the Organization"
- default = true
+ default = false
 }
 
 variable "org_account_name" {
From a026bc6e8b5ac8ad00b87587f52fd0ab9d518086 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 16 Oct 2024 20:10:58 +0000
Subject: [PATCH 06/19] terraform-docs: automated action
---
 README.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 8f68b23..e137e60 100644
--- a/README.md
+++ b/README.md
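Review bot: Flipping `create_org_cloudtrail` to `default = false` makes the organization trail opt-in, so a caller who takes the defaults gets an AWS Organization with no org-level CloudTrail; for a module whose README advertises FedRAMP Moderate/High alignment the safe default is `true`, and if the change is intentional the description should say why. `s3_kms_key_arn` now defaults to `null`, but nothing in this hunk ties it to the trail toggle; if `cloudtrail.tf` (outside this diff) passes it straight through, a caller who enables the trail without a key presumably ends up with an unencrypted trail or a provider error at apply time. Document the coupling in the variable itself: `description = "ARN of the KMS key used to encrypt the org trail; must be set when create_org_cloudtrail is true."`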
@@ -121,15 +121,14 @@ No modules. | [aws\_new\_member\_account\_email](#input\_aws\_new\_member\_account\_email) | The Email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account. | `any` | `null` | no | | [aws\_new\_member\_account\_name](#input\_aws\_new\_member\_account\_name) | The Friendly name for the member account. | `any` | `null` | no | | [aws\_region](#input\_aws\_region) | n/a | `string` | n/a | yes | -| [aws\_sec\_hub\_standards\_arn](#input\_aws\_sec\_hub\_standards\_arn) | n/a | `list(string)` | n/a | yes | -| [create\_org\_cloudtrail](#input\_create\_org\_cloudtrail) | True/False statement whether to enable AWS Cloudtrail in the Organization | `bool` | `true` | no | +| [create\_org\_cloudtrail](#input\_create\_org\_cloudtrail) | True/False statement whether to enable AWS Cloudtrail in the Organization | `bool` | `false` | no | | [delegated\_admin\_account\_id](#input\_delegated\_admin\_account\_id) | The account ID number of the member account in the organization to register as a delegated administrator. | `list(string)` | `null` | no | | [delegated\_service\_principal](#input\_delegated\_service\_principal) | The service principal of the AWS service for which you want to make the member account a delegated administrator. | `string` | `"principal"` | no | | [feature\_set](#input\_feature\_set) | Feature set to be used with Org and member accounts Specify ALL(default) or CONSOLIDATED\_BILLING. | `string` | `"ALL"` | no | | [org\_account\_name](#input\_org\_account\_name) | value to be used for the org account name | `string` | n/a | yes | | [ou\_creation\_info](#input\_ou\_creation\_info) | list of names of OU to create and their corresponding delegated admins | `map(map(string))` |
{
"ou1": {
"ou_name": "mgmt_ou",
"ou_parent_id": "parent_id1"
},
"ou2": {
"ou_name": "app_ou",
"ou_parent_id": "parent_id2"
}
}
| no | | [resource\_prefix](#input\_resource\_prefix) | n/a | `string` | n/a | yes | -| [s3\_kms\_key\_arn](#input\_s3\_kms\_key\_arn) | n/a | `string` | n/a | yes | +| [s3\_kms\_key\_arn](#input\_s3\_kms\_key\_arn) | n/a | `string` | `null` | no | | [service\_access\_principals](#input\_service\_access\_principals) | List of AWS Service Access Principals that you want to enable for organization integration | `list(string)` |
[
"cloudtrail.amazonaws.com",
"config.amazonaws.com",
"config-multiaccountsetup.amazonaws.com",
"member.org.stacksets.cloudformation.amazonaws.com",
"sso.amazonaws.com",
"ssm.amazonaws.com",
"servicecatalog.amazonaws.com",
"guardduty.amazonaws.com",
"controltower.amazonaws.com",
"securityhub.amazonaws.com",
"ram.amazonaws.com",
"tagpolicies.tag.amazonaws.com"
]
| no |
## Outputs
From 72d6925ab28b3218fefe20a25c6f008dfbd367c5 Mon Sep 17 00:00:00 2001
From: Matthew Pappas
Date: Wed, 16 Oct 2024 13:14:02 -0700
Subject: [PATCH 07/19] updates
---
 org.tf | 30 ++++++++++++-------------
 variables.tf | 62 ++++++++++++++++++++++++++--------------------------
 2 files changed, 46 insertions(+), 46 deletions(-)
diff --git a/org.tf b/org.tf
index 2c16a59..ea64f10 100644
--- a/org.tf
+++ b/org.tf
@@ -6,26 +6,26 @@ resource "aws_organizations_organization" "org" {
 #enabled_policy_types = var.enabled_policy_types # I want to implement this based off a check of feature_set - if not set to ALL then this is null.
 }
 
-resource "aws_organizations_delegated_administrator" "delegated_admin" {
- for_each = toset(var.delegated_admin_account_id)
+# resource "aws_organizations_delegated_administrator" "delegated_admin" {
+# for_each = toset(var.delegated_admin_account_id)
 
- account_id = each.key
- service_principal = var.delegated_service_principal
-}
+# account_id = each.key
+# service_principal = var.delegated_service_principal
+# }
 
-resource "aws_organizations_account" "account" {
- for_each = toset(var.aws_new_member_account_email)
+# resource "aws_organizations_account" "account" {
+# for_each = toset(var.aws_new_member_account_email)
 
- name = var.org_account_name
- email = each.value
-}
+# name = var.org_account_name
+# email = each.value
+# }
 
-resource "aws_organizations_organizational_unit" "ou" {
- for_each = var.ou_creation_info
+# resource "aws_organizations_organizational_unit" "ou" {
+# for_each = var.ou_creation_info
 
- name = each.value["ou_name"]
- parent_id = each.value["ou_parent_id"]
-}
+# name = each.value["ou_name"]
+# parent_id = each.value["ou_parent_id"]
+# }
 
 resource "aws_organizations_policy" "scp" {
 content = data.aws_iam_policy_document.scp.json
diff --git a/variables.tf b/variables.tf
index 87a4211..73ab5fe 100644
--- a/variables.tf
+++ b/variables.tf
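Review bot: Commenting out `aws_organizations_delegated_administrator.delegated_admin`, `aws_organizations_account.account` and `aws_organizations_organizational_unit.ou` removes them from configuration, so any workspace that has already applied this module will plan their destruction on the next apply; for `aws_organizations_account` the provider's destroy removes the member account from the organization, which is not something a routine module upgrade should do silently. If the intent is to stop managing these resources rather than delete them, pair the removal with a `removed { from = aws_organizations_account.account  lifecycle { destroy = false } }` block (one per resource, Terraform 1.7+) or a documented `terraform state rm` step, and call the behaviour out in the README and changelog. Dead code kept as `#`-commented blocks, here and in the variables.tf hunk of this commit, should be deleted outright: git history preserves it, and a commented block silently drifts from the provider schema until someone uncomments it.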
@@ -22,41 +22,41 @@ variable "feature_set" {
 default = "ALL"
 }
 
-variable "delegated_admin_account_id" {
- description = "The account ID number of the member account in the organization to register as a delegated administrator."
- type = list(string)
- default = null
-}
+# variable "delegated_admin_account_id" {
+# description = "The account ID number of the member account in the organization to register as a delegated administrator."
+# type = list(string)
+# default = null
+# }
 
-variable "delegated_service_principal" {
- description = "The service principal of the AWS service for which you want to make the member account a delegated administrator."
- default = "principal"
-}
+# variable "delegated_service_principal" {
+# description = "The service principal of the AWS service for which you want to make the member account a delegated administrator."
+# default = "principal"
+# }
 
-variable "aws_new_member_account_name" {
- description = "The Friendly name for the member account."
- default = null
-}
+# variable "aws_new_member_account_name" {
+# description = "The Friendly name for the member account."
+# default = null
+# }
 
-variable "aws_new_member_account_email" {
- description = "The Email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account."
- default = null
-}
+# variable "aws_new_member_account_email" {
+# description = "The Email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account."
+# default = null
+# }
 
-variable "ou_creation_info" {
- description = "list of names of OU to create and their corresponding delegated admins"
- type = map(map(string))
- default = {
- ou1 = {
- ou_name = "mgmt_ou"
- ou_parent_id = "parent_id1"
- },
- ou2 = {
- ou_name = "app_ou"
- ou_parent_id = "parent_id2"
- }
- }
-}
+# variable "ou_creation_info" {
+# description = "list of names of OU to create and their corresponding delegated admins"
+# type = map(map(string))
+# default = {
+# ou1 = {
+# ou_name = "mgmt_ou"
+# ou_parent_id = "parent_id1"
+# },
+# ou2 = {
+# ou_name = "app_ou"
+# ou_parent_id = "parent_id2"
+# }
+# }
+# }
 
 variable "aws_region" {
 type = string
From ae6083ce0bc48e6a32ff28073d7dc8d625f1c038 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 16 Oct 2024 20:15:08 +0000
Subject: [PATCH 08/19] terraform-docs: automated action
---
 README.md | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/README.md b/README.md
index e137e60..11eb4dc 100644
--- a/README.md
+++ b/README.md
@@ -102,10 +102,7 @@ No modules. | [aws_cloudtrail.org-trail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource | | [aws_iam_role.aws_config_org_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_organizations_account.account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_account) | resource | -| [aws_organizations_delegated_administrator.delegated_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_delegated_administrator) | resource | | [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organization) | resource | -| [aws_organizations_organizational_unit.ou](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organizational_unit) | resource | | [aws_organizations_policy.scp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource | | [aws_organizations_policy_attachment.scp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy_attachment) | resource | | [aws_organizations_resource_policy.org_resource_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_resource_policy) | resource | 
@@ -118,15 +115,10 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aws\_new\_member\_account\_email](#input\_aws\_new\_member\_account\_email) | The Email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account. | `any` | `null` | no | -| [aws\_new\_member\_account\_name](#input\_aws\_new\_member\_account\_name) | The Friendly name for the member account. | `any` | `null` | no | | [aws\_region](#input\_aws\_region) | n/a | `string` | n/a | yes | | [create\_org\_cloudtrail](#input\_create\_org\_cloudtrail) | True/False statement whether to enable AWS Cloudtrail in the Organization | `bool` | `false` | no | -| [delegated\_admin\_account\_id](#input\_delegated\_admin\_account\_id) | The account ID number of the member account in the organization to register as a delegated administrator. | `list(string)` | `null` | no | -| [delegated\_service\_principal](#input\_delegated\_service\_principal) | The service principal of the AWS service for which you want to make the member account a delegated administrator. | `string` | `"principal"` | no | | [feature\_set](#input\_feature\_set) | Feature set to be used with Org and member accounts Specify ALL(default) or CONSOLIDATED\_BILLING. | `string` | `"ALL"` | no | | [org\_account\_name](#input\_org\_account\_name) | value to be used for the org account name | `string` | n/a | yes | -| [ou\_creation\_info](#input\_ou\_creation\_info) | list of names of OU to create and their corresponding delegated admins | `map(map(string))` |
{
"ou1": {
"ou_name": "mgmt_ou",
"ou_parent_id": "parent_id1"
},
"ou2": {
"ou_name": "app_ou",
"ou_parent_id": "parent_id2"
}
}
| no | | [resource\_prefix](#input\_resource\_prefix) | n/a | `string` | n/a | yes | | [s3\_kms\_key\_arn](#input\_s3\_kms\_key\_arn) | n/a | `string` | `null` | no | | [service\_access\_principals](#input\_service\_access\_principals) | List of AWS Service Access Principals that you want to enable for organization integration | `list(string)` |
[
"cloudtrail.amazonaws.com",
"config.amazonaws.com",
"config-multiaccountsetup.amazonaws.com",
"member.org.stacksets.cloudformation.amazonaws.com",
"sso.amazonaws.com",
"ssm.amazonaws.com",
"servicecatalog.amazonaws.com",
"guardduty.amazonaws.com",
"controltower.amazonaws.com",
"securityhub.amazonaws.com",
"ram.amazonaws.com",
"tagpolicies.tag.amazonaws.com"
]
| no | From 20b4e4187e1a5eb4be2ae7dae9cfbc16d5bae014 Mon Sep 17 00:00:00 2001 From: Matthew Pappas Date: Wed, 16 Oct 2024 13:19:53 -0700 Subject: [PATCH 09/19] up --- org.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/org.tf b/org.tf index ea64f10..4c9f7c2 100644 --- a/org.tf +++ b/org.tf @@ -73,7 +73,7 @@ resource "aws_organizations_resource_policy" "org_resource_policy" { "organizations:ListTagsForResource" ], "Resource": [ - "arn:${data.aws_partition.current.partition}:organizations::${aws_organizations_organization.org.roots[0].id}:ou/${aws_organizations_organizational_unit.ou[0].id}/*"] + "arn:${data.aws_partition.current.partition}:organizations::${aws_organizations_organization.org.roots[0].id}:ou/*"] } ] } From eb94bd47aa6f0325addaa76a8c46aea4f5a01ad6 Mon Sep 17 00:00:00 2001 From: Matthew Pappas Date: Mon, 28 Oct 2024 19:41:11 -0700 Subject: [PATCH 10/19] update --- iam.tf | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++-------- org.tf | 84 +++++++++++++++++++++++++++---------------------------- 2 files changed, 118 insertions(+), 54 deletions(-) diff --git a/iam.tf b/iam.tf index ff3ba66..091c7ac 100644 --- a/iam.tf +++ b/iam.tf @@ -24,19 +24,21 @@ resource "aws_iam_role_policy_attachment" "organization" { ### AWS ORG IAM data "aws_iam_policy_document" "scp" { + ## Enforce usage of IPAM for creating a VPC statement { effect = "Deny" actions = [ "ec2:CreateVpc", - "ec2:AssociateVpcCidrBlock"] + "ec2:AssociateVpcCidrBlock" + ] resources = [ - "arn:${data.aws_partition.current.partition}:ec2:*:*:vpc/*"] + "arn:${data.aws_partition.current.partition}:ec2:*:*:vpc/*" + ] condition { - test = "Null" - values = [ - "true"] + test = "Null" variable = "ec2:Ipv4IpamPoolId" + values = ["true"] } } @@ -47,7 +49,7 @@ data "aws_iam_policy_document" "scp" { resources = ["*"] } - ## Enforce enabling of flowlogs for VPC + ## Enforce enabling of flow logs for VPC statement { effect = "Deny" actions = ["ec2:DeleteFlowLogs"] 
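Review bot: The new Resource ARN in the org resource policy is widened from one OU (`ou/${aws_organizations_organizational_unit.ou[0].id}/*`) to every OU under the root (`ou/*`), so the actions listed above it, such as `organizations:ListTagsForResource`, are now granted across all OUs to whatever Principal the statement names outside the hunk. If the only goal is to drop the reference to the removed organizational_unit resource, keeping the ARN scoped by taking the OU ids from a new list(string) input (name to be chosen) would preserve the original least-privilege scope; otherwise a one-line comment on the new line explaining why root-wide scope is acceptable would help the next reader. The enclosing `aws_organizations_resource_policy` resource starts and ends outside the hunk.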
@@ -64,20 +66,82 @@ data "aws_iam_policy_document" "scp" { ] condition { test = "Null" - values = ["true"] variable = "aws:RequestTag/OSType" + values = ["true"] } } ## Deny changing of security tooling IAM role statement { - effect = "Deny" - actions = ["iam:DeleteRole", "iam:DeleteRolePolicy"] - resources = ["arn:${data.aws_partition.current.partition}:iam::*:role/ops-stack-security-tooling"] + effect = "Deny" + actions = ["iam:DeleteRole", "iam:DeleteRolePolicy"] + resources = [ + "arn:${data.aws_partition.current.partition}:iam::*:role/ops-stack-security-tooling" + ] condition { test = "StringNotLike" - values = ["arn:${data.aws_partition.current.partition}:iam::*:role/tfadmin"] variable = "aws:PrincipalARN" + values = ["arn:${data.aws_partition.current.partition}:iam::*:role/tfadmin"] } } -} \ No newline at end of file +} + + +# data "aws_iam_policy_document" "scp" { +# ## Enforce usage of IPAM for creating a VPC +# statement { +# effect = "Deny" +# actions = [ +# "ec2:CreateVpc", +# "ec2:AssociateVpcCidrBlock"] +# resources = [ +# "arn:${data.aws_partition.current.partition}:ec2:*:*:vpc/*"] +# condition { +# test = "Null" +# values = [ +# "true"] +# variable = "ec2:Ipv4IpamPoolId" +# } +# } + +# ## Prevent member accounts from leaving Org +# statement { +# effect = "Deny" +# actions = ["organizations:LeaveOrganization"] +# resources = ["*"] +# } + +# ## Enforce enabling of flowlogs for VPC +# statement { +# effect = "Deny" +# actions = ["ec2:DeleteFlowLogs"] +# resources = ["*"] +# } + +# ## Enforce EC2 tagging for Ansible inventory +# statement { +# effect = "Deny" +# actions = ["ec2:RunInstances"] +# resources = [ +# "arn:${data.aws_partition.current.partition}:ec2:*:*:instance/*", +# "arn:${data.aws_partition.current.partition}:ec2:*:*:volume/*" +# ] +# condition { +# test = "Null" +# values = ["true"] +# variable = "aws:RequestTag/OSType" +# } +# } + +# ## Deny changing of security tooling IAM role +# statement { +# effect = "Deny" +# actions = 
["iam:DeleteRole", "iam:DeleteRolePolicy"] +# resources = ["arn:${data.aws_partition.current.partition}:iam::*:role/ops-stack-security-tooling"] +# condition { +# test = "StringNotLike" +# values = ["arn:${data.aws_partition.current.partition}:iam::*:role/tfadmin"] +# variable = "aws:PrincipalARN" +# } +# } +# } diff --git a/org.tf b/org.tf index 4c9f7c2..0b789f0 100644 --- a/org.tf +++ b/org.tf @@ -37,45 +37,45 @@ resource "aws_organizations_policy_attachment" "scp" { target_id = aws_organizations_organization.org.id } -resource "aws_organizations_resource_policy" "org_resource_policy" { - content = < Date: Tue, 29 Oct 2024 02:41:35 +0000 Subject: [PATCH 11/19] terraform-docs: automated action --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 11eb4dc..9220863 100644 --- a/README.md +++ b/README.md @@ -105,7 +105,6 @@ No modules. | [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organization) | resource | | [aws_organizations_policy.scp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource | | [aws_organizations_policy_attachment.scp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy_attachment) | resource | -| [aws_organizations_resource_policy.org_resource_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_resource_policy) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.scp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 
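Review bot: The new side appends a fully commented-out copy of the whole `scp` policy document (from `# data "aws_iam_policy_document" "scp" {` to the final `# }`), roughly sixty lines of dead code that duplicates the live document directly above it and will drift from it as the live statements change. Version control already preserves the earlier form, so the commented block should be deleted. The live statements in this hunk only reorder `variable` before `values` and add the missing trailing newline, so the `## Deny changing of security tooling IAM role` guardrail is unchanged in effect. The data source begins before the hunk.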
From 8981ce25d456250c67f12b6963959336968d233b Mon Sep 17 00:00:00 2001 From: Matthew Pappas Date: Mon, 28 Oct 2024 19:45:46 -0700 Subject: [PATCH 12/19] update --- iam.tf | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/iam.tf b/iam.tf index 091c7ac..4fed458 100644 --- a/iam.tf +++ b/iam.tf @@ -61,8 +61,7 @@ data "aws_iam_policy_document" "scp" { effect = "Deny" actions = ["ec2:RunInstances"] resources = [ - "arn:${data.aws_partition.current.partition}:ec2:*:*:instance/*", - "arn:${data.aws_partition.current.partition}:ec2:*:*:volume/*" + "arn:${data.aws_partition.current.partition}:ec2:*:*:instance/*" ] condition { test = "Null" @@ -70,20 +69,6 @@ data "aws_iam_policy_document" "scp" { values = ["true"] } } - - ## Deny changing of security tooling IAM role - statement { - effect = "Deny" - actions = ["iam:DeleteRole", "iam:DeleteRolePolicy"] - resources = [ - "arn:${data.aws_partition.current.partition}:iam::*:role/ops-stack-security-tooling" - ] - condition { - test = "StringNotLike" - variable = "aws:PrincipalARN" - values = ["arn:${data.aws_partition.current.partition}:iam::*:role/tfadmin"] - } - } } From 51ef1cf2dffccbbc542660012b90eea257f36023 Mon Sep 17 00:00:00 2001 From: Matthew Pappas Date: Mon, 28 Oct 2024 19:51:58 -0700 Subject: [PATCH 13/19] update iam --- iam.tf | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/iam.tf b/iam.tf index 4fed458..581236f 100644 --- a/iam.tf +++ b/iam.tf @@ -32,9 +32,7 @@ data "aws_iam_policy_document" "scp" { "ec2:CreateVpc", "ec2:AssociateVpcCidrBlock" ] - resources = [ - "arn:${data.aws_partition.current.partition}:ec2:*:*:vpc/*" - ] + resources = ["*"] condition { test = "Null" variable = "ec2:Ipv4IpamPoolId" 
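Review bot: Dropping the `volume/*` ARN from the `ec2:RunInstances` Deny means the `Null aws:RequestTag/OSType` condition now only covers the instance resource, so volumes created by the same call no longer have to carry the OSType tag. That may be intended for an inventory tag, but the commit message `update` does not say, and the `## Enforce EC2 tagging for Ansible inventory` heading above the hunk still reads as if every created resource is covered; a comment such as `# Only instances are tagged for inventory; volumes are intentionally not covered` on the resources line would record the decision. The statement's heading and the enclosing data source are outside the hunk.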
@@ -58,11 +56,9 @@ data "aws_iam_policy_document" "scp" { ## Enforce EC2 tagging for Ansible inventory statement { - effect = "Deny" - actions = ["ec2:RunInstances"] - resources = [ - "arn:${data.aws_partition.current.partition}:ec2:*:*:instance/*" - ] + effect = "Deny" + actions = ["ec2:RunInstances"] + resources = ["*"] condition { test = "Null" variable = "aws:RequestTag/OSType" @@ -71,7 +67,6 @@ data "aws_iam_policy_document" "scp" { } } - # data "aws_iam_policy_document" "scp" { # ## Enforce usage of IPAM for creating a VPC # statement { From fc403b0ebc722278b3dfa80fe481d8fcb2fae352 Mon Sep 17 00:00:00 2001 From: Matthew Pappas Date: Mon, 28 Oct 2024 19:54:00 -0700 Subject: [PATCH 14/19] update iam --- iam.tf | 105 --------------------------------------------------------- org.tf | 45 +------------------------ 2 files changed, 1 insertion(+), 149 deletions(-) diff --git a/iam.tf b/iam.tf index 581236f..3ab35ef 100644 --- a/iam.tf +++ b/iam.tf 
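Review bot: Changing the `ec2:RunInstances` Deny's `resources` from the instance ARN to `"*"` likely blocks every RunInstances call rather than only untagged ones: IAM evaluates the statement against each resource ARN the call touches (subnet, security group, network interface, key pair, image, and so on), no tag is requested for those, so `Null aws:RequestTag/OSType = true` holds and the Deny matches. This is why AWS's tag-on-create guidance scopes such a statement to the resources actually being tagged, which is what the previous line did; I would restore `resources = ["arn:${data.aws_partition.current.partition}:ec2:*:*:instance/*"]`. The parallel change to `"*"` on the `ec2:CreateVpc` statement in the earlier hunk of this patch is fine, because `ec2:Ipv4IpamPoolId` is a request-parameter key rather than a per-resource tag key. The statement's heading and the enclosing data source lie outside the hunk.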
@@ -20,108 +20,3 @@ resource "aws_iam_role_policy_attachment" "organization" { role = aws_iam_role.aws_config_org_role.name policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSConfigRoleForOrganizations" } - -### AWS ORG IAM - -data "aws_iam_policy_document" "scp" { - - ## Enforce usage of IPAM for creating a VPC - statement { - effect = "Deny" - actions = [ - "ec2:CreateVpc", - "ec2:AssociateVpcCidrBlock" - ] - resources = ["*"] - condition { - test = "Null" - variable = "ec2:Ipv4IpamPoolId" - values = ["true"] - } - } - - ## Prevent member accounts from leaving Org - statement { - effect = "Deny" - actions = ["organizations:LeaveOrganization"] - resources = ["*"] - } - - ## Enforce enabling of flow logs for VPC - statement { - effect = "Deny" - actions = ["ec2:DeleteFlowLogs"] - resources = ["*"] - } - - ## Enforce EC2 tagging for Ansible inventory - statement { - effect = "Deny" - actions = ["ec2:RunInstances"] - resources = ["*"] - condition { - test = "Null" - variable = "aws:RequestTag/OSType" - values = ["true"] - } - } -} - -# data "aws_iam_policy_document" "scp" { -# ## Enforce usage of IPAM for creating a VPC -# statement { -# effect = "Deny" -# actions = [ -# "ec2:CreateVpc", -# "ec2:AssociateVpcCidrBlock"] -# resources = [ -# "arn:${data.aws_partition.current.partition}:ec2:*:*:vpc/*"] -# condition { -# test = "Null" -# values = [ -# "true"] -# variable = "ec2:Ipv4IpamPoolId" -# } -# } - -# ## Prevent member accounts from leaving Org -# statement { -# effect = "Deny" -# actions = ["organizations:LeaveOrganization"] -# resources = ["*"] -# } - -# ## Enforce enabling of flowlogs for VPC -# statement { -# effect = "Deny" -# actions = ["ec2:DeleteFlowLogs"] -# resources = ["*"] -# } - -# ## Enforce EC2 tagging for Ansible inventory -# statement { -# effect = "Deny" -# actions = ["ec2:RunInstances"] -# resources = [ -# "arn:${data.aws_partition.current.partition}:ec2:*:*:instance/*", -# 
"arn:${data.aws_partition.current.partition}:ec2:*:*:volume/*" -# ] -# condition { -# test = "Null" -# values = ["true"] -# variable = "aws:RequestTag/OSType" -# } -# } - -# ## Deny changing of security tooling IAM role -# statement { -# effect = "Deny" -# actions = ["iam:DeleteRole", "iam:DeleteRolePolicy"] -# resources = ["arn:${data.aws_partition.current.partition}:iam::*:role/ops-stack-security-tooling"] -# condition { -# test = "StringNotLike" -# values = ["arn:${data.aws_partition.current.partition}:iam::*:role/tfadmin"] -# variable = "aws:PrincipalARN" -# } -# } -# } diff --git a/org.tf b/org.tf index 0b789f0..0aafe4e 100644 --- a/org.tf +++ b/org.tf @@ -2,8 +2,6 @@ resource "aws_organizations_organization" "org" { aws_service_access_principals = var.service_access_principals feature_set = var.feature_set - - #enabled_policy_types = var.enabled_policy_types # I want to implement this based off a check of feature_set - if not set to ALL then this is null. } # resource "aws_organizations_delegated_administrator" "delegated_admin" { @@ -37,45 +35,4 @@ resource "aws_organizations_policy_attachment" "scp" { target_id = aws_organizations_organization.org.id } -# resource "aws_organizations_resource_policy" "org_resource_policy" { -# content = < Date: Tue, 29 Oct 2024 02:54:21 +0000 Subject: [PATCH 15/19] terraform-docs: automated action --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 9220863..c9781a7 100644 --- a/README.md +++ b/README.md 
@@ -107,7 +107,6 @@ No modules. | [aws_organizations_policy_attachment.scp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy_attachment) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.scp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs From 3b1e9d063ad77472397ee913d61f064a98aa089f Mon Sep 17 00:00:00 2001 From: Matthew Pappas Date: Mon, 28 Oct 2024 19:54:42 -0700 Subject: [PATCH 16/19] update iam --- org.tf | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/org.tf b/org.tf index 0aafe4e..e5b5d1a 100644 --- a/org.tf +++ b/org.tf @@ -25,14 +25,14 @@ resource "aws_organizations_organization" "org" { # parent_id = each.value["ou_parent_id"] # } -resource "aws_organizations_policy" "scp" { - content = data.aws_iam_policy_document.scp.json - name = "FedModGovSCP" -} +# resource "aws_organizations_policy" "scp" { +# content = data.aws_iam_policy_document.scp.json +# name = "FedModGovSCP" +# } -resource "aws_organizations_policy_attachment" "scp" { - policy_id = aws_organizations_policy.scp.id - target_id = aws_organizations_organization.org.id -} +# resource "aws_organizations_policy_attachment" "scp" { +# policy_id = aws_organizations_policy.scp.id +# target_id = aws_organizations_organization.org.id +# } From 5c9f50c434ffda9241d872ebccb92d6bfbbf78bb Mon Sep 17 00:00:00 2001 
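Review bot: `aws_organizations_policy.scp` and `aws_organizations_policy_attachment.scp` are commented out rather than removed; they reference `data.aws_iam_policy_document.scp`, which [PATCH 14/19] deleted, so the commented block cannot be re-enabled by uncommenting and only misleads. Deleting the two resources (history keeps them) and, if SCP enforcement returns, reintroducing the policy document and the resources together would be cleaner. After this change the organization has no SCP attached at all, which the commit message `update iam` does not state; a short line in the description would make that explicit for anyone bisecting later.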
From: "github-actions[bot]" Date: Tue, 29 Oct 2024 02:55:19 +0000 Subject: [PATCH 17/19] terraform-docs: automated action --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index c9781a7..ef08425 100644 --- a/README.md +++ b/README.md @@ -103,8 +103,6 @@ No modules. | [aws_iam_role.aws_config_org_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organization) | resource | -| [aws_organizations_policy.scp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource | -| [aws_organizations_policy_attachment.scp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy_attachment) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | From 2b65f3cd9ec81a29d4cc9aeaeb59e9251710f2f9 Mon Sep 17 00:00:00 2001 From: Matthew Pappas Date: Mon, 4 Nov 2024 20:59:26 -0800 Subject: [PATCH 18/19] update var --- org.tf | 3 ++- variables.tf | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/org.tf b/org.tf index e5b5d1a..3b72e77 100644 --- a/org.tf +++ b/org.tf 
@@ -1,7 +1,8 @@ resource "aws_organizations_organization" "org" { aws_service_access_principals = var.service_access_principals - feature_set = var.feature_set + feature_set = var.feature_set + enabled_policy_types = var.enabled_policy_types } # resource "aws_organizations_delegated_administrator" "delegated_admin" { diff --git a/variables.tf b/variables.tf index 73ab5fe..7903b0c 100644 --- a/variables.tf +++ b/variables.tf @@ -22,6 +22,12 @@ variable "feature_set" { default = "ALL" } +variable "enabled_policy_types" { + description = "List of Organizations policy types to enable in the Organization Root. Organization must have feature_set set to ALL. For additional information about valid policy types (e.g., AISERVICES_OPT_OUT_POLICY, BACKUP_POLICY, SERVICE_CONTROL_POLICY, and TAG_POLICY)" + type = list(string) + default = [""] +} + # variable "delegated_admin_account_id" { # description = "The account ID number of the member account in the organization to register as a delegated administrator." # type = list(string) From 9d1d88f42f15f246a05ca2a6990514712c58e401 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Tue, 5 Nov 2024 05:00:17 +0000 Subject: [PATCH 19/19] terraform-docs: automated action --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index ef08425..14cb762 100644 --- a/README.md +++ b/README.md 
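Review bot: `default = [""]` is not a valid value for `enabled_policy_types`: the empty string is not an Organizations policy type, and the org.tf hunk above passes it straight through (`enabled_policy_types = var.enabled_policy_types`), so a plan using the default will be rejected instead of enabling nothing. Use `default = []` and add a `validation` block restricting entries to the types the description itself lists (AISERVICES_OPT_OUT_POLICY, BACKUP_POLICY, SERVICE_CONTROL_POLICY, TAG_POLICY), as below. The description also says the feature set must be ALL, yet the org.tf line sets the argument unconditionally; either document that `[]` is required with CONSOLIDATED_BILLING or guard it, e.g. `enabled_policy_types = var.feature_set == "ALL" ? var.enabled_policy_types : []`. The surrounding `variable "feature_set"` block ends before the hunk.
```hcl
variable "enabled_policy_types" {
  # … unchanged: description …
  type    = list(string)
  default = []

  validation {
    condition = alltrue([
      for t in var.enabled_policy_types : contains([
        "AISERVICES_OPT_OUT_POLICY",
        "BACKUP_POLICY",
        "SERVICE_CONTROL_POLICY",
        "TAG_POLICY",
      ], t)
    ])
    error_message = "enabled_policy_types entries must be one of AISERVICES_OPT_OUT_POLICY, BACKUP_POLICY, SERVICE_CONTROL_POLICY or TAG_POLICY."
  }
}
```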
@@ -113,6 +113,7 @@ No modules. |------|-------------|------|---------|:--------:| | [aws\_region](#input\_aws\_region) | n/a | `string` | n/a | yes | | [create\_org\_cloudtrail](#input\_create\_org\_cloudtrail) | True/False statement whether to enable AWS Cloudtrail in the Organization | `bool` | `false` | no | +| [enabled\_policy\_types](#input\_enabled\_policy\_types) | List of Organizations policy types to enable in the Organization Root. Organization must have feature\_set set to ALL. For additional information about valid policy types (e.g., AISERVICES\_OPT\_OUT\_POLICY, BACKUP\_POLICY, SERVICE\_CONTROL\_POLICY, and TAG\_POLICY) | `list(string)` |
[
""
]
| no | | [feature\_set](#input\_feature\_set) | Feature set to be used with Org and member accounts Specify ALL(default) or CONSOLIDATED\_BILLING. | `string` | `"ALL"` | no | | [org\_account\_name](#input\_org\_account\_name) | value to be used for the org account name | `string` | n/a | yes | | [resource\_prefix](#input\_resource\_prefix) | n/a | `string` | n/a | yes |