fix(agentless-scanning): stackset service roles
cgeers committed Nov 12, 2024
1 parent 88f261e commit 5e10459
Showing 2 changed files with 3 additions and 28 deletions.
27 changes: 3 additions & 24 deletions modules/agentless-scanning/main.tf
Expand Up @@ -74,7 +74,7 @@ resource "random_id" "suffix" {
resource "aws_iam_role" "scanning_stackset_admin_role" {
count = !var.auto_create_stackset_roles ? 0 : 1

name = "AWSCloudFormationStackSetAdministrationRoleForScanning"
name = "${local.scanning_resource_name}-AdministrationRole"
tags = var.tags

assume_role_policy = <<EOF
Expand All @@ -93,25 +93,6 @@ resource "aws_iam_role" "scanning_stackset_admin_role" {
EOF
}

resource "aws_iam_role_policy" "scanning_stackset_admin_role_policy" {
count = !var.auto_create_stackset_roles ? 0 : 1

name_prefix = "AssumeExecutionRole"
role = aws_iam_role.scanning_stackset_admin_role[0].id
policy = jsonencode({
Statement = [
{
Sid = "AssumeExecutionRole"
Action = [
"sts:AssumeRole",
]
Effect = "Allow"
Resource = "arn:aws:iam:::role/${local.scanning_resource_name}-ExecutionRole"
},
]
})
}

#-----------------------------------------------------------------------------------------------------------------------------------------
# Self-managed stacksets require pair of StackSetAdministrationRole & StackSetExecutionRole IAM roles with self-managed permissions.
#
Expand All @@ -133,10 +114,9 @@ resource "aws_iam_role" "scanning_stackset_execution_role" {
{
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::${local.account_id}:role/${aws_iam_role.scanning_stackset_admin_role[0].name}"
"AWS": "${aws_iam_role.scanning_stackset_admin_role[0].arn}"
},
"Effect": "Allow",
"Condition": {}
"Effect": "Allow"
}
]
}
Expand Down Expand Up @@ -324,7 +304,6 @@ TEMPLATE

depends_on = [
aws_iam_role.scanning_stackset_admin_role,
aws_iam_role_policy.scanning_stackset_admin_role_policy,
aws_iam_role.scanning_stackset_execution_role,
]
}
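Review bot: Deleting aws_iam_role_policy.scanning_stackset_admin_role_policy in the second hunk leaves scanning_stackset_admin_role with no sts:AssumeRole grant visible in this diff, so unless an attachment outside these hunks supplies it, the stack set will fail with an access-denied error the moment the admin role tries to assume the execution role in a target account. If the grant is meant to live elsewhere, keep it scoped to the execution role name pattern across member accounts rather than `*`, e.g. `Resource = "arn:aws:iam::*:role/${local.scanning_resource_name}-ExecutionRole"`, since this role is the pivot into every account the stack set reaches. Separately, the rename in the first hunk replaces the admin role (an IAM role name cannot be changed in place) and a recreated role gets a new unique id; the trust policy in the third hunk follows the new ARN through Terraform, but execution roles already deployed in member accounts from the template body (outside this diff) would stop working until their stack instances are updated, because a stored principal resolves to the deleted role's unique id rather than to its successor. That rollout is worth confirming in the commit description before the old role is considered retired; the resource blocks touched by the first and third hunks both continue outside the hunk.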
4 changes: 0 additions & 4 deletions modules/agentless-scanning/organizational.tf
Expand Up @@ -40,10 +40,6 @@ resource "aws_cloudformation_stack_set" "ou_resources_stackset" {
retain_stacks_on_account_removal = false
}

lifecycle {
ignore_changes = [administration_role_arn]
}

template_body = <<TEMPLATE
Resources:
ScanningRole:
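Review bot: With the ignore_changes on administration_role_arn dropped, Terraform now reconciles the stack set's administration role against the module's own admin role, which is the right direction for drift control (a manual repoint at a different, possibly broader role would be reverted on the next apply), but it also means the admin role rename in main.tf rolls through here as a stack set update on the same apply, which appears to be an in-place update rather than a replacement. Nothing in the hunk records why the override existed or why it is safe to remove now; a one-line comment beside administration_role_arn (outside this hunk, in the part of ou_resources_stackset that begins before it) such as `# administration_role_arn is managed here so a rename or replacement of the admin role propagates to the stack set` would keep the next maintainer from re-adding the ignore.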
