enhance(modular): handle deprecated resources and fix warnings (#20)
jose-pablo-camacho authored Oct 17, 2024
1 parent 8cca4ab commit c583b0d
Showing 4 changed files with 51 additions and 20 deletions.
18 changes: 13 additions & 5 deletions modules/agentless-scanning/main.tf
Expand Up @@ -70,7 +70,7 @@ resource "aws_iam_role" "scanning_stackset_admin_role" {
name = "AWSCloudFormationStackSetAdministrationRoleForScanning"
tags = var.tags

assume_role_policy = <<EOF
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
Expand All @@ -84,7 +84,12 @@ resource "aws_iam_role" "scanning_stackset_admin_role" {
]
}
EOF
managed_policy_arns = ["arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"]
}

resource "aws_iam_role_policy_attachments_exclusive" "scanning_stackset_admin_role_managed_policy" {
count = !var.auto_create_stackset_roles ? 0 : 1
role_name = aws_iam_role.scanning_stackset_admin_role[0].id
policy_arns = ["arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"]
}

resource "aws_iam_role_policy" "scanning_stackset_admin_role_policy" {
Expand Down Expand Up @@ -135,9 +140,12 @@ resource "aws_iam_role" "scanning_stackset_execution_role" {
]
}
EOF
managed_policy_arns = [
"arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"
]
}

resource "aws_iam_role_policy_attachments_exclusive" "scanning_stackset_execution_role_managed_policy" {
count = !var.auto_create_stackset_roles ? 0 : 1
role_name = aws_iam_role.scanning_stackset_execution_role[0].id
policy_arns = ["arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"]
}

resource "aws_iam_role_policy" "scanning_stackset_execution_role_policy" {
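Review bot: The two new `aws_iam_role_policy_attachments_exclusive` resources (`scanning_stackset_admin_role_managed_policy`, `scanning_stackset_execution_role_managed_policy`) take exclusive ownership of the roles' managed-policy attachments, so any policy attached to these roles outside this module is detached on the next apply; that is a stricter contract than the removed `managed_policy_arns` and should be stated above each resource, e.g. `# Exclusive: managed policies attached to this role outside Terraform are detached on apply.` The same comment belongs on the equivalent resources in config-posture, event-bridge and onboarding. The `count = !var.auto_create_stackset_roles ? 0 : 1` expression reads more directly as `count = var.auto_create_stackset_roles ? 1 : 0`; keep whichever form the role resources themselves use, since their own `count` lines are outside the hunk. This resource type exists only in recent AWS provider releases, so if the module's `required_providers` constraint is not raised elsewhere (none of the four changed files is a versions file), a pinned older provider will fail at plan time.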
14 changes: 10 additions & 4 deletions modules/config-posture/main.tf
Expand Up @@ -18,9 +18,9 @@ data "sysdig_secure_tenant_external_id" "external_id" {}
# Since this is not an Organizational deploy, create role/polices directly
#----------------------------------------------------------
resource "aws_iam_role" "cspm_role" {
name = local.config_posture_role_name
tags = var.tags
assume_role_policy = <<EOF
name = local.config_posture_role_name
tags = var.tags
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
Expand All @@ -40,7 +40,13 @@ resource "aws_iam_role" "cspm_role" {
]
}
EOF
managed_policy_arns = ["arn:aws:iam::aws:policy/SecurityAudit"]
}

resource "aws_iam_role_policy_attachments_exclusive" "cspm_role_managed_policy" {
role_name = aws_iam_role.cspm_role.id
policy_arns = [
"arn:aws:iam::aws:policy/SecurityAudit"
]
}

resource "aws_iam_role_policy" "cspm_role_policy" {
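Review bot: `aws_iam_role_policy_attachments_exclusive.cspm_role_managed_policy` governs managed-policy attachments only; the inline policy created by `aws_iam_role_policy.cspm_role_policy` directly below is outside its scope, and inline policies added to the role out of band are not removed by it (that would need the separate `aws_iam_role_policies_exclusive` resource). A one-line comment above the resource would stop readers from assuming the role is fully locked down, e.g. `# Covers managed-policy attachments only; inline policies (aws_iam_role_policy below) are not governed here.` Also, `policy_arns` is written as a multi-line list here but as a one-liner in agentless-scanning; worth aligning the formatting across the four modules.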
18 changes: 15 additions & 3 deletions modules/integrations/event-bridge/main.tf
Expand Up @@ -59,7 +59,7 @@ resource "aws_iam_role" "event_bus_stackset_admin_role" {
name = "AWSCloudFormationStackSetAdministrationRoleForEB"
tags = var.tags

assume_role_policy = <<EOF
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
Expand All @@ -73,7 +73,14 @@ resource "aws_iam_role" "event_bus_stackset_admin_role" {
]
}
EOF
managed_policy_arns = ["arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"]
}

resource "aws_iam_role_policy_attachments_exclusive" "event_bus_stackset_admin_role_managed_policy" {
count = !var.auto_create_stackset_roles ? 0 : 1
role_name = aws_iam_role.event_bus_stackset_admin_role[0].id
policy_arns = [
"arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"
]
}

#-----------------------------------------------------------------------------------------------------------------------------------------
Expand Down Expand Up @@ -105,7 +112,12 @@ resource "aws_iam_role" "event_bus_stackset_execution_role" {
]
}
EOF
managed_policy_arns = [
}

resource "aws_iam_role_policy_attachments_exclusive" "event_bus_stackset_execution_role_managed_policy" {
count = !var.auto_create_stackset_roles ? 0 : 1
role_name = aws_iam_role.event_bus_stackset_execution_role[0].id
policy_arns = [
"arn:aws:iam::aws:policy/AWSCloudFormationFullAccess",
"arn:aws:iam::aws:policy/AmazonEventBridgeFullAccess"
]
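Review bot: `event_bus_stackset_execution_role_managed_policy` carries over both `AWSCloudFormationFullAccess` and `AmazonEventBridgeFullAccess` from the removed `managed_policy_arns` without recording why the execution role needs two full-access managed policies; a short comment above `policy_arns` would keep the scope reviewable, e.g. `# Both full-access policies are inherited from the previous managed_policy_arns; minimal scope still to be reviewed.` The resource's closing brace is outside the hunk. The `count` guard on both new resources follows the same admin/execution pattern as agentless-scanning, so the double-negation remark made there applies here as well.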
21 changes: 13 additions & 8 deletions modules/onboarding/main.tf
Expand Up @@ -43,23 +43,28 @@ resource "aws_iam_role" "onboarding_role" {
]
}
EOF
managed_policy_arns = compact([
"arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess",
var.is_organizational ? "arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess" : ""
])

lifecycle {
ignore_changes = [tags]
}
}

resource "aws_iam_role_policy_attachments_exclusive" "onboarding_role_managed_policy" {
role_name = aws_iam_role.onboarding_role.id
policy_arns = compact([
"arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess",
var.is_organizational ? "arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess" : ""
])
}

data "aws_caller_identity" "current" {}

resource "sysdig_secure_cloud_auth_account" "cloud_auth_account" {
enabled = true
provider_id = data.aws_caller_identity.current.account_id
provider_type = "PROVIDER_AWS"
provider_alias = var.account_alias
enabled = true
provider_id = data.aws_caller_identity.current.account_id
provider_type = "PROVIDER_AWS"
provider_alias = var.account_alias
regulatory_framework = "REGULATORY_FRAMEWORK_UNSPECIFIED"

component {
type = "COMPONENT_TRUSTED_ROLE"
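Review bot: The conditional attachment in `onboarding_role_managed_policy` relies on `compact()` with an empty-string sentinel to drop `AWSOrganizationsReadOnlyAccess` for non-organizational deploys, which hides the intent; `concat` with a conditional list expresses it directly and avoids the sentinel: `policy_arns = concat(["arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess"], var.is_organizational ? ["arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess"] : [])`. Either way, a comment such as `# Organizations read access is presumably only needed for organizational onboarding (var.is_organizational) — confirm.` would document the privilege boundary. Because the resource is exclusive, switching `var.is_organizational` to false detaches the Organizations policy on the next apply, which is worth stating so operators are not surprised by the plan.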
