diff --git a/.circleci/config.yml b/.circleci/config.yml
index e110be0..d2320bb 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -37,7 +37,6 @@ jobs:
 - ~/go/pkg/mod
 references:
 circleci: trussworks/circleci:6986bb9022e5a83599feb66a7128a2d0fa12732a
-version: 2.1
 workflows:
 validate:
 jobs:
diff --git a/README.md b/README.md
index eadbf8b..bc94e62 100644
--- a/README.md
+++ b/README.md
@@ -94,43 +94,54 @@ module "github_terraform_aws_ou_scp" {
 | Name | Version |
 |------|---------|
-| terraform | >= 0.13.0 |
-| aws | >= 3.0 |
+| [terraform](#requirement\_terraform) | >= 0.13.0 |
+| [aws](#requirement\_aws) | >= 3.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| aws | >= 3.0 |
+| [aws](#provider\_aws) | >= 3.0 |
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_organizations_policy.generated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
+| [aws_organizations_policy_attachment.generated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy_attachment) | resource |
+| [aws_iam_policy_document.combined_policy_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.deny_all_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| allowed\_regions | AWS Regions allowed for use (for use with the restrict regions SCP) | `list(string)` |
[| no | -| deny\_all | If false, create a combined policy. If true, deny all access | `bool` | `false` | no | -| deny\_creating\_iam\_users | DenyCreatingIAMUsers in the OU policy. | `bool` | `false` | no | -| deny\_deleting\_cloudwatch\_logs | DenyDeletingCloudwatchLogs in the OU policy. | `bool` | `false` | no | -| deny\_deleting\_kms\_keys | DenyDeletingKMSKeys in the OU policy. | `bool` | `false` | no | -| deny\_deleting\_route53\_zones | DenyDeletingRoute53Zones in the OU policy. | `bool` | `false` | no | -| deny\_leaving\_orgs | DenyLeavingOrgs in the OU policy. | `bool` | `false` | no | -| deny\_root\_account | DenyRootAccount in the OU policy. | `bool` | `false` | no | -| deny\_s3\_bucket\_public\_access\_resources | S3 bucket resource ARNs to block public access | `list(string)` |
""
]
[| no | -| deny\_s3\_buckets\_public\_access | DenyS3BucketsPublicAccess in the OU policy. | `bool` | `false` | no | -| limit\_regions | LimitRegions in the OU policy. | `bool` | `false` | no | -| protect\_iam\_role\_resources | IAM role resource ARNs to protect from modification and deletion | `list(string)` |
""
]
[| no | -| protect\_iam\_roles | ProtectIAMRoles in the OU policy. | `bool` | `false` | no | -| protect\_s3\_bucket\_resources | S3 bucket resource ARNs to protect from bucket and object deletion | `list(string)` |
""
]
[| no | -| protect\_s3\_buckets | ProtectS3Buckets in the OU policy. | `bool` | `false` | no | -| require\_s3\_encryption | DenyIncorrectEncryptionHeader and DenyUnEncryptedObjectUploads in the OU policy | `bool` | `false` | no | -| target | OU resource to attach SCP |
""
]
object({| n/a | yes | -| tags | Tags to attach to the SCP policy resource | `map(string)` |
name = string
id = string
})
[]| no | +| [allowed\_regions](#input\_allowed\_regions) | AWS Regions allowed for use (for use with the restrict regions SCP) | `list(string)` |
[| no | +| [deny\_all](#input\_deny\_all) | If false, create a combined policy. If true, deny all access | `bool` | `false` | no | +| [deny\_creating\_iam\_users](#input\_deny\_creating\_iam\_users) | DenyCreatingIAMUsers in the OU policy. | `bool` | `false` | no | +| [deny\_deleting\_cloudwatch\_logs](#input\_deny\_deleting\_cloudwatch\_logs) | DenyDeletingCloudwatchLogs in the OU policy. | `bool` | `false` | no | +| [deny\_deleting\_kms\_keys](#input\_deny\_deleting\_kms\_keys) | DenyDeletingKMSKeys in the OU policy. | `bool` | `false` | no | +| [deny\_deleting\_route53\_zones](#input\_deny\_deleting\_route53\_zones) | DenyDeletingRoute53Zones in the OU policy. | `bool` | `false` | no | +| [deny\_leaving\_orgs](#input\_deny\_leaving\_orgs) | DenyLeavingOrgs in the OU policy. | `bool` | `false` | no | +| [deny\_root\_account](#input\_deny\_root\_account) | DenyRootAccount in the OU policy. | `bool` | `false` | no | +| [deny\_s3\_bucket\_public\_access\_resources](#input\_deny\_s3\_bucket\_public\_access\_resources) | S3 bucket resource ARNs to block public access | `list(string)` |
""
]
[| no | +| [deny\_s3\_buckets\_public\_access](#input\_deny\_s3\_buckets\_public\_access) | DenyS3BucketsPublicAccess in the OU policy. | `bool` | `false` | no | +| [limit\_regions](#input\_limit\_regions) | LimitRegions in the OU policy. | `bool` | `false` | no | +| [protect\_iam\_role\_resources](#input\_protect\_iam\_role\_resources) | IAM role resource ARNs to protect from modification and deletion | `list(string)` |
""
]
[| no | +| [protect\_iam\_roles](#input\_protect\_iam\_roles) | ProtectIAMRoles in the OU policy. | `bool` | `false` | no | +| [protect\_s3\_bucket\_resources](#input\_protect\_s3\_bucket\_resources) | S3 bucket resource ARNs to protect from bucket and object deletion | `list(string)` |
""
]
[| no | +| [protect\_s3\_buckets](#input\_protect\_s3\_buckets) | ProtectS3Buckets in the OU policy. | `bool` | `false` | no | +| [require\_s3\_encryption](#input\_require\_s3\_encryption) | DenyIncorrectEncryptionHeader and DenyUnEncryptedObjectUploads in the OU policy | `bool` | `false` | no | +| [tags](#input\_tags) | Tags applied to the SCP policy | `map(string)` | `{}` | no | +| [target](#input\_target) | OU resource to attach SCP |
""
]
object({| n/a | yes |
 ## Outputs
-No output.
-
+No outputs.
 ## Developer Setup
diff --git a/main.tf b/main.tf
index f5f95ff..2fd8110 100644
--- a/main.tf
+++ b/main.tf
@@ -201,18 +201,48 @@ data "aws_iam_policy_document" "combined_policy_block" {
 # These actions do not operate in a specific region, or only run in
 # a single region, so we don't want to try restricting them by region.
+ # List of actions can be found in the following example:
+ # https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html
 not_actions = [
+ "a4b:*",
 "access-analyzer:*",
- "iam:*",
- "organizations:*",
- "route53:*",
+ "acm:*",
+ "aws-marketplace-management:*",
+ "aws-marketplace:*",
+ "aws-portal:*",
 "budgets:*",
- "waf:*",
+ "ce:*",
+ "chime:*",
 "cloudfront:*",
+ "config:*",
+ "cur:*",
+ "directconnect:*",
+ "ec2:DescribeRegions",
+ "ec2:DescribeTransitGateways",
+ "ec2:DescribeVpnGateways",
+ "fms:*",
 "globalaccelerator:*",
+ "health:*",
+ "iam:*",
 "importexport:*",
+ "kms:*",
+ "mobileanalytics:*",
+ "networkmanager:*",
+ "organizations:*",
+ "pricing:*",
+ "route53:*",
+ "route53domains:*",
+ "s3:GetAccountPublic*",
+ "s3:ListAllMyBuckets",
+ "s3:PutAccountPublic*",
+ "shield:*",
+ "sts:*",
 "support:*",
- "sts:*"
+ "trustedadvisor:*",
+ "waf-regional:*",
+ "waf:*",
+ "wafv2:*",
+ "wellarchitected:*"
 ]
 resources = ["*"]
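Review bot: `kms:*` and `config:*` in the new `not_actions` list exempt regional services from the region restriction, so KMS keys and AWS Config resources can still be created and used outside `allowed_regions`, and the hunk records only that the list comes from the AWS example, not that this trade-off was accepted. If mirroring the example is the intent, say so beside those entries, e.g. `# kms/config are regional services kept from the AWS example; narrow these if keys must stay in allowed_regions`. The linked example is revised by AWS over time, so a dated marker such as `# list copied from the AWS example as of <DATE-PLACEHOLDER>` next to the URL would make later drift detectable during review. The enclosing `data "aws_iam_policy_document" "combined_policy_block"` and its statement begin and end outside the hunk.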
name = string
id = string
})