Merge branch 'master' into am-updating-version-restraints-and-cleanup

.circleci/config.yml

@@ -7,32 +7,41 @@ jobs:
           password: $DOCKER_PASSWORD
           username: $DOCKER_USERNAME
       - image: trussworks/circleci:efb1042e31538677779971798e0912390f699e72
+
     steps:
-      - checkout
-      - restore_cache:
-          keys:
-            - pre-commit-dot-cache-{{ checksum ".pre-commit-config.yaml" }}
-            - go-mod-sources-v1-{{ checksum "go.sum" }}-{{ checksum "scripts/check-go-version" }}
-      - run:
-          name: Adding go binaries to $PATH
-          command: |
-            echo 'export PATH=${PATH}:~/go/bin' >> $BASH_ENV
-            source $BASH_ENV
-      - run: go get github.com/jstemmer/go-junit-report
-      - run:
-          name: Run pre-commit
-          command: pre-commit run --all-files
-      - save_cache:
-          key: pre-commit-dot-cache-{{ checksum ".pre-commit-config.yaml" }}
-          paths:
-            - ~/.cache/pre-commit
-      - save_cache:
-          key: go-mod-sources-v1-{{ checksum "go.sum" }}-{{ checksum "scripts/check-go-version" }}
-          paths:
-            - "~/go/pkg/mod"
+    - checkout
+    - restore_cache:
+        keys:
+        - pre-commit-dot-cache-{{ checksum ".pre-commit-config.yaml" }}
+        - go-mod-sources-v1-{{ checksum "go.sum" }}-{{ checksum "scripts/check-go-version"
+          }}
+    - run:
+        command: 'echo ''export PATH=${PATH}:~/go/bin'' >> $BASH_ENV
+
+          source $BASH_ENV
 
+          '
+        name: Adding go binaries to $PATH
+    - run: go get github.com/jstemmer/go-junit-report
+    - run:
+        command: pre-commit run --all-files
+        name: Run pre-commit
+    - save_cache:
+        key: pre-commit-dot-cache-{{ checksum ".pre-commit-config.yaml" }}
+        paths:
+        - ~/.cache/pre-commit
+    - save_cache:
+        key: go-mod-sources-v1-{{ checksum "go.sum" }}-{{ checksum "scripts/check-go-version"
+          }}
+        paths:
+        - ~/go/pkg/mod
+references:
+  circleci: trussworks/circleci:6986bb9022e5a83599feb66a7128a2d0fa12732a
+version: 2.1
 workflows:
-  version: 2.1
   validate:
     jobs:
-      - validate
+    - validate:
+        context:
+        - org-global
+  version: 2.1

.pre-commit-config.yaml

@@ -21,17 +21,20 @@ repos:
 
   - repo: git://github.com/igorshubovych/markdownlint-cli
     rev: v0.26.0
+
     hooks:
       - id: markdownlint
 
   - repo: git://github.com/antonbabenko/pre-commit-terraform
     rev: v1.45.0
+
     hooks:
       - id: terraform_docs
       - id: terraform_fmt
 
   - repo: git://github.com/golangci/golangci-lint
     rev: v1.33.0
+
     hooks:
       - id: golangci-lint
 

README.md

@@ -2,7 +2,7 @@
 
 Supports two main use cases:
 
-* Combines multiple Service Control Policy (SCP) statements based on the policies defined in [`terraform-aws-org-scp`](https://github.com/trussworks/terraform-aws-org-scp). Combining multiple policy statements into a single policy allows more than 5 policies to be be applied to a single Organizational Unit (OU).
+* Combines multiple Service Control Policy (SCP) statements - based on the module [`terraform-aws-org-scp`](https://github.com/trussworks/terraform-aws-org-scp) (_deprecated_). Combining multiple policy statements into a single policy allows more than 5 policies to be be applied to a single Organizational Unit (OU).
 * Alternatively, creates a "Deny All Access" Service Control Policy.
 
  Alternatively, enables creation of a "Deny All Access" Service Control Policy.
@@ -51,7 +51,7 @@ module "github_terraform_aws_ou_scp" {
   ]
 
   # don't allow public access to bucket
-  deny_s3_bucket_public_access = true
+  deny_s3_buckets_public_access = true
   deny_s3_bucket_public_access_resources = [
     "arn:aws:s3:::log-delivery-august-2020"
   ]
@@ -69,6 +69,11 @@ module "github_terraform_aws_ou_scp" {
 
   # require s3 objects be encrypted
   require_s3_encryption = true
+
+  # SCP policy tags
+  tags = {
+    managed_by = "terraform"
+  }
 }
 ```
 
@@ -98,6 +103,7 @@ module "github_terraform_aws_ou_scp" {
 |------|---------|
 | aws | >= 3.0 |
 
+
 ## Inputs
 
 | Name | Description | Type | Default | Required |
@@ -119,6 +125,7 @@ module "github_terraform_aws_ou_scp" {
 | protect\_s3\_buckets | ProtectS3Buckets in the OU policy. | `bool` | `false` | no |
 | require\_s3\_encryption | DenyIncorrectEncryptionHeader and DenyUnEncryptedObjectUploads in the OU policy | `bool` | `false` | no |
 | target | OU resource to attach SCP | <pre>object({<br>    name = string<br>    id   = string<br>  })</pre> | n/a | yes |
+| tags | Tags to attach to the SCP policy resource | `map(string)` | <pre>[]</pre> | no |
 
 ## Outputs
 

main.tf

@@ -239,7 +239,7 @@ data "aws_iam_policy_document" "combined_policy_block" {
       condition {
         test     = "StringNotEquals"
         variable = "s3:x-amz-server-side-encryption"
-        values   = ["AES256"]
+        values   = ["AES256", "aws:kms"]
       }
     }
   }
@@ -279,9 +279,11 @@ resource "aws_organizations_policy" "generated" {
   name        = "${var.target.name}-generated-ou-scp"
   description = "${var.target.name} SCP generated by ou-scp module"
   content     = var.deny_all ? data.aws_iam_policy_document.deny_all_access.json : data.aws_iam_policy_document.combined_policy_block.json
+
+  tags = var.tags
 }
 
 resource "aws_organizations_policy_attachment" "generated" {
   policy_id = aws_organizations_policy.generated.id
   target_id = var.target.id
-}
+}

variables.tf

@@ -104,4 +104,10 @@ variable "allowed_regions" {
   description = "AWS Regions allowed for use (for use with the restrict regions SCP)"
   type        = list(string)
   default     = [""]
-}
+}
+
+variable "tags" {
+  description = "Tags applied to the SCP policy"
+  type        = map(string)
+  default     = {}
+}