From fc3dc5d27c57d6e626060752bbd4b30525e8b205 Mon Sep 17 00:00:00 2001 From: Chris Gilmer Date: Tue, 6 Oct 2020 15:46:09 -0700 Subject: [PATCH 1/9] Update to tf 0.13 --- .pre-commit-config.yaml | 6 +++--- README.md | 6 +++--- versions.tf | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 07915bd..7c1b284 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -20,18 +20,18 @@ repos: - id: trailing-whitespace - repo: git://github.com/igorshubovych/markdownlint-cli - rev: v0.23.2 + rev: v0.24.0 hooks: - id: markdownlint - repo: git://github.com/antonbabenko/pre-commit-terraform - rev: v1.31.0 + rev: v1.43.0 hooks: - id: terraform_docs - id: terraform_fmt - repo: git://github.com/golangci/golangci-lint - rev: v1.30.0 + rev: v1.31.0 hooks: - id: golangci-lint diff --git a/README.md b/README.md index 9cfc36b..4d38a2b 100644 --- a/README.md +++ b/README.md @@ -89,14 +89,14 @@ module "github_terraform_aws_ou_scp" { | Name | Version | |------|---------| -| terraform | ~> 0.12.0 | -| aws | ~> 2.70 | +| terraform | ~> 0.13 | +| aws | ~> 3.0 | ## Providers | Name | Version | |------|---------| -| aws | ~> 2.70 | +| aws | ~> 3.0 | ## Inputs diff --git a/versions.tf b/versions.tf index d7ce6c1..2c74b44 100644 --- a/versions.tf +++ b/versions.tf @@ -1,7 +1,7 @@ terraform { - required_version = "~> 0.12.0" + required_version = "~> 0.13" required_providers { - aws = "~> 2.70" + aws = "~> 3.0" } } From 680fce2e719bc276e73be35f3e67799be1be6556 Mon Sep 17 00:00:00 2001 From: Chris Gilmer Date: Wed, 7 Oct 2020 09:44:22 -0700 Subject: [PATCH 2/9] Update versions.tf Co-authored-by: Elizabeth <1760850+eeeady@users.noreply.github.com> --- versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.tf b/versions.tf index 2c74b44..3d90e8d 100644 --- a/versions.tf +++ b/versions.tf 
@@ -1,5 +1,5 @@ terraform { - required_version = "~> 0.13" + required_version = ">= 0.12.7, < 0.14" required_providers { aws = "~> 3.0" From 5c11d849ea339daff3340bfa309d9d49b1a12ded Mon Sep 17 00:00:00 2001 From: Chris Gilmer Date: Wed, 7 Oct 2020 09:44:28 -0700 Subject: [PATCH 3/9] Update versions.tf Co-authored-by: Elizabeth <1760850+eeeady@users.noreply.github.com> --- versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.tf b/versions.tf index 3d90e8d..178df14 100644 --- a/versions.tf +++ b/versions.tf @@ -2,6 +2,6 @@ terraform { required_version = ">= 0.12.7, < 0.14" required_providers { - aws = "~> 3.0" + aws = ">= 2.68, < 4.0" } } From b82a1c9cc833f860b7ed7c5ab40c43de16c18a28 Mon Sep 17 00:00:00 2001 From: Chris Gilmer Date: Wed, 7 Oct 2020 09:45:23 -0700 Subject: [PATCH 4/9] Update readme --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 4d38a2b..8143bf9 100644 --- a/README.md +++ b/README.md @@ -89,14 +89,14 @@ module "github_terraform_aws_ou_scp" { | Name | Version | |------|---------| -| terraform | ~> 0.13 | -| aws | ~> 3.0 | +| terraform | >= 0.12.7, < 0.14 | +| aws | >= 2.68, < 4.0 | ## Providers | Name | Version | |------|---------| -| aws | ~> 3.0 | +| aws | >= 2.68, < 4.0 | ## Inputs From cea5d5b27c8366d4e1f52455a478628511bfa8bf Mon Sep 17 00:00:00 2001 From: Lee Hicks Date: Wed, 7 Oct 2020 22:15:37 +0000 Subject: [PATCH 5/9] Adding S3 KMS as encryption option for S3 SCP --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index ba190af..5397bbd 100644 --- a/main.tf +++ b/main.tf @@ -239,7 +239,7 @@ data "aws_iam_policy_document" "combined_policy_block" { condition { test = "StringNotEquals" variable = "s3:x-amz-server-side-encryption" - values = ["AES256"] + values = ["AES256", "aws:kms"] } } } From a8635ef608eb9c152e272138f660a62018a2d8b9 Mon Sep 17 00:00:00 2001 
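Review bot: Adding `aws:kms` to the `StringNotEquals` value set for `s3:x-amz-server-side-encryption` admits SSE-KMS under any key, including a key owned by another account, because nothing in the statement constrains `s3:x-amz-server-side-encryption-aws-kms-key-id`; if the intent is organisation-managed keys only, add a second `condition` on that key restricting it to the intended key ARNs. The change also loosens the policy for every consumer that relied on the AES256-only behaviour with no way to opt out; exposing the accepted values as a `list(string)` input defaulting to `["AES256", "aws:kms"]` keeps that choice with the caller and documents it. Because this is a negated operator, a PutObject that omits the header still matches and is denied, so nothing here changes the behaviour for bucket-default encryption — worth a one-line comment above the `condition`. The enclosing `combined_policy_block` data source starts and ends outside the hunk.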
From: Elizabeth Eady Date: Thu, 5 Nov 2020 14:46:13 -0800 Subject: [PATCH 6/9] Updating CircleCi config --- .circleci/config.yml | 65 ++++++++++++++++++++++++-------------------- 1 file changed, 36 insertions(+), 29 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index c783961..585b0bc 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -1,37 +1,44 @@ -version: 2.1 - -references: - circleci: &circleci trussworks/circleci:6986bb9022e5a83599feb66a7128a2d0fa12732a jobs: validate: docker: - - image: *circleci + - auth: + password: $DOCKER_PASSWORD + username: $DOCKER_USERNAME + image: trussworks/circleci:6986bb9022e5a83599feb66a7128a2d0fa12732a steps: - - checkout - - restore_cache: - keys: - - pre-commit-dot-cache-{{ checksum ".pre-commit-config.yaml" }} - - go-mod-sources-v1-{{ checksum "go.sum" }}-{{ checksum "scripts/check-go-version" }} - - run: - name: Adding go binaries to $PATH - command: | - echo 'export PATH=${PATH}:~/go/bin' >> $BASH_ENV - source $BASH_ENV - - run: go get github.com/jstemmer/go-junit-report - - run: - name: Run pre-commit - command: pre-commit run --all-files - - save_cache: - key: pre-commit-dot-cache-{{ checksum ".pre-commit-config.yaml" }} - paths: - - ~/.cache/pre-commit - - save_cache: - key: go-mod-sources-v1-{{ checksum "go.sum" }}-{{ checksum "scripts/check-go-version" }} - paths: - - "~/go/pkg/mod" + - checkout + - restore_cache: + keys: + - pre-commit-dot-cache-{{ checksum ".pre-commit-config.yaml" }} + - go-mod-sources-v1-{{ checksum "go.sum" }}-{{ checksum "scripts/check-go-version" + }} + - run: + command: 'echo ''export PATH=${PATH}:~/go/bin'' >> $BASH_ENV + + source $BASH_ENV + ' + name: Adding go binaries to $PATH + - run: go get github.com/jstemmer/go-junit-report + - run: + command: pre-commit run --all-files + name: Run pre-commit + - save_cache: + key: pre-commit-dot-cache-{{ checksum ".pre-commit-config.yaml" }} + paths: + - ~/.cache/pre-commit + - save_cache: + key: go-mod-sources-v1-{{ checksum "go.sum" }}-{{ checksum "scripts/check-go-version" + }} + paths: + - ~/go/pkg/mod +references: + circleci: trussworks/circleci:6986bb9022e5a83599feb66a7128a2d0fa12732a +version: 2.1 workflows: - version: 2.1 validate: jobs: - - validate + - validate: + context: + - org-global + version: 2.1 
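Review bot: The `image:` under `validate.docker` is pinned to a Docker Hub tag (`trussworks/circleci:6986bb90…`), and tags are mutable, so an authenticated pull is still only as reproducible as whoever can push that tag; pin by digest, `image: trussworks/circleci@sha256:…`, and keep the tag in a comment for readability. The `references: circleci:` mapping left at the bottom is dead after this change — the `*circleci` alias it fed is gone and nothing reads it — and the alphabetised keys plus the `'echo ''export …'''` quoting suggest the file was round-tripped through a YAML dumper, so hand-restoring the original anchor (`circleci: &circleci …` / `image: *circleci`) or dropping the block would keep the diff reviewable. `go get github.com/jstemmer/go-junit-report` on the new side is still unpinned, so each run resolves whatever the module proxy returns; pin it to a release tag (`…/go-junit-report@vX.Y.Z`). The `org-global` context now supplies `$DOCKER_USERNAME`/`$DOCKER_PASSWORD` to this job; if the repository accepts forked pull requests, confirm that CircleCI's "pass secrets to builds from forked pull requests" setting is off so the context never reaches fork-submitted jobs.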
From ff3919b07b8da8e1710162c2a8c747b6ee76f097 Mon Sep 17 00:00:00 2001 From: Marko Bevc Date: Mon, 4 Jan 2021 15:08:02 +0000 Subject: [PATCH 7/9] Fix README typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8143bf9..80cb9c5 100644 --- a/README.md +++ b/README.md @@ -51,7 +51,7 @@ module "github_terraform_aws_ou_scp" { ] # don't allow public access to bucket - deny_s3_bucket_public_access = true + deny_s3_buckets_public_access = true deny_s3_bucket_public_access_resources = [ "arn:aws:s3:::log-delivery-august-2020" ] From b9e17488e27cb4a4ba5e6a64252036c1aaa3a587 Mon Sep 17 00:00:00 2001 From: Marko Bevc Date: Tue, 5 Jan 2021 15:54:51 +0000 Subject: [PATCH 8/9] Add resource tags --- README.md | 8 +++++++- main.tf | 4 +++- variables.tf | 8 +++++++- 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 80cb9c5..a5ea25d 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ Supports two main use cases: -* Combines multiple Service Control Policy (SCP) statements based on the policies defined in [`terraform-aws-org-scp`](https://github.com/trussworks/terraform-aws-org-scp). Combining multiple policy statements into a single policy allows more than 5 policies to be be applied to a single Organizational Unit (OU). +* Combines multiple Service Control Policy (SCP) statements - based on the module [`terraform-aws-org-scp`](https://github.com/trussworks/terraform-aws-org-scp) (_deprecated_). Combining multiple policy statements into a single policy allows more than 5 policies to be be applied to a single Organizational Unit (OU). * Alternatively, creates a "Deny All Access" Service Control Policy. Alternatively, enables creation of a "Deny All Access" Service Control Policy. @@ -69,6 +69,11 @@ module "github_terraform_aws_ou_scp" { # require s3 objects be encrypted require_s3_encryption = true + + # SCP policy tags + tags = { + managed_by = "terraform" + } } ``` 
@@ -119,6 +124,7 @@ module "github_terraform_aws_ou_scp" { | protect\_s3\_buckets | ProtectS3Buckets in the OU policy. | `bool` | `false` | no | | require\_s3\_encryption | DenyIncorrectEncryptionHeader and DenyUnEncryptedObjectUploads in the OU policy | `bool` | `false` | no | | target | OU resource to attach SCP |
object({
name = string
id = string
})
| n/a | yes | +| tags | Tags to attach to the SCP policy resource | `map(string)` |
[]
| no | ## Outputs diff --git a/main.tf b/main.tf index 5397bbd..9477ffe 100644 --- a/main.tf +++ b/main.tf @@ -279,9 +279,11 @@ resource "aws_organizations_policy" "generated" { name = "${var.target.name}-generated-ou-scp" description = "${var.target.name} SCP generated by ou-scp module" content = var.deny_all ? data.aws_iam_policy_document.deny_all_access.json : data.aws_iam_policy_document.combined_policy_block.json + + tags = var.tags } resource "aws_organizations_policy_attachment" "generated" { policy_id = aws_organizations_policy.generated.id target_id = var.target.id -} \ No newline at end of file +} diff --git a/variables.tf b/variables.tf index 8b6f6e7..fb93a53 100644 --- a/variables.tf +++ b/variables.tf @@ -104,4 +104,10 @@ variable "allowed_regions" { description = "AWS Regions allowed for use (for use with the restrict regions SCP)" type = list(string) default = [""] -} \ No newline at end of file +} + +variable "tags" { + description = "Tags applied to the SCP policy" + type = map(string) + default = [] +} From 0a869ba1f7eae0b5eaccd9afc18ddd0fea66cd1e Mon Sep 17 00:00:00 2001 From: Marko Bevc Date: Wed, 6 Jan 2021 09:27:34 +0000 Subject: [PATCH 9/9] Fix incorrect default value --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index fb93a53..848d72a 100644 --- a/variables.tf +++ b/variables.tf @@ -109,5 +109,5 @@ variable "allowed_regions" { variable "tags" { description = "Tags applied to the SCP policy" type = map(string) - default = [] + default = {} }