diff --git a/modules/aws/identity/github-actions-role/main.tf b/modules/aws/identity/github-actions-role/main.tf
index f2992c7..554bf9a 100644
--- a/modules/aws/identity/github-actions-role/main.tf
+++ b/modules/aws/identity/github-actions-role/main.tf
@@ -1,3 +1,5 @@
+data "aws_caller_identity" "current" {}
+
 resource "aws_iam_role" "this" {
 name = var.name
 assume_role_policy = data.aws_iam_policy_document.assume_role.json
diff --git a/modules/aws/identity/github-actions-role/oidc.tf b/modules/aws/identity/github-actions-role/oidc.tf
index d8968ea..c00c069 100644
--- a/modules/aws/identity/github-actions-role/oidc.tf
+++ b/modules/aws/identity/github-actions-role/oidc.tf
@@ -1,6 +1,6 @@
 data "aws_iam_openid_connect_provider" "github" {
 count = var.create_openid_connect_provider ? 0 : 1
- url = "https://token.actions.githubusercontent.com"
+ arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
 }
 
 data "tls_certificate" "github" {
diff --git a/modules/aws/security/cloudformation-stackset/main.tf b/modules/aws/security/cloudformation-stackset/main.tf
new file mode 100644
index 0000000..5cc09be
--- /dev/null
+++ b/modules/aws/security/cloudformation-stackset/main.tf
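Review bot: The ARN built on the `+ arn = ...` line in oidc.tf hard-codes the `aws` partition, so the lookup fails in the GovCloud and China partitions even though the account ID is now resolved dynamically. Since the commit already adds `data "aws_caller_identity" "current"` for exactly this purpose, the partition can be resolved the same way: add `data "aws_partition" "current" {}` beside it and use `arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"`. Because the data source is created with `count`, every reference to it elsewhere in the module must index `[0]`; those references, and the role's trust policy (`data.aws_iam_policy_document.assume_role`, whose `sub`/`aud` conditions are the security-relevant part of this module), are outside these hunks and could not be checked here.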
@@ -0,0 +1,36 @@
+resource "aws_cloudformation_stack_set" "this" {
+ name = var.name
+ description = var.description
+ capabilities = var.capabilities
+ permission_model = "SERVICE_MANAGED"
+
+ template_body = var.template_body
+ template_url = var.template_url
+ parameters = var.parameters
+
+ auto_deployment {
+ enabled = true
+ }
+
+ tags = var.tags_all
+}
+
+resource "aws_cloudformation_stack_set_instance" "accounts" {
+ count = length(var.target_accounts) > 0 ? 1 : 0
+
+ stack_set_name = aws_cloudformation_stack_set.this.name
+
+ deployment_targets {
+ accounts = var.target_accounts
+ }
+}
+
+resource "aws_cloudformation_stack_set_instance" "this" {
+ count = length(var.target_org_units) > 0 ? 1 : 0
+
+ stack_set_name = aws_cloudformation_stack_set.this.name
+
+ deployment_targets {
+ organizational_unit_ids = var.target_org_units
+ }
+}
diff --git a/modules/aws/security/cloudformation-stackset/variables.tf b/modules/aws/security/cloudformation-stackset/variables.tf
new file mode 100644
index 0000000..112f3ac
--- /dev/null
+++ b/modules/aws/security/cloudformation-stackset/variables.tf
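Review bot: `template_body` and `template_url` are both passed straight through from variables that default to `null`, so a caller who sets neither, or both, only finds out from the CloudFormation API at apply time; a `lifecycle` precondition on `aws_cloudformation_stack_set.this` (allowed by the `required_version = ">=1.3"` in versions.tf) would fail the plan instead, which matters for a module that rolls a template out organization-wide. Separately, `auto_deployment { enabled = true }` leaves `retain_stacks_on_account_removal` at the provider default, which as I read the provider docs removes the stack instance when an account leaves a targeted OU — probably desirable for a security baseline, but it should be set explicitly (or exposed as a variable) so the behaviour is visible to readers. The `accounts` instance targets bare account IDs on a `SERVICE_MANAGED` stack set; it is worth confirming against the API that service-managed deployment targets accept `accounts` without `organizational_unit_ids`, since my recollection is that this needs an OU plus `account_filter_type`.
```hcl
resource "aws_cloudformation_stack_set" "this" {
  # … unchanged: name, description, capabilities, permission_model, template_*, parameters, auto_deployment, tags …

  lifecycle {
    precondition {
      condition     = (var.template_body != null) != (var.template_url != null)
      error_message = "Exactly one of template_body or template_url must be set."
    }
  }
}
```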
@@ -0,0 +1,52 @@
+variable "name" {
+ description = "The name of the stackset"
+ type = string
+}
+
+variable "description" {
+ description = "The description of the stackset"
+ type = string
+ default = null
+}
+
+variable "capabilities" {
+ description = "A list of capabilities to pass to the stackset"
+ type = list(string)
+ default = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"]
+}
+
+variable "template_body" {
+ description = "The template body"
+ type = string
+ default = null
+}
+
+variable "template_url" {
+ description = "The URL of the template"
+ type = string
+ default = null
+}
+
+variable "parameters" {
+ description = "A list of parameters to pass to the stackset"
+ type = map(string)
+ default = {}
+}
+
+variable "tags_all" {
+ description = "A mapping of tags to assign to the resource"
+ type = map(string)
+ default = {}
+}
+
+variable "target_accounts" {
+ description = "A list of account IDs to target"
+ type = list(string)
+ default = []
+}
+
+variable "target_org_units" {
+ description = "A list of organization unit IDs to target"
+ type = list(string)
+ default = []
+}
diff --git a/modules/aws/security/cloudformation-stackset/versions.tf b/modules/aws/security/cloudformation-stackset/versions.tf
new file mode 100644
index 0000000..9416453
--- /dev/null
+++ b/modules/aws/security/cloudformation-stackset/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">=1.3"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">=4.0"
+ }
+ }
+}
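Review bot: `target_accounts` and `target_org_units` accept any string, and because they decide where the stack set is deployed across the organization a mistyped ID is only caught by the CloudFormation API at apply time; `validation` blocks pinning the 12-digit account ID format and the `ou-`/`r-` ID prefixes would reject it at plan time. The `capabilities` default of `["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"]` means every consumer implicitly acknowledges creation of (named) IAM resources in every target account, which is likely intended for a security baseline but should be stated, e.g. `description = "Capabilities to acknowledge for the stackset; the default lets the template create (named) IAM resources in every target account"`. The `template_body` and `template_url` descriptions should also say that exactly one of them must be set, since both default to `null` and nothing in the module enforces it.
```hcl
variable "target_accounts" {
  # … unchanged: description, type, default …

  validation {
    condition     = alltrue([for a in var.target_accounts : can(regex("^[0-9]{12}$", a))])
    error_message = "Each entry in target_accounts must be a 12-digit AWS account ID."
  }
}

variable "target_org_units" {
  # … unchanged: description, type, default …

  validation {
    condition     = alltrue([for ou in var.target_org_units : can(regex("^(ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}|r-[0-9a-z]{4,32})$", ou))])
    error_message = "Each entry in target_org_units must be an OU ID (ou-...) or organization root ID (r-...)."
  }
}
```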