-
Notifications
You must be signed in to change notification settings - Fork 22
/
organizations_policy.tf
85 lines (75 loc) · 3.53 KB
/
organizations_policy.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
locals {
enabled_root_policies = {
allowed_regions = {
enable = var.regions.allowed_regions != null ? true : false
policy = var.regions.allowed_regions != null ? templatefile("${path.module}/files/organizations/allowed_regions.json.tpl", {
allowed = var.regions.allowed_regions != null ? var.regions.allowed_regions : []
exceptions = local.aws_service_control_policies_principal_exceptions
}) : null
}
cloudtrail_log_stream = {
enable = true // This is not configurable and will be applied all the time.
policy = file("${path.module}/files/organizations/cloudtrail_log_stream.json")
}
deny_disabling_security_hub = {
enable = var.aws_service_control_policies.aws_deny_disabling_security_hub
policy = var.aws_service_control_policies.aws_deny_disabling_security_hub != false ? templatefile("${path.module}/files/organizations/deny_disabling_security_hub.json.tpl", {
exceptions = local.aws_service_control_policies_principal_exceptions
}) : null
}
deny_leaving_org = {
enable = var.aws_service_control_policies.aws_deny_leaving_org
policy = var.aws_service_control_policies.aws_deny_leaving_org != false ? templatefile("${path.module}/files/organizations/deny_leaving_org.json.tpl", {
exceptions = local.aws_service_control_policies_principal_exceptions
}) : null
}
// https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-instance-metadata-requireIMDSv2
require_use_of_imdsv2 = {
enable = var.aws_service_control_policies.aws_require_imdsv2
policy = file("${path.module}/files/organizations/require_use_of_imdsv2.json")
}
}
root_policies_to_merge = [for key, value in local.enabled_root_policies : jsondecode(
value.enable == true ? value.policy : "{\"Statement\": []}"
)]
root_policies_merged = flatten([
for policy in local.root_policies_to_merge : policy.Statement
])
}
resource "aws_organizations_policy" "lz_root_policies" {
name = "LandingZone-RootPolicies"
content = jsonencode({
Version = "2012-10-17"
Statement = local.root_policies_merged
})
description = "LandingZone enabled Root OU policies"
tags = var.tags
}
resource "aws_organizations_policy_attachment" "lz_root_policies" {
policy_id = aws_organizations_policy.lz_root_policies.id
target_id = data.aws_organizations_organization.default.roots[0].id
}
// https://summitroute.com/blog/2020/03/25/aws_scp_best_practices/#deny-ability-to-leave-organization
resource "aws_organizations_policy" "deny_root_user" {
count = length(var.aws_service_control_policies.aws_deny_root_user_ous) > 0 ? 1 : 0
name = "LandingZone-DenyRootUser"
content = file("${path.module}/files/organizations/deny_root_user.json")
tags = var.tags
}
resource "aws_organizations_policy_attachment" "deny_root_user" {
for_each = {
for ou in data.aws_organizations_organizational_units.default.children : ou.name => ou if contains(var.aws_service_control_policies.aws_deny_root_user_ous, ou.name)
}
policy_id = aws_organizations_policy.deny_root_user[0].id
target_id = each.value.id
}
module "tag_policy_assignment" {
for_each = {
for ou in data.mcaf_aws_all_organizational_units.default.organizational_units : ou.path => ou if contains(keys(coalesce(var.aws_required_tags, {})), ou.path)
}
source = "./modules/tag-policy-assignment"
aws_ou_tags = { for k, v in var.aws_required_tags[each.key] : v.name => v }
target_id = each.value.id
ou_path = each.key
tags = var.tags
}