├── README.md
├── iam_cloudsploit_role.tf
├── iam_cloudsploit_role_gov.tf
├── iam_cloudsploit_supplemental_policy.tf
├── output.tf
├── provider.tf
└── variable.tf

/README.md:
--------------------------------------------------------------------------------
# CloudSploit Terraform Modules

This Terraform module is responsible for provisioning CloudSploit IAM resources (IAM trust/roles).

This module is considered a *Global* module and only needs to be provisioned 1 time per AWS Account.

## Incorporating this Module
* Add this code to your provider file
* The **account_id** must be set & passed from the root module.
* The **cloudsploit_external_id** must be obtained from CloudSploit; different AWS accounts have different external IDs.
* The **use_aws_gov** can be set to a boolean value; it defaults to `false`.

```
module "cloudsploit" {
  source                  = "git@github.com:cloudsploit/cloudsploit-terraform-scans.git"
  account_id              = var.account_id
  cloudsploit_external_id = var.cloudsploit_external_id
}
```

## Outputs
* **cloudsploit_cross_account_role_arn** - CloudSploit cross-account trust role. This is only output if `use_aws_gov` is set to `false`.
* **cloudsploit_cross_account_role_arn-gov** - CloudSploit cross-account trust role for AWS GovCloud. This is only output if `use_aws_gov` is set to `true`.
--------------------------------------------------------------------------------
/iam_cloudsploit_role.tf:
--------------------------------------------------------------------------------
resource "aws_iam_role" "cloudsploit_cross_account_role" {
  name = "tf-cloudsploit"

  # disable this if use_aws_gov == true
  count = var.use_aws_gov ? 0 : 1

  assume_role_policy = <
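A defender-side check that a cross-account trust policy like the one this role carries actually constrains who may assume it, as an added Python example that is not part of this repository: it parses a role trust policy document and flags wildcard or unexpected principals and a missing `sts:ExternalId` condition, which is the confused-deputy protection the `cloudsploit_external_id` variable exists for. The account ID and external ID are placeholders, the sample policies are constructed here, and the account parsing works for both `aws` and `aws-us-gov` partition ARNs, so it covers the gov variant of the role as well.

```python
import json

# Constructed sample trust policies for this example (not the module's own documents).
CLOUDSPLOIT_ACCOUNT = "111111111111"   # placeholder for the scanner's AWS account id
EXTERNAL_ID = "example-external-id"    # placeholder for var.cloudsploit_external_id

GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{CLOUDSPLOIT_ACCOUNT}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]})

# Weak variant: anyone may assume the role and no external ID is required.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["sts:AssumeRole"], "Principal": {"AWS": "*"}}]})


def _as_list(value):
    """Normalise IAM's string-or-list (or single-object) fields to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def check_cross_account_trust(policy_json, expected_external_id, allowed_accounts):
    """Return findings for every Allow/AssumeRole statement in a trust policy.

    A clean cross-account trust names only the allowed account(s) as Principal
    and requires sts:ExternalId to equal the shared external ID.
    """
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for p in aws_principals:
            # Account id is the fifth ARN field; IAM also accepts a bare account id.
            account = p.split(":")[4] if p.startswith("arn:") else p
            if p == "*":
                findings.append(f"statement {i}: wildcard principal")
            elif account not in allowed_accounts:
                findings.append(f"statement {i}: untrusted principal {p}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id != expected_external_id:
            findings.append(f"statement {i}: missing or wrong sts:ExternalId")
    return findings
```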