├── README.md
├── iam_cloudsploit_role.tf
├── iam_cloudsploit_role_gov.tf
├── iam_cloudsploit_supplemental_policy.tf
├── output.tf
├── provider.tf
└── variable.tf


/README.md:
--------------------------------------------------------------------------------
 1 | # CloudSploit Terraform Modules
 2 | 
 3 | This Terraform module is responsible for provisioning CloudSploit IAM resources(IAM trust/roles).
 4 | 
 5 | This module is considered a *Global* module and only needs to be provisioned 1 time per AWS Account.
 6 | 
 7 | ## Incorporating this Module
 8 | * Add this code to your provider file
 9 | * The **account_id** must be set & passed from the root module.
10 | * The **cloudsploit_external_id** must be obtained from CloudSploit and different AWS accounts have different external IDs.
11 | * The **use_aws_gov** can be set to a boolean value, it defaults to `false`
12 | 
13 | ```
14 | module "cloudsploit" {
15 |   source                  = "git@github.com:cloudsploit/cloudsploit-terraform-scans.git"
16 |   account_id              = "${var.account_id}"
17 |   cloudsploit_external_id = "${var.cloudsploit_external_id}"
18 | }
19 | ```
20 | 
21 | ## Outputs
22 | * **cloudsploit_cross_account_role_arn** - Cloudsploit cross account trust role. This is only output if `use_aws_gov` is set to `false`.
23 | * **cloudsploit_cross_account_role_arn-gov** - Cloudsploit cross account trust role for AWS gov. This is only output if `use_aws_gov` is set to `true`.
24 | 


--------------------------------------------------------------------------------
/iam_cloudsploit_role.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_iam_role" "cloudsploit_cross_account_role" {
 2 |   name = "tf-cloudsploit"
 3 | 
 4 |   # disable this if use_aws_gov == true
 5 |   count = var.use_aws_gov ? 0 : 1
 6 | 
 7 |   assume_role_policy = <<EOF
 8 | {
 9 |   "Version": "2012-10-17",
10 |   "Statement": [
11 |     {
12 |       "Effect": "Allow",
13 |       "Principal": {
14 |         "AWS": "arn:aws:iam::057012691312:root"
15 |       },
16 |       "Action": "sts:AssumeRole",
17 |       "Condition": {
18 |         "StringEquals": {
19 |           "sts:ExternalId": "${var.cloudsploit_external_id}"
20 |         }
21 |       }
22 |     }
23 |   ]
24 | }
25 | EOF
26 | }
27 | 
28 | resource "aws_iam_role_policy_attachment" "cloudsploit_cross_account_attach" {
29 |   # disable this if use_aws_gov == true
30 |   count = var.use_aws_gov ? 0 : 1
31 | 
32 |   role       = aws_iam_role.cloudsploit_cross_account_role[count.index].name
33 |   policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
34 | }
35 | 


--------------------------------------------------------------------------------
/iam_cloudsploit_role_gov.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_iam_role" "cloudsploit_cross_account_role-gov" {
 2 |   name = "tf-cloudsploit"
 3 | 
 4 |   # enable this if use_aws_gov == true
 5 |   count = var.use_aws_gov ? 1 : 0
 6 | 
 7 |   assume_role_policy = <<EOF
 8 | {
 9 |   "Version": "2012-10-17",
10 |   "Statement": [
11 |     {
12 |       "Effect": "Allow",
13 |       "Principal": {
14 |         "AWS": "arn:aws-us-gov:iam::099193770462:root"
15 |       },
16 |       "Action": "sts:AssumeRole",
17 |       "Condition": {
18 |         "StringEquals": {
19 |           "sts:ExternalId": "${var.cloudsploit_external_id}"
20 |         }
21 |       }
22 |     }
23 |   ]
24 | }
25 | EOF
26 | }
27 | 
28 | resource "aws_iam_role_policy_attachment" "cloudsploit_cross_account_attach-gov" {
29 |   # enable this if use_aws_gov == true
30 |   count = var.use_aws_gov ? 1 : 0
31 | 
32 |   role       = aws_iam_role.cloudsploit_cross_account_role-gov[count.index].name
33 |   policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
34 | }
35 | 


--------------------------------------------------------------------------------
/iam_cloudsploit_supplemental_policy.tf:
--------------------------------------------------------------------------------
 1 | data "aws_iam_policy_document" "cloudsploit_supplemental_iam_policy" {
 2 |   statement {
 3 |     sid       = "CloudSploitSupplemental"
 4 |     actions   = [
 5 |       "athena:GetWorkGroup",
 6 |       "cloudwatchlogs:DescribeLogGroups",
 7 |       "cloudwatchlogs:DescribeMetricFilters",
 8 |       "elastictranscoder:ListPipelines",
 9 |       "ses:DescribeActiveReceiptRuleSet"
10 |     ]
11 |     resources = ["*"]
12 |   }
13 | }
14 | 
15 | resource "aws_iam_policy" "cloudsploit_supplemental_iam_policy" {
16 |   name        = "cloudsploit-supplemental-policy"
17 |   description = "CloudSploit Supplemental IAM Policy for Additional Scans"
18 |   policy      = data.aws_iam_policy_document.cloudsploit_supplemental_iam_policy.json
19 | }
20 | 
21 | resource "aws_iam_role_policy_attachment" "cloudsploit_supplemental_attach" {
22 |   # disable this if use_aws_gov == true
23 |   count = var.use_aws_gov ? 0 : 1
24 | 
25 |   role = aws_iam_role.cloudsploit_cross_account_role[0].name
26 |   policy_arn = aws_iam_policy.cloudsploit_supplemental_iam_policy.arn
27 | }
28 | 
29 | resource "aws_iam_role_policy_attachment" "cloudsploit_supplemental_attach-gov" {
30 |   # enable this if use_aws_gov == true
31 |   count = var.use_aws_gov ? 1 : 0
32 | 
33 |   role = aws_iam_role.cloudsploit_cross_account_role-gov[0].name
34 |   policy_arn = aws_iam_policy.cloudsploit_supplemental_iam_policy.arn
35 | }


--------------------------------------------------------------------------------
/output.tf:
--------------------------------------------------------------------------------
1 | output "cloudsploit_cross_account_role_arn" {
2 |   value = "${aws_iam_role.cloudsploit_cross_account_role.*.arn}"
3 | }
4 | 
5 | output "cloudsploit_cross_account_role_arn-gov" {
6 |   value = "${aws_iam_role.cloudsploit_cross_account_role-gov.*.arn}"
7 | }
8 | 


--------------------------------------------------------------------------------
/provider.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     aws = {
 4 |       source  = "hashicorp/aws"
 5 |       version = ">= 4.5.0"
 6 |     }
 7 |   }
 8 | }
 9 | 
10 | provider "aws" {
11 |   region = var.region
12 | }
13 | 


--------------------------------------------------------------------------------
/variable.tf:
--------------------------------------------------------------------------------
 1 | variable "account_id" {}
 2 | 
 3 | variable cloudsploit_external_id {}
 4 | 
 5 | variable "use_aws_gov" {
 6 |   default     = false
 7 |   description = "This is used to toggle which role policy will be used, by default it assumes you are not in government cloud."
 8 | }
 9 | 
10 | variable "region" {
11 |   default = "us-east-1"
12 |   description = "aws account region"
13 | }
14 | 


--------------------------------------------------------------------------------