42 | > Watch demo of using Atmos with Terraform
43 | > 
44 | > Example of running atmos to manage infrastructure from our Quick Start tutorial.
45 | >
46 |
47 |
48 | ## Introduction
49 |
50 | Service Control Policies are configured in YAML configuration files.
51 |
52 | We maintain a comprehensive [catalog](catalog) of SCP configurations and welcome contributions via pull request!
53 |
54 | The [example](examples/complete) in this module uses the catalog to provision the SCPs on AWS.
55 |
56 | The policies in the `catalog/*-templates` files require parameters supplied via the `parameters` input
57 | to [terraform-yaml-config](https://github.com/cloudposse/terraform-yaml-config).
58 |
59 |
60 |
61 |
62 | ## Usage
63 |
64 | For a complete example, see [examples/complete](examples/complete).
65 |
66 | For automated tests of the complete example using [bats](https://github.com/bats-core/bats-core) and [Terratest](https://github.com/gruntwork-io/terratest)
67 | (which tests and deploys the example on Datadog), see [test](test).
68 |
69 |
70 | ```hcl
71 | module "yaml_config" {
72 | source = "cloudposse/config/yaml"
73 | # Cloud Posse recommends pinning every module to a specific version
74 | # version = "x.x.x"
75 |
76 | list_config_local_base_path = path.module
77 | list_config_paths = ["catalog/*.yaml"]
78 |
79 | context = module.this.context
80 | }
81 |
82 | module "yaml_config_with_parameters" {
83 | source = "cloudposse/config/yaml"
84 | # Cloud Posse recommends pinning every module to a specific version
85 | # version = "x.x.x"
86 |
87 | list_config_local_base_path = path.module
88 | list_config_paths = ["https://raw.githubusercontent.com/cloudposse/terraform-aws-service-control-policies/0.12.0/catalog/s3-templates/DenyS3InNonSelectedRegion.yaml"]
89 |
90 | parameters = {
91 | "s3_regions_lockdown" = "us-*,eu-north-1"
92 | }
93 |
94 | context = module.this.context
95 | }
96 |
97 | data "aws_caller_identity" "this" {}
98 |
99 | module "service_control_policies" {
100 | source = "../../"
101 |
102 | service_control_policy_statements = concat(module.yaml_config.list_configs, module.yaml_config_with_parameters.list_configs)
103 | service_control_policy_description = var.service_control_policy_description
104 | target_id = data.aws_caller_identity.this.account_id
105 |
106 | context = module.this.context
107 | }
108 | ```
109 |
110 | > [!IMPORTANT]
111 | > In Cloud Posse's examples, we avoid pinning modules to specific versions to prevent discrepancies between the documentation
112 | > and the latest released versions. However, for your own projects, we strongly advise pinning each module to the exact version
113 | > you're using. This practice ensures the stability of your infrastructure. Additionally, we recommend implementing a systematic
114 | > approach for updating versions to avoid unexpected changes.
115 |
116 |
117 |
118 |
119 |
120 | ## Examples
121 |
122 | Review the [complete example](examples/complete) to see how to use this module.
123 |
124 |
125 |
126 |
127 |
128 | ## Requirements
129 |
130 | | Name | Version |
131 | |------|---------|
132 | | [terraform](#requirement\_terraform) | >= 1.3 |
133 | | [aws](#requirement\_aws) | >= 3.0 |
134 | | [local](#requirement\_local) | >= 1.3 |
135 |
136 | ## Providers
137 |
138 | | Name | Version |
139 | |------|---------|
140 | | [aws](#provider\_aws) | >= 3.0 |
141 |
142 | ## Modules
143 |
144 | | Name | Source | Version |
145 | |------|--------|---------|
146 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 |
147 |
148 | ## Resources
149 |
150 | | Name | Type |
151 | |------|------|
152 | | [aws_organizations_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
153 | | [aws_organizations_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy_attachment) | resource |
154 | | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
155 |
156 | ## Inputs
157 |
158 | | Name | Description | Type | Default | Required |
159 | |------|-------------|------|---------|:--------:|
160 | | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
161 | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no |
162 | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | {
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
} | no |
163 | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
164 | | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
165 | | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
166 | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
167 | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no |
168 | | [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no |
169 | | [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
170 | | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no |
171 | | [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | [
"default"
]
| no |
172 | | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
173 | | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
174 | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
175 | | [service\_control\_policy\_description](#input\_service\_control\_policy\_description) | Description of the combined Service Control Policy | `string` | `null` | no |
176 | | [service\_control\_policy\_statements](#input\_service\_control\_policy\_statements) | List of Service Control Policy statements | `any` | n/a | yes |
177 | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
178 | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
179 | | [target\_id](#input\_target\_id) | The unique identifier (ID) of the organization root, organizational unit, or account number that you want to attach the policy to | `string` | n/a | yes |
180 | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
181 |
182 | ## Outputs
183 |
184 | | Name | Description |
185 | |------|-------------|
186 | | [organizations\_policy\_arn](#output\_organizations\_policy\_arn) | Amazon Resource Name (ARN) of the policy |
187 | | [organizations\_policy\_id](#output\_organizations\_policy\_id) | The unique identifier of the policy |
188 |
189 |
190 |
191 |
192 |
193 |
194 |
195 |
196 | ## Related Projects
197 |
198 | Check out these related projects.
199 |
200 | - [terraform-aws-iam-role](https://github.com/cloudposse/terraform-aws-iam-role) - A Terraform module that creates IAM role with provided JSON IAM polices documents.
201 | - [terraform-aws-iam-policy-document-aggregator](https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator) - Terraform module to aggregate multiple IAM policy documents into single policy document
202 | - [terraform-aws-iam-chamber-s3-role](https://github.com/cloudposse/terraform-aws-iam-chamber-s3-role) - Terraform module to provision an IAM role with configurable permissions to access S3 as chamber backend.
203 | - [terraform-yaml-config](https://github.com/cloudposse/terraform-yaml-config) - Terraform module to convert local and remote YAML configuration templates into Terraform lists and maps.
204 |
205 |
206 | ## References
207 |
208 | For additional context, refer to some of these links.
209 |
210 | - [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) - Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization.
211 | - [Example service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html) - Examples of Service Control Policies (SCPs).
212 | - [SCP syntax](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html) - Service control policies (SCPs) use a similar syntax to that used by AWS Identity and Access Management (IAM) permission policies and resource-based policies.
213 | - [Terraform Standard Module Structure](https://www.terraform.io/docs/modules/index.html#standard-module-structure) - HashiCorp's standard module structure is a file and directory layout we recommend for reusable modules distributed in separate repositories.
214 | - [Terraform Module Requirements](https://www.terraform.io/docs/registry/modules/publish.html#requirements) - HashiCorp's guidance on all the requirements for publishing a module. Meeting the requirements for publishing a module is extremely easy.
215 | - [Terraform `random_integer` Resource](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) - The resource random_integer generates random values from a given range, described by the min and max attributes of a given resource.
216 | - [Terraform Version Pinning](https://www.terraform.io/docs/configuration/terraform.html#specifying-a-required-terraform-version) - The required_version setting can be used to constrain which versions of the Terraform CLI can be used with your configuration
217 | - [SCPs size limits](https://github.com/hashicorp/terraform-provider-aws/issues/12597) - The SCP have a size limit and creating many policies at once can result in a POLICY_CONTENT_LIMIT_EXCEEDED error
218 |
219 |
220 |
221 | > [!TIP]
222 | > #### Use Terraform Reference Architectures for AWS
223 | >
224 | > Use Cloud Posse's ready-to-go [terraform architecture blueprints](https://cloudposse.com/reference-architecture/) for AWS to get up and running quickly.
225 | >
226 | > ✅ We build it together with your team.
227 | > ✅ Your team owns everything.
228 | > ✅ 100% Open Source and backed by fanatical support.
229 | >
230 | > 
231 | > 📚 Learn More
232 | >
233 | >
234 | >
235 | > Cloud Posse is the leading [**DevOps Accelerator**](https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-service-control-policies&utm_content=commercial_support) for funded startups and enterprises.
236 | >
237 | > *Your team can operate like a pro today.*
238 | >
239 | > Ensure that your team succeeds by using Cloud Posse's proven process and turnkey blueprints. Plus, we stick around until you succeed.
240 | > #### Day-0: Your Foundation for Success
241 | > - **Reference Architecture.** You'll get everything you need from the ground up built using 100% infrastructure as code.
242 | > - **Deployment Strategy.** Adopt a proven deployment strategy with GitHub Actions, enabling automated, repeatable, and reliable software releases.
243 | > - **Site Reliability Engineering.** Gain total visibility into your applications and services with Datadog, ensuring high availability and performance.
244 | > - **Security Baseline.** Establish a secure environment from the start, with built-in governance, accountability, and comprehensive audit logs, safeguarding your operations.
245 | > - **GitOps.** Empower your team to manage infrastructure changes confidently and efficiently through Pull Requests, leveraging the full power of GitHub Actions.
246 | >
247 | >
248 | >
249 | > #### Day-2: Your Operational Mastery
250 | > - **Training.** Equip your team with the knowledge and skills to confidently manage the infrastructure, ensuring long-term success and self-sufficiency.
251 | > - **Support.** Benefit from a seamless communication over Slack with our experts, ensuring you have the support you need, whenever you need it.
252 | > - **Troubleshooting.** Access expert assistance to quickly resolve any operational challenges, minimizing downtime and maintaining business continuity.
253 | > - **Code Reviews.** Enhance your team’s code quality with our expert feedback, fostering continuous improvement and collaboration.
254 | > - **Bug Fixes.** Rely on our team to troubleshoot and resolve any issues, ensuring your systems run smoothly.
255 | > - **Migration Assistance.** Accelerate your migration process with our dedicated support, minimizing disruption and speeding up time-to-value.
256 | > - **Customer Workshops.** Engage with our team in weekly workshops, gaining insights and strategies to continuously improve and innovate.
257 | >
258 | >
259 | > 
271 |
272 |
273 | For 🐛 bug reports & feature requests, please use the [issue tracker](https://github.com/cloudposse/terraform-aws-service-control-policies/issues).
274 |
275 | In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
276 | 1. Review our [Code of Conduct](https://github.com/cloudposse/terraform-aws-service-control-policies/?tab=coc-ov-file#code-of-conduct) and [Contributor Guidelines](https://github.com/cloudposse/.github/blob/main/CONTRIBUTING.md).
277 | 2. **Fork** the repo on GitHub
278 | 3. **Clone** the project to your own machine
279 | 4. **Commit** changes to your own branch
280 | 5. **Push** your work back up to your fork
281 | 6. Submit a **Pull Request** so that we can review your changes
282 |
283 | **NOTE:** Be sure to merge the latest changes from "upstream" before making a pull request!## Running Terraform Tests
284 |
285 | We use [Atmos](https://atmos.tools) to streamline how Terraform tests are run. It centralizes configuration and wraps common test workflows with easy-to-use commands.
286 |
287 | All tests are located in the [`test/`](test) folder.
288 |
289 | Under the hood, tests are powered by Terratest together with our internal [Test Helpers](https://github.com/cloudposse/test-helpers) library, providing robust infrastructure validation.
290 |
291 | Setup dependencies:
292 | - Install Atmos ([installation guide](https://atmos.tools/install/))
293 | - Install Go [1.24+ or newer](https://go.dev/doc/install)
294 | - Install Terraform or OpenTofu
295 |
296 | To run tests:
297 |
298 | - Run all tests:
299 | ```sh
300 | atmos test run
301 | ```
302 | - Clean up test artifacts:
303 | ```sh
304 | atmos test clean
305 | ```
306 | - Explore additional test options:
307 | ```sh
308 | atmos test --help
309 | ```
310 | The configuration for test commands is centrally managed. To review what's being imported, see the [`atmos.yaml`](https://raw.githubusercontent.com/cloudposse/.github/refs/heads/main/.github/atmos/terraform-module.yaml) file.
311 |
312 | Learn more about our [automated testing in our documentation](https://docs.cloudposse.com/community/contribute/automated-testing/) or implementing [custom commands](https://atmos.tools/core-concepts/custom-commands/) with atmos.
313 |
314 | ### 🌎 Slack Community
315 |
316 | Join our [Open Source Community](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-service-control-policies&utm_content=slack) on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure.
317 |
318 | ### 📰 Newsletter
319 |
320 | Sign up for [our newsletter](https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-service-control-policies&utm_content=newsletter) and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know.
321 | Dropped straight into your Inbox every week — and usually a 5-minute read.
322 |
323 | ### 📆 Office Hours 
324 |
325 | [Join us every Wednesday via Zoom](https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-service-control-policies&utm_content=office_hours) for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a _live Q&A_ that you can’t find anywhere else.
326 | It's **FREE** for everyone!
327 | ## License
328 |
329 | 
330 |
331 |
332 | Preamble to the Apache License, Version 2.0
333 |
334 |
335 |
336 | Complete license is available in the [`LICENSE`](LICENSE) file.
337 |
338 | ```text
339 | Licensed to the Apache Software Foundation (ASF) under one
340 | or more contributor license agreements. See the NOTICE file
341 | distributed with this work for additional information
342 | regarding copyright ownership. The ASF licenses this file
343 | to you under the Apache License, Version 2.0 (the
344 | "License"); you may not use this file except in compliance
345 | with the License. You may obtain a copy of the License at
346 |
347 | https://www.apache.org/licenses/LICENSE-2.0
348 |
349 | Unless required by applicable law or agreed to in writing,
350 | software distributed under the License is distributed on an
351 | "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
352 | KIND, either express or implied. See the License for the
353 | specific language governing permissions and limitations
354 | under the License.
355 | ```
356 |
357 |
358 | ## Trademarks
359 |
360 | All other trademarks referenced herein are the property of their respective owners.
361 |
362 |
363 | ## Copyrights
364 |
365 | Copyright © 2020-2025 [Cloud Posse, LLC](https://cloudposse.com)
366 |
367 |
368 |
369 | 
370 |
371 | 
372 |
--------------------------------------------------------------------------------
/README.yaml:
--------------------------------------------------------------------------------
1 | #
2 | # This is the canonical configuration for the `README.md`
3 | # Run `make readme` to rebuild the `README.md`
4 | #
5 |
6 | # Name of this project
7 | name: terraform-aws-service-control-policies
8 |
9 | # Logo for this project
10 | #logo: docs/logo.png
11 |
12 | # License of this project
13 | license: "APACHE2"
14 |
15 | # Copyrights
16 | copyrights:
17 | - name: "Cloud Posse, LLC"
18 | url: "https://cloudposse.com"
19 | year: "2020"
20 |
21 | # Canonical GitHub repo
22 | github_repo: cloudposse/terraform-aws-service-control-policies
23 |
24 | # Badges to display
25 | badges:
26 | - name: Latest Release
27 | image: https://img.shields.io/github/release/cloudposse/terraform-aws-service-control-policies.svg?style=for-the-badge
28 | url: https://github.com/cloudposse/terraform-aws-service-control-policies/releases/latest
29 | - name: Last Updated
30 | image: https://img.shields.io/github/last-commit/cloudposse/terraform-aws-service-control-policies.svg?style=for-the-badge
31 | url: https://github.com/cloudposse/terraform-aws-service-control-policies/commits
32 | - name: Slack Community
33 | image: https://slack.cloudposse.com/for-the-badge.svg
34 | url: https://cloudposse.com/slack
35 | categories:
36 | - scp
37 | - policy
38 | - policies
39 | - service-control-policy
40 | - service-control-policies
41 | - aws
42 | - organization
43 | - ou
44 | - organizational-unit
45 | - iam
46 | - iam-role
47 | - account
48 |
49 | # List any related terraform modules that this module may be used with or that this module depends on.
50 |
51 | # List any related terraform modules that this module may be used with or that this module depends on.
52 |
53 | # List any related terraform modules that this module may be used with or that this module depends on.
54 |
55 | # List any related terraform modules that this module may be used with or that this module depends on.
56 |
57 | # List any related terraform modules that this module may be used with or that this module depends on.
58 |
59 | # List any related terraform modules that this module may be used with or that this module depends on.
60 |
61 | # List any related terraform modules that this module may be used with or that this module depends on.
62 |
63 | # List any related terraform modules that this module may be used with or that this module depends on.
64 | related:
65 | - name: "terraform-aws-iam-role"
66 | description: "A Terraform module that creates IAM role with provided JSON IAM polices documents."
67 | url: "https://github.com/cloudposse/terraform-aws-iam-role"
68 | - name: "terraform-aws-iam-policy-document-aggregator"
69 | description: "Terraform module to aggregate multiple IAM policy documents into single policy document"
70 | url: "https://github.com/cloudposse/terraform-aws-iam-policy-document-aggregator"
71 | - name: "terraform-aws-iam-chamber-s3-role"
72 | description: "Terraform module to provision an IAM role with configurable permissions to access S3 as chamber backend."
73 | url: "https://github.com/cloudposse/terraform-aws-iam-chamber-s3-role"
74 | - name: "terraform-yaml-config"
75 | description: "Terraform module to convert local and remote YAML configuration templates into Terraform lists and maps."
76 | url: "https://github.com/cloudposse/terraform-yaml-config"
77 |
78 | # List any resources helpful for someone to get started. For example, link to the hashicorp documentation or AWS documentation.
79 | references:
80 | - name: "Service control policies"
81 | description: "Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization."
82 | url: "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html"
83 | - name: "Example service control policies"
84 | description: "Examples of Service Control Policies (SCPs)."
85 | url: "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html"
86 | - name: "SCP syntax"
87 | description: "Service control policies (SCPs) use a similar syntax to that used by AWS Identity and Access Management (IAM) permission policies and resource-based policies."
88 | url: "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html"
89 | - name: "Terraform Standard Module Structure"
90 | description: "HashiCorp's standard module structure is a file and directory layout we recommend for reusable modules distributed in separate repositories."
91 | url: "https://www.terraform.io/docs/modules/index.html#standard-module-structure"
92 | - name: "Terraform Module Requirements"
93 | description: "HashiCorp's guidance on all the requirements for publishing a module. Meeting the requirements for publishing a module is extremely easy."
94 | url: "https://www.terraform.io/docs/registry/modules/publish.html#requirements"
95 | - name: "Terraform `random_integer` Resource"
96 | description: "The resource random_integer generates random values from a given range, described by the min and max attributes of a given resource."
97 | url: "https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer"
98 | - name: "Terraform Version Pinning"
99 | description: "The required_version setting can be used to constrain which versions of the Terraform CLI can be used with your configuration"
100 | url: "https://www.terraform.io/docs/configuration/terraform.html#specifying-a-required-terraform-version"
101 | - name: "SCPs size limits"
102 | description: "The SCP have a size limit and creating many policies at once can result in a POLICY_CONTENT_LIMIT_EXCEEDED error"
103 | url: "https://github.com/hashicorp/terraform-provider-aws/issues/12597"
104 | # Short description of this project
105 | description: |-
106 | Terraform module to provision Service Control Policies (SCP) for AWS Organizations, Organizational Units, and AWS accounts.
107 |
108 | # Introduction to the project
109 | introduction: |-
110 | Service Control Policies are configured in YAML configuration files.
111 |
112 | We maintain a comprehensive [catalog](catalog) of SCP configurations and welcome contributions via pull request!
113 |
114 | The [example](examples/complete) in this module uses the catalog to provision the SCPs on AWS.
115 |
116 | The policies in the `catalog/*-templates` files require parameters supplied via the `parameters` input
117 | to [terraform-yaml-config](https://github.com/cloudposse/terraform-yaml-config).
118 |
119 |
120 | # How to use this module. Should be an easy example to copy and paste.
121 | usage: |-
122 | For a complete example, see [examples/complete](examples/complete).
123 |
124 | For automated tests of the complete example using [bats](https://github.com/bats-core/bats-core) and [Terratest](https://github.com/gruntwork-io/terratest)
125 | (which tests and deploys the example on Datadog), see [test](test).
126 |
127 |
128 | ```hcl
129 | module "yaml_config" {
130 | source = "cloudposse/config/yaml"
131 | # Cloud Posse recommends pinning every module to a specific version
132 | # version = "x.x.x"
133 |
134 | list_config_local_base_path = path.module
135 | list_config_paths = ["catalog/*.yaml"]
136 |
137 | context = module.this.context
138 | }
139 |
140 | module "yaml_config_with_parameters" {
141 | source = "cloudposse/config/yaml"
142 | # Cloud Posse recommends pinning every module to a specific version
143 | # version = "x.x.x"
144 |
145 | list_config_local_base_path = path.module
146 | list_config_paths = ["https://raw.githubusercontent.com/cloudposse/terraform-aws-service-control-policies/0.12.0/catalog/s3-templates/DenyS3InNonSelectedRegion.yaml"]
147 |
148 | parameters = {
149 | "s3_regions_lockdown" = "us-*,eu-north-1"
150 | }
151 |
152 | context = module.this.context
153 | }
154 |
155 | data "aws_caller_identity" "this" {}
156 |
157 | module "service_control_policies" {
158 | source = "../../"
159 |
160 | service_control_policy_statements = concat(module.yaml_config.list_configs, module.yaml_config_with_parameters.list_configs)
161 | service_control_policy_description = var.service_control_policy_description
162 | target_id = data.aws_caller_identity.this.account_id
163 |
164 | context = module.this.context
165 | }
166 | ```
167 |
168 | # Example usage
169 | examples: |-
170 | Review the [complete example](examples/complete) to see how to use this module.
171 |
172 | # How to get started quickly
173 | #quickstart: |-
174 | # Here's how to get started...
175 |
176 | # Other files to include in this README from the project folder
177 | include: []
178 | contributors: []
179 |
--------------------------------------------------------------------------------
/atmos.yaml:
--------------------------------------------------------------------------------
1 | # Atmos Configuration — powered by https://atmos.tools
2 | #
3 | # This configuration enables centralized, DRY, and consistent project scaffolding using Atmos.
4 | #
5 | # Included features:
6 | # - Organizational custom commands: https://atmos.tools/core-concepts/custom-commands
7 | # - Automated README generation: https://atmos.tools/cli/commands/docs/generate
8 | #
9 |
10 | # Import shared configuration used by all modules
11 | import:
12 | - https://raw.githubusercontent.com/cloudposse/.github/refs/heads/main/.github/atmos/terraform-module.yaml
13 |
--------------------------------------------------------------------------------
/catalog/account-policies.yaml:
--------------------------------------------------------------------------------
1 | - sid: "DenyAccountRegionDisableEnable"
2 | effect: "Deny"
3 | actions:
4 | - "account:EnableRegion"
5 | - "account:DisableRegion"
6 | resources:
7 | - "*"
8 |
--------------------------------------------------------------------------------
/catalog/cloudtrail-policies.yaml:
--------------------------------------------------------------------------------
1 | - sid: "DenyCloudTrailActions"
2 | effect: "Deny"
3 | actions:
4 | - "cloudtrail:DeleteTrail"
5 | - "cloudtrail:PutEventSelectors"
6 | - "cloudtrail:StopLogging"
7 | - "cloudtrail:UpdateTrail"
8 | resources:
9 | - "*"
10 |
--------------------------------------------------------------------------------
/catalog/cloudwatch-logs-policies.yaml:
--------------------------------------------------------------------------------
1 | - sid: "DenyCloudWatchDeletingLogs"
2 | effect: "Deny"
3 | actions:
4 | - "ec2:DeleteFlowLogs"
5 | - "logs:DeleteLogGroup"
6 | - "logs:DeleteLogStream"
7 | resources:
8 | - "*"
9 |
10 | - sid: "DenyDisablingCloudWatch"
11 | effect: "Deny"
12 | actions:
13 | - "cloudwatch:DeleteAlarms"
14 | - "cloudwatch:DeleteDashboards"
15 | - "cloudwatch:DisableAlarmActions"
16 | - "cloudwatch:PutDashboard"
17 | - "cloudwatch:PutMetricAlarm"
18 | - "cloudwatch:SetAlarmState"
19 | resources:
20 | - "*"
21 |
--------------------------------------------------------------------------------
/catalog/config-policies.yaml:
--------------------------------------------------------------------------------
1 | - sid: "DenyConfigRulesDelete"
2 | effect: "Deny"
3 | actions:
4 | - "config:DeleteConfigRule"
5 | - "config:DeleteConfigurationRecorder"
6 | - "config:DeleteDeliveryChannel"
7 | - "config:StopConfigurationRecorder"
8 | - "config:DeleteRetentionConfiguration"
9 | - "config:DeleteEvaluationResults"
10 | - "config:DeleteConfigurationAggregator"
11 | resources:
12 | - "*"
13 |
--------------------------------------------------------------------------------
/catalog/deny-all-policies.yaml:
--------------------------------------------------------------------------------
1 | - sid: "DenyAllAccess"
2 | effect: "Deny"
3 | actions:
4 | - "*"
5 | resources:
6 | - "*"
7 |
--------------------------------------------------------------------------------
/catalog/ec2-policies.yaml:
--------------------------------------------------------------------------------
1 | #
2 | ## WARNING AND HISTORICAL NOTE
3 | #
4 | # When the DenyEC2NonNitroInstances policy was first introduced, it was primarily intended
5 | # to ensure that network traffic was encrypted in transit, which was seen to be a feature
6 | # that all Nitro instances supported and all non-Nitro instances did not. However, this
7 | # is not the case, as instance families such as `a1`, `t3`, and `t4g` are Nitro based but
8 | # do not support network traffic encryption in transit.
9 | #
10 | # As such, the DenyEC2NonNitroInstances policy is no longer a reliable way to ensure that
11 | # network traffic is encrypted in transit. It is recommended that you use the
12 | # DenyEC2InstancesWithoutEncryptionInTransit policy (below) instead if that is your goal.
13 |
14 | # This policy denies instance families that aren't based on the Nitro system as documented in the following document:
15 | # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances
16 | # The listing below *are* Nitro-based instances. They are collected from the following CLI query:
17 | #
18 | # aws --region us-east-1 ec2 describe-instance-types \
19 | # --filters Name=hypervisor,Values=nitro \
20 | # --query "InstanceTypes[*].[InstanceType]" --output text | \
21 | # cut -f 1 -d. | sort | uniq | awk '{print " - " $0 ".*"}'
22 | #
23 | # However, that the command only lists instance types available in the specified region. To be
24 | # fully comprehensive, the command should be run in all regions where instances are launched.
25 | # As a shortcut, we only run the command in the default regions (those that do not require opt-in).
26 | # To date, it appears that the combination of us-east-1, us-east-2, us-west-2, and eu-west-1
27 | # regions combined appear to cover all instance types.
28 | #
29 | # In order to fit within the 5120-character limit for policies
30 | # (See https://docs.aws.amazon.com/organizations/latest/userguide/org_troubleshoot_policies.html )
31 | # only the instance family is checked, not the specific instance type. AWS support
32 | # has confirmed that this is in fact correct, and spot checking has failed to
33 | # find any instance families that have some sizes based on Nitro and some not.
34 | #
35 | - sid: "DenyEC2NonNitroInstances"
36 | effect: "Deny"
37 | actions:
38 | - "ec2:RunInstances"
39 | condition:
40 | - test: "StringNotLike"
41 | variable: "ec2:InstanceType"
42 | values:
43 | # updated 2025-02-14
44 | - a1.*
45 | - c5.*
46 | - c5a.*
47 | - c5ad.*
48 | - c5d.*
49 | - c5n.*
50 | - c6a.*
51 | - c6g.*
52 | - c6gd.*
53 | - c6gn.*
54 | - c6i.*
55 | - c6id.*
56 | - c6in.*
57 | - c7a.*
58 | - c7g.*
59 | - c7gd.*
60 | - c7gn.*
61 | - c7i-flex.*
62 | - c7i.*
63 | - c8g.*
64 | - d3.*
65 | - d3en.*
66 | - dl1.*
67 | - dl2q.*
68 | - f2.*
69 | - g4ad.*
70 | - g4dn.*
71 | - g5.*
72 | - g5g.*
73 | - g6.*
74 | - g6e.*
75 | - gr6.*
76 | - hpc6a.*
77 | - hpc6id.*
78 | - hpc7a.*
79 | - hpc7g.*
80 | - i3en.*
81 | - i4g.*
82 | - i4i.*
83 | - i7ie.*
84 | - i8g.*
85 | - im4gn.*
86 | - inf1.*
87 | - inf2.*
88 | - is4gen.*
89 | - m5.*
90 | - m5a.*
91 | - m5ad.*
92 | - m5d.*
93 | - m5dn.*
94 | - m5n.*
95 | - m5zn.*
96 | - m6a.*
97 | - m6g.*
98 | - m6gd.*
99 | - m6i.*
100 | - m6id.*
101 | - m6idn.*
102 | - m6in.*
103 | - m7a.*
104 | - m7g.*
105 | - m7gd.*
106 | - m7i-flex.*
107 | - m7i.*
108 | - m8g.*
109 | - p3dn.*
110 | - p4d.*
111 | - p5.*
112 | - p5e.*
113 | - p5en.*
114 | - r5.*
115 | - r5a.*
116 | - r5ad.*
117 | - r5b.*
118 | - r5d.*
119 | - r5dn.*
120 | - r5n.*
121 | - r6a.*
122 | - r6g.*
123 | - r6gd.*
124 | - r6i.*
125 | - r6id.*
126 | - r6idn.*
127 | - r6in.*
128 | - r7a.*
129 | - r7g.*
130 | - r7gd.*
131 | - r7i.*
132 | - r7iz.*
133 | - r8g.*
134 | - t3.*
135 | - t3a.*
136 | - t4g.*
137 | - trn1.*
138 | - trn1n.*
139 | - trn2.*
140 | - u-12tb1.*
141 | - u-18tb1.*
142 | - u-24tb1.*
143 | - u-3tb1.*
144 | - u-6tb1.*
145 | - u-9tb1.*
146 | - u7i-12tb.*
147 | - u7i-6tb.*
148 | - u7i-8tb.*
149 | - u7in-16tb.*
150 | - u7in-24tb.*
151 | - u7in-32tb.*
152 | - vt1.*
153 | - x2gd.*
154 | - x2idn.*
155 | - x2iedn.*
156 | - x2iezn.*
157 | - x8g.*
158 | - z1d.*
159 |
160 | resources:
161 | - "arn:aws:ec2:*:*:instance/*"
162 |
163 | # This policy denies instance types that do not support Encryption-in-Transit as
164 | # described in the following document:
165 | # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html#encryption-transit
166 | # and enumerated by the following command (adapted from the command specified in the documentation):
167 | #
168 | # aws --region us-east-1 ec2 describe-instance-types \
169 | # --filters Name=network-info.encryption-in-transit-supported,Values=true \
170 | # --query "InstanceTypes[*].[InstanceType]" --output text | \
171 | # cut -f 1 -d. | sort | uniq | awk '{print " - " $0 ".*"}'
172 | #
173 | # However, that the command only lists instance types available in the specified region. To be
174 | # fully comprehensive, the command should be run in all regions where instances are launched.
175 | # As a shortcut, we only run the command in the default regions (those that do not require opt-in).
176 | # To date, it appears that the combination of us-east-1, us-east-2, us-west-2, and eu-west-1
177 | # regions combined appear to cover all instance types.
178 | #
179 | # In order to fit within the 5120-character limit for policies
180 | # (See https://docs.aws.amazon.com/organizations/latest/userguide/org_troubleshoot_policies.html )
181 | # only the instance family is checked, not the specific instance type. AWS support
182 | # has confirmed that this is in fact correct, and spot checking has failed to
183 | # find any instance families that have mixed support for encryption in transit based on size.
184 |
185 | - sid: "DenyEC2InstancesWithoutEncryptionInTransit"
186 | effect: "Deny"
187 | actions:
188 | - "ec2:RunInstances"
189 | condition:
190 | - test: "StringNotLike"
191 | variable: "ec2:InstanceType"
192 | values:
193 | # updated 2025-02-14
194 | - c5a.*
195 | - c5ad.*
196 | - c5n.*
197 | - c6a.*
198 | - c6gn.*
199 | - c6i.*
200 | - c6id.*
201 | - c6in.*
202 | - c7a.*
203 | - c7g.*
204 | - c7gd.*
205 | - c7gn.*
206 | - c7i-flex.*
207 | - c7i.*
208 | - c8g.*
209 | - d3.*
210 | - d3en.*
211 | - dl1.*
212 | - dl2q.*
213 | - f2.*
214 | - g4ad.*
215 | - g4dn.*
216 | - g5.*
217 | - g6.*
218 | - g6e.*
219 | - gr6.*
220 | - hpc6a.*
221 | - hpc6id.*
222 | - hpc7a.*
223 | - hpc7g.*
224 | - i3en.*
225 | - i4g.*
226 | - i4i.*
227 | - i7ie.*
228 | - i8g.*
229 | - im4gn.*
230 | - inf1.*
231 | - inf2.*
232 | - is4gen.*
233 | - m5dn.*
234 | - m5n.*
235 | - m5zn.*
236 | - m6a.*
237 | - m6i.*
238 | - m6id.*
239 | - m6idn.*
240 | - m6in.*
241 | - m7a.*
242 | - m7g.*
243 | - m7gd.*
244 | - m7i-flex.*
245 | - m7i.*
246 | - m8g.*
247 | - p3dn.*
248 | - p4d.*
249 | - p5.*
250 | - p5e.*
251 | - p5en.*
252 | - r5dn.*
253 | - r5n.*
254 | - r6a.*
255 | - r6i.*
256 | - r6id.*
257 | - r6idn.*
258 | - r6in.*
259 | - r7a.*
260 | - r7g.*
261 | - r7gd.*
262 | - r7i.*
263 | - r7iz.*
264 | - r8g.*
265 | - trn1.*
266 | - trn1n.*
267 | - trn2.*
268 | - u-12tb1.*
269 | - u-18tb1.*
270 | - u-24tb1.*
271 | - u-3tb1.*
272 | - u-6tb1.*
273 | - u-9tb1.*
274 | - u7i-12tb.*
275 | - u7i-6tb.*
276 | - u7i-8tb.*
277 | - u7in-16tb.*
278 | - u7in-24tb.*
279 | - u7in-32tb.*
280 | - vt1.*
281 | - x2idn.*
282 | - x2iedn.*
283 | - x2iezn.*
284 | - x8g.*
285 |
286 | resources:
287 | - "arn:aws:ec2:*:*:instance/*"
288 |
289 | - sid: "DenyEC2PublicAMI"
290 | effect: "Deny"
291 | actions:
292 | - "ec2:RunInstances"
293 | condition:
294 | - test: "Bool"
295 | variable: "ec2:Public"
296 | values:
297 | - true
298 | resources:
299 | - "arn:aws:ec2:*::image/*"
300 |
301 | - sid: "DenyEC2AssociatePublicIp"
302 | effect: "Deny"
303 | actions:
304 | - "ec2:RunInstances"
305 | condition:
306 | - test: "Bool"
307 | variable: "ec2:AssociatePublicIpAddress"
308 | values:
309 | - true
310 | resources:
311 | - "arn:aws:ec2:*:*:network-interface/*"
312 |
313 | - sid: "DenyEC2WithNoIMDSv2"
314 | effect: "Deny"
315 | actions:
316 | - "ec2:RunInstances"
317 | condition:
318 | - test: "StringNotEquals"
319 | variable: "ec2:MetadataHttpTokens"
320 | values:
321 | - "required"
322 | resources:
323 | - "arn:aws:ec2:*:*:instance/*"
324 |
325 | - sid: "DenyEC2ApiWithNoMFA"
326 | effect: "Deny"
327 | actions:
328 | - "ec2:StopInstances"
329 | - "ec2:TerminateInstances"
330 | - "ec2:SendDiagnosticInterrupt"
331 | condition:
332 | - test: "BoolIfExists"
333 | variable: "aws:MultiFactorAuthPresent"
334 | values:
335 | - false
336 | resources:
337 | - "*"
338 |
339 | - sid: "RequireEBSEncryption"
340 | effect: "Deny"
341 | actions:
342 | - "ec2:CreateVolume"
343 | condition:
344 | - test: "Bool"
345 | variable: "ec2:Encrypted"
346 | values:
347 | - false
348 | resources:
349 | - "*"
350 |
--------------------------------------------------------------------------------
/catalog/ec2-templates/DenyEC2AMINotCreatedBy.yaml:
--------------------------------------------------------------------------------
1 | # Requires parameter:
2 | # - ami_creator_account
3 |
4 | - sid: "DenyEC2AMINotCreatedBy"
5 | effect: "Deny"
6 | actions:
7 | - "ec2:RunInstances"
8 | condition:
9 | - test: "StringNotEquals"
10 | variable: "ec2:Owner"
11 | values:
12 | - "${ami_creator_account}"
13 | resources:
14 | - "arn:aws:ec2:*::image/ami-*"
15 |
--------------------------------------------------------------------------------
/catalog/ec2-templates/DenyEC2AMIWithNoResourceTag.yaml:
--------------------------------------------------------------------------------
1 | # Requires parameters:
2 | # - ami_tag_key
3 | # - ami_tag_value
4 |
5 | - sid: "DenyEC2AMIWithNoResourceTag"
6 | effect: "Deny"
7 | actions:
8 | - "ec2:RunInstances"
9 | condition:
10 | - test: "StringNotEqualsIgnoreCase"
11 | variable: "ec2:ResourceTag/${ami_tag_key}"
12 | values:
13 | - "${ami_tag_value}"
14 | resources:
15 | - "arn:aws:ec2:*::image/ami-*"
16 |
17 |
--------------------------------------------------------------------------------
/catalog/guardduty-policies.yaml:
--------------------------------------------------------------------------------
1 | - sid: "DenyGuardDutyDisassociation"
2 | effect: "Deny"
3 | actions:
4 | - "guardduty:DisassociateFromMasterAccount"
5 | resources:
6 | - "*"
7 |
8 | - sid: "DenyDisablingGuardDuty"
9 | effect: "Deny"
10 | actions:
11 | - "guardduty:AcceptInvitation"
12 | - "guardduty:ArchiveFindings"
13 | - "guardduty:CreateDetector"
14 | - "guardduty:CreateFilter"
15 | - "guardduty:CreateIPSet"
16 | - "guardduty:CreateMembers"
17 | - "guardduty:CreatePublishingDestination"
18 | - "guardduty:CreateSampleFindings"
19 | - "guardduty:CreateThreatIntelSet"
20 | - "guardduty:DeclineInvitations"
21 | - "guardduty:DeleteDetector"
22 | - "guardduty:DeleteFilter"
23 | - "guardduty:DeleteInvitations"
24 | - "guardduty:DeleteIPSet"
25 | - "guardduty:DeleteMembers"
26 | - "guardduty:DeletePublishingDestination"
27 | - "guardduty:DeleteThreatIntelSet"
28 | - "guardduty:DisassociateFromMasterAccount"
29 | - "guardduty:DisassociateMembers"
30 | - "guardduty:InviteMembers"
31 | - "guardduty:StartMonitoringMembers"
32 | - "guardduty:StopMonitoringMembers"
33 | - "guardduty:TagResource"
34 | - "guardduty:UnarchiveFindings"
35 | - "guardduty:UntagResource"
36 | - "guardduty:UpdateDetector"
37 | - "guardduty:UpdateFilter"
38 | - "guardduty:UpdateFindingsFeedback"
39 | - "guardduty:UpdateIPSet"
40 | - "guardduty:UpdatePublishingDestination"
41 | - "guardduty:UpdateThreatIntelSet"
42 | resources:
43 | - "*"
44 |
--------------------------------------------------------------------------------
/catalog/iam-policies.yaml:
--------------------------------------------------------------------------------
1 | - sid: "DenyIAMCreatingUsers"
2 | effect: "Deny"
3 | actions:
4 | - "iam:CreateUser"
5 | - "iam:CreateAccessKey"
6 | resources:
7 | - "*"
8 |
9 | - sid: "DenyIAMRolesChanges"
10 | effect: "Deny"
11 | actions:
12 | - "iam:AttachRolePolicy"
13 | - "iam:DeleteRole"
14 | - "iam:DeleteRolePermissionsBoundary"
15 | - "iam:DeleteRolePolicy"
16 | - "iam:DetachRolePolicy"
17 | - "iam:PutRolePermissionsBoundary"
18 | - "iam:PutRolePolicy"
19 | - "iam:UpdateAssumeRolePolicy"
20 | - "iam:UpdateRole"
21 | - "iam:UpdateRoleDescription"
22 | resources:
23 | - "*"
24 |
25 | - sid: "DenyIAMNoMFA"
26 | effect: "Deny"
27 | not_actions:
28 | - "iam:CreateVirtualMFADevice"
29 | - "iam:EnableMFADevice"
30 | - "iam:GetUser"
31 | - "iam:ListMFADevices"
32 | - "iam:ListVirtualMFADevices"
33 | - "iam:ResyncMFADevice"
34 | - "sts:GetSessionToken"
35 | condition:
36 | - test: "BoolIfExists"
37 | variable: "aws:MultiFactorAuthPresent"
38 | values:
39 | - false
40 | resources:
41 | - "*"
42 |
43 | - sid: "DenyIAMRootAccount"
44 | effect: "Deny"
45 | actions:
46 | - "*"
47 | condition:
48 | - test: "StringLike"
49 | variable: "aws:PrincipalArn"
50 | values:
51 | - "arn:aws:iam::*:root"
52 | resources:
53 | - "*"
54 |
--------------------------------------------------------------------------------
/catalog/kms-policies.yaml:
--------------------------------------------------------------------------------
1 | - sid: "DenyDeletingKMSKeys"
2 | effect: "Deny"
3 | actions:
4 | - "kms:ScheduleKeyDeletion"
5 | - "kms:Delete*"
6 | resources:
7 | - "*"
8 |
--------------------------------------------------------------------------------
/catalog/lambda-policies.yaml:
--------------------------------------------------------------------------------
1 | - sid: "DenyLambdaWithoutVpc"
2 | effect: "Deny"
3 | actions:
4 | - "lambda:CreateFunction"
5 | - "lambda:UpdateFunctionConfiguration"
6 | condition:
7 | - test: "Null"
8 | variable: "lambda:VpcIds"
9 | values:
10 | - true
11 | resources:
12 | - "*"
13 |
--------------------------------------------------------------------------------
/catalog/organization-policies.yaml:
--------------------------------------------------------------------------------
1 | - sid: "DenyLeavingOrganization"
2 | effect: "Deny"
3 | actions:
4 | - "organizations:LeaveOrganization"
5 | resources:
6 | - "*"
7 |
8 | - sid: "DenyRootAccountAccess"
9 | effect: "Deny"
10 | actions:
11 | - "*"
12 | condition:
13 | - test: "StringLike"
14 | variable: "aws:PrincipalArn"
15 | values:
16 | - "arn:aws:iam::*:root"
17 | resources:
18 | - "*"
19 |
--------------------------------------------------------------------------------
/catalog/rds-policies.yaml:
--------------------------------------------------------------------------------
1 | - sid: "DenyRDSUnencrypted"
2 | effect: "Deny"
3 | actions:
4 | - "rds:CreateDBCluster"
5 | - "rds:CreateDBInstance"
6 | - "rds:RestoreDBClusterFromS3"
7 | - "rds:RestoreDBInstanceFromS3"
8 | - "rds:RestoreDBClusterFromSnapshot"
9 | - "rds:RestoreDBClusterToPointInTime"
10 | condition:
11 | - test: "Bool"
12 | variable: "rds:StorageEncrypted"
13 | values:
14 | - false
15 | resources:
16 | - "*"
17 |
--------------------------------------------------------------------------------
/catalog/region-restriction-templates/DenyRegions.yaml:
--------------------------------------------------------------------------------
1 | # Requires parameter:
2 | # - denied_regions # Comma separated list of regions in which to prohibit operations
3 |
4 | # https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html#examples_general
5 | - sid: "DenyRegions"
6 | effect: "Deny"
7 | not_actions:
8 | - "a4b:*"
9 | - "account:*"
10 | - "acm:*"
11 | - "artifact:*"
12 | - "aws-marketplace-management:*"
13 | - "aws-marketplace:*"
14 | - "aws-portal:*"
15 | - "budgets:*"
16 | - "ce:*"
17 | - "chime:*"
18 | - "cloudfront:*"
19 | - "config:*"
20 | - "cur:*"
21 | - "directconnect:*"
22 | - "ec2:DescribeRegions"
23 | - "ec2:DescribeTransitGateways"
24 | - "ec2:DescribeVpnGateways"
25 | - "fms:*"
26 | - "globalaccelerator:*"
27 | - "health:*"
28 | - "iam:*"
29 | - "importexport:*"
30 | - "kms:*"
31 | - "mobileanalytics:*"
32 | - "networkmanager:*"
33 | - "organizations:*"
34 | - "pricing:*"
35 | - "route53:*"
36 | - "route53domains:*"
37 | - "s3:GetAccountPublic*"
38 | - "s3:ListAllMyBuckets"
39 | - "s3:PutAccountPublic*"
40 | - "shield:*"
41 | - "sts:*"
42 | - "support:*"
43 | - "supportplans:*"
44 | - "trustedadvisor:*"
45 | - "waf-regional:*"
46 | - "waf:*"
47 | - "wafv2:*"
48 | - "wellarchitected:*"
49 | condition:
50 | - test: "StringEqualsIgnoreCase"
51 | variable: "aws:RequestedRegion"
52 | # List of denied regions
53 | values:
54 | %{ for r in split(",", denied_regions) }
55 | - ${trimspace(r)}
56 | %{ endfor }
57 | resources:
58 | - "*"
59 |
--------------------------------------------------------------------------------
/catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml:
--------------------------------------------------------------------------------
1 | # Requires parameter:
2 | # - allowed_regions # Comma separated list of regions in which to allow operations
3 |
4 | # https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html#examples_general
5 | - sid: "RestrictToSpecifiedRegions"
6 | effect: "Deny"
7 | not_actions:
8 | - "a4b:*"
9 | - "account:*"
10 | - "acm:*"
11 | - "artifact:*"
12 | - "aws-marketplace-management:*"
13 | - "aws-marketplace:*"
14 | - "aws-portal:*"
15 | - "budgets:*"
16 | - "ce:*"
17 | - "chime:*"
18 | - "cloudfront:*"
19 | - "config:*"
20 | - "cur:*"
21 | - "directconnect:*"
22 | - "ec2:DescribeRegions"
23 | - "ec2:DescribeTransitGateways"
24 | - "ec2:DescribeVpnGateways"
25 | - "fms:*"
26 | - "globalaccelerator:*"
27 | - "health:*"
28 | - "iam:*"
29 | - "importexport:*"
30 | - "kms:*"
31 | - "mobileanalytics:*"
32 | - "networkmanager:*"
33 | - "organizations:*"
34 | - "pricing:*"
35 | - "route53:*"
36 | - "route53domains:*"
37 | - "s3:GetAccountPublic*"
38 | - "s3:ListAllMyBuckets"
39 | - "s3:PutAccountPublic*"
40 | - "shield:*"
41 | - "sts:*"
42 | - "support:*"
43 | - "supportplans:*"
44 | - "trustedadvisor:*"
45 | - "waf-regional:*"
46 | - "waf:*"
47 | - "wafv2:*"
48 | - "wellarchitected:*"
49 | condition:
50 | - test: "StringNotEqualsIgnoreCase"
51 | variable: "aws:RequestedRegion"
52 | # List of allowed regions
53 | values:
54 | %{ for r in split(",", allowed_regions) }
55 | - ${trimspace(r)}
56 | %{ endfor }
57 | resources:
58 | - "*"
59 |
--------------------------------------------------------------------------------
/catalog/route53-policies.yaml:
--------------------------------------------------------------------------------
1 | - sid: "DenyRoute53DeletingZones"
2 | effect: "Deny"
3 | actions:
4 | - "route53:DeleteHostedZone"
5 | resources:
6 | - "*"
7 |
--------------------------------------------------------------------------------
/catalog/s3-policies.yaml:
--------------------------------------------------------------------------------
1 | - sid: "DenyS3DeleteBucketsAndObjects"
2 | effect: "Deny"
3 | actions:
4 | - "s3:DeleteBucket"
5 | - "s3:DeleteObject"
6 | - "s3:DeleteObjectVersion"
7 | resources:
8 | - "*"
9 |
10 | - sid: "DenyS3BucketsPublicAccess"
11 | effect: "Deny"
12 | actions:
13 | - "s3:PutBucketPublicAccessBlock"
14 | resources:
15 | - "*"
16 |
17 | - sid: "DenyS3IncorrectEncryptionHeader"
18 | effect: "Deny"
19 | actions:
20 | - "s3:PutObject"
21 | condition:
22 | - test: "StringNotEquals"
23 | variable: "s3:x-amz-server-side-encryption"
24 | values:
25 | - "AES256"
26 | - "aws:kms"
27 | resources:
28 | - "*"
29 |
30 | - sid: "DenyS3UnEncryptedObjectUploads"
31 | effect: "Deny"
32 | actions:
33 | - "s3:PutObject"
34 | condition:
35 | - test: "Bool"
36 | variable: "s3:x-amz-server-side-encryption"
37 | values:
38 | - true
39 | resources:
40 | - "*"
41 |
--------------------------------------------------------------------------------
/catalog/s3-templates/DenyS3InNonSelectedRegion.yaml:
--------------------------------------------------------------------------------
1 | # Requires parameter:
2 | # - s3_regions_lockdown # Comma separated list of regions or region patterns in which to allow S3 bucket creation
3 | #
4 | # NOTE: "us-east-1" is the default region, and is indicated by `s3:LocationConstraint`
5 | # being null. We allow "us-east-1" as a value because it is easier and does not
6 | # hurt, but it is not effective. We have to test for the presence of the value
7 | # (or lack thereof) to manage that region, which we do with a separate test.
8 |
9 | - sid: "DenyS3InNonSelectedRegion"
10 | effect: "Deny"
11 | actions:
12 | - "s3:CreateBucket"
13 | condition:
14 | - test: "StringNotLike"
15 | variable: "s3:LocationConstraint"
16 | # The regions where the creation of buckets will be allowed
17 | values:
18 | %{ for r in split(",", s3_regions_lockdown) }
19 | - ${trimspace(r)}
20 | %{ endfor }
21 | # Separate test for us-east-1, which is the default region
22 | %{ if contains(split(",", s3_regions_lockdown), "us-east-1") }
23 | - test: "Null"
24 | variable: "s3:LocationConstraint"
25 | # The regions where the creation of buckets will be allowed
26 | values:
27 | - false
28 | %{ endif }
29 |
30 | resources:
31 | - "arn:aws:s3:::*"
32 |
--------------------------------------------------------------------------------
/catalog/sagemaker-policies.yaml:
--------------------------------------------------------------------------------
1 | - sid: "DenySagemakerDirectInternetNotebook"
2 | effect: "Deny"
3 | actions:
4 | - "sagemaker:CreateNotebookInstance"
5 | condition:
6 | - test: "StringNotEquals"
7 | variable: "sagemaker:DirectInternetAccess"
8 | values:
9 | - "Disabled"
10 | resources:
11 | - "*"
12 |
13 | - sid: "DenySagemakerWithoutRootAccess"
14 | effect: "Deny"
15 | actions:
16 | - "sagemaker:CreateNotebookInstance"
17 | - "sagemaker:UpdateNotebookInstance"
18 | condition:
19 | - test: "StringNotEquals"
20 | variable: "sagemaker:RootAccess"
21 | values:
22 | - "Enabled"
23 | resources:
24 | - "*"
25 |
26 | - sid: "DenySagemakerWithoutInterContainerEncrypt"
27 | effect: "Deny"
28 | actions:
29 | - "sagemaker:CreateAutoMLJob"
30 | - "sagemaker:CreateDataQualityJobDefinition"
31 | - "sagemaker:CreateHyperParameterTuningJob"
32 | - "sagemaker:CreateModelBiasJobDefinition"
33 | - "sagemaker:CreateModelExplainabilityJobDefinition"
34 | - "sagemaker:CreateModelQualityJobDefinition"
35 | - "sagemaker:CreateMonitoringSchedule"
36 | - "sagemaker:CreateProcessingJob"
37 | - "sagemaker:CreateTrainingJob"
38 | condition:
39 | - test: "Bool"
40 | variable: "sagemaker:InterContainerTrafficEncryption"
41 | values:
42 | - false
43 | resources:
44 | - "*"
45 |
46 | - sid: "DenyeSagemakerWithoutVpcDomain"
47 | effect: "Deny"
48 | actions:
49 | - "sagemaker:CreateDomain"
50 | condition:
51 | - test: "StringEquals"
52 | variable: "sagemaker:AppNetworkAccessType"
53 | values:
54 | - "PublicInternetOnly"
55 | resources:
56 | - "*"
57 |
--------------------------------------------------------------------------------
/catalog/shield-policies.yaml:
--------------------------------------------------------------------------------
1 | - sid: "DenyShieldlRemoval"
2 | effect: "Deny"
3 | actions:
4 | - "shield:DeleteProtection"
5 | - "shield:DeleteSubscription"
6 | - "shield:DisassociateDRTLogBucket"
7 | - "shield:DisassociateDRTRole"
8 | - "shield:UpdateEmergencyContactSettings"
9 | resources:
10 | - "*"
11 |
--------------------------------------------------------------------------------
/catalog/vpc-policies.yaml:
--------------------------------------------------------------------------------
1 | - sid: "DenyVpcDeletingFlowLogs"
2 | effect: "Deny"
3 | actions:
4 | - "ec2:DeleteFlowLogs"
5 | - "logs:DeleteLogGroup"
6 | - "logs:DeleteLogStream"
7 | resources:
8 | - "*"
9 |
10 | - sid: "DenyVpcInternetAccess"
11 | effect: "Deny"
12 | actions:
13 | - "ec2:AttachInternetGateway"
14 | - "ec2:CreateInternetGateway"
15 | - "ec2:CreateEgressOnlyInternetGateway"
16 | - "ec2:CreateVpcPeeringConnection"
17 | - "ec2:AcceptVpcPeeringConnection"
18 | resources:
19 | - "*"
20 |
--------------------------------------------------------------------------------
/context.tf:
--------------------------------------------------------------------------------
1 | #
2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label
3 | # All other instances of this file should be a copy of that one
4 | #
5 | #
6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf
7 | # and then place it in your Terraform module to automatically get
8 | # Cloud Posse's standard configuration inputs suitable for passing
9 | # to Cloud Posse modules.
10 | #
11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf
12 | #
13 | # Modules should access the whole context as `module.this.context`
14 | # to get the input variables with nulls for defaults,
15 | # for example `context = module.this.context`,
16 | # and access individual variables as `module.this.`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------
/examples/complete/context.tf:
--------------------------------------------------------------------------------
1 | #
2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label
3 | # All other instances of this file should be a copy of that one
4 | #
5 | #
6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf
7 | # and then place it in your Terraform module to automatically get
8 | # Cloud Posse's standard configuration inputs suitable for passing
9 | # to Cloud Posse modules.
10 | #
11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf
12 | #
13 | # Modules should access the whole context as `module.this.context`
14 | # to get the input variables with nulls for defaults,
15 | # for example `context = module.this.context`,
16 | # and access individual variables as `module.this.`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------
/examples/complete/fixtures.us-east-2.tfvars:
--------------------------------------------------------------------------------
1 | enabled = true
2 |
3 | region = "us-east-2"
4 |
5 | namespace = "eg"
6 |
7 | stage = "test"
8 |
9 | name = "scp"
10 |
11 | service_control_policy_description = "Test Service Control Policy"
12 |
13 | parameters = {
14 | ami_creator_account = "account_creator"
15 | ami_tag_key = "ami_tag_key"
16 | ami_tag_value = "ami_tag_value"
17 | allowed_regions = "eu-central-1, eu-west-1"
18 | denied_regions = "sa-east-1"
19 | s3_regions_lockdown = "eu-central-1, eu-west-1"
20 | }
21 |
--------------------------------------------------------------------------------
/examples/complete/main.tf:
--------------------------------------------------------------------------------
1 | module "yaml_config" {
2 | source = "cloudposse/config/yaml"
3 | version = "1.0.2"
4 |
5 | list_config_local_base_path = path.module
6 | list_config_paths = var.list_config_paths
7 |
8 | parameters = var.parameters
9 |
10 | context = module.this.context
11 | }
12 |
13 | data "aws_caller_identity" "this" {}
14 |
15 | module "service_control_policies" {
16 | source = "../../"
17 |
18 | service_control_policy_statements = module.yaml_config.list_configs
19 | service_control_policy_description = var.service_control_policy_description
20 | target_id = data.aws_caller_identity.this.account_id
21 |
22 | context = module.this.context
23 | }
24 |
--------------------------------------------------------------------------------
/examples/complete/outputs.tf:
--------------------------------------------------------------------------------
1 | output "organizations_policy_id" {
2 | value = module.service_control_policies.organizations_policy_id
3 | description = "The unique identifier of the policy"
4 | }
5 |
6 | output "organizations_policy_arn" {
7 | value = module.service_control_policies.organizations_policy_arn
8 | description = "Amazon Resource Name (ARN) of the policy"
9 | }
10 |
--------------------------------------------------------------------------------
/examples/complete/providers.tf:
--------------------------------------------------------------------------------
1 | provider "aws" {
2 | region = var.region
3 | }
4 |
--------------------------------------------------------------------------------
/examples/complete/variables.tf:
--------------------------------------------------------------------------------
1 | variable "region" {
2 | type = string
3 | description = "AWS region"
4 | }
5 |
6 | variable "service_control_policy_description" {
7 | type = string
8 | default = null
9 | description = "Description of the combined Service Control Policy"
10 | }
11 |
12 | variable "parameters" {
13 | type = map(string)
14 | description = "Map of parameters for interpolation within the YAML config templates"
15 | default = {}
16 | }
17 | variable "list_config_paths" {
18 | type = list(string)
19 | description = "Paths to YAML configuration files of list type"
20 | default = []
21 | }
22 |
--------------------------------------------------------------------------------
/examples/complete/versions.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 | required_version = ">= 1.3"
3 |
4 | required_providers {
5 | aws = {
6 | source = "hashicorp/aws"
7 | version = ">= 3.0"
8 | }
9 | local = {
10 | source = "hashicorp/local"
11 | version = ">= 1.3"
12 | }
13 | }
14 | }
15 |
--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
1 | locals {
2 | service_control_policy_statements_map = { for i in var.service_control_policy_statements : i.sid => i }
3 |
4 | statements = flatten([for i in data.aws_iam_policy_document.this : jsondecode(i.json).Statement])
5 | version = try(jsondecode(values(data.aws_iam_policy_document.this)[0].json).Version, null)
6 |
7 | service_control_policy_json = jsonencode(
8 | {
9 | Version = local.version
10 | Statement = local.statements
11 | }
12 | )
13 | }
14 |
15 | data "aws_iam_policy_document" "this" {
16 | for_each = local.service_control_policy_statements_map
17 |
18 | statement {
19 | sid = each.value.sid
20 | effect = each.value.effect
21 | actions = try(each.value.actions, null)
22 | not_actions = try(each.value.not_actions, null)
23 | resources = each.value.resources
24 |
25 | dynamic "condition" {
26 | for_each = try(each.value.condition, null) != null ? each.value.condition : []
27 |
28 | content {
29 | test = condition.value.test
30 | variable = condition.value.variable
31 | values = condition.value.values
32 | }
33 | }
34 | }
35 | }
36 |
37 | resource "aws_organizations_policy" "this" {
38 | count = module.this.enabled && length(var.service_control_policy_statements) > 0 ? 1 : 0
39 | name = module.this.id
40 | description = var.service_control_policy_description
41 | content = local.service_control_policy_json
42 | tags = module.this.tags
43 | }
44 |
45 | resource "aws_organizations_policy_attachment" "this" {
46 | count = module.this.enabled && length(var.service_control_policy_statements) > 0 ? 1 : 0
47 | policy_id = join("", aws_organizations_policy.this[*].id)
48 | target_id = var.target_id
49 | }
50 |
--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
1 | output "organizations_policy_id" {
2 | value = join("", aws_organizations_policy.this[*].id)
3 | description = "The unique identifier of the policy"
4 | }
5 |
6 | output "organizations_policy_arn" {
7 | value = join("", aws_organizations_policy.this[*].arn)
8 | description = "Amazon Resource Name (ARN) of the policy"
9 | }
10 |
--------------------------------------------------------------------------------
/test/.gitignore:
--------------------------------------------------------------------------------
1 | .test-harness
2 | .envrc
3 |
--------------------------------------------------------------------------------
/test/Makefile:
--------------------------------------------------------------------------------
1 | TEST_HARNESS ?= https://github.com/cloudposse/test-harness.git
2 | TEST_HARNESS_BRANCH ?= master
3 | TEST_HARNESS_PATH = $(realpath .test-harness)
4 | BATS_ARGS ?= --tap
5 | BATS_LOG ?= test.log
6 |
7 | # Define a macro to run the tests
8 | define RUN_TESTS
9 | @echo "Running tests in $(1)"
10 | @cd $(1) && bats $(BATS_ARGS) $(addsuffix .bats,$(addprefix $(TEST_HARNESS_PATH)/test/terraform/,$(TESTS)))
11 | endef
12 |
13 | default: all
14 |
15 | -include Makefile.*
16 |
17 | ## Provision the test-harnesss
18 | .test-harness:
19 | [ -d $@ ] || git clone --depth=1 -b $(TEST_HARNESS_BRANCH) $(TEST_HARNESS) $@
20 |
21 | ## Initialize the tests
22 | init: .test-harness
23 |
24 | ## Install all dependencies (OS specific)
25 | deps::
26 | @exit 0
27 |
28 | ## Clean up the test harness
29 | clean:
30 | [ "$(TEST_HARNESS_PATH)" == "/" ] || rm -rf $(TEST_HARNESS_PATH)
31 |
32 | ## Run all tests
33 | all: module examples/complete
34 |
35 | ## Run basic sanity checks against the module itself
36 | module: export TESTS ?= installed lint module-pinning provider-pinning validate terraform-docs input-descriptions output-descriptions
37 | module: deps
38 | $(call RUN_TESTS, ../)
39 |
40 | ## Run tests against example
41 | examples/complete: export TESTS ?= installed lint validate
42 | examples/complete: deps
43 | $(call RUN_TESTS, ../$@)
44 |
--------------------------------------------------------------------------------
/test/Makefile.alpine:
--------------------------------------------------------------------------------
1 | ifneq (,$(wildcard /sbin/apk))
2 | ## Install all dependencies for alpine
3 | deps:: init
4 | @apk add --update terraform-docs@cloudposse json2hcl@cloudposse
5 | endif
6 |
--------------------------------------------------------------------------------
/test/src/.gitignore:
--------------------------------------------------------------------------------
1 | .gopath
2 | vendor/
3 |
--------------------------------------------------------------------------------
/test/src/Makefile:
--------------------------------------------------------------------------------
1 | export TERRAFORM_VERSION ?= $(shell curl -s https://checkpoint-api.hashicorp.com/v1/check/terraform | jq -r -M '.current_version' | cut -d. -f1)
2 |
3 | .DEFAULT_GOAL : all
4 | .PHONY: all
5 |
6 | ## Default target
7 | all: test
8 |
9 | .PHONY : init
10 | ## Initialize tests
11 | init:
12 | @exit 0
13 |
14 | .PHONY : test
15 | ## Run tests
16 | test: init
17 | go mod download
18 | go test -v -timeout 60m
19 |
20 | ## Run tests in docker container
21 | docker/test:
22 | docker run --name terratest --rm -it -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e GITHUB_TOKEN \
23 | -e PATH="/usr/local/terraform/$(TERRAFORM_VERSION)/bin:/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
24 | -v $(CURDIR)/../../:/module/ cloudposse/test-harness:latest -C /module/test/src test
25 |
26 | .PHONY : clean
27 | ## Clean up files
28 | clean:
29 | rm -rf ../../examples/complete/*.tfstate*
30 |
--------------------------------------------------------------------------------
/test/src/examples_complete_test.go:
--------------------------------------------------------------------------------
1 | package test
2 |
3 | import (
4 | "github.com/gruntwork-io/terratest/modules/logger"
5 | "github.com/gruntwork-io/terratest/modules/random"
6 | "github.com/gruntwork-io/terratest/modules/terraform"
7 | test_structure "github.com/gruntwork-io/terratest/modules/test-structure"
8 | "github.com/stretchr/testify/assert"
9 | "log"
10 | "os"
11 | "path"
12 | "path/filepath"
13 | "regexp"
14 | "strings"
15 | "testing"
16 | )
17 |
18 | func cleanup(t *testing.T, terraformOptions *terraform.Options, tempTestFolder string) {
19 | terraform.Destroy(t, terraformOptions)
20 | }
21 |
22 | func applyPolicies(t *testing.T, tempTestFolder string, policyFile string) {
23 | randID := strings.ToLower(random.UniqueId())
24 | attributes := []string{randID}
25 |
26 | varFiles := []string{"fixtures.us-east-2.tfvars"}
27 | terraformOptions := &terraform.Options{
28 | // The path to where our Terraform code is located
29 | TerraformDir: tempTestFolder,
30 | Upgrade: true,
31 | // Variables to pass to our Terraform code using -var-file options
32 | VarFiles: varFiles,
33 | Vars: map[string]interface{}{
34 | "attributes": attributes,
35 | "list_config_paths": []string{policyFile},
36 | },
37 | }
38 | // Keep the output quiet
39 | if !testing.Verbose() {
40 | terraformOptions.Logger = logger.Discard
41 | }
42 |
43 | // At the end of the test, run `terraform destroy` to clean up any resources that were created
44 | defer cleanup(t, terraformOptions, tempTestFolder)
45 |
46 | // This will run `terraform init` and `terraform apply` and fail the test if there are any errors
47 | terraform.InitAndApply(t, terraformOptions)
48 |
49 | // Run `terraform output` to get the value of an output variable
50 | organizationsPolicyId := terraform.Output(t, terraformOptions, "organizations_policy_id")
51 | // Verify we're getting back the outputs we expect
52 | assert.NotEmpty(t, organizationsPolicyId)
53 |
54 | // Run `terraform output` to get the value of an output variable
55 | organizationsPolicyArn := terraform.Output(t, terraformOptions, "organizations_policy_arn")
56 | // Verify we're getting back the outputs we expect
57 | assert.Contains(t, organizationsPolicyArn, "/service_control_policy/"+organizationsPolicyId)
58 | }
59 |
60 |
61 | // Test the Terraform module in examples/complete using Terratest.
62 | func TestExamplesComplete(t *testing.T) {
63 | rootFolder := "../../"
64 | terraformFolderRelativeToRoot := "examples/complete"
65 |
66 | tempTestFolder := test_structure.CopyTerraformFolderToTemp(t, rootFolder, terraformFolderRelativeToRoot)
67 | defer os.RemoveAll(tempTestFolder)
68 |
69 | catalogRegEx, e := regexp.Compile("^.+\\.(yaml)$")
70 | if e != nil {
71 | log.Fatal(e)
72 | }
73 |
74 | e = filepath.Walk(path.Join(path.Dir(rootFolder), "./catalog"), func(path string, info os.FileInfo, err error) error {
75 | if err == nil && catalogRegEx.MatchString(info.Name()) {
76 | applyPolicies(t, tempTestFolder, path)
77 | }
78 | return nil
79 | })
80 | if e != nil {
81 | log.Fatal(e)
82 | }
83 | }
84 |
--------------------------------------------------------------------------------
/test/src/go.mod:
--------------------------------------------------------------------------------
1 | module github.com/cloudposse/terraform-aws-service-control-policies
2 |
3 | go 1.21
4 |
5 | require (
6 | github.com/gruntwork-io/terratest v0.46.13
7 | github.com/stretchr/testify v1.9.0
8 | )
9 |
10 | require (
11 | cloud.google.com/go v0.112.2 // indirect
12 | cloud.google.com/go/compute v1.25.1 // indirect
13 | cloud.google.com/go/compute/metadata v0.2.3 // indirect
14 | cloud.google.com/go/iam v1.1.7 // indirect
15 | cloud.google.com/go/storage v1.40.0 // indirect
16 | github.com/agext/levenshtein v1.2.3 // indirect
17 | github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
18 | github.com/aws/aws-sdk-go v1.51.20 // indirect
19 | github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
20 | github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
21 | github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
22 | github.com/davecgh/go-spew v1.1.1 // indirect
23 | github.com/emicklei/go-restful/v3 v3.9.0 // indirect
24 | github.com/felixge/httpsnoop v1.0.4 // indirect
25 | github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 // indirect
26 | github.com/go-logr/logr v1.4.1 // indirect
27 | github.com/go-logr/stdr v1.2.2 // indirect
28 | github.com/go-openapi/jsonpointer v0.19.6 // indirect
29 | github.com/go-openapi/jsonreference v0.20.2 // indirect
30 | github.com/go-openapi/swag v0.22.3 // indirect
31 | github.com/go-sql-driver/mysql v1.4.1 // indirect
32 | github.com/gogo/protobuf v1.3.2 // indirect
33 | github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
34 | github.com/golang/protobuf v1.5.4 // indirect
35 | github.com/google/gnostic-models v0.6.8 // indirect
36 | github.com/google/go-cmp v0.6.0 // indirect
37 | github.com/google/gofuzz v1.2.0 // indirect
38 | github.com/google/s2a-go v0.1.7 // indirect
39 | github.com/google/uuid v1.6.0 // indirect
40 | github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
41 | github.com/googleapis/gax-go/v2 v2.12.3 // indirect
42 | github.com/gruntwork-io/go-commons v0.8.0 // indirect
43 | github.com/hashicorp/errwrap v1.1.0 // indirect
44 | github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
45 | github.com/hashicorp/go-getter v1.7.5 // indirect
46 | github.com/hashicorp/go-multierror v1.1.1 // indirect
47 | github.com/hashicorp/go-safetemp v1.0.0 // indirect
48 | github.com/hashicorp/go-version v1.6.0 // indirect
49 | github.com/hashicorp/hcl/v2 v2.20.1 // indirect
50 | github.com/hashicorp/terraform-json v0.21.0 // indirect
51 | github.com/imdario/mergo v0.3.11 // indirect
52 | github.com/jinzhu/copier v0.4.0 // indirect
53 | github.com/jmespath/go-jmespath v0.4.0 // indirect
54 | github.com/josharian/intern v1.0.0 // indirect
55 | github.com/json-iterator/go v1.1.12 // indirect
56 | github.com/klauspost/compress v1.17.8 // indirect
57 | github.com/mailru/easyjson v0.7.7 // indirect
58 | github.com/mattn/go-zglob v0.0.4 // indirect
59 | github.com/mitchellh/go-homedir v1.1.0 // indirect
60 | github.com/mitchellh/go-testing-interface v1.14.1 // indirect
61 | github.com/mitchellh/go-wordwrap v1.0.1 // indirect
62 | github.com/moby/spdystream v0.2.0 // indirect
63 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
64 | github.com/modern-go/reflect2 v1.0.2 // indirect
65 | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
66 | github.com/pmezard/go-difflib v1.0.0 // indirect
67 | github.com/pquerna/otp v1.2.0 // indirect
68 | github.com/russross/blackfriday/v2 v2.1.0 // indirect
69 | github.com/spf13/pflag v1.0.5 // indirect
70 | github.com/tmccombs/hcl2json v0.6.2 // indirect
71 | github.com/ulikunitz/xz v0.5.12 // indirect
72 | github.com/urfave/cli v1.22.2 // indirect
73 | github.com/zclconf/go-cty v1.14.4 // indirect
74 | go.opencensus.io v0.24.0 // indirect
75 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.50.0 // indirect
76 | go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 // indirect
77 | go.opentelemetry.io/otel v1.25.0 // indirect
78 | go.opentelemetry.io/otel/metric v1.25.0 // indirect
79 | go.opentelemetry.io/otel/trace v1.25.0 // indirect
80 | golang.org/x/crypto v0.22.0 // indirect
81 | golang.org/x/mod v0.17.0 // indirect
82 | golang.org/x/net v0.24.0 // indirect
83 | golang.org/x/oauth2 v0.19.0 // indirect
84 | golang.org/x/sync v0.7.0 // indirect
85 | golang.org/x/sys v0.19.0 // indirect
86 | golang.org/x/term v0.19.0 // indirect
87 | golang.org/x/text v0.14.0 // indirect
88 | golang.org/x/time v0.5.0 // indirect
89 | golang.org/x/tools v0.20.0 // indirect
90 | google.golang.org/api v0.172.0 // indirect
91 | google.golang.org/appengine v1.6.8 // indirect
92 | google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda // indirect
93 | google.golang.org/genproto/googleapis/api v0.0.0-20240401170217-c3f982113cda // indirect
94 | google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda // indirect
95 | google.golang.org/grpc v1.63.2 // indirect
96 | google.golang.org/protobuf v1.33.0 // indirect
97 | gopkg.in/inf.v0 v0.9.1 // indirect
98 | gopkg.in/yaml.v2 v2.4.0 // indirect
99 | gopkg.in/yaml.v3 v3.0.1 // indirect
100 | k8s.io/api v0.28.4 // indirect
101 | k8s.io/apimachinery v0.28.4 // indirect
102 | k8s.io/client-go v0.28.4 // indirect
103 | k8s.io/klog/v2 v2.100.1 // indirect
104 | k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
105 | k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
106 | sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
107 | sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
108 | sigs.k8s.io/yaml v1.3.0 // indirect
109 | )
110 |
--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
1 | variable "service_control_policy_statements" {
2 | type = any
3 | description = "List of Service Control Policy statements"
4 | }
5 |
6 | variable "service_control_policy_description" {
7 | type = string
8 | default = null
9 | description = "Description of the combined Service Control Policy"
10 | }
11 |
12 | variable "target_id" {
13 | type = string
14 | description = "The unique identifier (ID) of the organization root, organizational unit, or account number that you want to attach the policy to"
15 | }
16 |
--------------------------------------------------------------------------------
/versions.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 | required_version = ">= 1.3"
3 |
4 | required_providers {
5 | aws = {
6 | source = "hashicorp/aws"
7 | version = ">= 3.0"
8 | }
9 | local = {
10 | source = "hashicorp/local"
11 | version = ">= 1.3"
12 | }
13 | }
14 | }
15 |
--------------------------------------------------------------------------------
8 |
9 |