├── .circleci
└── config.yml
├── .gitignore
├── .markdownlintrc
├── .pre-commit-config.yaml
├── LICENSE
├── README.md
├── main.tf
├── variables.tf
└── versions.tf
/.circleci/config.yml:
--------------------------------------------------------------------------------
1 | version: 2
2 | jobs:
3 | validate:
4 | docker:
5 | - image: trussworks/circleci-docker-primary:c542b22c7fb95db0a1bbe043928a457ae6fbeaca
6 | steps:
7 | - checkout
8 | - restore_cache:
9 | keys:
10 | - pre-commit-dot-cache-{{ checksum ".pre-commit-config.yaml" }}
11 | - run:
12 | name: Run pre-commit tests
13 | command: pre-commit run --all-files
14 | - save_cache:
15 | key: pre-commit-dot-cache-{{ checksum ".pre-commit-config.yaml" }}
16 | paths:
17 | - ~/.cache/pre-commit
18 |
19 | workflows:
20 | version: 2
21 | validate:
22 | jobs:
23 | - validate
24 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_Store
2 | .terraform
3 | terraform.tfstate
4 | terraform.tfstate.backup
5 | terraform.tfstate.*.backup
6 |
--------------------------------------------------------------------------------
/.markdownlintrc:
--------------------------------------------------------------------------------
1 | {
2 | "default": true,
3 | "first-header-h1": false,
4 | "first-line-h1": false,
5 | "line_length": false,
6 | "no-multiple-blanks": false,
7 | "no-inline-html": false
8 | }
9 |
--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
1 | repos:
2 | - repo: git://github.com/pre-commit/pre-commit-hooks
3 | rev: v2.5.0
4 | hooks:
5 | - id: check-json
6 | - id: check-merge-conflict
7 | - id: check-yaml
8 | - id: detect-private-key
9 | - id: pretty-format-json
10 | args:
11 | - --autofix
12 | - id: trailing-whitespace
13 |
14 | - repo: git://github.com/igorshubovych/markdownlint-cli
15 | rev: v0.22.0
16 | hooks:
17 | - id: markdownlint
18 |
19 | - repo: git://github.com/antonbabenko/pre-commit-terraform
20 | rev: v1.26.0
21 | hooks:
22 | - id: terraform_docs
23 | - id: terraform_fmt
24 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | BSD 3-Clause License
2 |
3 | Copyright (c) 2020, TrussWorks, Inc.
4 | All rights reserved.
5 |
6 | Redistribution and use in source and binary forms, with or without
7 | modification, are permitted provided that the following conditions are met:
8 |
9 | * Redistributions of source code must retain the above copyright notice, this
10 | list of conditions and the following disclaimer.
11 |
12 | * Redistributions in binary form must reproduce the above copyright notice,
13 | this list of conditions and the following disclaimer in the documentation
14 | and/or other materials provided with the distribution.
15 |
16 | * Neither the name of the copyright holder nor the names of its
17 | contributors may be used to endorse or promote products derived from
18 | this software without specific prior written permission.
19 |
20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # AWS Organization SCP Terraform Module
2 |
3 | **NOTE:** This module has been **ARCHIVED** and should not be used. Please switch to using the [terraform-aws-ou-scp](https://github.com/trussworks/terraform-aws-ou-scp) module instead.
4 |
5 | Inspired by the great work documenting AWS security practices in [asecure.cloud](https://asecure.cloud/whatsnew), this module is meant to define common Service Control Policies (SCP) to apply to accounts or Organizational Units (OU) in an AWS Organization. The following policies are supported
6 |
7 | ## Organizations
8 |
9 | * Deny the ability for an AWS account to leave an AWS organization
10 | * Deny all access to an AWS account
11 |
12 | ## IAM
13 |
14 | * Deny the root user from taking any action
15 | * Deny the ability to create IAM users and access keys in an AWS account
16 | * Protect sensitive IAM roles from modification or deletion
17 |
18 | ## S3
19 |
20 | * Protect sensitive S3 buckets from deletion
21 |
22 | ## KMS
23 |
24 | * Deny the ability to delete KMS keys
25 |
26 | ## Route53
27 |
28 | * Deny the ability to delete Route53 zones
29 |
30 | ## CloudWatch Logs
31 |
32 | * Deny the ability to delete CloudWatch Logs
33 |
34 | ## Usage
35 |
36 | ```hcl
37 | resource "aws_organizations_organizational_unit" "root" {
38 | name = "root"
39 | parent_id = aws_organizations_organization.main.roots.0.id
40 | }
41 |
42 | resource "aws_organizations_organizational_unit" "id_destination" {
43 | name = "id-destination"
44 | parent_id = aws_organizations_organizational_unit.root.id
45 | }
46 |
47 | resource "aws_organizations_organizational_unit" "prod" {
48 | name = "prod"
49 | parent_id = aws_organizations_organizational_unit.id_destination.id
50 | }
51 |
52 | resource "aws_organizations_organizational_unit" "suspended" {
53 | depends_on = [aws_organizations_organization.main]
54 |
55 | name = "suspended"
56 | parent_id = aws_organizations_organizational_unit.root.id
57 | }
58 |
59 | module "org_scps" {
60 | source = "trussworks/org-scp/aws"
61 | version = "~> 1.6.1"
62 |
63 | # applies to all accounts
64 | # - don't allow all accounts to be able to leave the org
65 | # - don't allow access to the root user
66 | # - require s3 objects be encrypted
67 | # - restrict region-specific operations to us-west-2
68 | deny_root_account_target_ids = [aws_organizations_organizational_unit.root.id]
69 | deny_leaving_orgs_target_ids = [aws_organizations_organizational_unit.root.id]
70 | require_s3_encryption_target_ids = [aws_organizations_organizational_unit.root.id]
71 | allowed_regions = ["us-west-2"]
72 | restrict_regions_target_ids = [aws_organizations_organizational_unit.root.id]
73 |
74 | # applies to accounts that are not managing IAM users
75 | # - don't allow creating IAM users or access keys
76 | deny_creating_iam_users_target_ids = [aws_organizations_organizational_unit.id_destination.id]
77 |
78 | # applies to all prod accounts
79 | # - don't allow deleting KMS keys
80 | # - don't allow deleting Route53 zones
81 | # - don't allow deleting CloudWatch logs
82 | # - protect terraform statefile bucket
83 | # - protect OrganizationAccountAccessRole
84 | deny_deleting_kms_keys_target_ids = [aws_organizations_organizational_unit.prod.id]
85 | deny_deleting_route53_zones_target_ids = [aws_organizations_organizational_unit.prod.id]
86 | deny_deleting_cloudwatch_logs_target_ids = [aws_organizations_organizational_unit.prod.id]
87 | protect_s3_bucket_target_ids = [aws_organizations_organizational_unit.prod.id]
88 | protect_iam_role_target_ids = [aws_organizations_organizational_unit.prod.id]
89 |
90 | protect_s3_bucket_resources = [
91 | "arn:aws:s3:::prod-terraform-state-us-west-2",
92 | "arn:aws:s3:::prod-terraform-state-us-west-2/*"
93 | ]
94 | protect_iam_role_resources = [
95 | "arn:aws:iam::*:role/OrganizationAccountAccessRole"
96 | ]
97 |
98 | # applies to all suspended accounts
99 | # - don't allow any access
100 | deny_all_access_target_ids = [aws_organizations_organizational_unit.suspended.id]
101 | }
102 | ```
103 |
104 |
105 | ## Requirements
106 |
107 | | Name | Version |
108 | |------|---------|
109 | | terraform | >= 0.12 |
110 |
111 | ## Providers
112 |
113 | | Name | Version |
114 | |------|---------|
115 | | aws | n/a |
116 |
117 | ## Inputs
118 |
119 | | Name | Description | Type | Default | Required |
120 | |------|-------------|------|---------|:--------:|
121 | | allowed\_regions | AWS Regions allowed for use (for use with the restrict regions SCP) | `list(string)` | [
""
]
| no |
122 | | deny\_all\_access\_target\_ids | Target ids (AWS Account or Organizational Unit) to attach an SCP dening all access | `list(string)` | `[]` | no |
123 | | deny\_creating\_iam\_users\_target\_ids | Target ids (AWS Account or Organizational Unit) to attach an SCP denying the ability to create IAM users or Access Keys | `list(string)` | `[]` | no |
124 | | deny\_deleting\_cloudwatch\_logs\_target\_ids | Target ids (AWS Account or Organizational Unit) to attach an SCP denying deletion of CloudWatch, flowlogs, log groups, or log streams | `list(string)` | `[]` | no |
125 | | deny\_deleting\_kms\_keys\_target\_ids | Target ids (AWS Account or Organizational Unit) to attach an SCP denying deleting KMS keys | `list(string)` | `[]` | no |
126 | | deny\_deleting\_route53\_zones\_target\_ids | Target ids (AWS Account or Organizational Unit) to attach an SCP denying deleting Route53 Hosted Zones | `list(string)` | `[]` | no |
127 | | deny\_leaving\_orgs\_target\_ids | Target ids (AWS Account or Organizational Unit) to attach an SCP denying the ability to leave the AWS Organization | `list(string)` | `[]` | no |
128 | | deny\_root\_account\_target\_ids | Target ids (AWS Account or Organizational Unit) to attach an SCP denying the root user from taking any action | `list(string)` | `[]` | no |
129 | | protect\_iam\_role\_resources | IAM role resource ARNs to protect from modification and deletion | `list(string)` | `[]` | no |
130 | | protect\_iam\_role\_target\_ids | Target ids (AWS Account or Organizational Unit) to attach an SCP protecting IAM roles | `list(string)` | `[]` | no |
131 | | protect\_s3\_bucket\_resources | S3 bucket resource ARNs to protect from bucket and object deletion | `list(string)` | [
""
]
| no |
132 | | protect\_s3\_bucket\_target\_ids | Target ids (AWS Account or Organizational Unit) to attach an SCP protecting S3 buckets and objects | `list(string)` | `[]` | no |
133 | | require\_s3\_encryption\_target\_ids | Target ids (AWS Account or Organizational Unit) to attach an SCP requiring S3 encryption | `list(string)` | `[]` | no |
134 | | restrict\_regions\_target\_ids | Target ids (AWS Account or Organizational Unit) to attach an SCP restricting regions. | `list(string)` | `[]` | no |
135 |
136 | ## Outputs
137 |
138 | No output.
139 |
140 |
141 |
142 | ## Developer Setup
143 |
144 | Install dependencies (macOS)
145 |
146 | ```shell
147 | brew install pre-commit terraform terraform-docs
148 | pre-commit install --install-hooks
149 | ```
150 |
--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
1 | #
2 | # Deny root account
3 | #
4 |
5 | data "aws_iam_policy_document" "deny_root_account" {
6 | statement {
7 | actions = ["*"]
8 | resources = ["*"]
9 | effect = "Deny"
10 | condition {
11 | test = "StringLike"
12 | variable = "aws:PrincipalArn"
13 | values = ["arn:aws:iam::*:root"]
14 | }
15 | }
16 | }
17 |
18 | resource "aws_organizations_policy" "deny_root_account" {
19 | name = "deny-root-account"
20 | description = "Deny the root user from taking any action"
21 | content = data.aws_iam_policy_document.deny_root_account.json
22 | }
23 |
24 | resource "aws_organizations_policy_attachment" "deny_root_account" {
25 | count = length(var.deny_root_account_target_ids)
26 |
27 | policy_id = aws_organizations_policy.deny_root_account.id
28 | target_id = element(var.deny_root_account_target_ids.*, count.index)
29 | }
30 |
31 |
32 | #
33 | # Deny leaving AWS Organizations
34 | #
35 |
36 | data "aws_iam_policy_document" "deny_leaving_orgs" {
37 | statement {
38 | effect = "Deny"
39 | actions = ["organizations:LeaveOrganization"]
40 | resources = ["*"]
41 | }
42 | }
43 |
44 | resource "aws_organizations_policy" "deny_leaving_orgs" {
45 | name = "deny-leaving-orgs"
46 | description = "Deny the ability for an AWS account or Organizational Unit from leaving the AWS Organization"
47 | content = data.aws_iam_policy_document.deny_leaving_orgs.json
48 | }
49 |
50 | resource "aws_organizations_policy_attachment" "deny_leaving_orgs" {
51 | count = length(var.deny_leaving_orgs_target_ids)
52 |
53 | policy_id = aws_organizations_policy.deny_leaving_orgs.id
54 | target_id = element(var.deny_leaving_orgs_target_ids.*, count.index)
55 | }
56 |
57 | #
58 | # Deny creating IAM users or access keys
59 | #
60 |
61 | data "aws_iam_policy_document" "deny_creating_iam_users" {
62 | statement {
63 | effect = "Deny"
64 | actions = [
65 | "iam:CreateUser",
66 | "iam:CreateAccessKey"
67 | ]
68 | resources = ["*"]
69 | }
70 | }
71 |
72 | resource "aws_organizations_policy" "deny_creating_iam_users" {
73 | name = "deny-creating-iam-users"
74 | description = "Deny the ability to create IAM users or Access Keys"
75 | content = data.aws_iam_policy_document.deny_creating_iam_users.json
76 | }
77 |
78 | resource "aws_organizations_policy_attachment" "deny_creating_iam_users" {
79 | count = length(var.deny_creating_iam_users_target_ids)
80 |
81 | policy_id = aws_organizations_policy.deny_creating_iam_users.id
82 | target_id = element(var.deny_creating_iam_users_target_ids.*, count.index)
83 | }
84 |
85 | #
86 | # Deny deleting KMS Keys
87 | #
88 |
89 | data "aws_iam_policy_document" "deny_deleting_kms_keys" {
90 | statement {
91 | effect = "Deny"
92 | actions = [
93 | "kms:ScheduleKeyDeletion",
94 | "kms:Delete*"
95 | ]
96 | resources = ["*"]
97 | }
98 | }
99 |
100 | resource "aws_organizations_policy" "deny_deleting_kms_keys" {
101 | name = "deny-deleting-kms-keys"
102 | description = "Deny deleting KMS keys"
103 | content = data.aws_iam_policy_document.deny_deleting_kms_keys.json
104 | }
105 |
106 | resource "aws_organizations_policy_attachment" "deny_deleting_kms_keys" {
107 | count = length(var.deny_deleting_kms_keys_target_ids)
108 |
109 | policy_id = aws_organizations_policy.deny_deleting_kms_keys.id
110 | target_id = element(var.deny_deleting_kms_keys_target_ids.*, count.index)
111 | }
112 |
113 | #
114 | # Deny deleting Route53 Hosted Zones
115 | #
116 |
117 | data "aws_iam_policy_document" "deny_deleting_route53_zones" {
118 | statement {
119 | effect = "Deny"
120 | actions = [
121 | "route53:DeleteHostedZone"
122 | ]
123 | resources = ["*"]
124 | }
125 | }
126 |
127 | resource "aws_organizations_policy" "deny_deleting_route53_zones" {
128 | name = "deny-deleting-route53-zones"
129 | description = "Deny deleting Route53 Hosted Zones"
130 | content = data.aws_iam_policy_document.deny_deleting_route53_zones.json
131 | }
132 |
133 | resource "aws_organizations_policy_attachment" "deny_deleting_route53_zones" {
134 | count = length(var.deny_deleting_route53_zones_target_ids)
135 |
136 | policy_id = aws_organizations_policy.deny_deleting_route53_zones.id
137 | target_id = element(var.deny_deleting_route53_zones_target_ids.*, count.index)
138 | }
139 |
140 | #
141 | # Deny all access
142 | #
143 |
144 | data "aws_iam_policy_document" "deny_all_access" {
145 | statement {
146 | effect = "Deny"
147 | actions = ["*"]
148 | resources = ["*"]
149 | }
150 | }
151 |
152 | resource "aws_organizations_policy" "deny_all_access" {
153 | name = "deny-all-access"
154 | description = "Deny all access"
155 | content = data.aws_iam_policy_document.deny_all_access.json
156 | }
157 |
158 | resource "aws_organizations_policy_attachment" "deny_all_access" {
159 | count = length(var.deny_all_access_target_ids)
160 |
161 | policy_id = aws_organizations_policy.deny_all_access.id
162 | target_id = element(var.deny_all_access_target_ids.*, count.index)
163 | }
164 |
165 | #
166 | # Require S3 encryption
167 | #
168 |
169 | # https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html#example-require-encryption
170 | data "aws_iam_policy_document" "require_s3_encryption" {
171 | statement {
172 | effect = "Deny"
173 | actions = ["s3:PutObject"]
174 | resources = ["*"]
175 | condition {
176 | test = "StringNotEquals"
177 | variable = "s3:x-amz-server-side-encryption"
178 | values = ["AES256"]
179 | }
180 | }
181 | statement {
182 | effect = "Deny"
183 | actions = ["s3:PutObject"]
184 | resources = ["*"]
185 | condition {
186 | test = "Null"
187 | variable = "s3:x-amz-server-side-encryption"
188 | values = [true]
189 | }
190 | }
191 | }
192 |
193 | resource "aws_organizations_policy" "require_s3_encryption" {
194 | name = "require-s3-encryption"
195 | description = "Require that all Amazon S3 buckets use AES256 encryption"
196 | content = data.aws_iam_policy_document.require_s3_encryption.json
197 | }
198 |
199 | resource "aws_organizations_policy_attachment" "require_s3_encryption" {
200 | count = length(var.require_s3_encryption_target_ids)
201 |
202 | policy_id = aws_organizations_policy.require_s3_encryption.id
203 | target_id = element(var.require_s3_encryption_target_ids.*, count.index)
204 | }
205 |
206 | #
207 | # Deny deleting VPC Flow logs, cloudwatch log groups, and cloudwatch log streams
208 | #
209 |
210 | data "aws_iam_policy_document" "deny_deleting_cloudwatch_logs" {
211 | statement {
212 | effect = "Deny"
213 | actions = [
214 | "ec2:DeleteFlowLogs",
215 | "logs:DeleteLogGroup",
216 | "logs:DeleteLogStream"
217 | ]
218 | resources = ["*"]
219 | }
220 | }
221 |
222 | resource "aws_organizations_policy" "deny_deleting_cloudwatch_logs" {
223 | name = "deny-deleting-cloudwatch-logs"
224 | description = "Deny deleting Cloudwatch log groups, log streams, and VPC flow logs"
225 | content = data.aws_iam_policy_document.deny_deleting_cloudwatch_logs.json
226 | }
227 |
228 | resource "aws_organizations_policy_attachment" "deny_deleting_cloudwatch_logs" {
229 | count = length(var.deny_deleting_cloudwatch_logs_target_ids)
230 |
231 | policy_id = aws_organizations_policy.deny_deleting_cloudwatch_logs.id
232 | target_id = element(var.deny_deleting_cloudwatch_logs_target_ids.*, count.index)
233 | }
234 |
235 | #
236 | # Protect S3 Buckets
237 | #
238 |
239 | data "aws_iam_policy_document" "protect_s3_buckets" {
240 | statement {
241 | effect = "Deny"
242 | actions = [
243 | "s3:DeleteBucket",
244 | "s3:DeleteObject",
245 | "s3:DeleteObjectVersion",
246 | ]
247 | resources = var.protect_s3_bucket_resources
248 | }
249 | }
250 |
251 | resource "aws_organizations_policy" "protect_s3_buckets" {
252 | count = length(var.protect_s3_bucket_target_ids)
253 | name = "protect-s3-buckets"
254 | description = "Protect S3 buckets form bucket and object deletion"
255 | content = data.aws_iam_policy_document.protect_s3_buckets.json
256 | }
257 |
258 | resource "aws_organizations_policy_attachment" "protect_s3_buckets" {
259 | count = length(var.protect_s3_bucket_target_ids)
260 |
261 | policy_id = aws_organizations_policy.protect_s3_buckets[0].id
262 | target_id = element(var.protect_s3_bucket_target_ids.*, count.index)
263 | }
264 |
265 | #
266 | # Protect IAM roles
267 | #
268 |
269 | data "aws_iam_policy_document" "protect_iam_roles" {
270 | count = length(var.protect_iam_role_resources) != 0 ? 1 : 0
271 |
272 | statement {
273 | effect = "Deny"
274 | actions = [
275 | "iam:AttachRolePolicy",
276 | "iam:DeleteRole",
277 | "iam:DeleteRolePermissionsBoundary",
278 | "iam:DeleteRolePolicy",
279 | "iam:DetachRolePolicy",
280 | "iam:PutRolePermissionsBoundary",
281 | "iam:PutRolePolicy",
282 | "iam:UpdateAssumeRolePolicy",
283 | "iam:UpdateRole",
284 | "iam:UpdateRoleDescription"
285 | ]
286 | resources = var.protect_iam_role_resources
287 | }
288 | }
289 |
290 | resource "aws_organizations_policy" "protect_iam_roles" {
291 | count = length(var.protect_iam_role_resources) != 0 ? 1 : 0
292 |
293 | name = "protect-iam-roles"
294 | description = "Protect IAM roles from modification or deletion"
295 | content = data.aws_iam_policy_document.protect_iam_roles[0].json
296 | }
297 |
298 | resource "aws_organizations_policy_attachment" "protect_iam_roles" {
299 | count = var.protect_iam_role_resources != [""] ? length(var.protect_iam_role_target_ids) : 0
300 |
301 | policy_id = aws_organizations_policy.protect_iam_roles[0].id
302 | target_id = element(var.protect_iam_role_target_ids.*, count.index)
303 | }
304 |
305 | #
306 | # Restrict Regional Operations
307 | #
308 |
309 | data "aws_iam_policy_document" "restrict_regions" {
310 | statement {
311 | effect = "Deny"
312 |
313 | # These actions do not operate in a specific region, or only run in
314 | # a single region, so we don't want to try restricting them by region.
315 | not_actions = [
316 | "iam:*",
317 | "organizations:*",
318 | "route53:*",
319 | "budgets:*",
320 | "waf:*",
321 | "cloudfront:*",
322 | "globalaccelerator:*",
323 | "importexport:*",
324 | "support:*",
325 | "sts:*"
326 | ]
327 |
328 | resources = ["*"]
329 | sid = "LimitRegionsSCP"
330 |
331 | condition {
332 | test = "StringNotEquals"
333 | variable = "aws:RequestedRegion"
334 | values = var.allowed_regions
335 | }
336 | }
337 | }
338 |
339 | resource "aws_organizations_policy" "restrict_regions" {
340 | name = "restrict-regions"
341 | description = "Restrict regions for deployable resources"
342 | content = data.aws_iam_policy_document.restrict_regions.json
343 | }
344 |
345 | resource "aws_organizations_policy_attachment" "restrict_regions" {
346 | count = length(var.restrict_regions_target_ids)
347 |
348 | policy_id = aws_organizations_policy.restrict_regions.id
349 | target_id = element(var.restrict_regions_target_ids.*, count.index)
350 | }
351 |
--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
1 | variable "deny_root_account_target_ids" {
2 | description = "Target ids (AWS Account or Organizational Unit) to attach an SCP denying the root user from taking any action"
3 | type = list(string)
4 | default = []
5 | }
6 |
7 | variable "deny_leaving_orgs_target_ids" {
8 | description = "Target ids (AWS Account or Organizational Unit) to attach an SCP denying the ability to leave the AWS Organization"
9 | type = list(string)
10 | default = []
11 | }
12 |
13 | variable "deny_creating_iam_users_target_ids" {
14 | description = "Target ids (AWS Account or Organizational Unit) to attach an SCP denying the ability to create IAM users or Access Keys"
15 | type = list(string)
16 | default = []
17 | }
18 |
19 | variable "deny_deleting_kms_keys_target_ids" {
20 | description = "Target ids (AWS Account or Organizational Unit) to attach an SCP denying deleting KMS keys"
21 | type = list(string)
22 | default = []
23 | }
24 |
25 | variable "deny_deleting_route53_zones_target_ids" {
26 | description = "Target ids (AWS Account or Organizational Unit) to attach an SCP denying deleting Route53 Hosted Zones"
27 | type = list(string)
28 | default = []
29 | }
30 |
31 | variable "deny_all_access_target_ids" {
32 | description = "Target ids (AWS Account or Organizational Unit) to attach an SCP dening all access"
33 | type = list(string)
34 | default = []
35 | }
36 |
37 | variable "require_s3_encryption_target_ids" {
38 | description = "Target ids (AWS Account or Organizational Unit) to attach an SCP requiring S3 encryption"
39 | type = list(string)
40 | default = []
41 | }
42 |
43 | variable "deny_deleting_cloudwatch_logs_target_ids" {
44 | description = "Target ids (AWS Account or Organizational Unit) to attach an SCP denying deletion of CloudWatch, flowlogs, log groups, or log streams"
45 | type = list(string)
46 | default = []
47 | }
48 |
49 | variable "protect_s3_bucket_target_ids" {
50 | description = "Target ids (AWS Account or Organizational Unit) to attach an SCP protecting S3 buckets and objects"
51 | type = list(string)
52 | default = []
53 | }
54 |
55 | variable "protect_s3_bucket_resources" {
56 | description = "S3 bucket resource ARNs to protect from bucket and object deletion"
57 | type = list(string)
58 | default = [""]
59 | }
60 |
61 | variable "protect_iam_role_target_ids" {
62 | description = "Target ids (AWS Account or Organizational Unit) to attach an SCP protecting IAM roles"
63 | type = list(string)
64 | default = []
65 | }
66 |
67 | variable "protect_iam_role_resources" {
68 | description = "IAM role resource ARNs to protect from modification and deletion"
69 | type = list(string)
70 | default = []
71 | }
72 |
73 | variable "restrict_regions_target_ids" {
74 | description = "Target ids (AWS Account or Organizational Unit) to attach an SCP restricting regions."
75 | type = list(string)
76 | default = []
77 | }
78 |
79 | variable "allowed_regions" {
80 | description = "AWS Regions allowed for use (for use with the restrict regions SCP)"
81 | type = list(string)
82 | default = [""]
83 | }
84 |
--------------------------------------------------------------------------------
/versions.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 | required_version = ">= 0.12"
3 | }
4 |
--------------------------------------------------------------------------------