updated some vars, values and defaults. bc I ran into errors

README.md

@@ -82,11 +82,12 @@ No requirements.
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
-| <a name="provider_aws.root"></a> [aws.root](#provider\_aws.root) | n/a |
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_guardduty_kms_key"></a> [guardduty\_kms\_key](#module\_guardduty\_kms\_key) | github.com/Coalfire-CF/terraform-aws-kms | n/a |
 
 ## Resources
 
@@ -101,7 +102,6 @@ No modules.
 | [aws_guardduty_publishing_destination.gd_pub_dest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_publishing_destination) | resource |
 | [aws_iam_role.aws_config_org_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_kms_key.gd_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_organizations_account.account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_account) | resource |
 | [aws_organizations_delegated_administrator.delegated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_delegated_administrator) | resource |
 | [aws_organizations_delegated_administrator.delegated_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_delegated_administrator) | resource |
@@ -120,6 +120,7 @@ No modules.
 | [aws_iam_policy_document.bucket_pol](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kms_pol](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.scp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ## Inputs
 
@@ -131,17 +132,16 @@ No modules.
 | <a name="input_aws_new_member_account_email"></a> [aws\_new\_member\_account\_email](#input\_aws\_new\_member\_account\_email) | The Email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account. | `any` | `null` | no |
 | <a name="input_aws_new_member_account_name"></a> [aws\_new\_member\_account\_name](#input\_aws\_new\_member\_account\_name) | The Friendly name for the member account. | `any` | `null` | no |
 | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | n/a | `string` | n/a | yes |
-| <a name="input_aws_sec_hub_standards_arn"></a> [aws\_sec\_hub\_standards\_arn](#input\_aws\_sec\_hub\_standards\_arn) | n/a | `list[string]` | n/a | yes |
+| <a name="input_aws_sec_hub_standards_arn"></a> [aws\_sec\_hub\_standards\_arn](#input\_aws\_sec\_hub\_standards\_arn) | n/a | `list(string)` | n/a | yes |
 | <a name="input_create_org_cloudtrail"></a> [create\_org\_cloudtrail](#input\_create\_org\_cloudtrail) | True/False statement whether to enable AWS Cloudtrail in the Organization | `bool` | `true` | no |
 | <a name="input_create_org_config"></a> [create\_org\_config](#input\_create\_org\_config) | True/False statement whether to enable AWS Config in the Organization | `bool` | `true` | no |
 | <a name="input_create_org_guardduty"></a> [create\_org\_guardduty](#input\_create\_org\_guardduty) | True/False statement whether to enable AWS GuardDuty in the Organization | `bool` | `true` | no |
 | <a name="input_create_org_securityhub"></a> [create\_org\_securityhub](#input\_create\_org\_securityhub) | True/False statement whether to enable AWS Security Hub in the Organization | `bool` | `true` | no |
 | <a name="input_delegated_admin_account_id"></a> [delegated\_admin\_account\_id](#input\_delegated\_admin\_account\_id) | The account ID number of the member account in the organization to register as a delegated administrator. | `list(string)` | `null` | no |
-| <a name="input_delegated_service_principal"></a> [delegated\_service\_principal](#input\_delegated\_service\_principal) | The service principal of the AWS service for which you want to make the member account a delegated administrator. | `any` | `null` | no |
+| <a name="input_delegated_service_principal"></a> [delegated\_service\_principal](#input\_delegated\_service\_principal) | The service principal of the AWS service for which you want to make the member account a delegated administrator. | `string` | `"principal"` | no |
 | <a name="input_feature_set"></a> [feature\_set](#input\_feature\_set) | Feature set to be used with Org and member accounts Specify ALL(default) or CONSOLIDATED\_BILLING. | `string` | `"ALL"` | no |
 | <a name="input_finding_publishing_frequency"></a> [finding\_publishing\_frequency](#input\_finding\_publishing\_frequency) | n/a | `string` | `"ONE_HOUR"` | no |
 | <a name="input_ou_creation_info"></a> [ou\_creation\_info](#input\_ou\_creation\_info) | list of names of OU to create and their corresponding delegated admins | `any` | `null` | no |
-| <a name="input_partition"></a> [partition](#input\_partition) | n/a | `string` | n/a | yes |
 | <a name="input_resource_prefix"></a> [resource\_prefix](#input\_resource\_prefix) | n/a | `string` | n/a | yes |
 | <a name="input_s3_kms_key_arn"></a> [s3\_kms\_key\_arn](#input\_s3\_kms\_key\_arn) | n/a | `string` | n/a | yes |
 | <a name="input_service_access_principals"></a> [service\_access\_principals](#input\_service\_access\_principals) | List of AWS Service Access Principals that you want to enable for organization integration | `list(string)` | <pre>[<br>  "cloudtrail.amazonaws.com",<br>  "config.amazonaws.com",<br>  "securityhub.amazonaws.com",<br>  "guardduty.amazonaws.com",<br>  "config-multiaccountsetup.amazonaws.com"<br>]</pre> | no |

data.tf

@@ -0,0 +1,3 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_partition" "current" {}

guard_duty.tf

@@ -94,7 +94,7 @@ data "aws_iam_policy_document" "kms_pol" {
     ]
 
     resources = [
-      "arn:${var.partition}:kms:${var.aws_region}:${data.aws_caller_identity.current.account_id}:key/*"
+      "arn:${data.aws_partition.current.partition}:kms:${var.aws_region}:${data.aws_caller_identity.current.account_id}:key/*"
     ]
 
     principals {
@@ -110,7 +110,7 @@ data "aws_iam_policy_document" "kms_pol" {
     ]
 
     resources = [
-      "arn:${var.partition}:kms:${var.aws_region}:${data.aws_caller_identity.current.account_id}:key/*"
+      "arn:${data.aws_partition.current.partition}:kms:${var.aws_region}:${data.aws_caller_identity.current.account_id}:key/*"
     ]
 
     principals {
@@ -135,20 +135,22 @@ resource "aws_s3_bucket_policy" "gd_bucket_policy" {
   policy = data.aws_iam_policy_document.bucket_pol.json
 }
 
-resource "aws_kms_key" "gd_key" {
+module "guardduty_kms_key" {
   count = var.create_org_guardduty ? 1 : 0
+  source = "github.com/Coalfire-CF/terraform-aws-kms"
 
-  description             = "kms key for guardduty"
-  deletion_window_in_days = 7
-  policy                  = data.aws_iam_policy_document.kms_pol.json
+  key_policy            = data.aws_iam_policy_document.kms_pol.json
+  kms_key_resource_type = "backup"
+  resource_prefix       = var.resource_prefix
 }
 
+
 resource "aws_guardduty_publishing_destination" "gd_pub_dest" {
   count = var.create_org_guardduty ? 1 : 0
 
   detector_id     = aws_guardduty_detector.guardduty[0].id
   destination_arn = aws_s3_bucket.gd_bucket[0].arn
-  kms_key_arn     = aws_kms_key.gd_key.arn
+  kms_key_arn     = module.guardduty_kms_key.arn
 
   depends_on = [
     aws_s3_bucket_policy.gd_bucket_policy[0],

iam.tf

@@ -18,7 +18,7 @@ resource "aws_iam_role" "aws_config_org_role" {
 
 resource "aws_iam_role_policy_attachment" "organization" {
   role       = aws_iam_role.aws_config_org_role.name
-  policy_arn = "arn:${var.partition}:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
+  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
 }
 
 ### AWS ORG IAM
@@ -31,7 +31,7 @@ data "aws_iam_policy_document" "scp" {
       "ec2:CreateVpc",
       "ec2:AssociateVpcCidrBlock"]
     resources = [
-      "arn:${var.partition}:ec2:*:*:vpc/*"]
+      "arn:${data.aws_partition.current.partition}:ec2:*:*:vpc/*"]
     condition {
       test = "Null"
       values = [
@@ -59,8 +59,8 @@ data "aws_iam_policy_document" "scp" {
     effect = "Deny"
     actions = ["ec2:RunInstances"]
     resources = [
-      "arn:${var.partition}:ec2:*:*:instance/*",
-      "arn:${var.partition}:ec2:*:*:volume/*"
+      "arn:${data.aws_partition.current.partition}:ec2:*:*:instance/*",
+      "arn:${data.aws_partition.current.partition}:ec2:*:*:volume/*"
     ]
     condition {
       test = "Null"
@@ -73,10 +73,10 @@ data "aws_iam_policy_document" "scp" {
   statement {
     effect = "Deny"
     actions = ["iam:DeleteRole", "iam:DeleteRolePolicy"]
-    resources = ["arn:${var.partition}:iam::*:role/ops-stack-security-tooling"]
+    resources = ["arn:${data.aws_partition.current.partition}:iam::*:role/ops-stack-security-tooling"]
     condition {
       test = "StringNotLike"
-      values = ["arn:${var.partition}:iam::*:role/tfadmin"]
+      values = ["arn:${data.aws_partition.current.partition}:iam::*:role/tfadmin"]
       variable = "aws:PrincipalARN"
     }
   }

org.tf

@@ -20,18 +20,16 @@ resource "aws_organizations_account" "account" {
 
 resource "aws_organizations_organizational_unit" "ou" {
   for_each = var.ou_creation_info
-  name      = ou_creation_info.value["ou_name"]
-  parent_id = ou_creation_info.value["ou_parent_id"]
+  name      = each.value["ou_name"]
+  parent_id = each.value["ou_parent_id"]
 }
 
 resource "aws_organizations_policy" "scp" {
-  provider = aws.root
   content = data.aws_iam_policy_document.scp.json
   name = "FedModGovSCP"
 }
 
 resource "aws_organizations_policy_attachment" "scp" {
-  provider = aws.root
   policy_id = aws_organizations_policy.scp.id
   target_id = aws_organizations_organization.org.id
 }
@@ -45,7 +43,7 @@ resource "aws_organizations_resource_policy" "org_resource_policy" {
       "Sid": "Statement",
       "Effect": "Allow",
       "Principal": {
-        "AWS": "arn:${var.partition}:iam::${aws_organizations_organization.org.roots[0].id}:root"
+        "AWS": "arn:${data.aws_partition.current.partition}:iam::${aws_organizations_organization.org.roots[0].id}:root"
       },
       "Action": [
         "organizations:CreatePolicy",
@@ -72,7 +70,7 @@ resource "aws_organizations_resource_policy" "org_resource_policy" {
         "organizations:ListTagsForResource"
       ],
       "Resource": [
-        "arn:${var.partition}:organizations::${aws_organizations_organization.org.roots[0].id}:ou/${aws_organizations_organizational_unit.ou[*].id}/*"]
+        "arn:${data.aws_partition.current.partition}:organizations::${aws_organizations_organization.org.roots[0].id}:ou/${aws_organizations_organizational_unit.ou[*].id}/*"]
     }
   ]
 }

variables.tf

@@ -23,7 +23,7 @@ variable "delegated_admin_account_id" {
 
 variable "delegated_service_principal" {
   description = "The service principal of the AWS service for which you want to make the member account a delegated administrator."
-  default = null
+  default = "principal"
 }
 
 variable "aws_new_member_account_name" {
@@ -45,9 +45,6 @@ variable "aws_region" {
   type = string
 }
 
-variable "partition" {
-  type = string
-}
 
 variable "resource_prefix" {
   type = string
@@ -59,7 +56,7 @@ variable "finding_publishing_frequency" {
 }
 
 variable "aws_sec_hub_standards_arn" {
-  type = list[string]
+  type = list(string)
 }
 
 variable "aws_guardduty_datasources_enable_S3" {