diff --git a/README.md b/README.md
index 6bd2602..621ae76 100644
--- a/README.md
+++ b/README.md
@@ -31,6 +31,7 @@ No modules.
|------|------|
| [aws_cloudformation_stack.lacework_stack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack) | resource |
| [aws_cloudformation_stack_set.lacework_stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
+| [aws_cloudformation_stack_set_instance.lacework_stackset_instances](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
| [aws_iam_role.lacework_copy_zip_files_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.lacework_setup_function_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_kms_key.lacework_kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
@@ -56,6 +57,7 @@ No modules.
| [aws_iam_policy_document.lacework_setup_function_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.sns_topic_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
## Inputs
@@ -74,7 +76,7 @@ No modules.
| [lacework\_secret\_key](#input\_lacework\_secret\_key) | n/a | `string` | n/a | yes |
| [lacework\_subaccount](#input\_lacework\_subaccount) | If Lacework Organizations is enabled, enter the sub-account. Leave blank if Lacework Organizations is not enabled. | `string` | `""` | no |
| [organization\_id](#input\_organization\_id) | AWS Organization ID where these resources are being deployed into | `string` | n/a | yes |
-| [organization\_unit](#input\_organization\_unit) | Organizational Unit ID that the stackset will be deployed into | `string` | n/a | yes |
+| [organization\_unit](#input\_organization\_unit) | Organizational Unit ID that the stackset will be deployed into | `list(string)` | n/a | yes |
## Outputs
diff --git a/main.tf b/main.tf
index 3544699..08f9cb4 100644
--- a/main.tf
+++ b/main.tf
@@ -247,6 +247,28 @@ data "aws_iam_policy_document" "kms_key_policy" {
actions = ["kms:*"]
resources = ["*"]
}
+ statement {
+ sid = "Enable Org member accounts to use key"
+ effect = "Allow"
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:PrincipalOrgID"
+ values = [var.organization_id]
+ }
+
+ actions = [
+ "kms:GenerateDataKey",
+ "kms:Decrypt"
+ ]
+
+ resources = ["*"]
+ }
}
resource "aws_sns_topic_policy" "default" {
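Review bot: The new "Enable Org member accounts to use key" statement grants `kms:Decrypt` and `kms:GenerateDataKey` to every principal in the organization (`identifiers = ["*"]` narrowed only by `aws:PrincipalOrgID`), so any role in any member account — including accounts outside the OUs in `var.organization_unit` — can decrypt anything protected by this key. If, as the `sns:Publish` statement corrected in this same commit suggests, the key exists to encrypt the Lacework SNS topic, the grant should additionally be pinned to use through SNS with a `kms:ViaService` condition; `data.aws_region.current` is introduced by this commit and can supply the region. If the key is also used directly by member accounts, an `aws:PrincipalOrgPaths` condition limited to the targeted OUs is the alternative narrowing. The enclosing `aws_iam_policy_document "kms_key_policy"` starts before this hunk.
```hcl
  statement {
    sid    = "Enable Org member accounts to use key"
    effect = "Allow"
    # … unchanged: principals "*" and the aws:PrincipalOrgID condition …

    # Only honour the grant when the call is made through SNS on behalf of the
    # member account; remove or widen if the key is used directly elsewhere.
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["sns.${data.aws_region.current.name}.amazonaws.com"]
    }
    # … unchanged: actions and resources …
  }
```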
@@ -258,11 +280,13 @@ data "aws_iam_policy_document" "sns_topic_policy" {
policy_id = "lwSNStopicpolicy"
statement {
- actions = ["sns:Publish"]
+ actions = [
+ "sns:Publish",
+ ]
condition {
test = "StringEquals"
- variable = "aws:PrincipleOrgID"
+ variable = "aws:PrincipalOrgID"
values = [var.organization_id]
}
@@ -295,7 +319,15 @@ resource "aws_cloudformation_stack" "lacework_stack" {
template_url = "https://s3.amazonaws.com/${var.cf_s3_bucket}/${var.cf_s3_prefix}/templates/lacework-aws-cfg-member.template.yml"
timeout_in_minutes = 30
- depends_on = [aws_lambda_function.lacework_setup_function]
+ depends_on = [ // depending on all this ensures the stack can be torn down
+ aws_s3_bucket.lacework_org_lambda,
+ aws_sns_topic.lacework_sns_topic,
+ aws_sns_topic_subscription.lacework_sns_subscription,
+ aws_sns_topic_policy.default,
+ aws_lambda_permission.lacework_lambda_permission,
+ aws_secretsmanager_secret.lacework_api_credentials,
+ aws_lambda_function.lacework_setup_function
+ ]
}
resource "aws_cloudformation_stack_set" "lacework_stackset" {
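Review bot: The new `depends_on` comment is written with `//`, which HCL accepts but which is not the idiomatic comment form; `terraform fmt` will not rewrite it and the Terraform style guide prefers `#`, so change it to `# depending on all of these ensures the stack can be torn down cleanly`. The list itself is reasonable, but the specific teardown failure it works around is not visible here, so a short comment naming which resource was being destroyed before the CloudFormation stack (the Lambda permission, the secret, the SNS subscription) would spare the next maintainer from reverse-engineering the ordering. The `aws_cloudformation_stack "lacework_stack"` block starts before this hunk.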
@@ -321,5 +353,25 @@ resource "aws_cloudformation_stack_set" "lacework_stackset" {
permission_model = "SERVICE_MANAGED"
template_url = "https://s3.amazonaws.com/${var.cf_s3_bucket}/${var.cf_s3_prefix}/templates/lacework-aws-cfg-member.template.yml"
- depends_on = [aws_lambda_function.lacework_setup_function]
+
+ depends_on = [ // depending on all this ensures the stackinstances can be torn down
+ aws_s3_bucket.lacework_org_lambda,
+ aws_sns_topic.lacework_sns_topic,
+ aws_sns_topic_subscription.lacework_sns_subscription,
+ aws_sns_topic_policy.default,
+ aws_lambda_permission.lacework_lambda_permission,
+ aws_secretsmanager_secret.lacework_api_credentials,
+ aws_lambda_function.lacework_setup_function
+ ]
+}
+
+
+data "aws_region" "current" {}
+resource "aws_cloudformation_stack_set_instance" "lacework_stackset_instances" {
+ deployment_targets {
+ organizational_unit_ids = var.organization_unit
+ }
+
+ region = data.aws_region.current.name
+ stack_set_name = aws_cloudformation_stack_set.lacework_stackset.name
}
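Review bot: The new `aws_cloudformation_stack_set_instance` sets no `operation_preferences` and no `timeouts`, so CloudFormation rolls the member template out with its defaults (one account at a time, zero failures tolerated) and Terraform waits at most the provider's default create/update/delete timeout; with a large OU in `var.organization_unit` the sequential rollout can exceed that window, leaving Terraform reporting failure while the stack-set operation keeps running — the exact thresholds depend on account count and template size, so treat the values below as a starting point. The single `region = data.aws_region.current.name` instance is only correct if the member template contains global (IAM-only) resources, which is not visible here and deserves a one-line comment. Also, `var.organization_unit` is passed through unchecked; a `validation` block on the variable rejecting anything that is not an `ou-…`/`r-…` ID would turn a late CloudFormation error into a plan-time one. The `//` comment on the stack set's `depends_on` should be `#` for the same reason as elsewhere.
```hcl
resource "aws_cloudformation_stack_set_instance" "lacework_stackset_instances" {
  deployment_targets {
    organizational_unit_ids = var.organization_unit
  }

  # Rollout shape: defaults are 1 account at a time and 0 failures tolerated.
  # Tune for the size of the targeted OUs.
  operation_preferences {
    max_concurrent_count    = 10
    failure_tolerance_count = 0
  }

  # Deploying to many accounts routinely outlasts the provider default.
  timeouts {
    create = "60m"
    update = "60m"
    delete = "60m"
  }

  # One instance in the provider region; the member template is assumed to hold
  # only global (IAM) resources — confirm before adding regions.
  region         = data.aws_region.current.name
  stack_set_name = aws_cloudformation_stack_set.lacework_stackset.name
}
```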
diff --git a/variables.tf b/variables.tf
index 970abc0..fbad015 100644
--- a/variables.tf
+++ b/variables.tf
@@ -41,7 +41,7 @@ variable "organization_id" {
}
variable "organization_unit" {
- type = string
+ type = list(string)
description = "Organizational Unit ID that the stackset will be deployed into"
}