From 5df011fea69afb02bbf71f8287cf43880c136eaa Mon Sep 17 00:00:00 2001
From: ipcrm
Date: Tue, 14 Nov 2023 18:17:02 -0500
Subject: [PATCH 1/2] fix: update kms key policy, sns policy, stackset instance creation
---
 README.md | 2 ++
 main.tf | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 58 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 6bd2602..372d9e3 100644
--- a/README.md
+++ b/README.md
@@ -31,6 +31,7 @@ No modules.
 |------|------|
 | [aws_cloudformation_stack.lacework_stack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack) | resource |
 | [aws_cloudformation_stack_set.lacework_stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource |
+| [aws_cloudformation_stack_set_instance.lacework_stackset_instances](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
 | [aws_iam_role.lacework_copy_zip_files_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.lacework_setup_function_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_kms_key.lacework_kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
@@ -56,6 +57,7 @@ No modules.
 | [aws_iam_policy_document.lacework_setup_function_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sns_topic_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 ## Inputs
diff --git a/main.tf b/main.tf
index 3544699..1c842d7 100644
--- a/main.tf
+++ b/main.tf
@@ -247,6 +247,28 @@ data "aws_iam_policy_document" "kms_key_policy" {
 actions = ["kms:*"]
 resources = ["*"]
 }
+ statement {
+ sid = "Enable Org member accounts to use key"
+ effect = "Allow"
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:PrincipalOrgID"
+ values = [var.organization_id]
+ }
+
+ actions = [
+ "kms:GenerateDataKey",
+ "kms:Decrypt"
+ ]
+
+ resources = ["*"]
+ }
 }
 resource "aws_sns_topic_policy" "default" {
@@ -258,11 +280,13 @@ data "aws_iam_policy_document" "sns_topic_policy" {
 policy_id = "lwSNStopicpolicy"
 statement {
- actions = ["sns:Publish"]
+ actions = [
+ "sns:Publish",
+ ]
 condition {
 test = "StringEquals"
- variable = "aws:PrincipleOrgID"
+ variable = "aws:PrincipalOrgID"
 values = [var.organization_id]
 }
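Review bot: The new key-policy statement lets every IAM principal in the organization call `kms:Decrypt` and `kms:GenerateDataKey` on this key (`identifiers = ["*"]` narrowed only by `aws:PrincipalOrgID`), which is broader than any single consumer needs. If the key's only cross-account use is the SNS topic that member stacks publish to — the `sns_topic_policy` document sits right below, but the key's consumers are not visible in this hunk — a `kms:ViaService` condition pins the grant to that service, and `data.aws_region.current` introduced later in this patch can supply the region. The sid alone does not say why org-wide access is required, so a one-line comment above the statement stating which service and which callers need it would help the next reviewer. The enclosing `kms_key_policy` document starts outside the hunk.

```terraform
  statement {
    sid    = "Enable Org member accounts to use key"
    # … unchanged: effect, principals, aws:PrincipalOrgID condition …
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["sns.${data.aws_region.current.name}.amazonaws.com"]
    }
    # … unchanged: actions, resources …
  }
```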
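Review bot: The rename on `variable = "aws:PrincipalOrgID"` is the substantive part of this hunk and deserves a comment, because a misspelled condition key is not caught by Terraform and, if SNS accepted the old policy, presumably never matched, so the `sns:Publish` grant was dead until now. Something like `# aws:PrincipalOrgID — a misspelled condition key never matches and silently denies every publisher` keeps a later edit from reintroducing it. The rewrap of `actions` into a multi-line list is cosmetic and differs from the one-line `resources = ["*"]` form used in the statement above. The statement's `principals` block is outside the hunk, so the scope of the grant cannot be confirmed from here.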
@@ -295,7 +319,15 @@ resource "aws_cloudformation_stack" "lacework_stack" {
 template_url = "https://s3.amazonaws.com/${var.cf_s3_bucket}/${var.cf_s3_prefix}/templates/lacework-aws-cfg-member.template.yml"
 timeout_in_minutes = 30
- depends_on = [aws_lambda_function.lacework_setup_function]
+ depends_on = [ // depending on all this ensures the stack can be torn down
+ aws_s3_bucket.lacework_org_lambda,
+ aws_sns_topic.lacework_sns_topic,
+ aws_sns_topic_subscription.lacework_sns_subscription,
+ aws_sns_topic_policy.default,
+ aws_lambda_permission.lacework_lambda_permission,
+ aws_secretsmanager_secret.lacework_api_credentials,
+ aws_lambda_function.lacework_setup_function
+ ]
 }
 resource "aws_cloudformation_stack_set" "lacework_stackset" {
@@ -321,5 +353,25 @@ resource "aws_cloudformation_stack_set" "lacework_stackset" {
 permission_model = "SERVICE_MANAGED"
 template_url = "https://s3.amazonaws.com/${var.cf_s3_bucket}/${var.cf_s3_prefix}/templates/lacework-aws-cfg-member.template.yml"
- depends_on = [aws_lambda_function.lacework_setup_function]
+
+ depends_on = [ // depending on all this ensures the stackinstances can be torn down
+ aws_s3_bucket.lacework_org_lambda,
+ aws_sns_topic.lacework_sns_topic,
+ aws_sns_topic_subscription.lacework_sns_subscription,
+ aws_sns_topic_policy.default,
+ aws_lambda_permission.lacework_lambda_permission,
+ aws_secretsmanager_secret.lacework_api_credentials,
+ aws_lambda_function.lacework_setup_function
+ ]
+}
+
+
+data "aws_region" "current" {}
+resource "aws_cloudformation_stack_set_instance" "lacework_stackset_instances" {
+ deployment_targets {
+ organizational_unit_ids = [var.organization_unit]
+ }
+
+ region = data.aws_region.current.name
+ stack_set_name = aws_cloudformation_stack_set.lacework_stackset.name
 }
From 97dd3d829958149a9985c673e82f525dea2f102d Mon Sep 17 00:00:00 2001
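Review bot: The inline comment on the new `depends_on` uses `//`, which Terraform accepts but documents as non-idiomatic; `#` is the style the language guide recommends and the same applies to the `depends_on` comment in the stack set hunk below. The comment also stops short of saying what the ordering buys: `depends_on = [ # destroy ordering: the member stack must be gone before the topic, bucket and secret it reports to are removed` makes the intent explicit. Since `depends_on` only takes static resource addresses, the seven-entry list cannot be pulled into a local, so the duplication between the two resources is unavoidable and worth a short comment saying so. The enclosing `lacework_stack` resource starts outside the hunk.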
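Review bot: The new `aws_cloudformation_stack_set_instance` sets no `operation_preferences`, so the stack set operation runs with CloudFormation's default failure tolerance of zero: one account in the targeted OU failing to create its stack aborts the whole operation, which on an organization-wide rollout is the common case. It also only ever targets `data.aws_region.current.name`, which is fine for a single-region deployment but is not stated anywhere. A comment on `region` and an explicit `operation_preferences` block (values below are illustrative, not tuned) make both choices visible; `data "aws_region" "current" {}` is also glued to the resource with no blank line and would read better next to the existing `aws_partition.current` data source.

```terraform
resource "aws_cloudformation_stack_set_instance" "lacework_stackset_instances" {
  # … unchanged: deployment_targets …

  # Only the provider's region is targeted; member stacks in other regions need a separate instance.
  region         = data.aws_region.current.name
  stack_set_name = aws_cloudformation_stack_set.lacework_stackset.name

  # Default failure tolerance is 0, so a single failing account aborts the operation
  # for the whole OU; tune these to the size of the organization.
  operation_preferences {
    failure_tolerance_percentage = 10
    max_concurrent_percentage    = 100
  }
}
```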
From: ipcrm
Date: Wed, 15 Nov 2023 16:48:07 -0500
Subject: [PATCH 2/2] feat: support multiple org units
---
 README.md | 2 +-
 main.tf | 2 +-
 variables.tf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 372d9e3..621ae76 100644
--- a/README.md
+++ b/README.md
@@ -76,7 +76,7 @@ No modules.
 | [lacework\_secret\_key](#input\_lacework\_secret\_key) | n/a | `string` | n/a | yes |
 | [lacework\_subaccount](#input\_lacework\_subaccount) | If Lacework Organizations is enabled, enter the sub-account. Leave blank if Lacework Organizations is not enabled. | `string` | `""` | no |
 | [organization\_id](#input\_organization\_id) | AWS Organization ID where these resources are being deployed into | `string` | n/a | yes |
-| [organization\_unit](#input\_organization\_unit) | Organizational Unit ID that the stackset will be deployed into | `string` | n/a | yes |
+| [organization\_unit](#input\_organization\_unit) | Organizational Unit ID that the stackset will be deployed into | `list(string)` | n/a | yes |
 ## Outputs
diff --git a/main.tf b/main.tf
index 1c842d7..08f9cb4 100644
--- a/main.tf
+++ b/main.tf
@@ -369,7 +369,7 @@ resource "aws_cloudformation_stack_set" "lacework_stackset" {
 data "aws_region" "current" {}
 resource "aws_cloudformation_stack_set_instance" "lacework_stackset_instances" {
 deployment_targets {
- organizational_unit_ids = [var.organization_unit]
+ organizational_unit_ids = var.organization_unit
 }
 region = data.aws_region.current.name
diff --git a/variables.tf b/variables.tf
index 970abc0..fbad015 100644
--- a/variables.tf
+++ b/variables.tf
@@ -41,7 +41,7 @@ variable "organization_id" {
 }
 variable "organization_unit" {
- type = string
+ type = list(string)
 description = "Organizational Unit ID that the stackset will be deployed into"
 }
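Review bot: The type widens to `list(string)` but the `description` on the next context line still says "Organizational Unit ID" in the singular, and the README row in this patch repeats the stale wording (presumably generated from the description). Any existing caller passing a plain string now fails type-checking, so this is a breaking change to the module's input and belongs in the description and changelog, not only in a `feat:` subject. A `validation` block rejecting an empty list stops a misconfigured caller from creating a stack set instance that targets no OU at all, rather than letting the empty list reach the API; `validation` needs Terraform 0.13 or later, and the module's `required_version` is not visible here.

```terraform
variable "organization_unit" {
  type        = list(string)
  description = "Organizational Unit IDs (one or more) that the stackset will be deployed into"

  validation {
    condition     = length(var.organization_unit) > 0
    error_message = "organization_unit must contain at least one OU ID."
  }
}
```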