From 0ec50fd894a36292346be33d08ea015317f51105 Mon Sep 17 00:00:00 2001 From: Abhi Yerra Date: Tue, 27 Feb 2024 11:32:35 -0800 Subject: [PATCH 1/7] Added vanta --- cloudformation.tf | 18 ------------- opszero.tf | 6 +++++ vanta.tf | 65 +++++++++++++++++++++++++++++++++++++++++++++++ variables.tf | 18 ++++++++----- 4 files changed, 82 insertions(+), 25 deletions(-) delete mode 100644 cloudformation.tf create mode 100644 opszero.tf create mode 100644 vanta.tf diff --git a/cloudformation.tf b/cloudformation.tf deleted file mode 100644 index 6dc44f5..0000000 --- a/cloudformation.tf +++ /dev/null @@ -1,18 +0,0 @@ -resource "aws_cloudformation_stack" "opszero_omyac" { - count = var.opszero_omyac_enabled ? 1 : 0 - name = "opszero-omyac" - template_url = "https://api.opszero.com/omyac/api/cloudformation" -} - -resource "aws_cloudformation_stack" "opszero_ri" { - count = var.opszero_ri_enabled ? 1 : 0 - name = "opszero-ri" - template_url = "https://api.opszero.com/ri/api/cloudformation" -} - -resource "aws_cloudformation_stack" "opszero_reseller" { - count = var.opszero_reseller_enabled ? 1 : 0 - name = "opszero-reseller" - template_url = "https://api.opszero.com/reseller/api/cloudformation" -} - diff --git a/opszero.tf b/opszero.tf new file mode 100644 index 0000000..64de06b --- /dev/null +++ b/opszero.tf @@ -0,0 +1,6 @@ +resource "aws_cloudformation_stack" "opszero" { + count = var.opszero_enabled ? 1 : 0 + + name = "opszero" + template_url = "https://api.opszero.com/cloudformation" +} diff --git a/vanta.tf b/vanta.tf new file mode 100644 index 0000000..5d4f633 --- /dev/null +++ b/vanta.tf @@ -0,0 +1,65 @@ +resource "aws_iam_role_policy" "vanta" { + count = var.vanta_enabled ? 1 : 0 + + name = "VantaAdditionalPermissions" + role = aws_iam_role.test_role.id + + policy = < Date: Tue, 27 Feb 2024 12:09:55 -0800 Subject: [PATCH 2/7] Added vanta --- vanta.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/vanta.tf b/vanta.tf index 5d4f633..c8205e5 100644 
--- a/vanta.tf +++ b/vanta.tf @@ -2,7 +2,7 @@ resource "aws_iam_role_policy" "vanta" { count = var.vanta_enabled ? 1 : 0 name = "VantaAdditionalPermissions" - role = aws_iam_role.test_role.id + role = aws_iam_role.vanta-auditor.id policy = < Date: Tue, 27 Feb 2024 20:19:45 -0800 Subject: [PATCH 3/7] Removed module versions --- bitbucket.tf | 3 +-- github.tf | 3 +-- vanta.tf | 28 ++++++++++++++++++++++++++-- variables.tf | 8 ++++++++ 4 files changed, 36 insertions(+), 6 deletions(-) diff --git a/bitbucket.tf b/bitbucket.tf index 4717222..df88aaf 100644 --- a/bitbucket.tf +++ b/bitbucket.tf @@ -1,8 +1,7 @@ module "bitbucket" { for_each = var.bitbucket - source = "helecloud/bitbucket-oidc/aws" - version = "0.0.1" + source = "github.com/opszero/terraform-aws-bitbucket-oidc" workspace_name = each.value.workspace_name workspace_uuid = each.value.workspace_uuid diff --git a/github.tf b/github.tf index 2935e54..43d036b 100644 --- a/github.tf +++ b/github.tf @@ -1,8 +1,7 @@ module "oidc-github" { for_each = var.github - source = "unfunco/oidc-github/aws" - version = "1.5.0" + source = "github.com/opszero/terraform-aws-oidc-github" github_repositories = each.value.repos diff --git a/vanta.tf b/vanta.tf index c8205e5..bae979b 100644 --- a/vanta.tf +++ b/vanta.tf @@ -1,5 +1,5 @@ -resource "aws_iam_role_policy" "vanta" { - count = var.vanta_enabled ? 1 : 0 +resource "aws_iam_role_policy" "vanta_child" { + count = var.vanta_enabled && var.vanta_is_child_account ? 1 : 0 name = "VantaAdditionalPermissions" role = aws_iam_role.vanta-auditor.id @@ -39,6 +39,30 @@ resource "aws_iam_role_policy" "vanta" { EOF } +resource "aws_iam_role_policy" "vanta_management" { + count = var.vanta_enabled && var.vanta_is_management_account ? 1 : 0 + + name = "VantaManagementAccountPermissions" + role = aws_iam_role.vanta-auditor.id + + policy = < Date: Tue, 27 Feb 2024 20:31:25 -0800 Subject: [PATCH 4/7] Added --- vanta.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
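Review bot: Replacing `source = "helecloud/bitbucket-oidc/aws"` plus `version = "0.0.1"` with `source = "github.com/opszero/terraform-aws-bitbucket-oidc"` removes the only version pin on this module, and a git source without a `?ref=` resolves to the default branch HEAD on every `terraform init`, so the Bitbucket OIDC trust policy is now built from whatever that repository serves at the moment. Pin it to a tag or commit, e.g. `source = "github.com/opszero/terraform-aws-bitbucket-oidc?ref=v0.0.1"` (whichever tag the fork actually publishes), so an upstream push cannot silently widen the assumable role. The `module "bitbucket"` block continues past the hunk.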
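Review bot: Same concern as the Bitbucket module: `source = "github.com/opszero/terraform-aws-oidc-github"` is unpinned after dropping `version = "1.5.0"`, and this module defines the GitHub Actions OIDC trust for this account, which is exactly the kind of dependency that should be locked to an immutable ref such as `source = "github.com/opszero/terraform-aws-oidc-github?ref=<tag-or-sha>"`. It is also worth confirming that the fork still accepts the `github_repositories` input with the same semantics as the registry module it replaces, since that is not visible here. The `module "oidc-github"` block continues past the hunk.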
diff --git a/vanta.tf b/vanta.tf index bae979b..d3851f7 100644 --- a/vanta.tf +++ b/vanta.tf @@ -43,7 +43,7 @@ resource "aws_iam_role_policy" "vanta_management" { count = var.vanta_enabled && var.vanta_is_management_account ? 1 : 0 name = "VantaManagementAccountPermissions" - role = aws_iam_role.vanta-auditor.id + role = aws_iam_role.vanta-auditor[0].id policy = < Date: Tue, 27 Feb 2024 20:32:41 -0800 Subject: [PATCH 5/7] Fixed access for resource --- vanta.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/vanta.tf b/vanta.tf index d3851f7..0e62e2f 100644 --- a/vanta.tf +++ b/vanta.tf @@ -2,7 +2,7 @@ resource "aws_iam_role_policy" "vanta_child" { count = var.vanta_enabled && var.vanta_is_child_account ? 1 : 0 name = "VantaAdditionalPermissions" - role = aws_iam_role.vanta-auditor.id + role = aws_iam_role.vanta_auditor[0].id policy = < Date: Tue, 27 Feb 2024 20:49:45 -0800 Subject: [PATCH 6/7] Added description --- variables.tf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/variables.tf b/variables.tf index e3083db..684c5b3 100644 --- a/variables.tf +++ b/variables.tf @@ -81,11 +81,13 @@ variable "vanta_enabled" { } variable "vanta_is_management_account" { - default = false + description = "Is this an AWS management account that has child accounts?" + default = false } variable "vanta_is_child_account" { - default = false + description = "Is this an AWS child account?" + default = false } variable "vanta_account_id" { From bf08ee707595f5dedd1e2d42d3808e12c599883c Mon Sep 17 00:00:00 2001 From: Abhi Yerra Date: Tue, 27 Feb 2024 20:52:14 -0800 Subject: [PATCH 7/7] Added cloud --- opszero.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/opszero.tf b/opszero.tf index 64de06b..fe715b6 100644 --- a/opszero.tf +++ b/opszero.tf 
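Review bot: The new descriptions do not say what happens when `vanta_enabled` is true but both `vanta_is_management_account` and `vanta_is_child_account` keep their `false` default, which, from the `count` expressions on the two `aws_iam_role_policy` resources in this series, is that neither Vanta policy is attached at all; they also do not say whether both may be true at once. Suggest making that explicit, e.g. `description = "Set to true in the AWS Organizations management account. When vanta_enabled is true, exactly one of vanta_is_management_account / vanta_is_child_account should be set, otherwise no Vanta policy is attached."` and the matching wording on the child variable, where "member account" is the Organizations term rather than "child account".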
@@ -2,5 +2,5 @@ resource "aws_cloudformation_stack" "opszero" {
 count = var.opszero_enabled ? 1 : 0
 
 name = "opszero"
- template_url = "https://api.opszero.com/cloudformation"
+ template_url = "https://api.opszero.com/cloud/cloudformation"
 }
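Review bot: `template_url = "https://api.opszero.com/cloud/cloudformation"` still points at a live vendor endpoint rather than a pinned template object, so the stack body is whatever that API returns at apply time and a change on the vendor side is deployed with this account's credentials without any Terraform plan diff showing it. Consider vendoring the template into the module and using `template_body = file("${path.module}/opszero.yaml")`, or at minimum add a comment on this line recording the reviewed template's hash and date so drift can be checked. No `capabilities` are declared on the resource; if the served template creates IAM resources the apply will fail, which is worth confirming against the actual template. The resource's opening line is only visible in the hunk header context.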