A Terraform module to replace one scp with with another SCP for an account
The Lambda function is triggered for the account by an Event Rule that matches the CreateAccountResult or InviteAccountToOrganization events. The function then replaces the default policy for that account.
| Name | Version |
|---|---|
| terraform | >= 1.3 |
| aws | >= 4.9 |
| Name | Version |
|---|---|
| aws | >= 4.9 |
| Name | Type |
|---|---|
| aws_iam_policy_document.lambda | data source |
| aws_partition.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| attach_scp_id | ID of the SCP to attach | string |
n/a | yes |
| detach_scp_id | ID of the SCP to detach | string |
n/a | yes |
| project_name | Project name to prefix resources with | string |
n/a | yes |
| event_bus_name | Event bus name to create event rules in | string |
"default" |
no |
| event_types | Event types that will trigger this lambda | set(string) |
[ |
no |
| lambda | Object of optional attributes passed on to the lambda module | object({ |
{} |
no |
| log_level | Log level for lambda | string |
"INFO" |
no |
| tags | Tags for resource | map(string) |
{} |
no |
No outputs.
Steps to run via the CLI
- Install and configure aws cli.
- Set AWS_PROFILE and AWS_DEFAULT_REGION (account and region that can run commands to attach and detach organizational policies)
- Review the options for the script and run
Supported Environment Variables:
'LOG_LEVEL': defaults to 'info'
- set the desired log level ('error', 'warning', 'info' or 'debug')
'DETACH_SCP_ID':
-sets id of the policy to detach
'ATTACH_SCP_ID':
-sets id of the new policy to attach
options:
-h, --help show this help message and exit
required arguments:
--target-id TARGET_ID
Target ID to replace policy in
usage: replace_scp.py [-h] --target-account-id TARGET_ACCOUNT_IDmkdir vpc_env
python3 -m venv vpc_env
source vpc_env/bin/activate
python3 -m pip install -U pip
pip3 install -r src/requirements.txt
python3 src/replace_scp.py --target-id=<TARGET ID>
deactivate
rm -rf vpc_env