Merge pull request #18 from draios/fix-org-eb-module

adding inline policy for cspm role
draios · May 1, 2023 · ba4c212 · ba4c212
2 parents 8b999f2 + 740b177
commit ba4c212
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 32 deletions.
diff --git a/modules/services/event-bridge/organizational.tf b/modules/services/event-bridge/organizational.tf
@@ -11,7 +11,7 @@ data "aws_organizations_organization" "org" {
 data "aws_region" "current" {}
 
 locals {
-  organizational_unit_ids = var.is_organizational && length(var.organization_units) == 0 ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : toset(var.organization_units)
+  organizational_unit_ids = var.is_organizational && length(var.org_units) == 0 ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : toset(var.org_units)
   region_set              = toset(var.regions)
 }
 

diff --git a/modules/services/event-bridge/variables.tf b/modules/services/event-bridge/variables.tf
@@ -15,7 +15,7 @@ variable "deploy_global_resources" {
   default     = false
 }
 
-variable "organization_units" {
+variable "org_units" {
   description = "(Optional) List of Organization Unit IDs in which to setup EventBridge. By default, EventBridge will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false`"
   type        = set(string)
   default     = []

diff --git a/modules/services/trust-relationship/main.tf b/modules/services/trust-relationship/main.tf
@@ -17,40 +17,32 @@ locals {
 #----------------------------------------------------------
 # If this is not an Organizational deploy, create role/polices directly
 #----------------------------------------------------------
-
-data "aws_iam_policy" "security_audit" {
-  arn = "arn:aws:iam::aws:policy/SecurityAudit"
-}
-
-data "aws_iam_policy_document" "trust_relationship" {
-  statement {
-    effect  = "Allow"
-    actions = ["sts:AssumeRole"]
-    principals {
-      type        = "AWS"
-      identifiers = [var.trusted_identity]
-    }
-    condition {
-      test     = "StringEquals"
-      variable = "sts:ExternalId"
-      values   = [var.external_id]
-    }
-  }
-}
-
 resource "aws_iam_role" "cspm_role" {
-  name               = var.role_name
-  assume_role_policy = data.aws_iam_policy_document.trust_relationship.json
-  tags               = var.tags
+  name                = var.role_name
+  tags                = var.tags
+  assume_role_policy  = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "${var.trusted_identity}"
+            },
+            "Action": "sts:AssumeRole",
+            "Condition": {
+                "StringEquals": {
+                    "sts:ExternalId": "${var.external_id}"
+                }
+            }
+        }
+    ]
 }
-
-
-resource "aws_iam_role_policy_attachment" "cspm_security_audit" {
-  role       = aws_iam_role.cspm_role.id
-  policy_arn = data.aws_iam_policy.security_audit.arn
+EOF
+  managed_policy_arns = ["arn:aws:iam::aws:policy/SecurityAudit"]
 }
 
-
 #----------------------------------------------------------
 # If this is an Organizational deploy, use a CloudFormation StackSet
 #----------------------------------------------------------