From eefeb6adbddff578d65c5cc6b06cdc158f41fc31 Mon Sep 17 00:00:00 2001 From: sameer-in Date: Tue, 25 Apr 2023 18:09:34 -0700 Subject: [PATCH] adding inline policy for cspm role --- .../services/event-bridge/organizational.tf | 18 +------ modules/services/event-bridge/variables.tf | 2 +- modules/services/trust-relationship/main.tf | 52 ++++++++----------- 3 files changed, 24 insertions(+), 48 deletions(-) diff --git a/modules/services/event-bridge/organizational.tf b/modules/services/event-bridge/organizational.tf index 5c8df03..821c7a1 100644 --- a/modules/services/event-bridge/organizational.tf +++ b/modules/services/event-bridge/organizational.tf @@ -11,7 +11,7 @@ data "aws_organizations_organization" "org" { data "aws_region" "current" {} locals { - organizational_unit_ids = var.is_organizational && length(var.organization_units) == 0 ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : toset(var.organization_units) + organizational_unit_ids = var.is_organizational && length(var.org_units) == 0 ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : toset(var.org_units) region_set = length(var.regions) == 0 ? [data.aws_region.current.name] : toset(var.regions) } @@ -19,14 +19,6 @@ locals { resource "aws_iam_role" "mgmt_stackset_admin_role" { count = var.is_organizational ? 1 : 0 - # need to add local-exec block as role propagation is not instant. AWS needs some time to propagate role - # in every region inspiet of being a global resource. so we add a delay to make sure this role - # is available before creation of stackset - # https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency - provisioner "local-exec" { - command = "sleep 3;" - } - name = "AWSCloudFormationStackSetAdministrationRole" tags = var.tags 
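Review bot: Removing the `local-exec` `sleep 3;` provisioner from `mgmt_stackset_admin_role` here, and from `mgmt_stackset_execution_role` in the following `@@ -69,14 +61,6 @@` hunk, drops the only handling the module had for IAM role propagation delay before the StackSet is created, and neither the commit message nor the new side gives a replacement. A `depends_on` on the stackset resource, if one exists outside this diff, only orders creation and does not wait for the role to become assumable in every region, so the first apply can still fail with the eventual-consistency error the removed comment linked to. If the motivation is that a shell `sleep` is not portable, the provider-native form is a `time_sleep` resource from the hashicorp/time provider with a `create_duration` and a `depends_on` listing both roles, which the stackset then depends on; that would need a new `required_providers` entry, so it should be stated in the commit. If the delay was found unnecessary, a short comment on the resource saying so, e.g. `# No propagation delay: stackset creation tolerates IAM eventual consistency (see <ticket placeholder>)`, would stop the next maintainer from re-adding it. Both `aws_iam_role` blocks continue past the end of their hunks.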
@@ -69,14 +61,6 @@ EOF resource "aws_iam_role" "mgmt_stackset_execution_role" { count = var.is_organizational ? 1 : 0 - # need to add local-exec block as role propagation is not instant. AWS needs some time to propagate role - # in every region inspiet of being a global resource. so we add a delay to make sure this role - # is available before creation of stackset - # https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency - provisioner "local-exec" { - command = "sleep 3;" - } - name = "AWSCloudFormationStackSetExecutionRole" tags = var.tags diff --git a/modules/services/event-bridge/variables.tf b/modules/services/event-bridge/variables.tf index d2f2498..541eeb9 100644 --- a/modules/services/event-bridge/variables.tf +++ b/modules/services/event-bridge/variables.tf @@ -15,7 +15,7 @@ variable "deploy_global_resources" { default = false } -variable "organization_units" { +variable "org_units" { description = "(Optional) List of Organization Unit IDs in which to setup EventBridge. By default, EventBridge will be setup in all accounts within the Organization. This field is ignored if `is_organizational = false`" type = set(string) default = [] diff --git a/modules/services/trust-relationship/main.tf b/modules/services/trust-relationship/main.tf index fbcbe63..45ce7ae 100644 --- a/modules/services/trust-relationship/main.tf +++ b/modules/services/trust-relationship/main.tf 
@@ -17,40 +17,32 @@ locals { #---------------------------------------------------------- # If this is not an Organizational deploy, create role/polices directly #---------------------------------------------------------- - -data "aws_iam_policy" "security_audit" { - arn = "arn:aws:iam::aws:policy/SecurityAudit" -} - -data "aws_iam_policy_document" "trust_relationship" { - statement { - effect = "Allow" - actions = ["sts:AssumeRole"] - principals { - type = "AWS" - identifiers = [var.trusted_identity] - } - condition { - test = "StringEquals" - variable = "sts:ExternalId" - values = [var.external_id] - } - } -} - resource "aws_iam_role" "cspm_role" { - name = var.role_name - assume_role_policy = data.aws_iam_policy_document.trust_relationship.json - tags = var.tags + name = var.role_name + tags = var.tags + assume_role_policy = <