# Shared external ID used in the role trust policies below (confused-deputy
# protection). The same value is passed into the stack set so the member-account
# roles and the organization-level role agree on it.
variable "external_id" {
  type        = string
  description = "External ID provided by the Secureframe application."
}
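# Organization-level scanner role assumed by Secureframe (account 728997465891).
# Secureframe assumes this role, enumerates the organization, and then hops into
# the per-account "secureframeOrgScanner" roles created by the stack set below.
# NOTE(review): the description string still says the role "creates member
# roles"; the member roles are created by the stack set, not by this role.
resource "aws_iam_role" "secureframe_read_only" {
  name                  = "secureframeOrgScanner"
  description           = "Admin Role that Secureframe will use to create member roles"
  force_detach_policies = true

  # NOTE(review): managed_policy_arns and inline_policy as role arguments are
  # still accepted, but newer AWS provider releases steer towards the separate
  # aws_iam_role_policy_attachment / aws_iam_role_policy resources — confirm
  # against the provider version pinned for this configuration.
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/SecurityAudit"
  ]

  inline_policy {
    name = "inline_policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          # Enumerating accounts and OUs takes no resource-level scoping.
          Effect   = "Allow"
          Resource = "*"
          Action   = ["organizations:List*"]
        },
        {
          # Scoped down from "*": the only roles this scanner needs to hop into
          # are the member-account roles named secureframeOrgScanner, which the
          # stack set below creates. A wildcard resource would let this role
          # assume any role, in any account, whose trust policy names this
          # account.
          Effect   = "Allow"
          Resource = "arn:aws:iam::*:role/secureframeOrgScanner"
          Action   = ["sts:AssumeRole"]
        }
      ]
    })
  }

  # Trust policy: only Secureframe's account may assume this role, and only when
  # it presents the external ID. sts:TagSession lets the caller attach session
  # tags at assume time.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::728997465891:root"
        }
        Condition = {
          StringEquals = {
            "sts:ExternalId" = var.external_id
          }
        }
        Action = [
          "sts:AssumeRole",
          "sts:TagSession"
        ]
      }
    ]
  })
}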
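# Service-managed stack set that creates a read-only "secureframeOrgScanner" role
# in each member account, trusting Secureframe's account with the same external
# ID as the organization-level role.
# NOTE(review): no deployment targets appear here — presumably the stack set
# instances (aws_cloudformation_stack_set_instance) are declared elsewhere.
resource "aws_cloudformation_stack_set" "secureframe_member_roles" {
  name        = "SecureframeOrgRoles"
  description = "secureframe org setup"

  # The template creates an IAM role and policy with fixed names.
  capabilities = [
    "CAPABILITY_NAMED_IAM"
  ]

  permission_model = "SERVICE_MANAGED"

  auto_deployment {
    enabled                          = true
    retain_stacks_on_account_removal = false
  }

  managed_execution {
    active = true
  }

  # `parameters` is a plain map of template parameter name -> value. The earlier
  # ParameterKey/ParameterValue pair is the CloudFormation API shape, not the
  # provider's: CloudFormation would have received two parameters the template
  # does not declare and no value for the required ExternalID.
  parameters = {
    ExternalID = var.external_id
  }

  # NoEcho keeps the external ID out of the console and DescribeStacks output
  # in every member account.
  template_body = <<-STACKSET
    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Description": "Create a cross account role called secureframe with permissions for the Secureframe AWS integration.",
      "Parameters": {
        "ExternalID": {
          "Type": "String",
          "NoEcho": true,
          "Description": "external id created by secureframe"
        }
      },
      "Resources": {
        "Secureframe": {
          "Type": "AWS::IAM::ManagedPolicy",
          "Properties": {
            "ManagedPolicyName": "secureframe-org",
            "Description": "A Limited policy to allow secureframe to do its job",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Resource": "*",
                  "Action": [
                    "ecr:Describe*",
                    "ecs:GetTaskProtection",
                    "elasticfilesystem:DescribeBackupPolicy",
                    "elastictranscoder:ListPipelines",
                    "es:ListVpcEndpoint*",
                    "ses:GetEmailIdentity",
                    "ses:ListEmailIdentities",
                    "wafv2:GetLoggingConfiguration",
                    "wafv2:GetWebACLForResource"
                  ]
                }
              ]
            }
          }
        },
        "SecureframeReadOnly": {
          "Type": "AWS::IAM::Role",
          "Properties": {
            "RoleName": "secureframeOrgScanner",
            "Description": "Read Only Access for secureframe to fetch resources from member accounts",
            "ManagedPolicyArns": [
              {
                "Ref": "Secureframe"
              },
              "arn:aws:iam::aws:policy/SecurityAudit"
            ],
            "MaxSessionDuration": 28800,
            "AssumeRolePolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "AWS": "arn:aws:iam::728997465891:root"
                  },
                  "Action": [
                    "sts:AssumeRole",
                    "sts:TagSession"
                  ],
                  "Condition": {
                    "StringEquals": {
                      "sts:ExternalId": {
                        "Ref": "ExternalID"
                      }
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  STACKSET
}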
# ARN of the organization-level role, which is the value registered with
# Secureframe. The output keeps its historical name "admin_role_arn" even though
# the role it exposes is the read-only scanner role.
output "admin_role_arn" {
  description = "ARN of the organization-level Secureframe scanner role."
  value       = aws_iam_role.secureframe_read_only.arn
}