
Commit c583b0d

enhance(modular): handle deprecated resources and fix warnings (#20)
1 parent 8cca4ab commit c583b0d


4 files changed

+51
-20
lines changed


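--- a/modules/agentless-scanning/main.tf
+++ b/modules/agentless-scanning/main.tf
@@ -70,7 +70,7 @@ resource "aws_iam_role" "scanning_stackset_admin_role" {
 name = "AWSCloudFormationStackSetAdministrationRoleForScanning"
 tags = var.tags
 
-assume_role_policy = <<EOF
+assume_role_policy = <<EOF
 {
 "Version": "2012-10-17",
 "Statement": [
@@ -84,7 +84,12 @@ resource "aws_iam_role" "scanning_stackset_admin_role" {
 ]
 }
 EOF
-managed_policy_arns = ["arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"]
+}
+
+resource "aws_iam_role_policy_attachments_exclusive" "scanning_stackset_admin_role_managed_policy" {
+count = !var.auto_create_stackset_roles ? 0 : 1
+role_name = aws_iam_role.scanning_stackset_admin_role[0].id
+policy_arns = ["arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"]
 }
 
 resource "aws_iam_role_policy" "scanning_stackset_admin_role_policy" {
@@ -135,9 +140,12 @@ resource "aws_iam_role" "scanning_stackset_execution_role" {
 ]
 }
 EOF
-managed_policy_arns = [
-"arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"
-]
+}
+
+resource "aws_iam_role_policy_attachments_exclusive" "scanning_stackset_execution_role_managed_policy" {
+count = !var.auto_create_stackset_roles ? 0 : 1
+role_name = aws_iam_role.scanning_stackset_execution_role[0].id
+policy_arns = ["arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"]
 }
 
 resource "aws_iam_role_policy" "scanning_stackset_execution_role_policy" {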
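Review bot: Moving `AWSCloudFormationFullAccess` out of `aws_iam_role.scanning_stackset_admin_role` and `scanning_stackset_execution_role` into the two new `aws_iam_role_policy_attachments_exclusive` resources drops the implicit ordering the old `managed_policy_arns` gave: anything that references only the role (the StackSet that deploys the scanning stack, which is outside this hunk) no longer waits for the policy to be attached, so a first apply can create the StackSet before the roles have their permissions and fail stack-instance deployment until a re-apply. If the StackSet resources reference these roles, add `depends_on = [aws_iam_role_policy_attachments_exclusive.scanning_stackset_admin_role_managed_policy, aws_iam_role_policy_attachments_exclusive.scanning_stackset_execution_role_managed_policy]` to them. `count = !var.auto_create_stackset_roles ? 0 : 1` is a double negative; `count = var.auto_create_stackset_roles ? 1 : 0` reads directly and presumably matches the `count` on the role it indexes with `[0]`. `aws_iam_role_policy_attachments_exclusive` also requires a fairly recent 5.x AWS provider (the 5.7x line, I believe); the module's version constraint is not in this diff, so confirm it was raised with this change.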

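--- a/modules/config-posture/main.tf
+++ b/modules/config-posture/main.tf
@@ -18,9 +18,9 @@ data "sysdig_secure_tenant_external_id" "external_id" {}
 # Since this is not an Organizational deploy, create role/polices directly
 #----------------------------------------------------------
 resource "aws_iam_role" "cspm_role" {
-name = local.config_posture_role_name
-tags = var.tags
-assume_role_policy = <<EOF
+name = local.config_posture_role_name
+tags = var.tags
+assume_role_policy = <<EOF
 {
 "Version": "2012-10-17",
 "Statement": [
@@ -40,7 +40,13 @@ resource "aws_iam_role" "cspm_role" {
 ]
 }
 EOF
-managed_policy_arns = ["arn:aws:iam::aws:policy/SecurityAudit"]
+}
+
+resource "aws_iam_role_policy_attachments_exclusive" "cspm_role_managed_policy" {
+role_name = aws_iam_role.cspm_role.id
+policy_arns = [
+"arn:aws:iam::aws:policy/SecurityAudit"
+]
 }
 
 resource "aws_iam_role_policy" "cspm_role_policy" {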
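Review bot: The new `aws_iam_role_policy_attachments_exclusive.cspm_role_managed_policy` is authoritative for the role's managed-policy set: on every apply it detaches any managed policy an operator attached to `cspm_role` outside Terraform, and nothing in the hunk says so. The old `managed_policy_arns` argument behaved the same way, so this is not a regression, but a reader who sees a stand-alone attachment resource will likely assume it is additive; a comment above it would prevent that: `# Exclusive: any managed policy attached to cspm_role outside Terraform is detached on the next apply.` Also note that resources that only reference `aws_iam_role.cspm_role` (the Sysdig trusted-role registration, if this module has one) no longer implicitly wait for `SecurityAudit` to be attached; where the role's permissions are needed at creation time, reference this attachment resource in a `depends_on`.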

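--- a/modules/integrations/event-bridge/main.tf
+++ b/modules/integrations/event-bridge/main.tf
@@ -59,7 +59,7 @@ resource "aws_iam_role" "event_bus_stackset_admin_role" {
 name = "AWSCloudFormationStackSetAdministrationRoleForEB"
 tags = var.tags
 
-assume_role_policy = <<EOF
+assume_role_policy = <<EOF
 {
 "Version": "2012-10-17",
 "Statement": [
@@ -73,7 +73,14 @@ resource "aws_iam_role" "event_bus_stackset_admin_role" {
 ]
 }
 EOF
-managed_policy_arns = ["arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"]
+}
+
+resource "aws_iam_role_policy_attachments_exclusive" "event_bus_stackset_admin_role_managed_policy" {
+count = !var.auto_create_stackset_roles ? 0 : 1
+role_name = aws_iam_role.event_bus_stackset_admin_role[0].id
+policy_arns = [
+"arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"
+]
 }
 
 #-----------------------------------------------------------------------------------------------------------------------------------------
@@ -105,7 +112,12 @@ resource "aws_iam_role" "event_bus_stackset_execution_role" {
 ]
 }
 EOF
-managed_policy_arns = [
+}
+
+resource "aws_iam_role_policy_attachments_exclusive" "event_bus_stackset_execution_role_managed_policy" {
+count = !var.auto_create_stackset_roles ? 0 : 1
+role_name = aws_iam_role.event_bus_stackset_execution_role[0].id
+policy_arns = [
 "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess",
 "arn:aws:iam::aws:policy/AmazonEventBridgeFullAccess"
 ]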
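Review bot: The execution role's `AWSCloudFormationFullAccess` and `AmazonEventBridgeFullAccess` now arrive through `aws_iam_role_policy_attachments_exclusive.event_bus_stackset_execution_role_managed_policy`, which nothing in this hunk depends on; the CloudFormation StackSet that assumes this role (outside the hunk) previously received those permissions as part of role creation and can now be created before the attachment exists. Add `depends_on = [aws_iam_role_policy_attachments_exclusive.event_bus_stackset_admin_role_managed_policy, aws_iam_role_policy_attachments_exclusive.event_bus_stackset_execution_role_managed_policy]` to the StackSet resources, otherwise a first apply may fail deploying the EventBridge stack instances until the attachments land. As a style point, `policy_arns` is written as a one-line list in the agentless-scanning module and as a multi-line list here for the same single ARN; `terraform fmt` will not normalize that, so pick one form across the modules.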

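--- a/modules/onboarding/main.tf
+++ b/modules/onboarding/main.tf
@@ -43,23 +43,28 @@ resource "aws_iam_role" "onboarding_role" {
 ]
 }
 EOF
-managed_policy_arns = compact([
-"arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess",
-var.is_organizational ? "arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess" : ""
-])
 
 lifecycle {
 ignore_changes = [tags]
 }
 }
 
+resource "aws_iam_role_policy_attachments_exclusive" "onboarding_role_managed_policy" {
+role_name = aws_iam_role.onboarding_role.id
+policy_arns = compact([
+"arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess",
+var.is_organizational ? "arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess" : ""
+])
+}
+
 data "aws_caller_identity" "current" {}
 
 resource "sysdig_secure_cloud_auth_account" "cloud_auth_account" {
-enabled = true
-provider_id = data.aws_caller_identity.current.account_id
-provider_type = "PROVIDER_AWS"
-provider_alias = var.account_alias
+enabled = true
+provider_id = data.aws_caller_identity.current.account_id
+provider_type = "PROVIDER_AWS"
+provider_alias = var.account_alias
+regulatory_framework = "REGULATORY_FRAMEWORK_UNSPECIFIED"
 
 component {
 type = "COMPONENT_TRUSTED_ROLE"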
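Review bot: `sysdig_secure_cloud_auth_account.cloud_auth_account` registers the `COMPONENT_TRUSTED_ROLE` against a role that may not yet have `AWSAccountManagementReadOnlyAccess` / `AWSOrganizationsReadOnlyAccess` attached, because those policies moved from `aws_iam_role.onboarding_role` into `aws_iam_role_policy_attachments_exclusive.onboarding_role_managed_policy` and the account resource references only the role, not the new attachment. Before this change the role resource carried the policies, so the registration implicitly waited for them; if the Sysdig backend validates the trusted role's permissions when it is registered, add `depends_on = [aws_iam_role_policy_attachments_exclusive.onboarding_role_managed_policy]` to the `cloud_auth_account` resource (its `component` block continues outside the hunk). The new `regulatory_framework = "REGULATORY_FRAMEWORK_UNSPECIFIED"` is a hard-coded sentinel; if operators are meant to choose a framework, expose it as a variable with this value as the default rather than fixing it in the module.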
