Skip to content

Commit ef7226a

Browse files
cgeerscgeers
committed
fix(agentless-scanning): stackset service roles
1 parent 0aa64fa commit ef7226a

File tree

2 files changed

+3
-28
lines changed

2 files changed

+3
-28
lines changed

modules/agentless-scanning/main.tf

Lines changed: 3 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -74,7 +74,7 @@ resource "random_id" "suffix" {
7474
resource "aws_iam_role" "scanning_stackset_admin_role" {
7575
count = !var.auto_create_stackset_roles ? 0 : 1
7676

77-
name = "AWSCloudFormationStackSetAdministrationRoleForScanning"
77+
name = "${local.scanning_resource_name}-AdministrationRole"
7878
tags = var.tags
7979

8080
assume_role_policy = <<EOF
@@ -93,25 +93,6 @@ resource "aws_iam_role" "scanning_stackset_admin_role" {
9393
EOF
9494
}
9595

96-
resource "aws_iam_role_policy" "scanning_stackset_admin_role_policy" {
97-
count = !var.auto_create_stackset_roles ? 0 : 1
98-
99-
name_prefix = "AssumeExecutionRole"
100-
role = aws_iam_role.scanning_stackset_admin_role[0].id
101-
policy = jsonencode({
102-
Statement = [
103-
{
104-
Sid = "AssumeExecutionRole"
105-
Action = [
106-
"sts:AssumeRole",
107-
]
108-
Effect = "Allow"
109-
Resource = "arn:aws:iam:::role/${local.scanning_resource_name}-ExecutionRole"
110-
},
111-
]
112-
})
113-
}
114-
11596
#-----------------------------------------------------------------------------------------------------------------------------------------
11697
# Self-managed stacksets require pair of StackSetAdministrationRole & StackSetExecutionRole IAM roles with self-managed permissions.
11798
#
@@ -133,10 +114,9 @@ resource "aws_iam_role" "scanning_stackset_execution_role" {
133114
{
134115
"Action": "sts:AssumeRole",
135116
"Principal": {
136-
"AWS": "arn:aws:iam::${local.account_id}:role/${aws_iam_role.scanning_stackset_admin_role[0].name}"
117+
"AWS": "${aws_iam_role.scanning_stackset_admin_role[0].arn}"
137118
},
138-
"Effect": "Allow",
139-
"Condition": {}
119+
"Effect": "Allow"
140120
}
141121
]
142122
}
@@ -324,7 +304,6 @@ TEMPLATE
324304

325305
depends_on = [
326306
aws_iam_role.scanning_stackset_admin_role,
327-
aws_iam_role_policy.scanning_stackset_admin_role_policy,
328307
aws_iam_role.scanning_stackset_execution_role,
329308
]
330309
}

modules/agentless-scanning/organizational.tf

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -40,10 +40,6 @@ resource "aws_cloudformation_stack_set" "ou_resources_stackset" {
4040
retain_stacks_on_account_removal = false
4141
}
4242

43-
lifecycle {
44-
ignore_changes = [administration_role_arn]
45-
}
46-
4743
template_body = <<TEMPLATE
4844
Resources:
4945
ScanningRole:

0 commit comments

Comments
 (0)