ScaleSec/terraform_aws_scpPublic

NotificationsYou must be signed in to change notification settings
Fork46
Star242

Commitfa01752

authored

Merge pull request#75 from ScaleSec/feature/issue-74_HTTP-module

Feature/issue 74 http module

2 parents1daaa77 +8794a18 commitfa01752Copy full SHA for fa01752

File tree

25 files changed

+122

-151

lines changed

.github/workflows
- terraform.yml
README.md
compliance_scp
- README.md
- dodCcSrgIl2Ew
  - main.tf
- dodCcSrgIl2Gc
  - main.tf
- dodCcSrgIl4Gc
  - main.tf
- dodCcSrgIl5Gc
  - main.tf
- fedrampHigh
  - main.tf
- fedrampMod
- hipaa
  - main.tf
- iso
  - main.tf
- pci
  - main.tf
- soc
  - main.tf
- templates

25 files changed

+122

-151

lines changed

`‎.github/workflows/terraform.yml`

Lines changed: 10 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`name:Terraform Validation`
`2`	`2`
`3`		`-on:`
	`3`	`+on:`
`4`	`4`	`pull_request`
`5`	`5`
`6`	`6`
`@@ -107,23 +107,23 @@ jobs:`
`107`	`107`	`TF_VAR_target_id:${{ secrets.TARGET_ID }}"'`
`108`	`108`
`109`	`109`	`# FedRAMP Medium Validation`
`110`		`- -name:Terraform fmt FedRAMPMed`
	`110`	`+ -name:Terraform fmt FedRAMPMod`
`111`	`111`	`run:terraform fmt`
`112`		`-working-directory:./compliance_scp/fedrampMed`
	`112`	`+working-directory:./compliance_scp/fedrampMod`
`113`	`113`	`continue-on-error:true`
`114`	`114`
`115`		`- -name:Terraform Init FedRAMPMed`
	`115`	`+ -name:Terraform Init FedRAMPMod`
`116`	`116`	`run:terraform init`
`117`		`-working-directory:./compliance_scp/fedrampMed`
	`117`	`+working-directory:./compliance_scp/fedrampMod`
`118`	`118`
`119`		`- -name:Terraform Validate FedRAMPMed`
	`119`	`+ -name:Terraform Validate FedRAMPMod`
`120`	`120`	`run:terraform validate -no-color`
`121`		`-working-directory:./compliance_scp/fedrampMed`
	`121`	`+working-directory:./compliance_scp/fedrampMod`
`122`	`122`
`123`		`- -name:Terraform Plan FedRAMPMed`
	`123`	`+ -name:Terraform Plan FedRAMPMod`
`124`	`124`	`run:terraform plan -no-color`
`125`	`125`	`continue-on-error:false`
`126`		`-working-directory:./compliance_scp/fedrampMed`
	`126`	`+working-directory:./compliance_scp/fedrampMod`
`127`	`127`	`env:`
`128`	`128`	`TF_VAR_target_id:${{ secrets.TARGET_ID }}"'`
`129`	`129`
`@@ -254,4 +254,4 @@ jobs:`
`254`	`254`	`TF_VAR_target_id:${{ secrets.TARGET_ID }}"'`
`255`	`255`	`TF_VAR_ami_creator_account:${{ secrets.AMI_CREATOR_ACCOUNT }}"'`
`256`	`256`	`TF_VAR_ami_tag_key:${{ secrets.AMI_TAG_KEY }}"'`
`257`		`-TF_VAR_ami_tag_value:${{ secrets.AMI_TAG_VALUE }}"'`
	`257`	`+TF_VAR_ami_tag_value:${{ secrets.AMI_TAG_VALUE }}"'`

`‎README.md`

Lines changed: 6 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -34,8 +34,8 @@ This repo is a collection of AWS Service Control Policies (SCPs) written in Hash`
`34`	`34`	- Select the`aws_iam_policy_document` you want and combine into one large data document.
`35`	`35`	`- Pick and choose 5 modules to deploy and remove the others.`
`36`	`36`	- Remove`aws_organizations_policy_attachment` from the modules'`main.tf` file and apply. You would then need to manually attach the SCPs.
`37`		`-- The[hipaa_scp](compliance_scp/hipaa_scp/) folder is aservice control policy that whitelists HIPAA compliantAWS servicesbased off ofhttps://aws.amazon.com/compliance/hipaa-eligible-services-reference/.`
`38`		`-- The[pci_scp](compliance_scp/pci_scp/) folder is a service control policy that whitelists PCI compliant AWS services based off ofhttps://aws.amazon.com/compliance/services-in-scope/.`
	`37`	`+- The[compliance_scp](compliance_scp/) folder is acollection of compliance-flavored SCPs. These SCPs only allowAWS servicesthat are compliant with the respective compliance framework. All SCP JSON files are sourced from Salesforce's[aws-allowlister](https://github.com/salesforce/aws-allowlister) repository which updates via a weekly cronjob.`
	`38`	`+`
`39`	`39`
`40`	`40`	`##Usage`
`41`	`41`
`@@ -71,16 +71,16 @@ To Remove the SCPs:`
`71`	`71`	`- An AWS Organization`
`72`	`72`	`- An IAM user with Organization Admin Access`
`73`	`73`
`74`		`-##Common Errors`
	`74`	`+##Common Errors`
`75`	`75`
`76`	`76`	`####Enabled Policy Types`
`77`	`77`
`78`	`78`	```
`79`		`-error creating Organizations Policy Attachment: PolicyTypeNotEnabledException: This operation can be performed only for enabled policy types.`
	`79`	`+error creating Organizations Policy Attachment: PolicyTypeNotEnabledException: This operation can be performed only for enabled policy types.`
`80`	`80`	`status code: 400, request id: 2b8ecgeb-34h3-11e6-86fb-275c76986dec`
`81`	`81`	```
`82`	`82`
`83`		`-SCP functionality must be enabled on the root. Seehttps://github.com/terraform-providers/terraform-provider-aws/issues/4545 for more information`
	`83`	`+SCP functionality must be enabled on the root. Seehttps://github.com/terraform-providers/terraform-provider-aws/issues/4545 for more information`
`84`	`84`
`85`	`85`	`####Minimum SCP Requirement`
`86`	`86`
`@@ -101,5 +101,5 @@ Occasionally, if you try to assign many SCPs to one target at the same time, it`
`101`	`101`
`102`	`102`	`##Limitation of Liability`
`103`	`103`
`104`		`-Please view the[License](LICENSE) for limitations of liability.`
	`104`	`+Please view the[License](LICENSE) for limitations of liability.`
`105`	`105`

`‎compliance_scp/README.md`

Lines changed: 21 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,21 @@`
	`1`	`+#Compliance Service Control Policies`
	`2`	`+`
	`3`	`+When organizations need to meet specific compliance requirements they must be careful to only use AWS services that are also compliant with the target framework. For example, when you need to meet PCI-DSS, you must be sure to only use PCI-DSS compliant AWS services.`
	`4`	`+`
	`5`	`+To only use compliant AWS services at scale, and in a safe manner, we recommend Service Control policies.`
	`6`	`+`
	`7`	`+The following compliance frameworks are currently supported in terraform.`
	`8`	`+`
	`9`	`+*[SOC](soc)`
	`10`	`+*[PCI](pci)`
	`11`	`+*[HIPAA](hipaa)`
	`12`	`+*[ISO](iso)`
	`13`	`+*[FedRAMP High](fedrampHigh)`
	`14`	`+*[FedRAMP Moderate](fedrampMod)`
	`15`	`+*[Include DoD CC SRG IL2 East/West](dodCcSrgIl2Ew)`
	`16`	`+*[Include DoD CC SRG IL2 GovCloud](dodCcSrgIl2Gc)`
	`17`	`+*[Include DoD CC SRG IL4 GovCloud](dodCcSrgIl4Gc)`
	`18`	`+*[Include DoD CC SRG IL5 GovCloud](dodCcSrgIl5Gc)`
	`19`	`+`
	`20`	`+`
	`21`	`+All SCP JSON files are sourced from Salesforce's[aws-allowlister](https://github.com/salesforce/aws-allowlister) repository which updates via a weekly cronjob.`

`‎compliance_scp/dodCcSrgIl2Ew/main.tf`

Lines changed: 8 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,14 +1,18 @@`
`1`	`1`	`# The below approved services are based off the list located here: https://aws.amazon.com/compliance/services-in-scope/`
`2`	`2`
`3`		`-data"template_file""dodccsrgil2ew_policy" {`
`4`		`-template=file("../templates/dodccsrgIl2Ew.json")`
	`3`	`+data"http""dodccsrgil2ew_policy" {`
	`4`	`+url="https://raw.githubusercontent.com/salesforce/aws-allowlister/main/examples/latest/DOD_CC_SRG_IL2_EW-AllowList-SCP.json"`
	`5`	`+`
	`6`	`+request_headers={`
	`7`	`+ Accept="application/json"`
	`8`	`+ }`
`5`	`9`	`}`
`6`	`10`
`7`	`11`	`resource"aws_organizations_policy""allow_dodccsrgil2ew_services_policy" {`
`8`	`12`	`name="Allow DoD CC SRG IL2 (East/West) Services"`
`9`		`-description="Only allow DoD CC SRG IL2 (East/West) services as of 03/2021"`
	`13`	`+description="Only allow DoD CC SRG IL2 (East/West)."`
`10`	`14`
`11`		`-content=data.template_file.dodccsrgil2ew_policy.rendered`
	`15`	`+content=data.http.dodccsrgil2ew_policy.body`
`12`	`16`	`}`
`13`	`17`
`14`	`18`	`resource"aws_organizations_policy_attachment""allow_dodccsrgil2ew_services_attachment" {`

`‎compliance_scp/dodCcSrgIl2Gc/main.tf`

Lines changed: 8 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,14 +1,18 @@`
`1`	`1`	`# The below approved services are based off the list located here: https://aws.amazon.com/compliance/services-in-scope/`
`2`	`2`
`3`		`-data"template_file""dodccsrgil2gc_policy" {`
`4`		`-template=file("../templates/dodccsrgIl2Gc.json")`
	`3`	`+data"http""dodccsrgil2gc_policy" {`
	`4`	`+url="https://raw.githubusercontent.com/salesforce/aws-allowlister/main/examples/latest/DOD_CC_SRG_IL2_GC-AllowList-SCP.json"`
	`5`	`+`
	`6`	`+request_headers={`
	`7`	`+ Accept="application/json"`
	`8`	`+ }`
`5`	`9`	`}`
`6`	`10`
`7`	`11`	`resource"aws_organizations_policy""allow_dodccsrgil2gc_services_policy" {`
`8`	`12`	`name="Allow DoD CC SRG IL2 (GovCloud) Services"`
`9`		`-description="Only allow DoD CC SRG IL2 (GovCloud) services as of 03/2021"`
	`13`	`+description="Only allow DoD CC SRG IL2 (GovCloud) services."`
`10`	`14`
`11`		`-content=data.template_file.dodccsrgil2gc_policy.rendered`
	`15`	`+content=data.http.dodccsrgil2gc_policy.body`
`12`	`16`	`}`
`13`	`17`
`14`	`18`	`resource"aws_organizations_policy_attachment""allow_dodccsrgil2gc_services_attachment" {`

`‎compliance_scp/dodCcSrgIl4Gc/main.tf`

Lines changed: 8 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,14 +1,18 @@`
`1`	`1`	`# The below approved services are based off the list located here: https://aws.amazon.com/compliance/services-in-scope/`
`2`	`2`
`3`		`-data"template_file""dodccsrgil4gc_policy" {`
`4`		`-template=file("../templates/dodccsrgIl4Gc.json")`
	`3`	`+data"http""dodccsrgil4gc_policy" {`
	`4`	`+url="https://raw.githubusercontent.com/salesforce/aws-allowlister/main/examples/latest/DOD_CC_SRG_IL4_GC-AllowList-SCP.json"`
	`5`	`+`
	`6`	`+request_headers={`
	`7`	`+ Accept="application/json"`
	`8`	`+ }`
`5`	`9`	`}`
`6`	`10`
`7`	`11`	`resource"aws_organizations_policy""allow_dodccsrgil4gc_services_policy" {`
`8`	`12`	`name="Allow DoD CC SRG IL4 (GovCloud) Services"`
`9`		`-description="Only allow DoD CC SRG IL4 (GovCloud) services as of 03/2021"`
	`13`	`+description="Only allow DoD CC SRG IL4 (GovCloud) services."`
`10`	`14`
`11`		`-content=data.template_file.dodccsrgil4gc_policy.rendered`
	`15`	`+content=data.http.dodccsrgil4gc_policy.body`
`12`	`16`	`}`
`13`	`17`
`14`	`18`	`resource"aws_organizations_policy_attachment""allow_dodccsrgil4gc_services_attachment" {`

`‎compliance_scp/dodCcSrgIl5Gc/main.tf`

Lines changed: 8 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,14 +1,18 @@`
`1`	`1`	`# The below approved services are based off the list located here: https://aws.amazon.com/compliance/services-in-scope/`
`2`	`2`
`3`		`-data"template_file""dodccsrgil5gc_policy" {`
`4`		`-template=file("../templates/dodccsrgIl5Gc.json")`
	`3`	`+data"http""dodccsrgil5gc_policy" {`
	`4`	`+url="https://raw.githubusercontent.com/salesforce/aws-allowlister/main/examples/latest/DOD_CC_SRG_IL5_GC-AllowList-SCP.json"`
	`5`	`+`
	`6`	`+request_headers={`
	`7`	`+ Accept="application/json"`
	`8`	`+ }`
`5`	`9`	`}`
`6`	`10`
`7`	`11`	`resource"aws_organizations_policy""allow_dodccsrgil5gc_services_policy" {`
`8`	`12`	`name="Allow DoD CC SRG IL5 (GovCloud) Services"`
`9`		`-description="Only allow DoD CC SRG IL5 (GovCloud) services as of 03/2021"`
	`13`	`+description="Only allow DoD CC SRG IL5 (GovCloud) services."`
`10`	`14`
`11`		`-content=data.template_file.dodccsrgil5gc_policy.rendered`
	`15`	`+content=data.http.dodccsrgil5gc_policy.body`
`12`	`16`	`}`
`13`	`17`
`14`	`18`	`resource"aws_organizations_policy_attachment""allow_dodccsrgil5gc_services_attachment" {`

`‎compliance_scp/fedrampHigh/main.tf`

Lines changed: 9 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,17 +1,21 @@`
`1`	`1`	`# The below approved services are based off the list located here: https://aws.amazon.com/compliance/services-in-scope/`
`2`	`2`
`3`		`-data"template_file""fedramph_policy" {`
`4`		`-template=file("../templates/fedramph.json")`
	`3`	`+data"http""fedramph_policy" {`
	`4`	`+url="https://raw.githubusercontent.com/salesforce/aws-allowlister/main/examples/latest/FedRAMP_High-AllowList-SCP.json"`
	`5`	`+`
	`6`	`+request_headers={`
	`7`	`+ Accept="application/json"`
	`8`	`+ }`
`5`	`9`	`}`
`6`	`10`
`7`	`11`	`resource"aws_organizations_policy""allow_fedramph_services_policy" {`
`8`	`12`	`name="Allow FedRAMP High Services"`
`9`		`-description="Only allow FedRAMP High services as of 03/2021"`
	`13`	`+description="Only allow FedRAMP High services"`
`10`	`14`
`11`		`-content=data.template_file.fedramph_policy.rendered`
	`15`	`+content=data.http.fedramph_policy.body`
`12`	`16`	`}`
`13`	`17`
`14`	`18`	`resource"aws_organizations_policy_attachment""allow_fedramph_services_attachment" {`
`15`	`19`	`policy_id=aws_organizations_policy.allow_fedramph_services_policy.id`
`16`	`20`	`target_id=var.target_id`
`17`		`-}`
	`21`	`+}`

`‎compliance_scp/fedrampMed/main.tfrenamed to ‎compliance_scp/fedrampMod/main.tf`

Lines changed: 10 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,17 +1,21 @@`
`1`	`1`	`# The below approved services are based off the list located here: https://aws.amazon.com/compliance/services-in-scope/`
`2`	`2`
`3`		`-data"template_file""fedrampm_policy" {`
`4`		`-template=file("../templates/fedrampm.json")`
	`3`	`+data"http""fedrampm_policy" {`
	`4`	`+url="https://raw.githubusercontent.com/salesforce/aws-allowlister/main/examples/latest/FedRAMP_Moderate-AllowList-SCP.json"`
	`5`	`+`
	`6`	`+request_headers={`
	`7`	`+ Accept="application/json"`
	`8`	`+ }`
`5`	`9`	`}`
`6`	`10`
`7`	`11`	`resource"aws_organizations_policy""allow_fedrampm_services_policy" {`
`8`		`-name="Allow FedRAMPMed Services"`
`9`		`-description="Only allow FedRAMPMedium services as of 03/2021"`
	`12`	`+name="Allow FedRAMPMod Services"`
	`13`	`+description="Only allow FedRAMPModerate services"`
`10`	`14`
`11`		`-content=data.template_file.fedrampm_policy.rendered`
	`15`	`+content=data.http.fedrampm_policy.body`
`12`	`16`	`}`
`13`	`17`
`14`	`18`	`resource"aws_organizations_policy_attachment""allow_fedrampm_services_attachment" {`
`15`	`19`	`policy_id=aws_organizations_policy.allow_fedrampm_services_policy.id`
`16`	`20`	`target_id=var.target_id`
`17`		`-}`
	`21`	`+}`

`‎compliance_scp/fedrampMed/variables.tfrenamed to ‎compliance_scp/fedrampMod/variables.tf`

File renamed without changes.

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitfa01752

File tree

25 files changed

25 files changed

`‎.github/workflows/terraform.yml`

`‎README.md`

`‎compliance_scp/README.md`

`‎compliance_scp/dodCcSrgIl2Ew/main.tf`

`‎compliance_scp/dodCcSrgIl2Gc/main.tf`

`‎compliance_scp/dodCcSrgIl4Gc/main.tf`

`‎compliance_scp/dodCcSrgIl5Gc/main.tf`

`‎compliance_scp/fedrampHigh/main.tf`

`‎compliance_scp/fedrampMed/main.tfrenamed to ‎compliance_scp/fedrampMod/main.tf`

`‎compliance_scp/fedrampMed/variables.tfrenamed to ‎compliance_scp/fedrampMod/variables.tf`

0 commit comments