OPS-6301: Terraform Module for SCP

README.md

@@ -1,4 +1,4 @@
-# terraform-module-template
+# Terraform Module for Service Control Policies
 Template for Terraform modules
 
 <!-- Uncomment and replace with your module name
@@ -18,7 +18,9 @@ For requirements regarding module structure: [style-guide-terraform.md](https://
 <!-- TFDOCS_PROVIDER_START -->
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
 
 <!-- TFDOCS_PROVIDER_END -->
 
@@ -34,18 +36,44 @@ No providers.
 <!-- TFDOCS_INPUTS_START -->
 ## Required Inputs
 
-No required inputs.
+The following input variables are required:
+
+### <a name="input_policies"></a> [policies](#input\_policies)
+
+Description: List of policy configurations
+
+Type:
+
+```hcl
+list(object({
+    name        = string
+    description = string
+    statements  = string       # Path to the JSON file containing policy statements
+    target_ids  = list(string) # List of target account IDs or OU IDs
+  }))
+```
 
 ## Optional Inputs
 
-No optional inputs.
+The following input variables are optional (have default values):
+
+### <a name="input_tags"></a> [tags](#input\_tags)
+
+Description: Tags to apply to all resources created in this module
+
+Type: `map(string)`
+
+Default: `{}`
 
 <!-- TFDOCS_INPUTS_END -->
 
 <!-- TFDOCS_OUTPUTS_START -->
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_policy_arns"></a> [policy\_arns](#output\_policy\_arns) | Map of policy ARNs. |
+| <a name="output_policy_ids"></a> [policy\_ids](#output\_policy\_ids) | Map of policy IDs. |
 
 <!-- TFDOCS_OUTPUTS_END -->
 

main.tf

@@ -0,0 +1,40 @@
+# Loop over each policy to create policy documents dynamically
+data "aws_iam_policy_document" "scp_policies" {
+  for_each = { for p in var.policies : p.name => p }
+
+  dynamic "statement" {
+    for_each = jsondecode(file(each.value.statements))
+    content {
+      sid       = lookup(statement.value, "Sid", null)
+      effect    = lookup(statement.value, "Effect", "Deny")
+      actions   = statement.value.Action
+      resources = [lookup(statement.value, "Resource", "*")]
+
+      dynamic "condition" {
+        for_each = lookup(statement.value, "Condition", {})
+        content {
+          test     = condition.key
+          variable = condition.value[0]
+          values   = condition.value[1]
+        }
+      }
+    }
+  }
+}
+
+# Create policies with tags
+resource "aws_organizations_policy" "scp" {
+  for_each    = data.aws_iam_policy_document.scp_policies
+  name        = each.value.name
+  description = each.value.description
+  content     = each.value.json
+  tags        = var.tags
+}
+
+# Attach policies to targets with tags
+resource "aws_organizations_policy_attachment" "attach_scp" {
+  for_each  = { for p in var.policies : p.name => p }
+  count     = length(each.value.target_ids)
+  policy_id = aws_organizations_policy.scp[each.key].id
+  target_id = each.value.target_ids[count.index]
+}

outputs.tf

@@ -0,0 +1,9 @@
+output "policy_arns" {
+  value       = { for k, v in aws_organizations_policy.scp : k => v.arn }
+  description = "Map of policy ARNs."
+}
+
+output "policy_ids" {
+  value       = { for k, v in aws_organizations_policy.scp : k => v.id }
+  description = "Map of policy IDs."
+}

variables.tf

@@ -0,0 +1,15 @@
+variable "policies" {
+  description = "List of policy configurations"
+  type = list(object({
+    name        = string
+    description = string
+    statements  = string       # Path to the JSON file containing policy statements
+    target_ids  = list(string) # List of target account IDs or OU IDs
+  }))
+}
+
+variable "tags" {
+  description = "Tags to apply to all resources created in this module"
+  type        = map(string)
+  default     = {}
+}