diff --git a/.github/workflows/pull-request-sast.yaml b/.github/workflows/pull-request-sast.yaml index 4204ab2..ee1c002 100644 --- a/.github/workflows/pull-request-sast.yaml +++ b/.github/workflows/pull-request-sast.yaml @@ -11,7 +11,7 @@ permissions: jobs: RunTerraformValidation: - name: Run Terraform Validation + name: Run Terraform SAST runs-on: ubuntu-latest steps: @@ -19,7 +19,7 @@ jobs: uses: actions/checkout@v4 # Results have to be a table as the organisation does not have Advanced Security license. - - name: Run Trivy against Terraform + - name: Terraform Trivy Scan uses: aquasecurity/trivy-action@0.18.0 with: scan-type: 'config' diff --git a/modules/aws/group_account_assignments/.terraform.lock.hcl b/modules/aws/group_account_assignments/.terraform.lock.hcl index 4db245d..dead799 100644 --- a/modules/aws/group_account_assignments/.terraform.lock.hcl +++ b/modules/aws/group_account_assignments/.terraform.lock.hcl 
@@ -2,24 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.40.0" - constraints = "~> 5.40.0" + version = "5.41.0" + constraints = ">= 5.0.0, < 6.0.0" hashes = [ - "h1:mLZbhNUyXQTWQXOCoHglI10XwcvqGqvnn21juy/Jk68=", - "zh:11f177a2385703740bd26d0652d3dba08575101d7639f386ce5637bdb0e29a13", - "zh:203fc43e69634f1bd487a9dc24b01944dfd568beac78e491f26677d103d343ed", - "zh:3697ebad4929da30ea98276a85d4ce5ebfc48508f4dd149e17e1dcdc7f306c6e", - "zh:421e0799756587e728f75a9024b8d4e38707cd6d65cf0710cb8d189062c85a58", - "zh:4be2adcd4c32a66159c532908f0d425d793c814b3686832e9af549b1515ae032", - "zh:55778b32470212ce6bbfd402529c88e7ea6ba34b0882f85d6ea001ff5c6255a5", - "zh:689a4c1fd1e1d5dab7b169759389c76f25e366f19a470971674321d6fca09791", - "zh:68a23eda608573a053e8738894457bd0c11766bc243e68826c78ab6b5a144710", + "h1:SgIWBDBA1uNB/Y7CaLFeNX/Ju2xboSSQmRv35Vbi46M=", + "zh:0553331a6287c146353b6daf6f71987d8c000f407b5e29d6e004ea88faec2e67", + "zh:1a11118984bb2950e8ee7ef17b0f91fc9eb4a42c8e7a9cafd7eb4aca771d06e4", + "zh:236fedd266d152a8233a7fe27ffdd99ca27d9e66a9618a988a4c3da1ac24a33f", + "zh:34bc482ea04cf30d4d216afa55eecf66854e1acf93892cb28a6b5af91d43c9b7", + "zh:39d7eb15832fe339bf46e3bab9852280762a1817bf1afc459eecd430e20e3ad5", + "zh:39fb07429c51556b05170ec2b6bd55e2487adfe1606761eaf1f2a43c4bb20e47", + "zh:71d7cd3013e2f3fa0f65194af29ee6f5fa905e0df2b72b723761dc953f4512ea", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a1580115c22564e5752e569dc40482503de6cced44da3e9431885cd9d4bf18ea", - "zh:b127756d7ee513691e76c211570580c10eaa2f7a7e4fd27c3566a48ec214991c", - "zh:b7ccea7a759940c8dcf8726272eed6653eed0b31f7223f71e829a344627afd39", - "zh:bb130fc50494fd45406e04b44d242da9a8f138a4a43feb65cf9e86d13aa13629", - "zh:cf1c972c90d5f22c9705274a33792275e284a0a3fcac12ce4083b5a4480463f4", - "zh:ebe60d3887b23703ca6a4c65b15c6d7b8d93ba27a028d996d17882fe6e98d5c0", + 
"zh:9b271ae12394e7e2ce6da568b42226a146e90fd705e02a670fcb93618c4aa19f", + "zh:a884dd978859d001709681f9513ba0fbb0753d1d459a7f3434ecc5f1b8699c49", + "zh:b8c3c7dc10ae4f6143168042dcf8dee63527b103cc37abc238ea06150af38b6e", + "zh:ba94ffe0893ad60c0b70c402e163b4df2cf417e93474a9cc1a37535bba18f22d", + "zh:d5ba851d971ff8d796afd9a100acf55eaac0c197c6ab779787797ce66f419f0e", + "zh:e8c090d0c4f730c4a610dc4f0c22b177a0376d6f78679fc3f1d557b469e656f4", + "zh:ed7623acde26834672969dcb5befdb62900d9f216d32e7478a095d2b040a0ea7", ] } diff --git a/modules/aws/group_user_memberships/.terraform.lock.hcl b/modules/aws/group_user_memberships/.terraform.lock.hcl index 4db245d..dead799 100644 --- a/modules/aws/group_user_memberships/.terraform.lock.hcl +++ b/modules/aws/group_user_memberships/.terraform.lock.hcl 
@@ -2,24 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.40.0" - constraints = "~> 5.40.0" + version = "5.41.0" + constraints = ">= 5.0.0, < 6.0.0" hashes = [ - "h1:mLZbhNUyXQTWQXOCoHglI10XwcvqGqvnn21juy/Jk68=", - "zh:11f177a2385703740bd26d0652d3dba08575101d7639f386ce5637bdb0e29a13", - "zh:203fc43e69634f1bd487a9dc24b01944dfd568beac78e491f26677d103d343ed", - "zh:3697ebad4929da30ea98276a85d4ce5ebfc48508f4dd149e17e1dcdc7f306c6e", - "zh:421e0799756587e728f75a9024b8d4e38707cd6d65cf0710cb8d189062c85a58", - "zh:4be2adcd4c32a66159c532908f0d425d793c814b3686832e9af549b1515ae032", - "zh:55778b32470212ce6bbfd402529c88e7ea6ba34b0882f85d6ea001ff5c6255a5", - "zh:689a4c1fd1e1d5dab7b169759389c76f25e366f19a470971674321d6fca09791", - "zh:68a23eda608573a053e8738894457bd0c11766bc243e68826c78ab6b5a144710", + "h1:SgIWBDBA1uNB/Y7CaLFeNX/Ju2xboSSQmRv35Vbi46M=", + "zh:0553331a6287c146353b6daf6f71987d8c000f407b5e29d6e004ea88faec2e67", + "zh:1a11118984bb2950e8ee7ef17b0f91fc9eb4a42c8e7a9cafd7eb4aca771d06e4", + "zh:236fedd266d152a8233a7fe27ffdd99ca27d9e66a9618a988a4c3da1ac24a33f", + "zh:34bc482ea04cf30d4d216afa55eecf66854e1acf93892cb28a6b5af91d43c9b7", + "zh:39d7eb15832fe339bf46e3bab9852280762a1817bf1afc459eecd430e20e3ad5", + "zh:39fb07429c51556b05170ec2b6bd55e2487adfe1606761eaf1f2a43c4bb20e47", + "zh:71d7cd3013e2f3fa0f65194af29ee6f5fa905e0df2b72b723761dc953f4512ea", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a1580115c22564e5752e569dc40482503de6cced44da3e9431885cd9d4bf18ea", - "zh:b127756d7ee513691e76c211570580c10eaa2f7a7e4fd27c3566a48ec214991c", - "zh:b7ccea7a759940c8dcf8726272eed6653eed0b31f7223f71e829a344627afd39", - "zh:bb130fc50494fd45406e04b44d242da9a8f138a4a43feb65cf9e86d13aa13629", - "zh:cf1c972c90d5f22c9705274a33792275e284a0a3fcac12ce4083b5a4480463f4", - "zh:ebe60d3887b23703ca6a4c65b15c6d7b8d93ba27a028d996d17882fe6e98d5c0", + 
"zh:9b271ae12394e7e2ce6da568b42226a146e90fd705e02a670fcb93618c4aa19f", + "zh:a884dd978859d001709681f9513ba0fbb0753d1d459a7f3434ecc5f1b8699c49", + "zh:b8c3c7dc10ae4f6143168042dcf8dee63527b103cc37abc238ea06150af38b6e", + "zh:ba94ffe0893ad60c0b70c402e163b4df2cf417e93474a9cc1a37535bba18f22d", + "zh:d5ba851d971ff8d796afd9a100acf55eaac0c197c6ab779787797ce66f419f0e", + "zh:e8c090d0c4f730c4a610dc4f0c22b177a0376d6f78679fc3f1d557b469e656f4", + "zh:ed7623acde26834672969dcb5befdb62900d9f216d32e7478a095d2b040a0ea7", ] } diff --git a/modules/aws/groups/.terraform.lock.hcl b/modules/aws/groups/.terraform.lock.hcl index 4db245d..dead799 100644 --- a/modules/aws/groups/.terraform.lock.hcl +++ b/modules/aws/groups/.terraform.lock.hcl 
@@ -2,24 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.40.0" - constraints = "~> 5.40.0" + version = "5.41.0" + constraints = ">= 5.0.0, < 6.0.0" hashes = [ - "h1:mLZbhNUyXQTWQXOCoHglI10XwcvqGqvnn21juy/Jk68=", - "zh:11f177a2385703740bd26d0652d3dba08575101d7639f386ce5637bdb0e29a13", - "zh:203fc43e69634f1bd487a9dc24b01944dfd568beac78e491f26677d103d343ed", - "zh:3697ebad4929da30ea98276a85d4ce5ebfc48508f4dd149e17e1dcdc7f306c6e", - "zh:421e0799756587e728f75a9024b8d4e38707cd6d65cf0710cb8d189062c85a58", - "zh:4be2adcd4c32a66159c532908f0d425d793c814b3686832e9af549b1515ae032", - "zh:55778b32470212ce6bbfd402529c88e7ea6ba34b0882f85d6ea001ff5c6255a5", - "zh:689a4c1fd1e1d5dab7b169759389c76f25e366f19a470971674321d6fca09791", - "zh:68a23eda608573a053e8738894457bd0c11766bc243e68826c78ab6b5a144710", + "h1:SgIWBDBA1uNB/Y7CaLFeNX/Ju2xboSSQmRv35Vbi46M=", + "zh:0553331a6287c146353b6daf6f71987d8c000f407b5e29d6e004ea88faec2e67", + "zh:1a11118984bb2950e8ee7ef17b0f91fc9eb4a42c8e7a9cafd7eb4aca771d06e4", + "zh:236fedd266d152a8233a7fe27ffdd99ca27d9e66a9618a988a4c3da1ac24a33f", + "zh:34bc482ea04cf30d4d216afa55eecf66854e1acf93892cb28a6b5af91d43c9b7", + "zh:39d7eb15832fe339bf46e3bab9852280762a1817bf1afc459eecd430e20e3ad5", + "zh:39fb07429c51556b05170ec2b6bd55e2487adfe1606761eaf1f2a43c4bb20e47", + "zh:71d7cd3013e2f3fa0f65194af29ee6f5fa905e0df2b72b723761dc953f4512ea", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a1580115c22564e5752e569dc40482503de6cced44da3e9431885cd9d4bf18ea", - "zh:b127756d7ee513691e76c211570580c10eaa2f7a7e4fd27c3566a48ec214991c", - "zh:b7ccea7a759940c8dcf8726272eed6653eed0b31f7223f71e829a344627afd39", - "zh:bb130fc50494fd45406e04b44d242da9a8f138a4a43feb65cf9e86d13aa13629", - "zh:cf1c972c90d5f22c9705274a33792275e284a0a3fcac12ce4083b5a4480463f4", - "zh:ebe60d3887b23703ca6a4c65b15c6d7b8d93ba27a028d996d17882fe6e98d5c0", + 
"zh:9b271ae12394e7e2ce6da568b42226a146e90fd705e02a670fcb93618c4aa19f", + "zh:a884dd978859d001709681f9513ba0fbb0753d1d459a7f3434ecc5f1b8699c49", + "zh:b8c3c7dc10ae4f6143168042dcf8dee63527b103cc37abc238ea06150af38b6e", + "zh:ba94ffe0893ad60c0b70c402e163b4df2cf417e93474a9cc1a37535bba18f22d", + "zh:d5ba851d971ff8d796afd9a100acf55eaac0c197c6ab779787797ce66f419f0e", + "zh:e8c090d0c4f730c4a610dc4f0c22b177a0376d6f78679fc3f1d557b469e656f4", + "zh:ed7623acde26834672969dcb5befdb62900d9f216d32e7478a095d2b040a0ea7", ] } diff --git a/modules/aws/permission_sets/README.md b/modules/aws/permission_sets/README.md index db7032d..37a8400 100644 --- a/modules/aws/permission_sets/README.md +++ b/modules/aws/permission_sets/README.md @@ -13,7 +13,8 @@ module "permission_sets" { name = description = identity_store_arn = - inline_policies = ARRAY() + inline_policies = OPTIONAL(ARRAY()) + managed_policies = OPTIONAL(ARRAY()) } ``` @@ -23,7 +24,8 @@ This module expects the variables to conform to the following: - `name` - Must be a string between 1 and 64 characters. - `description` - Must be a string between 1 and 256 characters. - `identity_store_arn` - Must be a valid Identity Store ARN. -- `inline_policies` - Must be a list of objects that conforms to [Inline Policy](#inline-policy) schema. +- `inline_policies` - Must be a list of objects that conforms to [Inline Policy](#inline-policy) schema. Can be empty. +- `managed_policies` - Must be a list of strings that are valid managed policy names. Can be empty. ### Inline Policy diff --git a/modules/aws/permission_sets/main.tf b/modules/aws/permission_sets/main.tf index 64e11ac..e4e50d1 100644 --- a/modules/aws/permission_sets/main.tf +++ b/modules/aws/permission_sets/main.tf 
@@ -26,7 +26,17 @@ data "aws_iam_policy_document" "iam_policy_document" { } resource "aws_ssoadmin_permission_set_inline_policy" "permission_set_inline_policy" { + count = length(var.inline_policies) + inline_policy = data.aws_iam_policy_document.iam_policy_document.json instance_arn = var.identity_store_arn permission_set_arn = aws_ssoadmin_permission_set.identity_store_permission_set.arn } + +resource "aws_ssoadmin_managed_policy_attachment" "permission_set_managed_policy" { + for_each = toset(var.managed_policies) + + managed_policy_arn = "arn:aws:iam::aws:policy/${each.value}" + permission_set_arn = aws_ssoadmin_permission_set.identity_store_permission_set.arn + instance_arn = var.identity_store_arn +} diff --git a/modules/aws/permission_sets/variables.tf b/modules/aws/permission_sets/variables.tf index 314acc0..5b77b9e 100644 --- a/modules/aws/permission_sets/variables.tf +++ b/modules/aws/permission_sets/variables.tf @@ -30,4 +30,11 @@ variable "inline_policies" { actions = list(string) resources = list(string) })) + default = [] +} + +variable "managed_policies" { + description = "The inline policy to attach to the permission set." + type = list(string) + default = [] } diff --git a/modules/aws/ssoadmin_instance/.terraform.lock.hcl b/modules/aws/ssoadmin_instance/.terraform.lock.hcl index 4db245d..dead799 100644 --- a/modules/aws/ssoadmin_instance/.terraform.lock.hcl +++ b/modules/aws/ssoadmin_instance/.terraform.lock.hcl 
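Review bot: `count = length(var.inline_policies)` on the inline-policy resource creates one instance per list entry, yet every instance attaches the same `data.aws_iam_policy_document.iam_policy_document.json` to the same `permission_set_arn`, so a list of two or more entries yields duplicate resources competing for the permission set's single inline policy; the intent reads as presence, i.e. `count = length(var.inline_policies) > 0 ? 1 : 0`. Introducing `count` also moves the existing instance to address `[0]`, so deployments that already hold this resource in state will plan a destroy and recreate of the inline policy unless a `moved` block from `aws_ssoadmin_permission_set_inline_policy.permission_set_inline_policy` to `aws_ssoadmin_permission_set_inline_policy.permission_set_inline_policy[0]` accompanies the change. In the new `aws_ssoadmin_managed_policy_attachment`, `managed_policy_arn = "arn:aws:iam::aws:policy/${each.value}"` hard-codes the `aws` partition; declaring `data "aws_partition" "current" {}` and using `arn:${data.aws_partition.current.partition}:iam::aws:policy/${each.value}` keeps the module usable in the other partitions. The `data "aws_iam_policy_document"` block that feeds `inline_policy` closes at the top of the hunk and its body lies outside it, so whether it already folds all `inline_policies` entries into one document cannot be confirmed here.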
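Review bot: The new `managed_policies` variable's description, `The inline policy to attach to the permission set.`, is copied from `inline_policies` and describes the wrong thing; each entry is interpolated verbatim into `arn:aws:iam::aws:policy/${each.value}` in main.tf, so the description should state that these are AWS-managed policy names (optionally path-prefixed), not ARNs or customer-managed policies, and a `validation` block should reject anything else so a malformed entry fails at plan time instead of at apply. `type = list(string)` with `default = []` is fine, and the README's "valid managed policy names" matches the corrected wording. The enclosing `inline_policies` variable block starts outside the hunk.
```hcl
variable "managed_policies" {
  description = "Names of AWS-managed IAM policies (resolved under arn:aws:iam::aws:policy/) to attach to the permission set. Plain or path-prefixed names only, not ARNs."
  type        = list(string)
  default     = []

  validation {
    # IAM policy names and paths allow only these characters; the pattern also rejects ARNs (':') and empty strings.
    condition     = alltrue([for p in var.managed_policies : can(regex("^[A-Za-z0-9+=,.@_/-]+$", p))])
    error_message = "Each managed_policies entry must be an AWS-managed policy name such as ReadOnlyAccess or job-function/ViewOnlyAccess, not an ARN."
  }
}
```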
@@ -2,24 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.40.0" - constraints = "~> 5.40.0" + version = "5.41.0" + constraints = ">= 5.0.0, < 6.0.0" hashes = [ - "h1:mLZbhNUyXQTWQXOCoHglI10XwcvqGqvnn21juy/Jk68=", - "zh:11f177a2385703740bd26d0652d3dba08575101d7639f386ce5637bdb0e29a13", - "zh:203fc43e69634f1bd487a9dc24b01944dfd568beac78e491f26677d103d343ed", - "zh:3697ebad4929da30ea98276a85d4ce5ebfc48508f4dd149e17e1dcdc7f306c6e", - "zh:421e0799756587e728f75a9024b8d4e38707cd6d65cf0710cb8d189062c85a58", - "zh:4be2adcd4c32a66159c532908f0d425d793c814b3686832e9af549b1515ae032", - "zh:55778b32470212ce6bbfd402529c88e7ea6ba34b0882f85d6ea001ff5c6255a5", - "zh:689a4c1fd1e1d5dab7b169759389c76f25e366f19a470971674321d6fca09791", - "zh:68a23eda608573a053e8738894457bd0c11766bc243e68826c78ab6b5a144710", + "h1:SgIWBDBA1uNB/Y7CaLFeNX/Ju2xboSSQmRv35Vbi46M=", + "zh:0553331a6287c146353b6daf6f71987d8c000f407b5e29d6e004ea88faec2e67", + "zh:1a11118984bb2950e8ee7ef17b0f91fc9eb4a42c8e7a9cafd7eb4aca771d06e4", + "zh:236fedd266d152a8233a7fe27ffdd99ca27d9e66a9618a988a4c3da1ac24a33f", + "zh:34bc482ea04cf30d4d216afa55eecf66854e1acf93892cb28a6b5af91d43c9b7", + "zh:39d7eb15832fe339bf46e3bab9852280762a1817bf1afc459eecd430e20e3ad5", + "zh:39fb07429c51556b05170ec2b6bd55e2487adfe1606761eaf1f2a43c4bb20e47", + "zh:71d7cd3013e2f3fa0f65194af29ee6f5fa905e0df2b72b723761dc953f4512ea", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a1580115c22564e5752e569dc40482503de6cced44da3e9431885cd9d4bf18ea", - "zh:b127756d7ee513691e76c211570580c10eaa2f7a7e4fd27c3566a48ec214991c", - "zh:b7ccea7a759940c8dcf8726272eed6653eed0b31f7223f71e829a344627afd39", - "zh:bb130fc50494fd45406e04b44d242da9a8f138a4a43feb65cf9e86d13aa13629", - "zh:cf1c972c90d5f22c9705274a33792275e284a0a3fcac12ce4083b5a4480463f4", - "zh:ebe60d3887b23703ca6a4c65b15c6d7b8d93ba27a028d996d17882fe6e98d5c0", + 
"zh:9b271ae12394e7e2ce6da568b42226a146e90fd705e02a670fcb93618c4aa19f", + "zh:a884dd978859d001709681f9513ba0fbb0753d1d459a7f3434ecc5f1b8699c49", + "zh:b8c3c7dc10ae4f6143168042dcf8dee63527b103cc37abc238ea06150af38b6e", + "zh:ba94ffe0893ad60c0b70c402e163b4df2cf417e93474a9cc1a37535bba18f22d", + "zh:d5ba851d971ff8d796afd9a100acf55eaac0c197c6ab779787797ce66f419f0e", + "zh:e8c090d0c4f730c4a610dc4f0c22b177a0376d6f78679fc3f1d557b469e656f4", + "zh:ed7623acde26834672969dcb5befdb62900d9f216d32e7478a095d2b040a0ea7", ] } diff --git a/modules/aws/users/.terraform.lock.hcl b/modules/aws/users/.terraform.lock.hcl index 4db245d..dead799 100644 --- a/modules/aws/users/.terraform.lock.hcl +++ b/modules/aws/users/.terraform.lock.hcl 
@@ -2,24 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.40.0" - constraints = "~> 5.40.0" + version = "5.41.0" + constraints = ">= 5.0.0, < 6.0.0" hashes = [ - "h1:mLZbhNUyXQTWQXOCoHglI10XwcvqGqvnn21juy/Jk68=", - "zh:11f177a2385703740bd26d0652d3dba08575101d7639f386ce5637bdb0e29a13", - "zh:203fc43e69634f1bd487a9dc24b01944dfd568beac78e491f26677d103d343ed", - "zh:3697ebad4929da30ea98276a85d4ce5ebfc48508f4dd149e17e1dcdc7f306c6e", - "zh:421e0799756587e728f75a9024b8d4e38707cd6d65cf0710cb8d189062c85a58", - "zh:4be2adcd4c32a66159c532908f0d425d793c814b3686832e9af549b1515ae032", - "zh:55778b32470212ce6bbfd402529c88e7ea6ba34b0882f85d6ea001ff5c6255a5", - "zh:689a4c1fd1e1d5dab7b169759389c76f25e366f19a470971674321d6fca09791", - "zh:68a23eda608573a053e8738894457bd0c11766bc243e68826c78ab6b5a144710", + "h1:SgIWBDBA1uNB/Y7CaLFeNX/Ju2xboSSQmRv35Vbi46M=", + "zh:0553331a6287c146353b6daf6f71987d8c000f407b5e29d6e004ea88faec2e67", + "zh:1a11118984bb2950e8ee7ef17b0f91fc9eb4a42c8e7a9cafd7eb4aca771d06e4", + "zh:236fedd266d152a8233a7fe27ffdd99ca27d9e66a9618a988a4c3da1ac24a33f", + "zh:34bc482ea04cf30d4d216afa55eecf66854e1acf93892cb28a6b5af91d43c9b7", + "zh:39d7eb15832fe339bf46e3bab9852280762a1817bf1afc459eecd430e20e3ad5", + "zh:39fb07429c51556b05170ec2b6bd55e2487adfe1606761eaf1f2a43c4bb20e47", + "zh:71d7cd3013e2f3fa0f65194af29ee6f5fa905e0df2b72b723761dc953f4512ea", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a1580115c22564e5752e569dc40482503de6cced44da3e9431885cd9d4bf18ea", - "zh:b127756d7ee513691e76c211570580c10eaa2f7a7e4fd27c3566a48ec214991c", - "zh:b7ccea7a759940c8dcf8726272eed6653eed0b31f7223f71e829a344627afd39", - "zh:bb130fc50494fd45406e04b44d242da9a8f138a4a43feb65cf9e86d13aa13629", - "zh:cf1c972c90d5f22c9705274a33792275e284a0a3fcac12ce4083b5a4480463f4", - "zh:ebe60d3887b23703ca6a4c65b15c6d7b8d93ba27a028d996d17882fe6e98d5c0", + 
"zh:9b271ae12394e7e2ce6da568b42226a146e90fd705e02a670fcb93618c4aa19f", + "zh:a884dd978859d001709681f9513ba0fbb0753d1d459a7f3434ecc5f1b8699c49", + "zh:b8c3c7dc10ae4f6143168042dcf8dee63527b103cc37abc238ea06150af38b6e", + "zh:ba94ffe0893ad60c0b70c402e163b4df2cf417e93474a9cc1a37535bba18f22d", + "zh:d5ba851d971ff8d796afd9a100acf55eaac0c197c6ab779787797ce66f419f0e", + "zh:e8c090d0c4f730c4a610dc4f0c22b177a0376d6f78679fc3f1d557b469e656f4", + "zh:ed7623acde26834672969dcb5befdb62900d9f216d32e7478a095d2b040a0ea7", ] }