Merge pull request #23 from trussworks/modify_not_actions

update regionless APIs list
trussworks · Jun 22, 2021 · 124d331 · 124d331
2 parents 4673a8f + c33b1f1
commit 124d331
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 29 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -37,7 +37,6 @@ jobs:
         - ~/go/pkg/mod
 references:
   circleci: trussworks/circleci:6986bb9022e5a83599feb66a7128a2d0fa12732a
-version: 2.1
 workflows:
   validate:
     jobs:

diff --git a/README.md b/README.md
@@ -94,43 +94,54 @@ module "github_terraform_aws_ou_scp" {
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.13.0 |
-| aws | >= 3.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | >= 3.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0 |
 
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_organizations_policy.generated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) | resource |
+| [aws_organizations_policy_attachment.generated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy_attachment) | resource |
+| [aws_iam_policy_document.combined_policy_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.deny_all_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| allowed\_regions | AWS Regions allowed for use (for use with the restrict regions SCP) | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
-| deny\_all | If false, create a combined policy. If true, deny all access | `bool` | `false` | no |
-| deny\_creating\_iam\_users | DenyCreatingIAMUsers in the OU policy. | `bool` | `false` | no |
-| deny\_deleting\_cloudwatch\_logs | DenyDeletingCloudwatchLogs in the OU policy. | `bool` | `false` | no |
-| deny\_deleting\_kms\_keys | DenyDeletingKMSKeys in the OU policy. | `bool` | `false` | no |
-| deny\_deleting\_route53\_zones | DenyDeletingRoute53Zones in the OU policy. | `bool` | `false` | no |
-| deny\_leaving\_orgs | DenyLeavingOrgs in the OU policy. | `bool` | `false` | no |
-| deny\_root\_account | DenyRootAccount in the OU policy. | `bool` | `false` | no |
-| deny\_s3\_bucket\_public\_access\_resources | S3 bucket resource ARNs to block public access | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
-| deny\_s3\_buckets\_public\_access | DenyS3BucketsPublicAccess in the OU policy. | `bool` | `false` | no |
-| limit\_regions | LimitRegions in the OU policy. | `bool` | `false` | no |
-| protect\_iam\_role\_resources | IAM role resource ARNs to protect from modification and deletion | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
-| protect\_iam\_roles | ProtectIAMRoles in the OU policy. | `bool` | `false` | no |
-| protect\_s3\_bucket\_resources | S3 bucket resource ARNs to protect from bucket and object deletion | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
-| protect\_s3\_buckets | ProtectS3Buckets in the OU policy. | `bool` | `false` | no |
-| require\_s3\_encryption | DenyIncorrectEncryptionHeader and DenyUnEncryptedObjectUploads in the OU policy | `bool` | `false` | no |
-| target | OU resource to attach SCP | <pre>object({<br>    name = string<br>    id   = string<br>  })</pre> | n/a | yes |
-| tags | Tags to attach to the SCP policy resource | `map(string)` | <pre>[]</pre> | no |
+| <a name="input_allowed_regions"></a> [allowed\_regions](#input\_allowed\_regions) | AWS Regions allowed for use (for use with the restrict regions SCP) | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
+| <a name="input_deny_all"></a> [deny\_all](#input\_deny\_all) | If false, create a combined policy. If true, deny all access | `bool` | `false` | no |
+| <a name="input_deny_creating_iam_users"></a> [deny\_creating\_iam\_users](#input\_deny\_creating\_iam\_users) | DenyCreatingIAMUsers in the OU policy. | `bool` | `false` | no |
+| <a name="input_deny_deleting_cloudwatch_logs"></a> [deny\_deleting\_cloudwatch\_logs](#input\_deny\_deleting\_cloudwatch\_logs) | DenyDeletingCloudwatchLogs in the OU policy. | `bool` | `false` | no |
+| <a name="input_deny_deleting_kms_keys"></a> [deny\_deleting\_kms\_keys](#input\_deny\_deleting\_kms\_keys) | DenyDeletingKMSKeys in the OU policy. | `bool` | `false` | no |
+| <a name="input_deny_deleting_route53_zones"></a> [deny\_deleting\_route53\_zones](#input\_deny\_deleting\_route53\_zones) | DenyDeletingRoute53Zones in the OU policy. | `bool` | `false` | no |
+| <a name="input_deny_leaving_orgs"></a> [deny\_leaving\_orgs](#input\_deny\_leaving\_orgs) | DenyLeavingOrgs in the OU policy. | `bool` | `false` | no |
+| <a name="input_deny_root_account"></a> [deny\_root\_account](#input\_deny\_root\_account) | DenyRootAccount in the OU policy. | `bool` | `false` | no |
+| <a name="input_deny_s3_bucket_public_access_resources"></a> [deny\_s3\_bucket\_public\_access\_resources](#input\_deny\_s3\_bucket\_public\_access\_resources) | S3 bucket resource ARNs to block public access | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
+| <a name="input_deny_s3_buckets_public_access"></a> [deny\_s3\_buckets\_public\_access](#input\_deny\_s3\_buckets\_public\_access) | DenyS3BucketsPublicAccess in the OU policy. | `bool` | `false` | no |
+| <a name="input_limit_regions"></a> [limit\_regions](#input\_limit\_regions) | LimitRegions in the OU policy. | `bool` | `false` | no |
+| <a name="input_protect_iam_role_resources"></a> [protect\_iam\_role\_resources](#input\_protect\_iam\_role\_resources) | IAM role resource ARNs to protect from modification and deletion | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
+| <a name="input_protect_iam_roles"></a> [protect\_iam\_roles](#input\_protect\_iam\_roles) | ProtectIAMRoles in the OU policy. | `bool` | `false` | no |
+| <a name="input_protect_s3_bucket_resources"></a> [protect\_s3\_bucket\_resources](#input\_protect\_s3\_bucket\_resources) | S3 bucket resource ARNs to protect from bucket and object deletion | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
+| <a name="input_protect_s3_buckets"></a> [protect\_s3\_buckets](#input\_protect\_s3\_buckets) | ProtectS3Buckets in the OU policy. | `bool` | `false` | no |
+| <a name="input_require_s3_encryption"></a> [require\_s3\_encryption](#input\_require\_s3\_encryption) | DenyIncorrectEncryptionHeader and DenyUnEncryptedObjectUploads in the OU policy | `bool` | `false` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Tags applied to the SCP policy | `map(string)` | `{}` | no |
+| <a name="input_target"></a> [target](#input\_target) | OU resource to attach SCP | <pre>object({<br>    name = string<br>    id   = string<br>  })</pre> | n/a | yes |
 
 ## Outputs
 
-No output.
-
+No outputs.
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## Developer Setup

diff --git a/main.tf b/main.tf
@@ -201,18 +201,48 @@ data "aws_iam_policy_document" "combined_policy_block" {
 
       # These actions do not operate in a specific region, or only run in
       # a single region, so we don't want to try restricting them by region.
+      # List of actions can be found in the following example:
+      # https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html
       not_actions = [
+        "a4b:*",
         "access-analyzer:*",
-        "iam:*",
-        "organizations:*",
-        "route53:*",
+        "acm:*",
+        "aws-marketplace-management:*",
+        "aws-marketplace:*",
+        "aws-portal:*",
         "budgets:*",
-        "waf:*",
+        "ce:*",
+        "chime:*",
         "cloudfront:*",
+        "config:*",
+        "cur:*",
+        "directconnect:*",
+        "ec2:DescribeRegions",
+        "ec2:DescribeTransitGateways",
+        "ec2:DescribeVpnGateways",
+        "fms:*",
         "globalaccelerator:*",
+        "health:*",
+        "iam:*",
         "importexport:*",
+        "kms:*",
+        "mobileanalytics:*",
+        "networkmanager:*",
+        "organizations:*",
+        "pricing:*",
+        "route53:*",
+        "route53domains:*",
+        "s3:GetAccountPublic*",
+        "s3:ListAllMyBuckets",
+        "s3:PutAccountPublic*",
+        "shield:*",
+        "sts:*",
         "support:*",
-        "sts:*"
+        "trustedadvisor:*",
+        "waf-regional:*",
+        "waf:*",
+        "wafv2:*",
+        "wellarchitected:*"
       ]
 
       resources = ["*"]