Merge pull request #3 from trussworks/mdawn-finagle-SCPs-to-bypass-AW…

…S-limit-173455007

Finagle scps to bypass aws limit

.circleci/config.yml

@@ -3,8 +3,6 @@ jobs:
   validate:
     docker:
       - image: trussworks/circleci-docker-primary:c542b22c7fb95db0a1bbe043928a457ae6fbeaca
-        environment:
-          - TEST_RESULTS: /tmp/test-results
     steps:
       - checkout
       - restore_cache:
@@ -28,8 +26,6 @@ jobs:
           key: go-mod-sources-v1-{{ checksum "go.sum" }}-{{ checksum "scripts/check-go-version" }}
           paths:
             - "~/go/pkg/mod"
-      - store_test_results:
-          path: /tmp/test-results/gotest
 
 workflows:
   version: 2

Makefile

@@ -10,9 +10,7 @@ pre_commit_tests: ensure_pre_commit ## Run pre-commit tests
 
 .PHONY: test
 test: pre_commit_tests
-	  bin/make-test
 
 .PHONY: clean
 clean:
 	rm -f .*.stamp
-	rm -rf bin

README.md

@@ -1,20 +1,25 @@
-# Truss Terraform Module template
+## AWS OU SCP Terraform Module
 
-This repository is meant to be a template repo we can just spin up new module repos from with our general format.
+Supports two main use cases:
 
-## Creating a new Terraform Module
+* Combines multiple Service Control Policy (SCP) statements based on the policies defined in [`terraform-aws-org-scp`](https://github.com/trussworks/terraform-aws-org-scp). Combining multiple policy statements into a single policy allows more than 5 policies to be be applied to a single Organizational Unit (OU).
+* Alternatively, creates a "Deny All Access" Service Control Policy.
 
-1. Clone this repo, renaming appropriately.
-1. Write your terraform code in the root dir.
-1. Create an example of the module in use in the `examples` dir.
-1. Ensure you've completed the [Developer Setup](#developer-setup).
-1. Write terratests in the `test` dir.
-1. [With slight modification from the Terratest docs](https://github.com/gruntwork-io/terratest#setting-up-your-project): In the root dir, run `go mod init MODULE_NAME` to get a new go.mod file. Then run `go mod tidy` to download terratest.
-1. Run your tests to ensure they work as expected using instructions below.
+ Alternatively, enables creation of a "Deny All Access" Service Control Policy.
 
-## Actual readme below  - Delete above here
+Policy options (listed by `sid`) are:
+
+* Deny leaving AWS Organizations (DenyLeavingOrgs)
+* Deny creating IAM users or access keys (DenyCreatingIAMUsers)
+* Deny deleting KMS Keys (DenyDeletingKMSKeys)
+* Deny deleting Route53 Hosted Zones (DenyDeletingRoute53Zones)
+* Deny deleting VPC Flow logs, Cloudwatch log groups, and Cloudwatch log streams (DenyDeletingCloudwatchLogs)
+* Deny root account (DenyRootAccount)
+* Protect S3 Buckets (ProtectS3Buckets)
+* Protect IAM Roles (ProtectIAMRoles)
+* Restrict Regional Operations (LimitRegions)
+* Require S3 encryption (DenyIncorrectEncryptionHeader + DenyUnEncryptedObjectUploads)
 
-Please put a description of what this module does here
 
 ## Terraform Versions
 
@@ -23,15 +28,60 @@ Terraform 0.12. Pin module version to ~> 2.0. Submit pull-requests to master bra
 
 Terraform 0.11. Pin module version to ~> 1.0. Submit pull-requests to terraform011 branch.
 
-## Usage
+### Usage for combined policy statements
 
-### Put an example usage of the module here
+To include a policy in your combined policy block, set it to `true`. Otherwise omit the policy variable.
 
 ```hcl
-module "example" {
-  source = "terraform/registry/path"
+module "github_terraform_aws_ou_scp" {
+  source = "trussworks/ou-scp/aws"
+  target =  aws_organizations_organizational_unit.my_ou
+
+  # don't allow all accounts to be able to leave the org
+  deny_leaving_orgs             = true
+  # applies to accounts that are not managing IAM users
+  deny_creating_iam_users       = true
+  # don't allow deleting KMS keys
+  deny_deleting_kms_keys        = true
+  # don't allow deleting Route53 zones
+  deny_deleting_route53_zones   = true
+  # don't allow deleting CloudWatch logs
+  deny_deleting_cloudwatch_logs = true
+  # don't allow access to the root user
+  deny_root_account             = true
+
+  protect_s3_buckets            = true
+  # protect terraform statefile bucket
+  protect_s3_bucket_resources   = [
+    "arn:aws:s3:::prod-terraform-state-us-west-2",
+    "arn:aws:s3:::prod-terraform-state-us-west-2/*"
+  ]
+
+  protect_iam_roles             = true
+  # - protect OrganizationAccountAccessRole
+  protect_iam_role_resources     = [
+    "arn:aws:iam::*:role/OrganizationAccountAccessRole"
+  ]
+
+  # restrict region-specific operations to us-west-2
+  limit_regions                 = true
+  # - restrict region-specific operations to us-west-2
+  allowed_regions               = ["us-west-2"]
+
+  # require s3 objects be encrypted
+  require_s3_encryption = true
+}
+```
 
-  <variables>
+### Usage for a policy which denies all access
+
+```hcl
+module "github_terraform_aws_ou_scp" {
+  source = "trussworks/ou-scp/aws"
+  target =  aws_organizations_organizational_unit.my_ou
+
+  # don't allow any access at all
+  deny_all=true
 }
 ```
 
@@ -44,11 +94,29 @@ module "example" {
 
 ## Providers
 
-No provider.
+| Name | Version |
+|------|---------|
+| aws | n/a |
 
 ## Inputs
 
-No input.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| allowed\_regions | AWS Regions allowed for use (for use with the restrict regions SCP) | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
+| deny\_all | If false, create a combined policy. If true, deny all access | `bool` | `false` | no |
+| deny\_creating\_iam\_users | DenyCreatingIAMUsers in the OU policy. | `bool` | `false` | no |
+| deny\_deleting\_cloudwatch\_logs | DenyDeletingCloudwatchLogs in the OU policy. | `bool` | `false` | no |
+| deny\_deleting\_kms\_keys | DenyDeletingKMSKeys in the OU policy. | `bool` | `false` | no |
+| deny\_deleting\_route53\_zones | DenyDeletingRoute53Zones in the OU policy. | `bool` | `false` | no |
+| deny\_leaving\_orgs | DenyLeavingOrgs in the OU policy. | `bool` | `false` | no |
+| deny\_root\_account | DenyRootAccount in the OU policy. | `bool` | `false` | no |
+| limit\_regions | LimitRegions in the OU policy. | `bool` | `false` | no |
+| protect\_iam\_role\_resources | IAM role resource ARNs to protect from modification and deletion | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
+| protect\_iam\_roles | ProtectIAMRoles in the OU policy. | `bool` | `false` | no |
+| protect\_s3\_bucket\_resources | S3 bucket resource ARNs to protect from bucket and object deletion | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
+| protect\_s3\_buckets | ProtectS3Buckets in the OU policy. | `bool` | `false` | no |
+| require\_s3\_encryption | DenyIncorrectEncryptionHeader and DenyUnEncryptedObjectUploads in the OU policy | `bool` | `false` | no |
+| target | OU resource to attach SCP | <pre>object({<br>    name = string<br>    id   = string<br>  })</pre> | n/a | yes |
 
 ## Outputs
 
@@ -64,24 +132,3 @@ Install dependencies (macOS)
 brew install pre-commit go terraform terraform-docs
 pre-commit install --install-hooks
 ```
-
-### Testing
-
-[Terratest](https://github.com/gruntwork-io/terratest) is being used for
-automated testing with this module. Tests in the `test` folder can be run
-locally by running the following command:
-
-```text
-make test
-```
-
-Or with aws-vault:
-
-```text
-AWS_VAULT_KEYCHAIN_NAME=<NAME> aws-vault exec <PROFILE> -- make test
-```
-
-### A Note About Golang and Imports
-
-In order to import the dependencies required to set up Terratest metadata in CircleCI, this repository contains initialized (and populated) `go.mod` and `go.sum` files. Delete these files to set up your own project, and run `go mod init YOUR_SHINY_NEW_REPO` as usual to create these files and pull in these initial dependencies for your own shiny new repository when you make your vendoring decisions.
-