Skip to content

Commit 22181f8

Browse files
miguelpaismiguelpais
committed
Merge branch 'main' of github.com:sysdiglabs/terraform-aws-secure
2 parents de5dfc5 + ed0c917 commit 22181f8

File tree

3 files changed

+11
-13
lines changed

3 files changed

+11
-13
lines changed

modules/agentless-scanning/organizational.tf

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,10 @@ resource "aws_cloudformation_stack_set" "ou_resources_stackset" {
4040
retain_stacks_on_account_removal = false
4141
}
4242

43+
lifecycle {
44+
ignore_changes = [administration_role_arn] # https://github.com/hashicorp/terraform-provider-aws/issues/23464
45+
}
46+
4347
template_body = <<TEMPLATE
4448
Resources:
4549
ScanningRole:

modules/vm-workload-scanning/main.tf

Lines changed: 6 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -67,16 +67,14 @@ data "aws_iam_policy_document" "functions" {
6767
}
6868

6969
resource "aws_iam_policy" "ecr_scanning" {
70-
count = var.is_organizational ? 0 : 1
71-
7270
name = "${local.ecr_role_name}-ecr"
7371
description = "Grants Sysdig Secure access to ECR images"
7472
policy = data.aws_iam_policy_document.scanning.json
7573
tags = var.tags
7674
}
7775

7876
resource "aws_iam_policy" "functions_scanning" {
79-
count = var.lambda_scanning_enabled && !var.is_organizational? 1 : 0
77+
count = var.lambda_scanning_enabled ? 1 : 0
8078

8179
name = "${local.ecr_role_name}-functions"
8280
description = "Grants Sysdig Secure access to AWS Lambda"
@@ -108,26 +106,22 @@ data "aws_iam_policy_document" "scanning_assume_role_policy" {
108106
}
109107

110108
resource "aws_iam_role" "scanning" {
111-
count = var.is_organizational ? 0 : 1
112-
113109
name = local.ecr_role_name
114110
tags = var.tags
115111
assume_role_policy = data.aws_iam_policy_document.scanning_assume_role_policy.json
116112
}
117113

118114
resource "aws_iam_policy_attachment" "scanning" {
119-
count = var.is_organizational ? 0 : 1
120-
121115
name = local.ecr_role_name
122-
roles = [aws_iam_role.scanning[0].name]
123-
policy_arn = aws_iam_policy.ecr_scanning[0].arn
116+
roles = [aws_iam_role.scanning.name]
117+
policy_arn = aws_iam_policy.ecr_scanning.arn
124118
}
125119

126120
resource "aws_iam_policy_attachment" "functions" {
127-
count = var.lambda_scanning_enabled && !var.is_organizational ? 1 : 0
121+
count = var.lambda_scanning_enabled ? 1 : 0
128122

129123
name = local.ecr_role_name
130-
roles = [aws_iam_role.scanning[0].name]
124+
roles = [aws_iam_role.scanning.name]
131125
policy_arn = aws_iam_policy.functions_scanning[0].arn
132126
}
133127

@@ -145,7 +139,7 @@ resource "sysdig_secure_cloud_auth_account_component" "vm_workload_scanning_acco
145139
version = "v0.1.0"
146140
trusted_role_metadata = jsonencode({
147141
aws = {
148-
role_name = aws_iam_role.scanning[0].name
142+
role_name = aws_iam_role.scanning.name
149143
}
150144
})
151145

modules/vm-workload-scanning/outputs.tf

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
output "role_arn" {
22
description = "Role used by Sysdig Platform for Agentless Workload Scanning"
3-
value = var.is_organizational ? null : aws_iam_role.scanning[0].arn
3+
value = var.is_organizational ? null : aws_iam_role.scanning.arn
44
depends_on = [aws_iam_role.scanning]
55
}
66

0 commit comments

Comments
 (0)