Update DenyEC2InstancesWithoutEncryptionInTransit (#23)

cloudposse · Sep 27, 2022 · 60dea75 · 60dea75
1 parent ab08583
commit 60dea75
Show file tree

Hide file tree

Showing 17 changed files with 919 additions and 433 deletions.
diff --git a/.github/auto-release.yml b/.github/auto-release.yml
@@ -17,7 +17,6 @@ version-resolver:
  - 'bugfix'
  - 'bug'
  - 'hotfix'
- - 'no-release'
  default: 'minor'
 
 categories:

diff --git a/.github/renovate.json b/.github/renovate.json
@@ -4,9 +4,9 @@
  ":preserveSemverRanges"
  ],
  "labels": ["auto-update"],
+ "dependencyDashboardAutoclose": true,
  "enabledManagers": ["terraform"],
  "terraform": {
  "ignorePaths": ["**/context.tf", "examples/**"]
  }
 }
-
diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml
@@ -10,6 +10,7 @@ jobs:
  steps:
  - name: "Checkout source code at current commit"
  uses: actions/checkout@v2
+ # Leave pinned at 0.7.1 until https://github.com/mszostok/codeowners-validator/issues/173 is resolved
  - uses: mszostok/codeowners-validator@v0.7.1
  if: github.event.pull_request.head.repo.full_name == github.repository
  name: "Full check of CODEOWNERS"

diff --git a/README.md b/README.md
@@ -69,6 +69,9 @@ We maintain a comprehensive [catalog](catalog) of SCP configurations and welcome
 
 The [example](examples/complete) in this module uses the catalog to provision the SCPs on AWS.
 
+The policies in the `catalog/*-templates` files require parameters supplied via the `parameters` input
+to [terraform-yaml-config](https://github.com/cloudposse/terraform-yaml-config).
+
 
 ## Security & Compliance [<img src="https://cloudposse.com/wp-content/uploads/2020/11/bridgecrew.svg" width="250" align="right" />](https://bridgecrew.io/)
 
@@ -121,12 +124,27 @@ For automated tests of the complete example using [bats](https://github.com/bats
  context = module.this.context
  }
 
+ module "yaml_config_with_parameters" {
+ source = "cloudposse/config/yaml"
+ # Cloud Posse recommends pinning every module to a specific version
+ # version = "x.x.x"
+
+ list_config_local_base_path = path.module
+ list_config_paths = ["https://raw.githubusercontent.com/cloudposse/terraform-aws-service-control-policies/0.12.0/catalog/s3-templates/DenyS3InNonSelectedRegion.yaml"]
+
+ parameters = {
+ "s3_regions_lockdown" = "us-*,eu-north-1"
+ }
+
+ context = module.this.context
+ }
+
  data "aws_caller_identity" "this" {}
 
  module "service_control_policies" {
  source = "../../"
 
- service_control_policy_statements = module.yaml_config.list_configs
+ service_control_policy_statements = concat(module.yaml_config.list_configs, module.yaml_config_with_parameters.list_configs)
  service_control_policy_description = var.service_control_policy_description
  target_id = data.aws_caller_identity.this.account_id
 
@@ -397,7 +415,7 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply
 
 [![README Footer][readme_footer_img]][readme_footer_link]
 [![Beacon][beacon]][website]
-
+<!-- markdownlint-disable -->
  [logo]: https://cloudposse.com/logo-300x69.svg
  [docs]: https://cpco.io/docs?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-service-control-policies&utm_content=docs
  [website]: https://cpco.io/homepage?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-service-control-policies&utm_content=website
@@ -428,3 +446,4 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply
  [share_googleplus]: https://plus.google.com/share?url=https://github.com/cloudposse/terraform-aws-service-control-policies
  [share_email]: mailto:?subject=terraform-aws-service-control-policies&body=https://github.com/cloudposse/terraform-aws-service-control-policies
  [beacon]: https://ga-beacon.cloudposse.com/UA-76589703-4/cloudposse/terraform-aws-service-control-policies?pixel&cs=github&cm=readme&an=terraform-aws-service-control-policies
+<!-- markdownlint-restore -->
diff --git a/README.yaml b/README.yaml
@@ -98,6 +98,10 @@ introduction: |-
 
  The [example](examples/complete) in this module uses the catalog to provision the SCPs on AWS.
 
+ The policies in the `catalog/*-templates` files require parameters supplied via the `parameters` input
+ to [terraform-yaml-config](https://github.com/cloudposse/terraform-yaml-config).
+
+
 # How to use this module. Should be an easy example to copy and paste.
 usage: |-
  For a complete example, see [examples/complete](examples/complete).
@@ -118,12 +122,27 @@ usage: |-
  context = module.this.context
  }
 
+ module "yaml_config_with_parameters" {
+ source = "cloudposse/config/yaml"
+ # Cloud Posse recommends pinning every module to a specific version
+ # version = "x.x.x"
+
+ list_config_local_base_path = path.module
+ list_config_paths = ["https://raw.githubusercontent.com/cloudposse/terraform-aws-service-control-policies/0.12.0/catalog/s3-templates/DenyS3InNonSelectedRegion.yaml"]
+
+ parameters = {
+ "s3_regions_lockdown" = "us-*,eu-north-1"
+ }
+
+ context = module.this.context
+ }
+
  data "aws_caller_identity" "this" {}
 
  module "service_control_policies" {
  source = "../../"
 
- service_control_policy_statements = module.yaml_config.list_configs
+ service_control_policy_statements = concat(module.yaml_config.list_configs, module.yaml_config_with_parameters.list_configs)
  service_control_policy_description = var.service_control_policy_description
  target_id = data.aws_caller_identity.this.account_id