diff --git a/docs/reference/modules/terraform-aws-security/aws-config/aws-config.md b/docs/reference/modules/terraform-aws-security/aws-config/aws-config.md
index 5ad9c0def..7d54c0750 100644
--- a/docs/reference/modules/terraform-aws-security/aws-config/aws-config.md
+++ b/docs/reference/modules/terraform-aws-security/aws-config/aws-config.md
@@ -355,11 +355,6 @@ module "aws_config" {
# value is the tag value.
tags = {}
- # Toggle if the recording_group should be setup using the
- # var.global_recorder_region (true) or if the recording_group will be setup
- # for each entry in var.recording_groups (false). Defaults to true.
- use_global_record_region = true
-
# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
@@ -652,11 +647,6 @@ inputs = {
# value is the tag value.
tags = {}
- # Toggle if the recording_group should be setup using the
- # var.global_recorder_region (true) or if the recording_group will be setup
- # for each entry in var.recording_groups (false). Defaults to true.
- use_global_record_region = true
-
# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
@@ -1162,15 +1152,6 @@ A map of tags to apply to the S3 Bucket. The key is the tag name and the value i
-
-
-
-Toggle if the recording_group should be setup using the global_recorder_region (true) or if the recording_group will be setup for each entry in recording_groups (false). Defaults to true.
-
-
-
-
-
@@ -1242,6 +1223,6 @@ The ARN of the SNS topic to which Config delivers notifications.
"https://github.com/gruntwork-io/terraform-aws-security/tree/v0.75.0/modules/aws-config/outputs.tf"
],
"sourcePlugin": "module-catalog-api",
- "hash": "060bb9829be5d484272665e56ba36627"
+ "hash": "143af6018553da360f8e49cadf7c15fd"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/modules/terraform-aws-security/gitlab-pipelines-iam-role/gitlab-pipelines-iam-role.md b/docs/reference/modules/terraform-aws-security/gitlab-pipelines-iam-role/gitlab-pipelines-iam-role.md
new file mode 100644
index 000000000..9968ee010
--- /dev/null
+++ b/docs/reference/modules/terraform-aws-security/gitlab-pipelines-iam-role/gitlab-pipelines-iam-role.md
@@ -0,0 +1,491 @@
+---
+title: "IAM Role for GitLab Pipelines"
+hide_title: true
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+import VersionBadge from '../../../../../src/components/VersionBadge.tsx';
+import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx';
+import { ModuleUsage } from "../../../../../src/components/ModuleUsage";
+
+
+
+# IAM Role for GitLab Pipelines
+
+View Source
+
+Release Notes
+
+This Terraform module can be used to create Assume Role policies and IAM Roles such that they can be used with
+GitLab Pipelines. This requires you to provision an IAM OpenID Connect Provider for GitLab Pipelines in your account. By
+using OpenID Connect, GitLab Pipelines can directly exchange credentials to access AWS without having to store and provide
+GitHub with permanent AWS access credentials. This is useful to prevent credential leaks from progressing undetected.
+
+## Creating the IAM Role
+
+```hcl
+module "iam_role" {
+ # Update with latest version of the module
+ source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/gitlab-pipelines-iam-role?ref="
+
+ github_actions_openid_connect_provider_arn = aws_iam_openid_connect_provider.github_actions.arn
+ github_actions_openid_connect_provider_url = aws_iam_openid_connect_provider.github_actions.url
+
+ allowed_sources = {
+ "gruntwork-io/terraform-aws-security" = ["main"]
+ }
+
+ iam_role_name = "example-iam-role"
+ permitted_full_access_services = ["ec2"]
+}
+```
+
+## Security Considerations
+
+The above example will configure the IAM role `example-iam-role` such that it is available to be assumed by GitHub
+Actions if it is run from the `main` branch of the `gruntwork-io/terraform-aws-security` repository. The IAM role would then
+have the ability to call any API in the `ec2` namespace.
+
+You can further customize the IAM role using the following variables:
+
+* `permitted_full_access_services`: List of AWS services that the IAM role will have full access to (set to
+ `SERVICE_NAME:*`).
+* `iam_policy`: IAM policy statements that should be directly attached (inline) to the IAM role.
+* `iam_policy_arns`: List of IAM Policy ARNs that should be attached to the IAM role.
+* `iam_customer_managed_policy_names`: List of customer managed IAM policies that should be attached to the IAM role.
+* `iam_aws_managed_policy_names`: List of AWS managed IAM policies that should be attached to the IAM role.
+
+Extend the `allowed_sources` map if you want to allow additional repositories or branches. For example, if you want to
+allow the `dev` branch on `terraform-aws-security`, as well as the `main` branch from `terraform-aws-service-catalog`:
+
+```hcl
+module "iam_role" {
+ # Update with latest version of the module
+ source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/gitlab-pipelines-iam-role?ref="
+
+ gitlab_pipelines_openid_connect_provider_arn = aws_iam_openid_connect_provider.gitlab_pipelines.arn
+ gitlab_pipelines_openid_connect_provider_url = aws_iam_openid_connect_provider.gitlab_pipelines.url
+
+ allowed_sources = {
+ "gruntwork-io/terraform-aws-security" = ["main", "dev"]
+ "gruntwork-io/terraform-aws-service-catalog" = ["main"]
+ }
+
+ iam_role_name = "example-iam-role"
+ permitted_full_access_services = ["ec2"]
+}
+```
+
+You can also use the module to only manage the assume role policy. This is useful if you want more control over the IAM
+role creation. For example:
+
+```hcl
+module "assume_role_policy" {
+ # Update with latest version of the module
+ source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/github-actions-iam-role?ref="
+
+ gitlab_pipelines_openid_connect_provider_arn = aws_iam_openid_connect_provider.gitlab_pipelines.arn
+ gitlab_pipelines_openid_connect_provider_url = aws_iam_openid_connect_provider.gitlab_pipelines.url
+
+ allowed_sources = {
+ "gruntwork-io/terraform-aws-security" = ["main", "dev"]
+ "gruntwork-io/terraform-aws-service-catalog" = ["main"]
+ }
+
+ create_iam_role = false
+}
+
+resource "aws_iam_role" "example" {
+ name = "example-iam-role"
+ assume_role_policy = module.assume_role_policy.assume_role_policy_json
+}
+```
+
+## Using created IAM Role in GitLab Pipelines Workflow
+
+TODO
+
+```yaml
+ id_tokens:
+ GITLAB_OIDC_TOKEN:
+ aud: https://gitlab.com/${CI_PROJECT_NAMESPACE}
+```
+
+## Sample Usage
+
+
+
+
+```hcl title="main.tf"
+
+# ------------------------------------------------------------------------------------------------------
+# DEPLOY GRUNTWORK'S GITLAB-PIPELINES-IAM-ROLE MODULE
+# ------------------------------------------------------------------------------------------------------
+
+module "gitlab_pipelines_iam_role" {
+
+ source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/gitlab-pipelines-iam-role?ref=v0.75.0"
+
+ # ----------------------------------------------------------------------------------------------------
+ # REQUIRED VARIABLES
+ # ----------------------------------------------------------------------------------------------------
+
+ # Map of GitLab project path to the list of branches that are allowed to
+ # assume the IAM role. The repository should be encoded as
+ # group/subgroup/repo-name (e.g., gruntwork-io/terrraform-aws-ci).
+ allowed_sources =
+
+ # ----------------------------------------------------------------------------------------------------
+ # OPTIONAL VARIABLES
+ # ----------------------------------------------------------------------------------------------------
+
+ # The string operator to use when evaluating the AWS IAM condition for
+ # determining which GitLab repos are allowed to assume the IAM role. Examples:
+ # StringEquals, StringLike, etc.
+ allowed_sources_condition_operator = "StringEquals"
+
+ # Whether to create the IAM role and attach permissions for GitLab Pipelines
+ # to assume.
+ create_iam_role = true
+
+ # The name to use for the custom inline IAM policy that is attached to the
+ # Role/Group when var.iam_policy is configured.
+ custom_iam_policy_name = "GrantCustomIAMPolicy"
+
+ # ARN of the OpenID Connect Provider provisioned for GitLab Pipelines.
+ gitlab_pipelines_openid_connect_provider_arn = ""
+
+ # URL of the OpenID Connect Provider provisioned for GitLab Pipelines.
+ gitlab_pipelines_openid_connect_provider_url = ""
+
+ # A list of IAM AWS Managed Policy names to attach to the group.
+ iam_aws_managed_policy_names = null
+
+ # A list of IAM AWS Customer Managed policy names to attach to the group.
+ iam_customer_managed_policy_names = null
+
+ # An object defining the IAM policy statements that should be attached
+ # directly to the IAM role/group. The input is a map of objects where the map
+ # keys are SIDs for IAM policy statements, and the object fields are the
+ # resources, actions, and the effect of the statement.
+ iam_policy = {}
+
+ # A list of policies (by ARN) to attach to this group.
+ iam_policy_arns = null
+
+ # The name of an IAM role to create. Required when var.create_iam_role is
+ # true.
+ iam_role_name = null
+
+ # The maximum allowable session duration, in seconds, for the credentials you
+ # get when assuming the IAM roles created by this module.
+ max_session_duration = 43200
+
+ # A list of AWS services for which the IAM role will receive full permissions.
+ # See
+ # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html
+ # to find the service name. For example, to grant developers access only to
+ # EC2 and Amazon Machine Learning, use the value ["ec2","machinelearning"].
+ permitted_full_access_services = []
+
+}
+
+
+```
+
+
+
+
+```hcl title="terragrunt.hcl"
+
+# ------------------------------------------------------------------------------------------------------
+# DEPLOY GRUNTWORK'S GITLAB-PIPELINES-IAM-ROLE MODULE
+# ------------------------------------------------------------------------------------------------------
+
+terraform {
+ source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/gitlab-pipelines-iam-role?ref=v0.75.0"
+}
+
+inputs = {
+
+ # ----------------------------------------------------------------------------------------------------
+ # REQUIRED VARIABLES
+ # ----------------------------------------------------------------------------------------------------
+
+ # Map of GitLab project path to the list of branches that are allowed to
+ # assume the IAM role. The repository should be encoded as
+ # group/subgroup/repo-name (e.g., gruntwork-io/terrraform-aws-ci).
+ allowed_sources =
+
+ # ----------------------------------------------------------------------------------------------------
+ # OPTIONAL VARIABLES
+ # ----------------------------------------------------------------------------------------------------
+
+ # The string operator to use when evaluating the AWS IAM condition for
+ # determining which GitLab repos are allowed to assume the IAM role. Examples:
+ # StringEquals, StringLike, etc.
+ allowed_sources_condition_operator = "StringEquals"
+
+ # Whether to create the IAM role and attach permissions for GitLab Pipelines
+ # to assume.
+ create_iam_role = true
+
+ # The name to use for the custom inline IAM policy that is attached to the
+ # Role/Group when var.iam_policy is configured.
+ custom_iam_policy_name = "GrantCustomIAMPolicy"
+
+ # ARN of the OpenID Connect Provider provisioned for GitLab Pipelines.
+ gitlab_pipelines_openid_connect_provider_arn = ""
+
+ # URL of the OpenID Connect Provider provisioned for GitLab Pipelines.
+ gitlab_pipelines_openid_connect_provider_url = ""
+
+ # A list of IAM AWS Managed Policy names to attach to the group.
+ iam_aws_managed_policy_names = null
+
+ # A list of IAM AWS Customer Managed policy names to attach to the group.
+ iam_customer_managed_policy_names = null
+
+ # An object defining the IAM policy statements that should be attached
+ # directly to the IAM role/group. The input is a map of objects where the map
+ # keys are SIDs for IAM policy statements, and the object fields are the
+ # resources, actions, and the effect of the statement.
+ iam_policy = {}
+
+ # A list of policies (by ARN) to attach to this group.
+ iam_policy_arns = null
+
+ # The name of an IAM role to create. Required when var.create_iam_role is
+ # true.
+ iam_role_name = null
+
+ # The maximum allowable session duration, in seconds, for the credentials you
+ # get when assuming the IAM roles created by this module.
+ max_session_duration = 43200
+
+ # A list of AWS services for which the IAM role will receive full permissions.
+ # See
+ # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html
+ # to find the service name. For example, to grant developers access only to
+ # EC2 and Amazon Machine Learning, use the value ["ec2","machinelearning"].
+ permitted_full_access_services = []
+
+}
+
+
+```
+
+
+
+
+
+
+
+## Reference
+
+
+
+
+### Required
+
+
+
+
+Map of GitLab project path to the list of branches that are allowed to assume the IAM role. The repository should be encoded as group/subgroup/repo-name (e.g., gruntwork-io/terrraform-aws-ci).
+
+
+
+
+```hcl
+map(list(string))
+```
+
+
+
+
+### Optional
+
+
+
+
+The string operator to use when evaluating the AWS IAM condition for determining which GitLab repos are allowed to assume the IAM role. Examples: StringEquals, StringLike, etc.
+
+
+
+
+
+
+
+
+Whether to create the IAM role and attach permissions for GitLab Pipelines to assume.
+
+
+
+
+
+
+
+
+The name to use for the custom inline IAM policy that is attached to the Role/Group when iam_policy is configured.
+
+
+
+
+
+
+
+
+ARN of the OpenID Connect Provider provisioned for GitLab Pipelines.
+
+
+
+
+
+
+
+
+URL of the OpenID Connect Provider provisioned for GitLab Pipelines.
+
+
+
+
+
+
+
+
+A list of IAM AWS Managed Policy names to attach to the group.
+
+
+
+
+
+
+
+
+A list of IAM AWS Customer Managed policy names to attach to the group.
+
+
+
+
+
+
+
+
+An object defining the IAM policy statements that should be attached directly to the IAM role/group. The input is a map of objects where the map keys are SIDs for IAM policy statements, and the object fields are the resources, actions, and the effect of the statement.
+
+
+
+
+```hcl
+map(object({
+ resources = list(string)
+ actions = list(string)
+ effect = string
+ }))
+```
+
+
+
+
+
+ Example
+
+
+```hcl
+ iam_policy = {
+ S3Access = {
+ actions = ["s3:*"]
+ resources = ["arn:aws:s3:::mybucket"]
+ effect = "Allow"
+ },
+ EC2Access = {
+ actions = ["ec2:*"]
+ resources = ["*"]
+ effect = "Allow"
+ }
+ }
+
+```
+
+
+
+
+
+
+
+
+A list of policies (by ARN) to attach to this group.
+
+
+
+
+
+
+
+
+The name of an IAM role to create. Required when create_iam_role is true.
+
+
+
+
+
+
+
+
+The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module.
+
+
+
+
+
+
+
+
+A list of AWS services for which the IAM role will receive full permissions. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html to find the service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ['ec2','machinelearning'].
+
+
+
+
+
+
+
+
+
+
+
+JSON value for IAM Role Assume Role Policy that allows GitLab Pipelines to inherit IAM Role.
+
+
+
+
+
+
+
+The ARN of the IAM role.
+
+
+
+
+
+
+
+The name of the IAM role.
+
+
+
+
+
+
+
+
diff --git a/docs/reference/modules/terraform-aws-security/gitlab-pipelines-openid-connect-provider/gitlab-pipelines-openid-connect-provider.md b/docs/reference/modules/terraform-aws-security/gitlab-pipelines-openid-connect-provider/gitlab-pipelines-openid-connect-provider.md
new file mode 100644
index 000000000..f691f98e7
--- /dev/null
+++ b/docs/reference/modules/terraform-aws-security/gitlab-pipelines-openid-connect-provider/gitlab-pipelines-openid-connect-provider.md
@@ -0,0 +1,182 @@
+---
+title: "OpenID Connect Provider for GitLab Pipelines"
+hide_title: true
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+import VersionBadge from '../../../../../src/components/VersionBadge.tsx';
+import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx';
+import { ModuleUsage } from "../../../../../src/components/ModuleUsage";
+
+
+
+# OpenID Connect Provider for GitLab Pipelines
+
+View Source
+
+Release Notes
+
+This module creates an OpenID Connect Provider for GitLab Pipelines. This allows you to use GitLab Pipelines as an identity
+provider for your AWS account. This is useful if you want to use GitLab Pipelines to deploy your infrastructure. By
+using OpenID Connect, GitLab Pipelines can directly exchange credentials to access AWS without having to store and provide
+GitHub with permanent AWS access credentials. This is useful to prevent credential leaks from progressing undetected.
+
+## Creating the Provider
+
+```hcl
+module "github_actions_openid_connect_provider" {
+ # Update with latest version of the module
+ source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/gitlab-pipelines-openid-connect-provider?ref="
+
+ allowed_groups = [
+ "gruntwork-io",
+ ]
+}
+```
+
+## Security Considerations
+
+The `allowed_groups` parameter is a list of GitLab organizations that are allowed to authenticate with the OpenID
+Connect Provider. This is a security measure to ensure that only users from the specified organizations can authenticate
+with the OpenID Connect Provider. In addition to this security measure, you should also ensure that all IAM roles
+associated with the OpenID Connect Provider have the appropriate trust policy to only allow assumption of the role by
+the appropriate GitHub Repos on the appropriate refs.
+
+See the TODO [GitLab Pipelines IAM Role](https://github.com/gruntwork-io/terraform-aws-security/tree/v0.75.0/modules/gitlab-pipelines-iam-role/README.md) module for more information.
+
+## Sample Usage
+
+
+
+
+```hcl title="main.tf"
+
+# ------------------------------------------------------------------------------------------------------
+# DEPLOY GRUNTWORK'S GITLAB-PIPELINES-OPENID-CONNECT-PROVIDER MODULE
+# ------------------------------------------------------------------------------------------------------
+
+module "gitlab_pipelines_openid_connect_provider" {
+
+ source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/gitlab-pipelines-openid-connect-provider?ref=v0.75.0"
+
+ # ----------------------------------------------------------------------------------------------------
+ # REQUIRED VARIABLES
+ # ----------------------------------------------------------------------------------------------------
+
+ # List of GitLab top level groups that are allowed to assume IAM roles in the
+ # account.
+ allowed_groups =
+
+ # ----------------------------------------------------------------------------------------------------
+ # OPTIONAL VARIABLES
+ # ----------------------------------------------------------------------------------------------------
+
+ # List of additional thumbprints for the OIDC provider.
+ additional_thumbprints = null
+
+}
+
+
+```
+
+
+
+
+```hcl title="terragrunt.hcl"
+
+# ------------------------------------------------------------------------------------------------------
+# DEPLOY GRUNTWORK'S GITLAB-PIPELINES-OPENID-CONNECT-PROVIDER MODULE
+# ------------------------------------------------------------------------------------------------------
+
+terraform {
+ source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/gitlab-pipelines-openid-connect-provider?ref=v0.75.0"
+}
+
+inputs = {
+
+ # ----------------------------------------------------------------------------------------------------
+ # REQUIRED VARIABLES
+ # ----------------------------------------------------------------------------------------------------
+
+ # List of GitLab top level groups that are allowed to assume IAM roles in the
+ # account.
+ allowed_groups =
+
+ # ----------------------------------------------------------------------------------------------------
+ # OPTIONAL VARIABLES
+ # ----------------------------------------------------------------------------------------------------
+
+ # List of additional thumbprints for the OIDC provider.
+ additional_thumbprints = null
+
+}
+
+
+```
+
+
+
+
+
+
+
+## Reference
+
+
+
+
+### Required
+
+
+
+
+List of GitLab top level groups that are allowed to assume IAM roles in the account.
+
+
+
+
+### Optional
+
+
+
+
+List of additional thumbprints for the OIDC provider.
+
+
+
+
+
+
+
+
+
+
+
+ARN for the OIDC provider created for GitLab Pipelines
+
+
+
+
+
+
+
+Url used for the OIDC provider
+
+
+
+
+
+
+
+
diff --git a/docs/reference/modules/terraform-aws-security/private-s3-bucket/private-s3-bucket.md b/docs/reference/modules/terraform-aws-security/private-s3-bucket/private-s3-bucket.md
index 39d56ffe2..39ce247b0 100644
--- a/docs/reference/modules/terraform-aws-security/private-s3-bucket/private-s3-bucket.md
+++ b/docs/reference/modules/terraform-aws-security/private-s3-bucket/private-s3-bucket.md
@@ -137,10 +137,6 @@ module "private_s_3_bucket" {
# for more info.
bucket_ownership = "BucketOwnerEnforced"
- # Provides an IAM policy in JSON format to apply to S3 bucket. See more:
- # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
- bucket_policy_from_file = null
-
# The IAM policy to apply to this S3 bucket. You can use this to grant
# read/write access. This should be a map, where each key is a unique
# statement ID (SID), and each value is an object that contains the parameters
@@ -350,10 +346,6 @@ inputs = {
# for more info.
bucket_ownership = "BucketOwnerEnforced"
- # Provides an IAM policy in JSON format to apply to S3 bucket. See more:
- # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
- bucket_policy_from_file = null
-
# The IAM policy to apply to this S3 bucket. You can use this to grant
# read/write access. This should be a map, where each key is a unique
# statement ID (SID), and each value is an object that contains the parameters
@@ -584,40 +576,6 @@ Configure who will be the default owner of objects uploaded to this S3 bucket: m
-
-
-
-Provides an IAM policy in JSON format to apply to S3 bucket. See more: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
-
-
-
-
-```hcl
-object({
- # Path to file
- file_path = string
-
- # Variables to substitute in the policy file
- vars = map(string)
- })
-```
-
-
-
-
-
-
-
-```hcl
-
- Variables to substitute in the policy file
-
-```
-
-
-
-
-
@@ -1100,6 +1058,6 @@ The name of an IAM role that can be used to configure replication from various s
"https://github.com/gruntwork-io/terraform-aws-security/tree/v0.75.0/modules/private-s3-bucket/outputs.tf"
],
"sourcePlugin": "module-catalog-api",
- "hash": "990e0d2ba3e04a99b6784fc8b8aa76ed"
+ "hash": "1b1abda0bebc0f51ed3fa7afefe08309"
}
##DOCS-SOURCER-END -->