Module: service-control-policies
Terraform module to provision Service Control Policies (SCP) for AWS Organizations, Organizational Units, and AWS accounts.
Introduction
Service Control Policies are configured in YAML configuration files.
We maintain a comprehensive catalog of SCP configurations and welcome contributions via pull request!
The example in this module uses the catalog to provision the SCPs on AWS.
The policy templates under catalog/*-templates contain placeholders that must be filled in by passing values through the parameters input of terraform-yaml-config.
Usage
For a complete example, see examples/complete.
For automated tests of the complete example using bats and Terratest (which tests and deploys the example on AWS), see test.
```hcl
module "yaml_config" {
  source = "cloudposse/config/yaml"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"

  list_config_local_base_path = path.module
  list_config_paths           = ["catalog/*.yaml"]

  context = module.this.context
}

module "yaml_config_with_parameters" {
  source = "cloudposse/config/yaml"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"

  list_config_local_base_path = path.module
  list_config_paths           = ["https://raw.githubusercontent.com/cloudposse/terraform-aws-service-control-policies/0.12.0/catalog/s3-templates/DenyS3InNonSelectedRegion.yaml"]

  parameters = {
    "s3_regions_lockdown" = "us-*,eu-north-1"
  }

  context = module.this.context
}

data "aws_caller_identity" "this" {}

module "service_control_policies" {
  source = "../../"

  service_control_policy_statements  = concat(module.yaml_config.list_configs, module.yaml_config_with_parameters.list_configs)
  service_control_policy_description = var.service_control_policy_description
  target_id                          = data.aws_caller_identity.this.account_id

  context = module.this.context
}
```
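The parameter substitution and region lockdown used above, as an added Python example that is not part of this module: it fills the `${s3_regions_lockdown}` placeholder in a constructed statement template, assembles the policy document AWS receives, checks the SCP size limit, and tests which regions the rendered Deny still permits. The template's key layout and the comma-splitting convention are assumptions, not the catalog's actual file.

```python
import fnmatch
import json
import re

# Constructed template in the spirit of catalog/s3-templates/DenyS3InNonSelectedRegion.yaml,
# as the dict a YAML loader would produce; the key layout is an assumption, not the real file.
TEMPLATE = {
    "sid": "DenyS3InNonSelectedRegion",
    "effect": "Deny",
    "action": ["s3:*"],
    "resource": "*",
    "condition": [{"test": "StringNotLike", "variable": "aws:RequestedRegion",
                   "values": "${s3_regions_lockdown}"}],  # placeholder filled by parameters
}

def render(node, parameters):
    """Fill ${name} placeholders; comma-separated values become lists (assumed convention)."""
    if isinstance(node, dict):
        return {k: render(v, parameters) for k, v in node.items()}
    if isinstance(node, list):
        return [render(v, parameters) for v in node]
    m = isinstance(node, str) and re.fullmatch(r"\$\{(\w+)\}", node)
    if not m:
        return node
    value = parameters[m.group(1)]
    return [s.strip() for s in value.split(",")] if "," in value else value

def to_scp_document(statements):
    """Assemble the JSON policy document AWS Organizations actually receives."""
    out = []
    for s in statements:
        stmt = {"Sid": s["sid"], "Effect": s["effect"],
                "Action": s["action"], "Resource": s["resource"]}
        for c in s.get("condition", []):
            stmt.setdefault("Condition", {}).setdefault(c["test"], {})[c["variable"]] = c["values"]
        out.append(stmt)
    return {"Version": "2012-10-17", "Statement": out}

def scp_size_ok(doc, limit=5120):
    """AWS Organizations rejects SCP documents larger than 5,120 bytes."""
    return len(json.dumps(doc, separators=(",", ":")).encode()) <= limit

def s3_allowed_in(doc, region):
    """A Deny with StringNotLike fires when the region matches none of its patterns."""
    for stmt in doc["Statement"]:
        for pats in stmt.get("Condition", {}).get("StringNotLike", {}).values():
            pats = pats if isinstance(pats, list) else [pats]
            if stmt["Effect"] == "Deny" and not any(fnmatch.fnmatchcase(region, p) for p in pats):
                return False
    return True
```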
Examples
Review the complete example to see how to use this module.