ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2025-12-19 05:17:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
8d9bf2384f9f2b44a5022fe528f775f50bf3846f
prowler/permissions/templates/terraform/main.tf
Alejandro Bailo 8d9bf2384f docs: S3 tutorial documentation (#8414) 
Co-authored-by: Pepe Fagoaga <pepe@prowler.com>
Co-authored-by: Adrián Jesús Peña Rodríguez <adrianjpr@gmail.com>
2025-08-07 16:04:42 +05:45

82 lines
2.6 KiB
HCL
Raw Blame History

# Local validation for conditional requirements
###################################
locals {
s3_integration_validation = (
!var.enable_s3_integration ||
(var.enable_s3_integration && var.s3_integration_bucket_name != "" && var.s3_integration_bucket_account_id != "")
)
}
# Validation check using check block (Terraform 1.5+)
check "s3_integration_requirements" {
assert {
condition = !var.enable_s3_integration || (var.s3_integration_bucket_name != "" && var.s3_integration_bucket_account_id != "")
error_message = "When enable_s3_integration is true, both s3_integration_bucket_name and s3_integration_bucket_account_id must be provided and non-empty."
}
}
# IAM Role
###################################
data "aws_iam_policy_document" "prowler_assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:${data.aws_partition.current.partition}:iam::${var.account_id}:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
var.external_id,
]
}
condition {
test = "StringLike"
variable = "aws:PrincipalArn"
values = [
"arn:${data.aws_partition.current.partition}:iam::${var.account_id}:${var.iam_principal}",
]
}
}
}
resource "aws_iam_role" "prowler_scan" {
name = "ProwlerScan"
assume_role_policy = data.aws_iam_policy_document.prowler_assume_role_policy.json
}
resource "aws_iam_policy" "prowler_scan_policy" {
name = "ProwlerScan"
description = "Prowler Scan Policy"
policy = file("../../prowler-additions-policy.json")
}
resource "aws_iam_role_policy_attachment" "prowler_scan_policy_attachment" {
role = aws_iam_role.prowler_scan.name
policy_arn = aws_iam_policy.prowler_scan_policy.arn
}
resource "aws_iam_role_policy_attachment" "prowler_scan_securityaudit_policy_attachment" {
role = aws_iam_role.prowler_scan.name
policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/SecurityAudit"
}
resource "aws_iam_role_policy_attachment" "prowler_scan_viewonly_policy_attachment" {
role = aws_iam_role.prowler_scan.name
policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/job-function/ViewOnlyAccess"
}
# S3 Integration Module
###################################
module "s3_integration" {
count = var.enable_s3_integration ? 1 : 0
source = "./s3-integration"
s3_integration_bucket_name = var.s3_integration_bucket_name
s3_integration_bucket_account_id = var.s3_integration_bucket_account_id
prowler_role_name = aws_iam_role.prowler_scan.name
}
Reference in New Issue View Git Blame Copy Permalink