Conditionally Passing Providers

I am working on a project to implement the CIS Foundations Benchmark in Terraform. The previous implementation did not cover AWS Organizations. This new implementation covers all of our AWS accounts, including one organization account. Given that the region associated with an AWS organization is global, this requires modifying the provider configuration.

My current implementation uses hierarchical modules.

The main.tf for the root module is configured like so:

# Default (unaliased) aws provider; resources that do not select a provider
# explicitly use this configuration. Credentials come from assuming the role
# that var.workspace_iam_roles maps to the current workspace.
provider "aws" {
  assume_role {
    role_arn = var.workspace_iam_roles[terraform.workspace]
  }

  region = "us-east-1"
}

# Aliased aws provider for us-east-1, handed to the child module through its
# `providers` map. Same region and assumed role as the default provider above;
# the alias only exists so the module can reference the region by name.
provider "aws" {
  alias = "us-east-1"

  assume_role {
    role_arn = var.workspace_iam_roles[terraform.workspace]
  }

  region = "us-east-1"
}

# provider aws {
#   alias = "af-south-1"
#   region = "af-south-1"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }

# provider aws {
#   alias = "ap-east-1"
#   region = "ap-east-1"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }

# provider aws {
#   alias = "ap-northeast-1"
#   region = "ap-northeast-1"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }

# provider aws {
#   alias = "ap-northeast-2"
#   region = "ap-northeast-2"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }

# provider aws {
#   alias = "ap-south-1"
#   region = "ap-south-1"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }

# provider aws {
#   alias = "ap-southeast-1"
#   region = "ap-southeast-1"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }

# provider aws {
#   alias = "ap-southeast-2"
#   region = "ap-southeast-2"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }

# provider aws {
#   alias = "ca-central-1"
#   region = "ca-central-1"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }

# provider aws {
#   alias = "eu-central-1"
#   region = "eu-central-1"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }

# provider aws {
#   alias = "eu-north-1"
#   region = "eu-north-1"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }

# provider aws {
#   alias = "eu-south-1"
#   region = "eu-south-1"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }

# provider aws {
#   alias = "eu-west-1"
#   region = "eu-west-1"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }

# provider aws {
#   alias = "eu-west-2"
#   region = "eu-west-2"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }

# provider aws {
#   alias = "eu-west-3"
#   region = "eu-west-3"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }

# provider aws {
#   alias = "me-south-1"
#   region = "me-south-1"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }

# provider aws {
#   alias = "sa-east-1"
#   region = "sa-east-1"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }

# provider aws {
#   alias = "us-east-2"
#   region = "us-east-2"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }

# provider aws {
#   alias = "us-west-1"
#   region = "us-west-1"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }

# provider aws {
#   alias = "us-west-2"
#   region = "us-west-2"
 
#  assume_role {
#    role_arn = var.workspace_iam_roles[terraform.workspace]
#  }
# }




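terraform {
  # The child module's required_providers block relies on configuration_aliases,
  # a feature introduced in Terraform 0.15, so ">= 0.13.7" understated the real
  # minimum; the constraint now matches what the configuration actually needs.
  required_version = ">= 0.15.0"

  # Remote state in S3 with server-side encryption enabled and a DynamoDB
  # table used for state locking.
  backend "s3" {
    bucket         = "nf-mop-tf-state"
    key            = "security/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "nf-terraform-state-lock"
  }
}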

# Account ID of the identity the default provider resolves to, i.e. the
# account reached after the assume_role above; passed to the module as
# `account_id`.
data "aws_caller_identity" "current" {}

# Region the default provider is configured for; passed to the module as
# `region`.
data "aws_region" "current" {}

The nf_cisbenchmark.tf module consumes the provider arguments like so:

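# Root-module call of the CIS benchmark module. Region-specific work inside the
# module goes through the aliased providers handed over in `providers`.
module "nf_cis_benchmark" {
  source = "./modules/nf_cis_benchmark"

  name = local.name
  # Direct references replace the former "${...}" wrappers: an interpolation-only
  # string is deprecated since Terraform 0.12 and evaluates to the same value.
  environment = local.environments[terraform.workspace]
  region      = data.aws_region.current.name
  # Assumes a data "aws_organizations_organization" "org" block is declared
  # elsewhere in the root module -- it is not part of the snippet above.
  organization_id    = data.aws_organizations_organization.org.id
  account_id         = data.aws_caller_identity.current.account_id
  workspace          = terraform.workspace
  workspace_iam_role = var.workspace_iam_roles[terraform.workspace]

  # Terraform accepts only literal provider references in this map (no
  # conditional expressions), and every alias the child module lists in
  # configuration_aliases has to be supplied here, so the set of regions is
  # fixed at the time the configuration is written.
  providers = {
    aws.us-east-1 = aws.us-east-1,
    # aws.af-south-1      = aws.af-south-1,
    # aws.ap-east-1       = aws.ap-east-1,
    # aws.ap-northeast-1  = aws.ap-northeast-1,
    # aws.ap-northeast-2  = aws.ap-northeast-2,
    # aws.ap-south-1      = aws.ap-south-1,
    # aws.ap-southeast-1  = aws.ap-southeast-1,
    # aws.ap-southeast-2  = aws.ap-southeast-2,
    # aws.ca-central-1    = aws.ca-central-1,
    # aws.eu-central-1    = aws.eu-central-1,
    # aws.eu-north-1      = aws.eu-north-1,
    # aws.eu-south-1      = aws.eu-south-1,
    # aws.eu-west-1       = aws.eu-west-1,
    # aws.eu-west-2       = aws.eu-west-2,
    # aws.eu-west-3       = aws.eu-west-3,
    # aws.me-south-1      = aws.me-south-1,
    # aws.sa-east-1       = aws.sa-east-1,
    # aws.us-east-2       = aws.us-east-2,
    # aws.us-west-1       = aws.us-west-1,
    # aws.us-west-2       = aws.us-west-2
  }
}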

I’ve commented out all providers except us-east-1, because this gives me a successful `terraform plan` for an organization account.

The main.tf for the nf_cisbenchmark.tf module is configured like so:

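terraform {
  # configuration_aliases is a Terraform 0.15+ feature; declaring that minimum
  # here makes the module itself state the version it needs rather than relying
  # on the root module's constraint.
  required_version = ">= 0.15.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
      # Aliased provider configurations this module expects its caller to hand
      # over in the `providers` map. Every uncommented alias is mandatory for the
      # caller; commented ones are currently not wired through.
      configuration_aliases = [
        aws.us-east-1,
        # aws.af-south-1,
        # aws.ap-east-1,
        # aws.ap-northeast-1,
        # aws.ap-northeast-2,
        # aws.ap-south-1,
        # aws.ap-southeast-1,
        # aws.ap-southeast-2,
        # aws.ca-central-1,
        # aws.eu-central-1,
        # aws.eu-north-1,
        # aws.eu-south-1,
        # aws.eu-west-1,
        # aws.eu-west-2,
        # aws.eu-west-3,
        # aws.me-south-1,
        # aws.sa-east-1,
        # aws.us-east-2,
        # aws.us-west-1,
        # aws.us-west-2
      ]
    }
  }
}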

My goal is to conditionally restrict the map of providers so that, when var.environment == "organization", only us-east-1 is passed into the module. Has anyone accomplished something like this? I would appreciate any advice.