drata autopilot role

drata · Feb 19, 2021 · 8741beb · 8741beb
1 parent c22ad2a
commit 8741beb
Show file tree

Hide file tree

Showing 5 changed files with 105 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -1,2 +1,22 @@
 # terraform-aws-drata-autopilot-role
+
 Terraform module to create the Drata Autopilot Role in AWS
+
+## Usage
+
+**Note** the example below uses `ref=master`. It is recommended to pin this module to a specific version to avoid breaking changes.
+
+```
+module "drata_autopilot_role" {
+  source              = "git::https://github.com/drata/terraform-aws-drata-autopilot-role.git?ref=master"
+  role_sts_externalid = "YOUR_EXTERNAL_ID"
+
+  # optional
+  role_name = "DrataReadOnly" # defaults to "DrataAutopilotRole"
+  role_path = "/external"     # defaults to "/security"
+}
+```
+
+Replace `YOUR_EXTERNAL_ID` with the External ID in the AWS connection panel in Drata
+
+After you apply this terraform, it will output the Role ARN that you can paste into the AWS connection panel in Drata to initiate the connection.
diff --git a/main.tf b/main.tf
@@ -0,0 +1,36 @@
+data "aws_iam_policy_document" "drata_autopilot_assume_role" {
+  statement {
+    effect = "Allow"
+
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "AWS"
+      identifiers = [var.drata_aws_account_arn]
+    }
+
+    dynamic "condition" {
+      for_each = var.role_sts_externalid != null ? [true] : []
+      content {
+        test     = "StringEquals"
+        variable = "sts:ExternalId"
+        values   = [var.role_sts_externalid]
+      }
+    }
+  }
+}
+
+resource "aws_iam_role" "drata" {
+  name        = var.role_name
+  path        = var.role_path
+  description = var.role_description
+
+  assume_role_policy = data.aws_iam_policy_document.drata_autopilot_assume_role.json
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "security_audit" {
+  role       = aws_iam_role.drata.name
+  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
+}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,4 @@
+output "role_arn" {
+  value       = aws_iam_role.drata.arn
+  description = "The ARN of the role"
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,35 @@
+variable "drata_aws_account_arn" {
+  type        = string
+  default     = "arn:aws:iam::269135526815:root"
+  description = "Drata's AWS account ARN"
+}
+
+variable "role_sts_externalid" {
+  description = "STS ExternalId condition value to use with the role"
+  type        = string
+  default     = null
+}
+
+variable "role_name" {
+  description = "IAM role name"
+  type        = string
+  default     = "DrataAutopilotRole"
+}
+
+variable "role_path" {
+  description = "Path of IAM role"
+  type        = string
+  default     = "/security"
+}
+
+variable "role_description" {
+  description = "IAM Role description"
+  type        = string
+  default     = "Cross-account read-only access for Drata Autopilot"
+}
+
+variable "tags" {
+  description = "A map of tags to add to IAM role resources"
+  type        = map(string)
+  default     = {}
+}
diff --git a/versions.tf b/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 0.13.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.1.15"
+    }
+  }
+}