feat(security): create cloudformation-stacksets module (#47)

* feat(security): create cloudformation-stacksets module

* chore: make capabilities customizable

* fix: standardise template_body

* chore: rename module

* fix: force auto deployment

* chore(identity): expose role_arn as an output

* fix: rogue period

* fix: outputs are outputs not variables

* fix: lookup OIDC by arn

* fix: caller_identity reference

* fix: remove incorrect comment

modules/aws/identity/github-actions-role/main.tf

@@ -1,3 +1,5 @@
+data "aws_caller_identity" "current" {}
+
 resource "aws_iam_role" "this" {
   name               = var.name
   assume_role_policy = data.aws_iam_policy_document.assume_role.json

modules/aws/identity/github-actions-role/oidc.tf

@@ -1,6 +1,6 @@
 data "aws_iam_openid_connect_provider" "github" {
   count = var.create_openid_connect_provider ? 0 : 1
-  url   = "https://token.actions.githubusercontent.com"
+  arn   = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
 }
 
 data "tls_certificate" "github" {

modules/aws/security/cloudformation-stackset/main.tf

@@ -0,0 +1,36 @@
+resource "aws_cloudformation_stack_set" "this" {
+  name             = var.name
+  description      = var.description
+  capabilities     = var.capabilities
+  permission_model = "SERVICE_MANAGED"
+
+  template_body = var.template_body
+  template_url  = var.template_url
+  parameters    = var.parameters
+
+  auto_deployment {
+    enabled = true
+  }
+
+  tags = var.tags_all
+}
+
+resource "aws_cloudformation_stack_set_instance" "accounts" {
+  count = length(var.target_accounts) > 0 ? 1 : 0
+
+  stack_set_name = aws_cloudformation_stack_set.this.name
+
+  deployment_targets {
+    accounts = var.target_accounts
+  }
+}
+
+resource "aws_cloudformation_stack_set_instance" "this" {
+  count = length(var.target_org_units) > 0 ? 1 : 0
+
+  stack_set_name = aws_cloudformation_stack_set.this.name
+
+  deployment_targets {
+    organizational_unit_ids = var.target_org_units
+  }
+}

modules/aws/security/cloudformation-stackset/variables.tf

@@ -0,0 +1,52 @@
+variable "name" {
+  description = "The name of the stackset"
+  type        = string
+}
+
+variable "description" {
+  description = "The description of the stackset"
+  type        = string
+  default     = null
+}
+
+variable "capabilities" {
+  description = "A list of capabilities to pass to the stackset"
+  type        = list(string)
+  default     = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"]
+}
+
+variable "template_body" {
+  description = "The template body"
+  type        = string
+  default     = null
+}
+
+variable "template_url" {
+  description = "The URL of the template"
+  type        = string
+  default     = null
+}
+
+variable "parameters" {
+  description = "A list of parameters to pass to the stackset"
+  type        = map(string)
+  default     = {}
+}
+
+variable "tags_all" {
+  description = "A mapping of tags to assign to the resource"
+  type        = map(string)
+  default     = {}
+}
+
+variable "target_accounts" {
+  description = "A list of account IDs to target"
+  type        = list(string)
+  default     = []
+}
+
+variable "target_org_units" {
+  description = "A list of organization unit IDs to target"
+  type        = list(string)
+  default     = []
+}

modules/aws/security/cloudformation-stackset/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">=1.3"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">=4.0"
+    }
+  }
+}