terraform.aws-baseline-infra/modules/security_identity_compliance/aws_config/main.tf

116 lines
2.7 KiB
Terraform
Raw Normal View History

2021-01-29 16:21:17 +08:00
/*
AWS Config Service
If config is already enabled, import it with
terraform import aws_config_configuration_recorder.config-recorder default
*/
data aws_caller_identity this {}
resource "aws_iam_service_linked_role" "config" {
aws_service_name = "config.amazonaws.com"
}
resource "aws_config_configuration_recorder" "config-recorder" {
name = "${local.resource-prefix}-awsconfig"
role_arn = aws_iam_service_linked_role.config.arn
recording_group {
all_supported = true
include_global_resource_types = true
}
}
resource "aws_config_delivery_channel" "config-delivery-channel" {
name = "${local.resource-prefix}-configdeliverychannel"
s3_bucket_name = module.config-bucket.bucket-name
depends_on = [aws_config_configuration_recorder.config-recorder]
}
resource "aws_config_configuration_recorder_status" "main" {
name = aws_config_configuration_recorder.config-recorder.name
is_enabled = true
depends_on = [aws_config_delivery_channel.config-delivery-channel]
}
######## Config Bucket - Policy ########
module config-bucket {
source = "../../storage/infra-s3-bucket"
application = var.application
aws-region-short = var.aws-region-short
bucket-name = "${local.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}"
add-random-suffix = false
bucket-policy-json = data.aws_iam_policy_document.config_bucket_policy.json
customer-name = var.customer-name
default-tags = var.default-tags
environment = var.environment
project = var.project
}
data "aws_iam_policy_document" "config_bucket_policy" {
statement {
sid = "AWSConfigBucketPermissionsCheck"
principals {
type = "Service"
identifiers = ["config.amazonaws.com"]
}
actions = [
"s3:GetBucketAcl",
]
resources = [
"arn:aws:s3:::${local.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}",
]
}
statement {
sid = "AWSConfigBucketExistenceCheck"
principals {
type = "Service"
identifiers = ["config.amazonaws.com"]
}
actions = [
"s3:ListBucket",
]
resources = [
"arn:aws:s3:::${local.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}",
]
}
statement {
sid = "AWSConfigBucketDelivery"
principals {
type = "Service"
identifiers = ["config.amazonaws.com"]
}
actions = [
"s3:PutObject",
]
resources = [
"arn:aws:s3:::${local.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}/*",
]
condition {
test = "StringEquals"
variable = "s3:x-amz-acl"
values = [
"bucket-owner-full-control",
]
}
}
}