/*
  AWS Config Service

  If AWS Config is already enabled, import the existing recorder instead of
  creating a new one:

    terraform import aws_config_configuration_recorder.config-recorder default
*/
data aws_caller_identity this {}
# Service-linked role for AWS Config. AWS attaches and maintains its policy, so
# no permissions are declared here; the configuration recorder below assumes
# this role to read resource configuration in the account.
resource "aws_iam_service_linked_role" "config" {
  aws_service_name = "config.amazonaws.com"
}
# The AWS Config recorder for this region. Config permits a single recorder per
# region, so an existing one must be imported (see the header comment) rather
# than re-created. NOTE(review): an imported recorder keeps its existing name
# (presumably "default"), and changing "name" is expected to force replacement
# — confirm before applying against an already-enabled account.
resource "aws_config_configuration_recorder" "config-recorder" {
  name     = "${local.resource-prefix}-awsconfig"
  role_arn = aws_iam_service_linked_role.config.arn

  recording_group {
    # Record every supported resource type, including global ones (e.g. IAM).
    # AWS recommends recording global resource types in only one region per
    # account, otherwise the same global resources produce duplicate
    # configuration items (and cost) in every region.
    all_supported                 = true
    include_global_resource_types = true
  }
}
# Delivery channel: the S3 location Config writes configuration snapshots and
# history to. The bucket is created by the config-bucket module below, whose
# policy (data.aws_iam_policy_document.config_bucket_policy) must grant the
# Config service principal access — Config validates bucket permissions when
# the channel is created. Config also refuses a delivery channel until a
# recorder exists, hence the explicit depends_on.
resource "aws_config_delivery_channel" "config-delivery-channel" {
  name           = "${local.resource-prefix}-configdeliverychannel"
  s3_bucket_name = module.config-bucket.bucket-name

  depends_on = [aws_config_configuration_recorder.config-recorder]
}
# Starts the recorder. A recorder cannot be started without a delivery channel,
# so this is ordered after the channel rather than after the recorder alone.
resource "aws_config_configuration_recorder_status" "main" {
  name       = aws_config_configuration_recorder.config-recorder.name
  is_enabled = true

  depends_on = [aws_config_delivery_channel.config-delivery-channel]
}
######## Config Bucket - Policy ########
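# S3 bucket that receives Config deliveries, built from the shared bucket
# module. Labels are quoted to match the other blocks in this file.
module "config-bucket" {
  source = "../../storage/infra-s3-bucket"

  # The name is deterministic (no random suffix) and account-unique so the
  # bucket policy below can name the bucket by string: the policy is an input
  # to this module, so it cannot reference the module's outputs without a
  # dependency cycle.
  bucket-name        = "${local.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}"
  add-random-suffix  = false
  bucket-policy-json = data.aws_iam_policy_document.config_bucket_policy.json

  # Naming / tagging context passed through to the bucket module.
  application      = var.application
  aws-region-short = var.aws-region-short
  customer-name    = var.customer-name
  default-tags     = var.default-tags
  environment      = var.environment
  project          = var.project
}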
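# Bucket policy for the Config delivery bucket, granting the Config service
# principal only what delivery needs (permissions check, existence check,
# object delivery). Every statement carries an aws:SourceAccount condition so
# the grant is usable only by Config acting on behalf of THIS account; without
# it, any other account that learns the bucket name could point its own Config
# delivery channel at this bucket (the confused-deputy case AWS's reference
# policy for Config guards against).
#
# NOTE(review): the ARNs hard-code the "aws" partition, so this policy is wrong
# in the aws-us-gov / aws-cn partitions; resolving the partition (e.g. via an
# aws_partition data source) would fix that.
data "aws_iam_policy_document" "config_bucket_policy" {

  statement {
    sid = "AWSConfigBucketPermissionsCheck"

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }

    actions = [
      "s3:GetBucketAcl",
    ]

    resources = [
      "arn:aws:s3:::${local.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}",
    ]

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.this.account_id]
    }
  }

  statement {
    sid = "AWSConfigBucketExistenceCheck"

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }

    actions = [
      "s3:ListBucket",
    ]

    resources = [
      "arn:aws:s3:::${local.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}",
    ]

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.this.account_id]
    }
  }

  statement {
    sid = "AWSConfigBucketDelivery"

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }

    actions = [
      "s3:PutObject",
    ]

    # The delivery channel above sets no s3_key_prefix, so Config writes under
    # AWSLogs/<account-id>/Config/; the object resource could be narrowed to
    # that path, but is left at the bucket root so a later prefix does not
    # silently break delivery.
    resources = [
      "arn:aws:s3:::${local.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}/*",
    ]

    # Config must hand ownership of delivered objects to the bucket owner.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"

      values = [
        "bucket-owner-full-control",
      ]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.this.account_id]
    }
  }
}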