
/*
AWS Config service.
If AWS Config is already enabled in this account, import the existing recorder with:
terraform import aws_config_configuration_recorder.config-recorder default
*/
# Identity of the account the provider is authenticated against; its account_id
# is used below to name the Config bucket and to scope its bucket policy.
data "aws_caller_identity" "this" {}
# Regions enabled for this account (the data source's default filter); the
# Config recorder is created once per region in the list.
data "aws_regions" "all-regions" {}
# Service-linked role that AWS Config assumes to record resource configuration;
# its ARN is passed to put-configuration-recorder below.
resource "aws_iam_service_linked_role" "config" {
  aws_service_name = "config.amazonaws.com"
}
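# Enables AWS Config in every enabled region through the AWS CLI (one instance
# per region). The provider-native aws_config_* resources are single-region,
# which is why the CLI is used here and the native variant is kept commented
# out further down.
resource "null_resource" "cli-resource-awsconfig" {
  for_each = data.aws_regions.all-regions.names

  provisioner "local-exec" {
    when = create
    # `set -eu` stops at the first failing step, so the recorder is never
    # started against a half-configured delivery channel or a missing template.
    # The template is written to a per-region file: Terraform runs the regional
    # instances in parallel, and a shared file name is a read/write race
    # (one instance can read a partially downloaded file from another).
    # NOTE(review): the conformance pack is fetched from a mutable branch with
    # no integrity verification; pin the URL to a release tag or commit and
    # verify a checksum before the template is applied to the account.
    command = <<-EOD
      set -eu
      pack_file="Cis14Level1-${each.value}.yaml"
      wget -q https://raw.githubusercontent.com/awslabs/aws-config-rules/master/aws-config-conformance-packs/Operational-Best-Practices-for-CIS-AWS-v1.4-Level1.yaml -O "$pack_file"
      aws configservice --region ${each.value} put-configuration-recorder --configuration-recorder name=default,roleARN="${aws_iam_service_linked_role.config.arn}" --recording-group allSupported=true,includeGlobalResourceTypes=true
      aws configservice --region ${each.value} put-delivery-channel --delivery-channel name=default,s3BucketName=${module.config-bucket.bucket-name},configSnapshotDeliveryProperties={deliveryFrequency=Twelve_Hours}
      aws configservice --region ${each.value} put-retention-configuration --retention-period-in-days ${var.config-retention-days}
      aws configservice --region ${each.value} put-conformance-pack --conformance-pack-name Cis14Level1 --template-body "file://$pack_file"
      aws configservice --region ${each.value} start-configuration-recorder --configuration-recorder-name default
      rm -f "$pack_file"
    EOD
  }

  # A destroy-time provisioner cannot reference variables or other resources,
  # so the region list is rediscovered at run time and the "default" recorder
  # is torn down wherever one exists. Failures are tolerated (on_failure =
  # continue) because regions without a recorder make the describe/delete
  # calls fail harmlessly.
  provisioner "local-exec" {
    when       = destroy
    on_failure = continue
    command    = <<-EOD
      aws ec2 describe-regions | jq -cr .Regions[].RegionName | while read r; do
        aws configservice --region $r describe-configuration-recorders --output text | while read dummy; do
          aws configservice --region $r stop-configuration-recorder --configuration-recorder-name default
          aws configservice --region $r delete-delivery-channel --delivery-channel-name default
          aws configservice --region $r delete-configuration-recorder --configuration-recorder-name default
        done
      done
    EOD
  }
}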
# Single aggregator that collects the per-region recorders of this account
# into one view. It depends on the CLI resource so that the recorders exist
# before aggregation is configured.
resource "aws_config_configuration_aggregator" "config-aggregator" {
  name       = "ConfigAggregator"
  depends_on = [null_resource.cli-resource-awsconfig]

  account_aggregation_source {
    all_regions = true
    # The data source's id is the account id.
    account_ids = [data.aws_caller_identity.this.account_id]
  }
}
/*
resource "aws_config_configuration_recorder" "config-recorder" {
name = "${local.resource-prefix}-awsconfig"
role_arn = aws_iam_service_linked_role.config.arn
recording_group {
all_supported = true
include_global_resource_types = true
}
}
resource "aws_config_delivery_channel" "config-delivery-channel" {
name = "${local.resource-prefix}-configdeliverychannel"
s3_bucket_name = module.config-bucket.bucket-name
depends_on = [aws_config_configuration_recorder.config-recorder]
}
resource "aws_config_configuration_recorder_status" "main" {
name = aws_config_configuration_recorder.config-recorder.name
is_enabled = true
depends_on = [aws_config_delivery_channel.config-delivery-channel]
}
*/
######## Config Bucket - Policy ########
# S3 bucket that receives Config snapshots and history. The name embeds the
# account id so it is globally unique without a random suffix, and the same
# name is used verbatim in the bucket policy document below.
module "config-bucket" {
  source = "../../storage/infra-s3-bucket"

  bucket-name        = "${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}"
  add-random-suffix  = false
  default-tags       = var.default-tags
  bucket-policy-json = data.aws_iam_policy_document.config_bucket_policy.json
}
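# Bucket policy granting the AWS Config service principal the three permissions
# it needs on the delivery bucket. Every statement carries an AWS:SourceAccount
# condition so the service principal can only act on behalf of this account
# (confused-deputy protection); without it, Config in any other account could
# write into this bucket by naming it as a delivery target. Object writes are
# limited to the AWSLogs/<account>/Config/ prefix, which is where Config
# delivers when the delivery channel has no s3KeyPrefix (as above).
# The bucket ARN is spelled out rather than read from the module because the
# policy is an input to that module (a module output reference would cycle).
data "aws_iam_policy_document" "config_bucket_policy" {
  statement {
    sid = "AWSConfigBucketPermissionsCheck"
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
    actions = [
      "s3:GetBucketAcl",
    ]
    resources = [
      "arn:aws:s3:::${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}",
    ]
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceAccount"
      values   = [data.aws_caller_identity.this.account_id]
    }
  }

  statement {
    sid = "AWSConfigBucketExistenceCheck"
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
    actions = [
      "s3:ListBucket",
    ]
    resources = [
      "arn:aws:s3:::${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}",
    ]
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceAccount"
      values   = [data.aws_caller_identity.this.account_id]
    }
  }

  statement {
    sid = "AWSConfigBucketDelivery"
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
    actions = [
      "s3:PutObject",
    ]
    # Scoped to the default Config delivery prefix instead of the whole bucket.
    resources = [
      "arn:aws:s3:::${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}/AWSLogs/${data.aws_caller_identity.this.account_id}/Config/*",
    ]
    # Config must hand object ownership to the bucket owner.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = [
        "bucket-owner-full-control",
      ]
    }
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceAccount"
      values   = [data.aws_caller_identity.this.account_id]
    }
  }
}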