terraform.aws-baseline-infra/modules/security_identity_compliance/aws_config/main.tf

/*
 AWS Config Service
 If config is already enabled, import it with
 terraform import aws_config_configuration_recorder.config-recorder default
*/

data aws_caller_identity this {}
data aws_regions all-regions {}

resource "aws_iam_service_linked_role" "config" {
  aws_service_name = "config.amazonaws.com"
}

resource null_resource cli-resource-awsconfig {
  for_each = data.aws_regions.all-regions.names
  provisioner "local-exec" {
    when = create
    command = <<-EOD
    aws configservice --region ${each.value} put-configuration-recorder --configuration-recorder name=default,roleARN="${aws_iam_service_linked_role.config.arn}" --recording-group allSupported=true,includeGlobalResourceTypes=false
    aws configservice --region ${each.value} put-delivery-channel --delivery-channel name=default,s3BucketName=${module.config-bucket.bucket-name},configSnapshotDeliveryProperties={deliveryFrequency=Twelve_Hours}
    aws configservice --region ${each.value} put-retention-configuration --retention-period-in-days ${var.config-retention-days}
    aws configservice --region ${each.value} put-conformance-pack --conformance-pack-name Cis14Level1 --template-body file://Cis14Level1.yaml
    aws configservice --region ${each.value} start-configuration-recorder --configuration-recorder-name default
    if [ \"${each.value}\" == \"${var.primary-aws-region}\" ]; then
          aws configservice --region ${each.value} put-configuration-recorder --configuration-recorder name=default,roleARN="${aws_iam_service_linked_role.config.arn}" --recording-group allSupported=true,includeGlobalResourceTypes=true
    fi
EOD
  }

  // Destroy provisioner does not accept variables. Workaround is to delete recorder in all regions.
  provisioner "local-exec" {
    when = destroy
    on_failure = continue
    command = <<-EOD
    aws ec2 describe-regions | jq -cr .Regions[].RegionName | while read r; do
      aws configservice --region $r describe-configuration-recorders --output text | while read dummy; do
        aws configservice --region $r stop-configuration-recorder --configuration-recorder-name default
        aws configservice --region $r delete-delivery-channel --delivery-channel-name default
        aws configservice --region $r delete-configuration-recorder --configuration-recorder-name default
      done
    done
EOD
  }
}

resource "aws_config_configuration_aggregator" "config-aggregator" {
  depends_on = [null_resource.cli-resource-awsconfig]
  name = "ConfigAggregator"

  account_aggregation_source {
    account_ids = [data.aws_caller_identity.this.id]
    all_regions = true
  }
}

/*
resource "aws_config_configuration_recorder" "config-recorder" {
  name     = "${local.resource-prefix}-awsconfig"
  role_arn = aws_iam_service_linked_role.config.arn

  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

resource "aws_config_delivery_channel" "config-delivery-channel" {
  name           = "${local.resource-prefix}-configdeliverychannel"
  s3_bucket_name = module.config-bucket.bucket-name

  depends_on = [aws_config_configuration_recorder.config-recorder]
}

resource "aws_config_configuration_recorder_status" "main" {
  name       = aws_config_configuration_recorder.config-recorder.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.config-delivery-channel]
}
*/

######## Config Bucket - Policy ########

module config-bucket {
  source = "../../storage/infra-s3-bucket"
  bucket-name = "${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}"
  add-random-suffix = false
  bucket-policy-json = data.aws_iam_policy_document.config_bucket_policy.json
  default-tags = var.default-tags
}

data "aws_iam_policy_document" "config_bucket_policy" {

  statement {
    sid = "AWSConfigBucketPermissionsCheck"

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }

    actions = [
      "s3:GetBucketAcl",
    ]

    resources = [
      "arn:aws:s3:::${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}",
    ]
  }

  statement {
    sid = "AWSConfigBucketExistenceCheck"

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }

    actions = [
      "s3:ListBucket",
    ]

    resources = [
      "arn:aws:s3:::${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}",
    ]
  }

  statement {
    sid = "AWSConfigBucketDelivery"

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }

    actions = [
      "s3:PutObject",
    ]

    resources = [
      "arn:aws:s3:::${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}/*",
    ]

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"

      values = [
        "bucket-owner-full-control",
      ]
    }
  }
}