пре 5 година · 8e32ba3abd
--- a/base/account_standards/config.tf
+++ b/base/account_standards/config.tf
@@ -15,7 +15,7 @@ data "aws_iam_policy_document" "awsconfig" {
 
				     effect  = "Allow"
			
 
				     actions = ["s3:PutObject"]
			
 
				     resources = [
			
 
				-      "arn:${var.aws_partition}:s3:::xdr-config-${var.environment}/*",
			
 
				+      "arn:${var.aws_partition}:s3:::xdr-config-${local.logging_environment}/*",
			
 
				     ]
			
 
				     condition {
			
 
				       test     = "StringEquals"
			
@@ -27,7 +27,7 @@ data "aws_iam_policy_document" "awsconfig" {
 
				     effect  = "Allow"
			
 
				     actions = ["s3:GetBucketAcl"]
			
 
				     resources = [
			
 
				-      "arn:${var.aws_partition}:s3:::xdr-config-${var.environment}/*",
			
 
				+      "arn:${var.aws_partition}:s3:::xdr-config-${local.logging_environment}/*",
			
 
				     ]
			
 
				   }
			
 
				 
			
@@ -84,7 +84,7 @@ resource "aws_config_configuration_recorder" "awsconfig_recorder" {
 
				 
			
 
				 resource "aws_config_delivery_channel" "awsconfig_delivery_channel" {
			
 
				   name           = "xdr-config-delivery-channel"
			
 
				-  s3_bucket_name = "xdr-config-${var.environment}"
			
 
				+  s3_bucket_name = "xdr-config-${local.logging_environment}"
			
 
				   sns_topic_arn  = "arn:${var.aws_partition}:sns:${var.aws_region}:${local.c2_account}:account-alerts"
			
 
				 
			
 
				   snapshot_delivery_properties {
			
--- a/base/account_standards/ebs-kms-key.tf
+++ b/base/account_standards/ebs-kms-key.tf
@@ -1,3 +1,8 @@
 
				+locals {
			
 
				+  # For the default EBS key, we allow the entire account access
			
 
				+  root_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:root"
			
 
				+}
			
 
				+
			
 
				 module "ebs_root_encrypt_decrypt" {
			
 
				   source = "../../submodules/kms/ebs-key"
			
 
				 
			
@@ -6,8 +11,8 @@ module "ebs_root_encrypt_decrypt" {
 
				   description = "encrypt and decrypt root volume" # updated to match legacy
			
 
				   tags = merge(var.standard_tags, var.tags)
			
 
				   key_admin_arns = var.extra_ebs_key_admins
			
 
				-  key_user_arns = var.extra_ebs_key_users
			
 
				-  key_attacher_arns = var.extra_ebs_key_attachers
			
 
				+  key_user_arns = concat([ local.root_arn ], var.extra_ebs_key_users)
			
 
				+  key_attacher_arns = concat([ local.root_arn ], var.extra_ebs_key_attachers)
			
 
				   standard_tags = var.standard_tags
			
 
				   aws_account_id = var.aws_account_id
			
 
				   aws_partition = var.aws_partition
			
--- a/base/account_standards_c2/config_aggregator.tf
+++ b/base/account_standards_c2/config_aggregator.tf
@@ -25,7 +25,7 @@ data "aws_iam_policy_document" "config-sns" {
 
				     resources = [ aws_sns_topic.account-alerts.arn ]
			
 
				     principals {
			
 
				       type = "AWS"
			
 
				-      identifiers = var.responsible_accounts[var.environment]
			
 
				+      identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:aws:iam::${a}:root" ]
			
 
				     }
			
 
				   }