%!s(int64=5) %!d(string=hai) anos · 8e32ba3abd
--- a/base/account_standards/config.tf
+++ b/base/account_standards/config.tf
@@ -15,7 +15,7 @@ data "aws_iam_policy_document" "awsconfig" {
 
															     effect  = "Allow"
														
 
															     actions = ["s3:PutObject"]
														
 
															     resources = [
														
 
															-      "arn:${var.aws_partition}:s3:::xdr-config-${var.environment}/*",
														
 
															+      "arn:${var.aws_partition}:s3:::xdr-config-${local.logging_environment}/*",
														
 
															     ]
														
 
															     condition {
														
 
															       test     = "StringEquals"
														
@@ -27,7 +27,7 @@ data "aws_iam_policy_document" "awsconfig" {
 
															     effect  = "Allow"
														
 
															     actions = ["s3:GetBucketAcl"]
														
 
															     resources = [
														
 
															-      "arn:${var.aws_partition}:s3:::xdr-config-${var.environment}/*",
														
 
															+      "arn:${var.aws_partition}:s3:::xdr-config-${local.logging_environment}/*",
														
 
															     ]
														
 
															   }
														
@@ -84,7 +84,7 @@ resource "aws_config_configuration_recorder" "awsconfig_recorder" {
 
															 resource "aws_config_delivery_channel" "awsconfig_delivery_channel" {
														
 
															   name           = "xdr-config-delivery-channel"
														
 
															-  s3_bucket_name = "xdr-config-${var.environment}"
														
 
															+  s3_bucket_name = "xdr-config-${local.logging_environment}"
														
 
															   sns_topic_arn  = "arn:${var.aws_partition}:sns:${var.aws_region}:${local.c2_account}:account-alerts"
														
 
															   snapshot_delivery_properties {
														
--- a/base/account_standards/ebs-kms-key.tf
+++ b/base/account_standards/ebs-kms-key.tf
@@ -1,3 +1,8 @@
 
															+locals {
														
 
															+  # For the default EBS key, we allow the entire account access
														
 
															+  root_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:root"
														
 
															+}
														
 
															+
														
 
															 module "ebs_root_encrypt_decrypt" {
														
 
															   source = "../../submodules/kms/ebs-key"
														
@@ -6,8 +11,8 @@ module "ebs_root_encrypt_decrypt" {
 
															   description = "encrypt and decrypt root volume" # updated to match legacy
														
 
															   tags = merge(var.standard_tags, var.tags)
														
 
															   key_admin_arns = var.extra_ebs_key_admins
														
 
															-  key_user_arns = var.extra_ebs_key_users
														
 
															-  key_attacher_arns = var.extra_ebs_key_attachers
														
 
															+  key_user_arns = concat([ local.root_arn ], var.extra_ebs_key_users)
														
 
															+  key_attacher_arns = concat([ local.root_arn ], var.extra_ebs_key_attachers)
														
 
															   standard_tags = var.standard_tags
														
 
															   aws_account_id = var.aws_account_id
														
 
															   aws_partition = var.aws_partition
														
--- a/base/account_standards_c2/config_aggregator.tf
+++ b/base/account_standards_c2/config_aggregator.tf
@@ -25,7 +25,7 @@ data "aws_iam_policy_document" "config-sns" {
 
															     resources = [ aws_sns_topic.account-alerts.arn ]
														
 
															     principals {
														
 
															       type = "AWS"
														
 
															-      identifiers = var.responsible_accounts[var.environment]
														
 
															+      identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:aws:iam::${a}:root" ]
														
 
															     }
														
 
															   }