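# Account-level Config aggregator: collects AWS Config data from every
# "responsible" account for this environment, across all regions. Each source
# account must also authorize this aggregator (aws_config_aggregate_authorization)
# on its own side; that is not defined in this file.
resource "aws_config_configuration_aggregator" "account" {
  name = "xdr-aggregator-${var.environment}"

  account_aggregation_source {
    account_ids = var.responsible_accounts[var.environment]
    all_regions = true
  }
}

# Topic the responsible accounts' AWS Config delivery channels publish to.
# NOTE(review): the name is not environment-scoped, unlike the aggregator above;
# renaming forces replacement of the topic (and all subscriptions), so it is
# left unchanged here.
resource "aws_sns_topic" "account-alerts" {
  name = "account-alerts"

  # TODO: encrypt at rest. The AWS-managed key "alias/aws/sns" is NOT a valid
  # choice here: AWS-managed keys cannot be used by principals in other
  # accounts, and every publisher granted below is another account, so enabling
  # it would silently break cross-account delivery. A customer-managed KMS key
  # is required, with a key policy granting kms:GenerateDataKey and kms:Decrypt
  # to the publishing principals in each responsible account (see the AWS Config
  # documentation on encrypted SNS topics before enabling).
  # kms_master_key_id = "<customer-managed key ARN>"
}

resource "aws_sns_topic_policy" "account-alerts" {
  arn    = aws_sns_topic.account-alerts.arn
  policy = data.aws_iam_policy_document.config-sns.json
}

# Topic policy: allows SNS:Publish from the root of every responsible account
# (the pattern shown in the linked AWS Config SNS topic policy docs) and denies
# any access to the topic over plaintext transport.
data "aws_iam_policy_document" "config-sns" {
  # Cross-account Config publishing. Granting ":root" means any IAM principal in
  # that account which itself holds sns:Publish may post to this topic -- the
  # trust boundary is the whole responsible account, not only its Config role.
  # If the Config role ARN used in each account is known, tighten this with an
  # aws:PrincipalArn condition.
  statement {
    sid       = "AllowConfig"
    effect    = "Allow"
    actions   = ["SNS:Publish"]
    resources = [aws_sns_topic.account-alerts.arn]

    principals {
      type = "AWS"
      identifiers = [
        for a in var.responsible_accounts[var.environment] :
        "arn:${var.aws_partition}:iam::${a}:root"
      ]
    }
  }

  # Enforce TLS: deny every SNS action on this topic when the request did not
  # arrive over HTTPS. AWS Config and the AWS SDKs publish over HTTPS, so
  # legitimate callers are unaffected.
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["SNS:*"]
    resources = [aws_sns_topic.account-alerts.arn]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }

  # Intentionally disabled: a statement for the Config service-linked role.
  # From https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html:
  # "AWS Config does not recommend using a service-linked role when using Amazon
  # SNS topic from other accounts."
  # Kept as valid HCL so it can be uncommented as-is: a `principals` block takes
  # `identifiers`, not `resources`, and attributes are not comma-terminated.
  # statement {
  #   sid       = "AllowConfigServer"
  #   effect    = "Allow"
  #   actions   = ["SNS:Publish"]
  #   resources = [aws_sns_topic.account-alerts.arn]
  #
  #   principals {
  #     type        = "AWS"
  #     identifiers = []
  #   }
  # }
}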