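# Aggregates AWS Config data from every responsible account in this environment,
# across all regions, into this account.
resource "aws_config_configuration_aggregator" "account" {
  name = "xdr-aggregator-${var.environment}"

  account_aggregation_source {
    account_ids = var.responsible_accounts[var.environment]
    all_regions = true
  }
}

# Topic that Config in the responsible accounts publishes change notifications to.
resource "aws_sns_topic" "config-notifications" {
  name = "config-notifications"
  tags = merge(var.standard_tags, var.tags)

  # TODO: the topic is still unencrypted while the queue behind it is.
  # Enabling the key here also requires every publishing principal (Config in each
  # responsible account) to hold kms:GenerateDataKey and kms:Decrypt on the key;
  # the "AllowOtherAccounts" statement below grants GenerateDataKey/Encrypt only,
  # so that statement has to be extended at the same time.
  #kms_master_key_id = aws_kms_key.config-notifications-key.id
}

resource "aws_sns_topic_policy" "config-notifications" {
  arn    = aws_sns_topic.config-notifications.arn
  policy = data.aws_iam_policy_document.config-sns.json
}

# Who may publish to the topic.
# NOTE(review): granting the account *root* lets any principal in those accounts
# publish, not only Config. If only Config should publish, a service principal
# ("config.amazonaws.com") with an aws:SourceAccount condition over the same list
# is the narrower grant — confirm that Config delivery still works before switching.
data "aws_iam_policy_document" "config-sns" {
  statement {
    sid       = "AllowConfig"
    actions   = ["SNS:Publish"]
    effect    = "Allow"
    resources = [aws_sns_topic.config-notifications.arn]

    principals {
      type        = "AWS"
      identifiers = [for a in var.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
    }
  }
}

# Queue that the SNS topic fans out to; consumed by Splunk.
resource "aws_sqs_queue" "config-notifications" {
  name = "config-notifications"

  visibility_timeout_seconds = 300    # wait 5 minutes before allowing a different splunk instance to process the same message
  message_retention_seconds  = 604800 # Keep a message in the queue for 7 days
  receive_wait_time_seconds  = 0      # how long to wait for a message before returning

  # After 4 failed receives a message is moved to the dead-letter queue.
  # jsonencode() produces the same document as the hand-escaped string did and
  # cannot be broken by quoting mistakes.
  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.config-notifications-dlq.arn
    maxReceiveCount     = 4
  })

  kms_master_key_id                 = aws_kms_key.config-notifications-key.id
  kms_data_key_reuse_period_seconds = 3600

  tags = merge(var.standard_tags, var.tags)
}

# Queue policy: the wildcard principal is scoped by the aws:SourceArn condition,
# so only our own SNS topic can deliver into the queue.
data "aws_iam_policy_document" "config-notifications-sns-topic-can-publish" {
  statement {
    effect = "Allow"

    principals {
      identifiers = ["*"]
      type        = "AWS"
    }

    actions   = ["SQS:SendMessage"]
    resources = [aws_sqs_queue.config-notifications.arn]

    condition {
      test     = "ArnEquals"
      values   = [aws_sns_topic.config-notifications.arn]
      variable = "aws:SourceArn"
    }
  }
}

# Dead-letter queue for the queue above. Its retention must be at least as long as
# the source queue's: SQS keeps a message's original enqueue timestamp when it moves
# it to the DLQ, so a shorter retention here would silently expire failed messages
# (the previous 300 seconds discarded them almost immediately).
resource "aws_sqs_queue" "config-notifications-dlq" {
  name = "config-notifications-dlq"

  message_retention_seconds = 1209600 # 14 days (SQS maximum), longer than the 7 days on the source queue
  receive_wait_time_seconds = 0

  kms_master_key_id                 = aws_kms_key.config-notifications-key.id
  kms_data_key_reuse_period_seconds = 3600

  tags = merge(var.standard_tags, var.tags)
}

resource "aws_sqs_queue_policy" "config-notifications-can-publish" {
  policy    = data.aws_iam_policy_document.config-notifications-sns-topic-can-publish.json
  queue_url = aws_sqs_queue.config-notifications.id
}

resource "aws_sns_topic_subscription" "config-notifications-to-queue" {
  topic_arn = aws_sns_topic.config-notifications.arn
  protocol  = "sqs"
  endpoint  = aws_sqs_queue.config-notifications.arn
}

# Customer-managed key shared by the queues (and, once the TODO above is done, the topic).
resource "aws_kms_key" "config-notifications-key" {
  description         = "Encryption of SNS and SQS queue for config change notifications"
  policy              = data.aws_iam_policy_document.config-notifications-kms-policy.json
  enable_key_rotation = true

  tags = merge(var.standard_tags, var.tags)
}

data "aws_iam_policy_document" "config-notifications-kms-policy" {
  # Service principals that wrap/unwrap data keys on our behalf.
  # NOTE(review): this statement has no aws:SourceAccount / kms:ViaService
  # condition, so the grant is not tied to our own topic and queues — scoping it
  # is a worthwhile follow-up; confirm the cross-account Config path before adding one.
  statement {
    sid    = "AllowServices"
    effect = "Allow"

    principals {
      identifiers = ["config.amazonaws.com", "sns.amazonaws.com", "sqs.amazonaws.com"]
      type        = "Service"
    }

    actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
    resources = ["*"]
  }

  # Responsible accounts may produce ciphertext with the key but not read it back.
  # An encrypted SNS topic would additionally need kms:Decrypt for these publishers.
  statement {
    sid    = "AllowOtherAccounts"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [for a in var.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
    }

    actions   = ["kms:GenerateDataKey", "kms:Encrypt"]
    resources = ["*"]
  }

  # allow account to modify/manage key (standard root-of-this-account admin statement;
  # without it the key could become unmanageable)
  statement {
    sid    = "AllowThisAccount"
    effect = "Allow"

    principals {
      identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
      type        = "AWS"
    }

    actions   = ["kms:*"]
    resources = ["*"]
  }
}

resource "aws_kms_alias" "config-notifications-key-alias" {
  name          = "alias/config-notifications-key"
  target_key_id = aws_kms_key.config-notifications-key.key_id
}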