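# Approve the aggregator in C2
# Authorizes the C2 account's Config aggregator to collect this account's
# configuration data in the current region.
resource "aws_config_aggregate_authorization" "authorization" {
  account_id = local.c2_account
  region     = var.aws_region
  tags       = merge(local.standard_tags, var.tags)
}

output "authorizations" {
  value = aws_config_aggregate_authorization.authorization
}

# Names/ARNs of the Config delivery targets, defined once so that the IAM
# policy below and the delivery channel cannot drift apart.
locals {
  config_bucket_name   = "xdr-config-${local.logging_environment}"
  config_bucket_arn    = "arn:${var.aws_partition}:s3:::${local.config_bucket_name}"
  config_sns_topic_arn = "arn:${var.aws_partition}:sns:${var.aws_region}:${local.c2_account}:config-notifications"
}

########### IAM Role for AWS Config

# Account-local permissions that the Config service role needs on top of the
# AWS-managed policy attached further down: write snapshots/history to the
# logging bucket, read the bucket ACL, publish to the notification topic, and
# describe KMS keys for rule evaluation.
data "aws_iam_policy_document" "awsconfig" {
  statement {
    sid     = "PutConfigS3BucketObjects"
    effect  = "Allow"
    actions = ["s3:PutObject"]
    resources = [
      # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
      # NOTE(review): could be narrowed to the AWSLogs/<account-id>/Config/ key
      # prefix that Config writes under — confirm the delivery layout before tightening.
      "${local.config_bucket_arn}/*",
    ]
    # Config must hand ownership of the objects it writes to the bucket owner.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }

  statement {
    sid     = "GetConfigS3BucketACL"
    effect  = "Allow"
    actions = ["s3:GetBucketAcl"]
    # s3:GetBucketAcl is a bucket-level action, so the resource is the bucket
    # ARN itself; an object-path pattern ("<bucket>/*") never matches it and
    # the statement would grant nothing.
    resources = [local.config_bucket_arn]
  }

  statement {
    sid       = "PublishAlertsToSNS"
    effect    = "Allow"
    actions   = ["sns:Publish"]
    resources = [local.config_sns_topic_arn]
  }

  statement {
    sid    = "PermissionsForRuleChecks"
    effect = "Allow"
    actions = [
      # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
      "kms:DescribeKey"
    ]
    # Read-only describe on every key in the account; needed because Config
    # rules may evaluate resources encrypted with any key.
    resources = ["*"]
  }
}

resource "aws_iam_policy" "awsconfig" {
  name_prefix = "awsconfig-"
  policy      = data.aws_iam_policy_document.awsconfig.json
  tags        = merge(local.standard_tags, var.tags)
}

# Trust policy: only the AWS Config service may assume the role.
data "aws_iam_policy_document" "assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "awsconfig" {
  name_prefix        = "aws-config-role"
  path               = "/aws_services/"
  assume_role_policy = data.aws_iam_policy_document.assume.json
  tags               = merge(local.standard_tags, var.tags)
}

# AWS-managed baseline for the Config service role.
resource "aws_iam_role_policy_attachment" "awsconfig_managed_policy" {
  role       = aws_iam_role.awsconfig.name
  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWS_ConfigRole"
}

# Account-local additions defined above.
resource "aws_iam_role_policy_attachment" "awsconfig_local_policy" {
  role       = aws_iam_role.awsconfig.name
  policy_arn = aws_iam_policy.awsconfig.arn
}

################ Config Recorder

# Records every supported resource type, including global ones (e.g. IAM),
# in this region.
resource "aws_config_configuration_recorder" "awsconfig_recorder" {
  name     = "xdr-config-recorder"
  role_arn = aws_iam_role.awsconfig.arn

  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

# Where the recorder delivers snapshots and change notifications. The bucket
# and topic are the same targets the IAM policy above grants access to.
resource "aws_config_delivery_channel" "awsconfig_delivery_channel" {
  name           = "xdr-config-delivery-channel"
  s3_bucket_name = local.config_bucket_name
  sns_topic_arn  = local.config_sns_topic_arn

  snapshot_delivery_properties {
    delivery_frequency = "One_Hour"
  }

  # A delivery channel cannot exist before a recorder.
  depends_on = [aws_config_configuration_recorder.awsconfig_recorder]
}

# Start the recorder only once its delivery channel exists; the name is taken
# from the recorder resource so the two cannot diverge.
resource "aws_config_configuration_recorder_status" "awsconfig_recorder_status" {
  name       = aws_config_configuration_recorder.awsconfig_recorder.name
  is_enabled = true

  depends_on = [aws_config_delivery_channel.awsconfig_delivery_channel]
}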