AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138
							resource "aws_config_configuration_aggregator" "account" {
  name = "xdr-aggregator-${var.environment}"

  account_aggregation_source {
    account_ids = local.responsible_accounts[var.environment]
    all_regions = true
  }
}

# tfsec:ignore:aws-sns-enable-topic-encryption
resource "aws_sns_topic" "config-notifications" {
  name = "config-notifications"
  #kms_master_key_id = aws_kms_key.config-notifications-key.id # TODO
}

resource "aws_sns_topic_policy" "config-notifications" {
  arn    = aws_sns_topic.config-notifications.arn
  policy = data.aws_iam_policy_document.config-sns.json
}

data "aws_iam_policy_document" "config-sns" {
  statement {
    sid       = "AllowConfig"
    actions   = ["SNS:Publish"]
    effect    = "Allow"
    resources = [aws_sns_topic.config-notifications.arn]
    principals {
      type        = "AWS"
      identifiers = [for a in local.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
    }
  }
}

resource "aws_sqs_queue" "config-notifications" {
  name                              = "config-notifications"
  visibility_timeout_seconds        = 300    # wait 5 minutes before allowing a different splunk instance to process the same message
  message_retention_seconds         = 604800 # Keep a message in the queue for 7 days
  receive_wait_time_seconds         = 0      # how long to wait for a message before returning
  redrive_policy                    = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.config-notifications-dlq.arn}\",\"maxReceiveCount\":4}"
  tags                              = merge(local.standard_tags, var.tags)
  kms_master_key_id                 = aws_kms_key.config-notifications-key.id
  kms_data_key_reuse_period_seconds = 3600
}

data "aws_iam_policy_document" "config-notifications-sns-topic-can-publish" {
  statement {
    effect = "Allow"

    principals {
      identifiers = ["*"]
      type        = "AWS"
    }

    actions = ["SQS:SendMessage"]

    resources = [aws_sqs_queue.config-notifications.arn]

    condition {
      test     = "ArnEquals"
      values   = [aws_sns_topic.config-notifications.arn]
      variable = "aws:SourceArn"
    }
  }
}

// Dead Letter queue, use same parameters as main queue
resource "aws_sqs_queue" "config-notifications-dlq" {
  name                              = "config-notifications-dlq"
  message_retention_seconds         = 300
  receive_wait_time_seconds         = 0
  tags                              = merge(local.standard_tags, var.tags)
  kms_master_key_id                 = aws_kms_key.config-notifications-key.id
  kms_data_key_reuse_period_seconds = 3600
}

resource "aws_sqs_queue_policy" "config-notifications-can-publish" {
  policy    = data.aws_iam_policy_document.config-notifications-sns-topic-can-publish.json
  queue_url = aws_sqs_queue.config-notifications.id
}

resource "aws_sns_topic_subscription" "config-notifications-to-queue" {
  topic_arn = aws_sns_topic.config-notifications.arn
  protocol  = "sqs"
  endpoint  = aws_sqs_queue.config-notifications.arn
}

resource "aws_kms_key" "config-notifications-key" {
  description         = "Encryption of SNS and SQS queue for config change notifications"
  policy              = data.aws_iam_policy_document.config-notifications-kms-policy.json
  enable_key_rotation = true
}

data "aws_iam_policy_document" "config-notifications-kms-policy" {
  statement {
    sid    = "AllowServices"
    effect = "Allow"
    principals {
      identifiers = ["config.amazonaws.com", "sns.amazonaws.com", "sqs.amazonaws.com"]
      type        = "Service"
    }
    actions = [
      "kms:GenerateDataKey",
      "kms:Decrypt"
    ]
    resources = ["*"]
  }
  statement {
    sid    = "AllowOtherAccounts"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [for a in local.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
    }
    actions = [
      "kms:GenerateDataKey",
      "kms:Encrypt"
    ]
    resources = ["*"]
  }
  # allow account to modify/manage key
  statement {
    sid    = "AllowThisAccount"
    effect = "Allow"
    principals {
      identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
      type        = "AWS"
    }
    actions = [
      "kms:*"
    ]
    resources = ["*"]
  }
}

resource "aws_kms_alias" "config-notifications-key-alias" {
  name          = "alias/config-notifications-key"
  target_key_id = aws_kms_key.config-notifications-key.key_id
}