AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137
							resource "aws_config_configuration_aggregator" "account" {
  name = "xdr-aggregator-${var.environment}"

  account_aggregation_source {
    account_ids = var.responsible_accounts[var.environment]
    all_regions = true
  }
}

resource "aws_sns_topic" "config-notifications" {
  name              = "config-notifications"
  #kms_master_key_id = aws_kms_key.config-notifications-key.id # TODO
}

resource "aws_sns_topic_policy" "config-notifications" {
  arn    = aws_sns_topic.config-notifications.arn
  policy = data.aws_iam_policy_document.config-sns.json
}

data "aws_iam_policy_document" "config-sns" {
  statement {
    sid = "AllowConfig"
    actions = [ "SNS:Publish" ]
    effect = "Allow"
    resources = [ aws_sns_topic.config-notifications.arn ]
    principals {
      type = "AWS"
      identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
    }
  }
}

resource "aws_sqs_queue" "config-notifications" {
  name                       = "config-notifications"
  visibility_timeout_seconds = 300 # wait 5 minutes before allowing a different splunk instance to process the same message
  message_retention_seconds  = 604800 # Keep a message in the queue for 7 days
  receive_wait_time_seconds  = 0 # how long to wait for a message before returning
  redrive_policy             = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.config-notifications-dlq.arn}\",\"maxReceiveCount\":4}"
  tags                       = merge(var.standard_tags, var.tags)
  kms_master_key_id          = aws_kms_key.config-notifications-key.id
  kms_data_key_reuse_period_seconds = 3600
}

data "aws_iam_policy_document" "config-notifications-sns-topic-can-publish" {
  statement {
    effect = "Allow"

    principals {
      identifiers = [ "*" ]
      type = "AWS"
    }

    actions = [ "SQS:SendMessage" ]

    resources = [ aws_sqs_queue.config-notifications.arn ]

    condition {
      test = "ArnEquals"
      values = [ aws_sns_topic.config-notifications.arn ]
      variable = "aws:SourceArn"
    }
  }
}

// Dead Letter queue, use same parameters as main queue
resource "aws_sqs_queue" "config-notifications-dlq" {
  name                      = "config-notifications-dlq"
  message_retention_seconds = 300
  receive_wait_time_seconds = 0
  tags                      = merge(var.standard_tags, var.tags)
  kms_master_key_id         = aws_kms_key.config-notifications-key.id
  kms_data_key_reuse_period_seconds = 3600
}

resource "aws_sqs_queue_policy" "config-notifications-can-publish" {
  policy    = data.aws_iam_policy_document.config-notifications-sns-topic-can-publish.json
  queue_url = aws_sqs_queue.config-notifications.id
}

resource "aws_sns_topic_subscription" "config-notifications-to-queue" {
  topic_arn = aws_sns_topic.config-notifications.arn
  protocol  = "sqs"
  endpoint  = aws_sqs_queue.config-notifications.arn
}

resource "aws_kms_key" "config-notifications-key" {
  description             = "Encryption of SNS and SQS queue for config change notifications"
  policy                  = data.aws_iam_policy_document.config-notifications-kms-policy.json
  enable_key_rotation     = true
}

data "aws_iam_policy_document" "config-notifications-kms-policy" {
  statement {
    sid = "AllowServices"
    effect = "Allow"
    principals {
      identifiers = ["config.amazonaws.com", "sns.amazonaws.com", "sqs.amazonaws.com"]
      type = "Service"
    }
    actions = [
      "kms:GenerateDataKey",
      "kms:Decrypt"
    ]
    resources = [ "*" ]
  }
  statement {
    sid = "AllowOtherAccounts"
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
    }
    actions = [
      "kms:GenerateDataKey",
      "kms:Encrypt"
    ]
    resources = [ "*" ]
  }
  # allow account to modify/manage key
  statement {
    sid = "AllowThisAccount"
    effect = "Allow"
    principals {
      identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
      type = "AWS"
    }
    actions = [
      "kms:*"
    ]
    resources = ["*"]
  }
}

resource "aws_kms_alias" "config-notifications-key-alias" {
  name          = "alias/config-notifications-key"
  target_key_id = aws_kms_key.config-notifications-key.key_id
}