| 1234567891011121314151617181920212223242526272829303132333435363738394041424344 |
- resource "aws_config_configuration_aggregator" "account" {
- name = "xdr-aggregator-${var.environment}"
- account_aggregation_source {
- account_ids = var.responsible_accounts[var.environment]
- all_regions = true
- }
- }
- resource "aws_sns_topic" "account-alerts" {
- name = "account-alerts"
- #kms_master_key_id = "alias/aws/sns" # TODO
- }
- resource "aws_sns_topic_policy" "account-alerts" {
- arn = aws_sns_topic.account-alerts.arn
- policy = data.aws_iam_policy_document.config-sns.json
- }
- data "aws_iam_policy_document" "config-sns" {
- statement {
- sid = "AllowConfig"
- actions = [ "SNS:Publish" ]
- effect = "Allow"
- resources = [ aws_sns_topic.account-alerts.arn ]
- principals {
- type = "AWS"
- identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
- }
- }
- # This is for a service-linked role, but from https://docs.aws.amazon.com/config/latest/developerguide/sns-topic-policy.html:
- # "AWS Config does not recommend using a service-linked role when using Amazon SNS topic from other accounts."
- # statement {
- # sid = "AllowConfigServer"
- # effect = "Allow",
- # principals {
- # type = "AWS"
- # resources = [ ]
- # }
- # actions = [ "SNS:Publish", ]
- # resources = [ aws_sns_topic.account-alerts.arn ]
- # }
- }
|
