AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102
							# Approve the aggregator in C2
resource "aws_config_aggregate_authorization" "authorization" {
  account_id = local.c2_account
  region     = var.aws_region
  tags       = merge(var.standard_tags, var.tags)
}

output authorizations {
  value = aws_config_aggregate_authorization.authorization
}

########### IAM Role for AWS Config
data "aws_iam_policy_document" "awsconfig" {
  statement {
    effect  = "Allow"
    actions = ["s3:PutObject"]
    resources = [
      "arn:${var.aws_partition}:s3:::xdr-config-${local.logging_environment}/*",
    ]
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
  statement {
    effect  = "Allow"
    actions = ["s3:GetBucketAcl"]
    resources = [
      "arn:${var.aws_partition}:s3:::xdr-config-${local.logging_environment}/*",
    ]
  }

  statement {
    effect = "Allow"
    actions = [ "sns:Publish" ]
    resources = [ "arn:${var.aws_partition}:sns:${var.aws_region}:${local.c2_account}:account-alerts" ]
  }
}

resource "aws_iam_policy" "awsconfig" {
  name_prefix = "awsconfig-"
  policy      = data.aws_iam_policy_document.awsconfig.json
}

data "aws_iam_policy_document" "assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "awsconfig" {
  name_prefix        = "aws-config-role"
  path               = "/aws_services/"
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

resource "aws_iam_role_policy_attachment" "awsconfig_managed_policy" {
  role       = aws_iam_role.awsconfig.name
  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSConfigRole"
}

resource "aws_iam_role_policy_attachment" "awsconfig_local_policy" {
  role       = aws_iam_role.awsconfig.name
  policy_arn = aws_iam_policy.awsconfig.arn
}

################ Config Recorder
resource "aws_config_configuration_recorder" "awsconfig_recorder" {
  name     = "xdr-config-recorder"
  role_arn = aws_iam_role.awsconfig.arn

  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

resource "aws_config_delivery_channel" "awsconfig_delivery_channel" {
  name           = "xdr-config-delivery-channel"
  s3_bucket_name = "xdr-config-${local.logging_environment}"
  sns_topic_arn  = "arn:${var.aws_partition}:sns:${var.aws_region}:${local.c2_account}:account-alerts"

  snapshot_delivery_properties {
    delivery_frequency = "One_Hour"
  }

  depends_on = [aws_config_configuration_recorder.awsconfig_recorder]
}

resource "aws_config_configuration_recorder_status" "awsconfig_recorder_status" {
  name       = "xdr-config-recorder"
  is_enabled = true

  depends_on = [aws_config_delivery_channel.awsconfig_delivery_channel]
}