
  # Authorize the Config aggregator that lives in the C2 account to collect
  # this account's configuration data for the region being deployed.
  resource "aws_config_aggregate_authorization" "authorization" {
    region     = var.aws_region
    account_id = local.c2_account

    tags = merge(var.standard_tags, var.tags)
  }
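  # Expose the authorization so callers can read the account/region the
  # aggregator was approved for.  The label is quoted to match the rest of
  # this file (and terraform fmt); a description is added for module users.
  output "authorizations" {
    description = "aws_config_aggregate_authorization granted to the C2 aggregator"
    value       = aws_config_aggregate_authorization.authorization
  }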
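  ########### IAM Role for AWS Config

  # Inline permissions the Config service role needs on top of the AWS managed
  # policy: deliver snapshots/history to the logging bucket, publish delivery
  # notifications to the C2 SNS topic, and describe KMS keys during rule
  # evaluation.
  data "aws_iam_policy_document" "awsconfig" {
    # Object writes into the logging bucket.  The ACL condition restricts
    # writes to bucket-owner-full-control, which is the ACL Config delivers
    # with, so any other write mode is denied.
    statement {
      sid     = "PutConfigS3BucketObjects"
      effect  = "Allow"
      actions = ["s3:PutObject"]
      resources = [
        "arn:${var.aws_partition}:s3:::xdr-config-${local.logging_environment}/*",
      ]

      condition {
        test     = "StringEquals"
        variable = "s3:x-amz-acl"
        values   = ["bucket-owner-full-control"]
      }
    }

    # s3:GetBucketAcl is a bucket-level action, so it has to be granted on the
    # bucket ARN itself.  The previous object-level ".../*" ARN never matches
    # a bucket, which made this statement a no-op and could fail delivery.
    statement {
      sid     = "GetConfigS3BucketACL"
      effect  = "Allow"
      actions = ["s3:GetBucketAcl"]
      resources = [
        "arn:${var.aws_partition}:s3:::xdr-config-${local.logging_environment}",
      ]
    }

    # Delivery notifications go to the topic owned by the C2 account; the same
    # ARN is used by the delivery channel's sns_topic_arn.
    statement {
      sid       = "PublishAlertsToSNS"
      effect    = "Allow"
      actions   = ["sns:Publish"]
      resources = ["arn:${var.aws_partition}:sns:${var.aws_region}:${local.c2_account}:config-notifications"]
    }

    # Key ARNs are not known at plan time, so DescribeKey is granted on "*".
    # This is limited to a single read-only metadata action; narrow it to
    # explicit key ARNs if they become known.
    statement {
      sid       = "PermissionsForRuleChecks"
      effect    = "Allow"
      actions   = ["kms:DescribeKey"]
      resources = ["*"]
    }
  }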
  # Customer managed policy rendered from the document above.  name_prefix lets
  # Terraform append a unique suffix so a replacement never collides with the
  # policy it supersedes.
  resource "aws_iam_policy" "awsconfig" {
    policy      = data.aws_iam_policy_document.awsconfig.json
    name_prefix = "awsconfig-"
  }
  # Trust policy: only the AWS Config service principal may assume the role.
  # NOTE(review): AWS recommends an aws:SourceAccount condition on service
  # trust policies as a confused-deputy guard; it needs the current account
  # id (e.g. from an aws_caller_identity data source), which this file does
  # not currently expose, so it is left for a follow-up.
  data "aws_iam_policy_document" "assume" {
    statement {
      actions = ["sts:AssumeRole"]
      effect  = "Allow"

      principals {
        identifiers = ["config.amazonaws.com"]
        type        = "Service"
      }
    }
  }
  # Service role assumed by AWS Config.  Placed under /aws_services/ so it is
  # easy to separate from human roles in IAM listings.
  resource "aws_iam_role" "awsconfig" {
    assume_role_policy = data.aws_iam_policy_document.assume.json
    path               = "/aws_services/"
    name_prefix        = "aws-config-role"
  }
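  # AWS managed policy that lets Config describe resources in this account.
  # AWSConfigRole is deprecated by AWS; AWS_ConfigRole is its documented
  # successor and is the policy the Config service role should carry.
  resource "aws_iam_role_policy_attachment" "awsconfig_managed_policy" {
    role       = aws_iam_role.awsconfig.name
    policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWS_ConfigRole"
  }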
  # Attach the customer managed delivery/notification policy to the same role.
  resource "aws_iam_role_policy_attachment" "awsconfig_local_policy" {
    policy_arn = aws_iam_policy.awsconfig.arn
    role       = aws_iam_role.awsconfig.name
  }
  ################ Config Recorder

  # Records every supported regional resource type plus global types (IAM etc.)
  # using the service role defined above.
  resource "aws_config_configuration_recorder" "awsconfig_recorder" {
    role_arn = aws_iam_role.awsconfig.arn
    name     = "xdr-config-recorder"

    recording_group {
      include_global_resource_types = true
      all_supported                 = true
    }
  }
  # Delivers configuration snapshots/history to the logging bucket the role's
  # policy grants access to, with notifications to the C2 SNS topic.
  # A delivery channel cannot be created before a recorder exists, hence the
  # explicit depends_on.
  resource "aws_config_delivery_channel" "awsconfig_delivery_channel" {
    sns_topic_arn  = "arn:${var.aws_partition}:sns:${var.aws_region}:${local.c2_account}:config-notifications"
    s3_bucket_name = "xdr-config-${local.logging_environment}"
    name           = "xdr-config-delivery-channel"

    # Hourly snapshots of the full configuration.
    snapshot_delivery_properties {
      delivery_frequency = "One_Hour"
    }

    depends_on = [aws_config_configuration_recorder.awsconfig_recorder]
  }
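  # Turn the recorder on once the delivery channel exists.  The name is taken
  # from the recorder resource rather than repeated as a literal, so the two
  # cannot drift apart and Terraform sees the dependency directly.
  resource "aws_config_configuration_recorder_status" "awsconfig_recorder_status" {
    name       = aws_config_configuration_recorder.awsconfig_recorder.name
    is_enabled = true

    depends_on = [aws_config_delivery_channel.awsconfig_delivery_channel]
  }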