Refine config modules

tedilabs · Dec 7, 2023 · 1463825 · 1463825
1 parent 9e203b8
commit 1463825
Show file tree

Hide file tree

Showing 15 changed files with 3,586 additions and 336 deletions.
diff --git a/examples/config-recorder-simple/main.tf b/examples/config-recorder-simple/main.tf
@@ -0,0 +1,31 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+
+###################################################
+# Config Recorder
+###################################################
+
+module "recorder" {
+  source = "../../modules/config-recorder"
+  # source  = "tedilabs/security/aws//modules/config-recorder"
+  # version = "~> 0.6.0"
+
+  name    = "test"
+  enabled = true
+
+  scope = {
+    strategy = "ALL_WITHOUT_GLOBAL"
+  }
+
+  delivery_channels = {
+    s3_bucket = {
+      name = module.bucket.name
+    }
+  }
+
+  tags = {
+    "project" = "terraform-aws-security-examples"
+  }
+}
diff --git a/examples/config-recorder-simple/outputs.tf b/examples/config-recorder-simple/outputs.tf
@@ -0,0 +1,3 @@
+output "recorder" {
+  value = module.recorder
+}
diff --git a/examples/config-recorder-simple/s3.tf b/examples/config-recorder-simple/s3.tf
@@ -0,0 +1,73 @@
+data "aws_iam_policy_document" "config" {
+  statement {
+    sid = "AWSConfigBucketExistenceAndPermissionsCheck"
+
+    effect = "Allow"
+    actions = [
+      "s3:GetBucketAcl",
+      "s3:ListBucket",
+    ]
+    resources = [
+      module.bucket.arn,
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
+    }
+  }
+  statement {
+    sid = "AWSConfigBucketDelivery"
+
+    effect = "Allow"
+    actions = [
+      "s3:PutObject",
+    ]
+    resources = [
+      module.bucket.arn,
+      "${module.bucket.arn}/AWSLogs/*/Config/*",
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+  }
+}
+
+
+###################################################
+# S3 Bucket
+###################################################
+
+resource "random_string" "this" {
+  length  = 32
+  special = false
+  numeric = false
+  upper   = false
+}
+
+locals {
+  bucket_name = random_string.this.id
+}
+
+module "bucket" {
+  source  = "tedilabs/data/aws//modules/s3-bucket"
+  version = "~> 0.6.0"
+
+  name          = local.bucket_name
+  force_destroy = true
+
+  policy = data.aws_iam_policy_document.config.json
+
+  tags = {
+    "project" = "terraform-aws-data-examples"
+  }
+}
+
+
diff --git a/examples/config-recorder-simple/versions.tf b/examples/config-recorder-simple/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = "~> 1.6"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
diff --git a/modules/config-managed-rule/raw.json b/modules/config-managed-rule/raw.json