config-recorder

This module creates the following resources.

  • aws_config_configuration_recorder
  • aws_config_configuration_recorder_status
  • aws_config_delivery_channel
  • aws_config_aggregate_authorization (optional)
  • aws_config_configuration_aggregator (optional)
  • aws_config_retention_configuration
  • aws_iam_role
  • aws_iam_role_policy
  • aws_iam_role_policy_attachment

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.6 |
| aws | >= 5.39 |

Providers

| Name | Version |
|------|---------|
| aws | 5.48.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| resource_group | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
| role__aggregator | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 |
| role__recorder | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 |

Resources

| Name | Type |
|------|------|
| aws_config_aggregate_authorization.this | resource |
| aws_config_configuration_aggregator.account | resource |
| aws_config_configuration_aggregator.organization | resource |
| aws_config_configuration_recorder.this | resource |
| aws_config_configuration_recorder_status.this | resource |
| aws_config_delivery_channel.this | resource |
| aws_config_retention_configuration.this | resource |
| aws_caller_identity.this | data source |
| aws_iam_policy_document.aggregation | data source |
| aws_iam_policy_document.delivery | data source |

Inputs

Each input is listed with its type, default and whether it is required, followed by its description.

delivery_channels
Type: object (see below). Default: n/a. Required: yes.
(Required) A configuration for the delivery channels of the configuration recorder. delivery_channels as defined below.
  • (Required) s3_bucket - A configuration for the S3 Bucket delivery channel. s3_bucket as defined below.
    • (Required) name - The name of the S3 bucket used to store the configuration history. The bucket policy must allow the config.amazonaws.com service principal to write to it, or deliveries fail.
    • (Optional) key_prefix - The key prefix for the specified S3 bucket.
    • (Optional) sse_kms_key - The ARN of the AWS KMS key used to encrypt objects delivered by AWS Config. Must belong to the same Region as the destination S3 bucket.
  • (Optional) sns_topic - A configuration for the SNS Topic delivery channel. sns_topic as defined below.
    • (Optional) enabled - Whether to enable the SNS Topic delivery channel. Defaults to false.
    • (Optional) arn - The ARN of the SNS topic that AWS Config delivers notifications to.

```hcl
object({
  s3_bucket = object({
    name        = string
    key_prefix  = optional(string)
    sse_kms_key = optional(string)
  })
  sns_topic = optional(object({
    enabled = optional(bool, false)
    arn     = optional(string)
  }), {})
})
```

account_aggregations
Type: list(object) (see below). Default: []. Required: no.
(Optional) A list of configurations to aggregate config data from individual accounts. Each item of account_aggregations as defined below.
  • (Required) name - The name of the account aggregation.
  • (Required) accounts - A list of account IDs to be aggregated.
  • (Optional) regions - A list of regions to aggregate data from. Aggregates from all supported regions if regions is missing.
  • (Optional) tags - A map of tags to add to the account aggregation resource.

```hcl
list(object({
  name     = string
  accounts = set(string)
  regions  = optional(set(string), [])
  tags     = optional(map(string), {})
}))
```

authorized_aggregators
Type: list(object) (see below). Default: []. Required: no.
(Optional) A list of authorized aggregators, allowing an aggregator account and region to collect this account's AWS Config configuration and compliance data. Each item of authorized_aggregators as defined below.
  • (Required) account - The account ID of the account authorized to aggregate data.
  • (Required) region - The region authorized to collect aggregated data.
  • (Optional) tags - A map of tags to add to the authorized aggregator resource.

```hcl
list(object({
  account = string
  region  = string
  tags    = optional(map(string), {})
}))
```

default_organization_aggregator_role
Type: object (see below). Default: {}. Required: no.
(Optional) A configuration for the default service role to use for the organization aggregator in Config. Use organization_aggregator_role if default_organization_aggregator_role.enabled is false. default_organization_aggregator_role as defined below.
  • (Optional) enabled - Whether to create the default organization aggregator role. Defaults to true.
  • (Optional) name - The name of the default organization aggregator role. Defaults to config-configuration-aggregator-${var.name}.
  • (Optional) path - The path of the default organization aggregator role. Defaults to /.
  • (Optional) description - The description of the default organization aggregator role.
  • (Optional) policies - A list of IAM policy ARNs to attach to the default organization aggregator role. AWSConfigRoleForOrganizations is always attached. Defaults to [].
  • (Optional) inline_policies - A map of inline IAM policies to attach to the default organization aggregator role (name => policy).

```hcl
object({
  enabled     = optional(bool, true)
  name        = optional(string)
  path        = optional(string, "/")
  description = optional(string, "Managed by Terraform.")

  policies        = optional(list(string), [])
  inline_policies = optional(map(string), {})
})
```

default_service_role
Type: object (see below). Default: {}. Required: no.
(Optional) A configuration for the default service role to use for the Config recorder. Use service_role if default_service_role.enabled is false. default_service_role as defined below.
  • (Optional) enabled - Whether to create the default service role. Defaults to true.
  • (Optional) name - The name of the default service role. Defaults to config-configuration-recorder-${var.name}.
  • (Optional) path - The path of the default service role. Defaults to /.
  • (Optional) description - The description of the default service role.
  • (Optional) policies - A list of IAM policy ARNs to attach to the default service role. AWS_ConfigRole is always attached. Defaults to [].
  • (Optional) inline_policies - A map of inline IAM policies to attach to the default service role (name => policy).

```hcl
object({
  enabled     = optional(bool, true)
  name        = optional(string)
  path        = optional(string, "/")
  description = optional(string, "Managed by Terraform.")

  policies        = optional(list(string), [])
  inline_policies = optional(map(string), {})
})
```

enabled
Type: bool. Default: true. Required: no.
(Optional) Whether the configuration recorder should be enabled or disabled. Defaults to true.

module_tags_enabled
Type: bool. Default: true. Required: no.
(Optional) Whether to create AWS Resource Tags for the module information.

name
Type: string. Default: "default". Required: no.
(Optional) The name of the recorder. Defaults to default. Changing it recreates the resource.

organization_aggregation
Type: object (see below). Default: {}. Required: no.
(Optional) A configuration to aggregate config data from organization accounts. organization_aggregation as defined below.
  • (Optional) enabled - Whether to enable the organization aggregation. Defaults to false.
  • (Optional) name - The name of the organization aggregation. Defaults to organization.
  • (Optional) regions - A list of regions to aggregate data from. Aggregates from all supported regions if regions is missing.
  • (Optional) tags - A map of tags to add to the organization aggregation resource.

```hcl
object({
  enabled = optional(bool, false)
  name    = optional(string, "organization")
  regions = optional(set(string), [])
  tags    = optional(map(string), {})
})
```

organization_aggregator_role
Type: string. Default: null. Required: no.
(Optional) The ARN (Amazon Resource Name) of the IAM Role that provides permissions for the organization aggregator in Config. Only required if default_organization_aggregator_role.enabled is false.

recording_frequency
Type: object (see below). Default: {}. Required: no.
(Optional) A configuration for the recording frequency mode of the AWS Config configuration recorder. recording_frequency as defined below.
  • (Optional) mode - The recording frequency mode for the recorder. Valid values are CONTINUOUS, DAILY. Defaults to CONTINUOUS.
    • CONTINUOUS: Continuous recording records configuration changes whenever a change occurs.
    • DAILY: Daily recording delivers one configuration item (CI) representing the most recent state of each resource over the last 24-hour period, and only if it differs from the previous CI recorded.
  • (Optional) overrides - A list of configurations to override the recording frequency for specific resource types. Each block of overrides as defined below.
    • (Required) resource_types - A set of resource types to override the recording frequency mode for. For example, AWS::EC2::Instance or AWS::CloudTrail::Trail.
    • (Required) mode - The recording frequency mode to apply to all the resource types specified in resource_types. Valid values are CONTINUOUS, DAILY.
    • (Optional) description - The description of the override. Defaults to Managed by Terraform.

```hcl
object({
  mode = optional(string, "CONTINUOUS")
  overrides = optional(list(object({
    resource_types = set(string)
    mode           = string
    description    = optional(string, "Managed by Terraform.")
  })), [])
})
```

resource_group_description
Type: string. Default: "Managed by Terraform.". Required: no.
(Optional) The description of the Resource Group.

resource_group_enabled
Type: bool. Default: true. Required: no.
(Optional) Whether to create a Resource Group to find and group AWS resources which are created by this module.

resource_group_name
Type: string. Default: "". Required: no.
(Optional) The name of the Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with AWS or aws.

retention_period
Type: number. Default: 2557. Required: no.
(Optional) The number of days AWS Config stores historical information. Valid range is between a minimum period of 30 days and a maximum period of 7 years (2557 days). Defaults to 2557 (7 years).

scope
Type: object (see below). Default: {}. Required: no.
(Optional) A configuration for the scope of the AWS Config configuration recorder. scope as defined below.
  • (Optional) strategy - The recording strategy for the configuration recorder. Valid values are ALL_WITHOUT_GLOBAL, ALL, WHITELIST, BLACKLIST. Defaults to ALL_WITHOUT_GLOBAL. Global resource types (for example IAM) should be recorded by only one recorder in one region, otherwise every region produces a duplicate configuration item for the same resource.
  • (Optional) resource_types - A list of resource types to include/exclude for recording. For example, AWS::EC2::Instance or AWS::CloudTrail::Trail. Only needed when strategy is configured as WHITELIST or BLACKLIST.

```hcl
object({
  strategy       = optional(string, "ALL_WITHOUT_GLOBAL")
  resource_types = optional(set(string), [])
})
```

service_role
Type: string. Default: null. Required: no.
(Optional) The ARN (Amazon Resource Name) of the IAM Role that provides permissions for the Config Recorder. Only required if default_service_role.enabled is false.

snapshot_delivery
Type: object (see below). Default: {}. Required: no.
(Optional) A configuration for the configuration snapshot delivery of the recorder. snapshot_delivery as defined below.
  • (Optional) enabled - Whether to enable the configuration snapshot delivery. Defaults to false.
  • (Optional) frequency - The frequency with which AWS Config recurringly delivers configuration snapshots. Valid values are 1h, 3h, 6h, 12h, or 24h.

```hcl
object({
  enabled   = optional(bool, false)
  frequency = optional(string, "24h")
})
```

tags
Type: map(string). Default: {}. Required: no.
(Optional) A map of tags to add to all resources.
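The following is an added usage example; it is not part of this module's README or code. It wires up a delivery bucket with the bucket policy AWS Config requires (the delivery channel is created without it, but every delivery then fails), and a recorder that records most resource types daily while recording a few security-relevant regional types continuously. The relative module source path, the bucket name, the aggregator account ID and the regions are assumptions.

```hcl
# Added example, not the module's own code. Assumed: module source path,
# bucket name, aggregator account "111111111111" and region "us-east-1".

data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "config_history" {
  bucket = "example-config-history-${data.aws_caller_identity.current.account_id}" # assumed name
}

# Bucket policy as documented by AWS for Config delivery. AWS:SourceAccount
# stops the Config service acting for another account from writing here.
data "aws_iam_policy_document" "config_delivery" {
  statement {
    sid       = "AWSConfigBucketPermissionsCheck"
    actions   = ["s3:GetBucketAcl", "s3:ListBucket"]
    resources = [aws_s3_bucket.config_history.arn]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }

  statement {
    sid     = "AWSConfigBucketDelivery"
    actions = ["s3:PutObject"]
    # key_prefix below is "config", so objects land under config/AWSLogs/<account>/Config/
    resources = ["${aws_s3_bucket.config_history.arn}/config/AWSLogs/${data.aws_caller_identity.current.account_id}/Config/*"]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_s3_bucket_policy" "config_history" {
  bucket = aws_s3_bucket.config_history.id
  policy = data.aws_iam_policy_document.config_delivery.json
}

module "config_recorder" {
  source = "../../modules/config-recorder" # assumed path to this module

  name    = "default"
  enabled = true

  delivery_channels = {
    s3_bucket = {
      name       = aws_s3_bucket.config_history.id
      key_prefix = "config"
    }
  }

  # Regional types only; global types such as IAM belong to one recorder in one region.
  scope = {
    strategy = "ALL_WITHOUT_GLOBAL"
  }

  # Daily by default, continuous where the exact time of a change matters.
  recording_frequency = {
    mode = "DAILY"
    overrides = [{
      resource_types = ["AWS::EC2::SecurityGroup", "AWS::EC2::NetworkAcl", "AWS::CloudTrail::Trail"]
      mode           = "CONTINUOUS"
      description    = "Network boundary and audit-trail changes are recorded as they happen."
    }]
  }

  snapshot_delivery = {
    enabled   = true
    frequency = "24h"
  }

  retention_period = 2557

  # Allow the (assumed) security-tooling account to aggregate this account's data.
  authorized_aggregators = [{
    account = "111111111111"
    region  = "us-east-1"
  }]

  depends_on = [aws_s3_bucket_policy.config_history]
}
```

The depends_on on the module call makes Terraform create the bucket policy before the delivery channel, so the first delivery does not fail on a bucket that is not yet writable. The aggregator account itself would use the same module with organization_aggregation or account_aggregations set instead of authorized_aggregators.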

Outputs

account_aggregations - A list of configurations to aggregate config data from individual accounts.

authorized_aggregators - A list of authorized aggregators allowed to collect AWS Config configuration and compliance data.

delivery_channels - The configuration of delivery channels of the recorder.
  • s3_bucket - The configuration for the S3 Bucket delivery channel.
  • sns_topic - The configuration for the SNS Topic delivery channel.

enabled - Whether the configuration recorder is enabled.

id - The ID of the recorder.

name - The name of the recorder.

organization_aggregation - The configuration to aggregate config data from organization accounts.

recording_frequency - The configuration for the recording frequency mode of the recorder.
  • mode - The recording frequency mode for the recorder.
  • overrides - The configurations to override the recording frequency for specific resource types.

retention_period - The number of days AWS Config stores historical information.

scope - The configuration that specifies the types of AWS resources for which AWS Config records configuration changes.
  • strategy - The recording strategy for the configuration recorder.
  • resource_types - A list of resource types to include/exclude for recording.

service_role - The Amazon Resource Name (ARN) of the IAM role for the recorder.

snapshot_delivery - The configuration for the configuration snapshot delivery of the recorder.
  • enabled - Whether the configuration snapshot delivery is enabled.
  • frequency - The frequency with which AWS Config recurringly delivers configuration snapshots.