Primary language: HCL. License: Apache-2.0.

Contact Us | Stratusphere FinOps | StratusGrid Home | Blog

terraform-aws-config-recorder

GitHub: StratusGrid/terraform-aws-config-recorder

This module configures the AWS Config recorder for an AWS account.

Examples

example 1

```hcl
### Basic Usage

# Configures Config Recorder, IAM Role, and SNS Topic for an AWS account's region. Requires that you already have a bucket configured for it.
# Recording strategy is the AWS default "Continuous"
# It doesn't include global resources because `include_global_resource_types = false` by default
# snapshot_delivery_frequency defaults to `Three_Hours`
# s3_key_prefix defaults to `config`
# Valid Recording Frequency Options can be found here: https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigSnapshotDeliveryProperties.html#API_ConfigSnapshotDeliveryProperties_Contents

# Module Instantiation
module "aws_config_recorder" {
  source  = "StratusGrid/config-recorder/aws"
  # StratusGrid recommends pinning every module to a specific version
  version = "x.x.x"

  # Set to true to create the IAM role
  create_iam_role = true

  log_bucket_id = "aws-config-bucket-example"
}
```

example 2

```hcl
### Set recorder, and aggregator of other accounts.

# Configures Config Recorder, IAM Role, and SNS Topic for an AWS account's region. Requires that you already have a bucket configured for it.
# Change recording_frequency to DAILY
# Remove default s3_key_prefix
# Add subscriber to the SNS Topic
# Change snapshot_delivery_frequency to TwentyFour_Hours
# Valid Recording Frequency Options can be found here: https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigSnapshotDeliveryProperties.html#API_ConfigSnapshotDeliveryProperties_Contents
#
# Create aggregator in this account and region
# Set source accounts and regions for the aggregator

# Module Instantiation
module "aws_config_recorder" {
  source  = "StratusGrid/config-recorder/aws"
  # StratusGrid recommends pinning every module to a specific version
  version = "x.x.x"

  # Set to true to create the IAM role
  create_iam_role = true

  recording_mode = {
    recording_frequency = "DAILY"
  }

  log_bucket_id = "aws-config-bucket-example"

  # Default used by the module is "config", explicitly remove that default
  s3_key_prefix = ""

  # Add subscribers to the SNS Topic
  subscribers = {
    email = {
      protocol               = "email"
      endpoint               = "example.2@stratusgrid.com"
      endpoint_auto_confirms = true
    }
  }

  # Change default value to TwentyFour_Hours
  snapshot_delivery_frequency = "TwentyFour_Hours"

  # Create aggregator
  is_global_recorder_region_and_account = true
  source_collector_accounts             = ["012345678901", "987654321098"]
  source_collector_regions              = ["us-east-1", "us-west-2", "eu-central-1"]
}
```

example 3

```hcl
### Set recorder, and authorize aggregator of other accounts to get data

# Configures Config Recorder for an AWS account's region. Requires that you already have a bucket configured for it.
# Do not create IAM Role, instead pass an existing role ARN
# Change recording_frequency to DAILY
# Remove default s3_key_prefix
# Disable the creation of SNS Topic
# Change snapshot_delivery_frequency to TwentyFour_Hours
# Valid Recording Frequency Options can be found here: https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigSnapshotDeliveryProperties.html#API_ConfigSnapshotDeliveryProperties_Contents
#
# Authorize aggregator account and region

# Module Instantiation
module "aws_config_recorder" {
  source  = "StratusGrid/config-recorder/aws"
  # StratusGrid recommends pinning every module to a specific version
  version = "x.x.x"

  # Do not create the IAM role; pass the ARN of an existing role instead.
  # Here it is taken from another instantiation of this module declared in the same
  # root configuration (see the multi-regional example); any existing role ARN works.
  create_iam_role = false
  iam_role_arn    = module.aws_config_recorder_us_east_1.aws_iam_role_config

  recording_mode = {
    recording_frequency = "DAILY"
  }

  log_bucket_id = "aws-config-bucket-example"

  # Default used by the module is "config", explicitly remove that default
  s3_key_prefix = ""

  # Disable SNS topic creation
  create_sns_topic = false

  # Change default value to TwentyFour_Hours
  snapshot_delivery_frequency = "TwentyFour_Hours"

  # Authorize aggregator account and region
  central_resource_collector_account = "058264241281"
  global_resource_collector_region   = "us-east-1"
}
```

example 4

```hcl
### Multi-Regional Usage
# For this, the Recorder is configured in multiple regions by passing in provider blocks and creating an aggregator
# Requires that you already have a bucket configured for it.

# Example of multiple additional aliased providers to be stored in a providers.tf file.
# Terraform >= 1.6 (required by this module) uses first-class expressions, so variables
# are referenced directly instead of being wrapped in "${...}" interpolation.
provider "aws" {
  allowed_account_ids = var.account_numbers
  region              = var.region
  access_key          = var.access_key
  secret_key          = var.secret_key
  token               = var.token
}

# Extra Providers for Config and other Multi-Region configurations like AWS Config
provider "aws" {
  alias               = "us-east-1"
  region              = "us-east-1"
  access_key          = var.access_key
  secret_key          = var.secret_key
  token               = var.token
  allowed_account_ids = var.account_numbers
}

provider "aws" {
  alias               = "us-east-2"
  region              = "us-east-2"
  allowed_account_ids = var.account_numbers
  access_key          = var.access_key
  secret_key          = var.secret_key
  token               = var.token
}

provider "aws" {
  alias               = "us-west-1"
  region              = "us-west-1"
  allowed_account_ids = var.account_numbers
  access_key          = var.access_key
  secret_key          = var.secret_key
  token               = var.token
}

provider "aws" {
  alias               = "us-west-2"
  region              = "us-west-2"
  allowed_account_ids = var.account_numbers
  access_key          = var.access_key
  secret_key          = var.secret_key
  token               = var.token
}

## Module Instantiation
module "aws_config_recorder_us_east_1" {
  source  = "StratusGrid/config-recorder/aws"
  # StratusGrid recommends pinning every module to a specific version
  version = "x.x.x"

  # Use the us-east-1 aliased provider so this instance runs in the aggregator region
  providers = {
    aws = aws.us-east-1
  }

  # Record global resource types in one region only: the aggregator region
  include_global_resource_types = true

  # Set to true to create the IAM role
  create_iam_role = true

  recording_mode = {
    recording_frequency = "DAILY"
  }

  log_bucket_id = "aws-config-bucket-example"

  # Default used by the module is "config", explicitly remove that default
  s3_key_prefix = ""

  # Default is true; leave it true only in the aggregator account and region
  create_sns_topic = true

  # Create aggregator
  is_global_recorder_region_and_account = true
  source_collector_accounts             = ["012345678901", "987654321098"]
  source_collector_regions              = ["us-east-1", "us-west-2", "eu-central-1"]
}

module "aws_config_recorder_us_east_2" {
  source  = "StratusGrid/config-recorder/aws"
  # StratusGrid recommends pinning every module to a specific version
  version = "x.x.x"

  providers = {
    aws = aws.us-east-2
  }

  # Set to false and pass the existing IAM role created by the us-east-1 instance
  create_iam_role = false
  iam_role_arn    = module.aws_config_recorder_us_east_1.aws_iam_role_config

  recording_mode = {
    recording_frequency = "DAILY"
  }

  log_bucket_id = "aws-config-bucket-example"

  # Default used by the module is "config", explicitly remove that default
  s3_key_prefix = ""

  # Default is true; the SNS topic is only needed in the aggregator account and region
  create_sns_topic = false

  # Authorize aggregator account and region
  central_resource_collector_account = "012345678901"
  global_resource_collector_region   = "us-east-1"
}

module "aws_config_recorder_us_west_2" {
  source  = "StratusGrid/config-recorder/aws"
  # StratusGrid recommends pinning every module to a specific version
  version = "x.x.x"

  providers = {
    aws = aws.us-west-2
  }

  # Set to false and pass the existing IAM role created by the us-east-1 instance
  create_iam_role = false
  iam_role_arn    = module.aws_config_recorder_us_east_1.aws_iam_role_config

  recording_mode = {
    recording_frequency = "DAILY"
  }

  log_bucket_id = "aws-config-bucket-example"

  # Default used by the module is "config", explicitly remove that default
  s3_key_prefix = ""

  # Default is true; the SNS topic is only needed in the aggregator account and region
  create_sns_topic = false

  # Authorize aggregator account and region
  central_resource_collector_account = "012345678901"
  global_resource_collector_region   = "us-east-1"
}

module "aws_config_recorder_us_west_1" {
  source  = "StratusGrid/config-recorder/aws"
  # StratusGrid recommends pinning every module to a specific version
  version = "x.x.x"

  providers = {
    aws = aws.us-west-1
  }

  # Set to false and pass the existing IAM role created by the us-east-1 instance
  create_iam_role = false
  iam_role_arn    = module.aws_config_recorder_us_east_1.aws_iam_role_config

  recording_mode = {
    recording_frequency = "DAILY"
  }

  log_bucket_id = "aws-config-bucket-example"

  # Default used by the module is "config", explicitly remove that default
  s3_key_prefix = ""

  # Default is true; the SNS topic is only needed in the aggregator account and region
  create_sns_topic = false

  # Authorize aggregator account and region
  central_resource_collector_account = "012345678901"
  global_resource_collector_region   = "us-east-1"
}
```
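The multi-account, multi-region pattern above only works if every instantiation agrees on one aggregator, authorizes it, keeps the SNS topic and global resource recording to the aggregator region, and uses frequency values AWS accepts. The script below is an added example, not part of the module or of StratusGrid's code: it encodes those rules from the README as a pre-apply consistency check over a list of planned instantiations. Field names on `RecorderInstance` mirror the module inputs; the snapshot frequency values are the ones listed in the AWS API reference the README links to. The sample deployment is constructed to mirror the multi-regional example, and the check reports that its us-east-2 and us-west-1 recorders are absent from the aggregator's `source_collector_regions`, so their data would be recorded but not aggregated.

```python
"""Pre-apply consistency check for a fleet of config-recorder module instances.

Added example (not the module's own code). Every rule below comes from the README:
exactly one aggregator, every other instance authorizes that aggregator, the SNS
topic lives only in the aggregator region, global resource types are recorded in
one region per account, and frequencies use valid AWS values.
"""
from dataclasses import dataclass, field
from typing import List, Optional

RECORDING_FREQUENCIES = {"CONTINUOUS", "DAILY"}
# ConfigSnapshotDeliveryProperties.deliveryFrequency values from the AWS API reference
SNAPSHOT_FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours"}


@dataclass
class RecorderInstance:
    """One instantiation of the module: where it runs plus the inputs that matter
    for aggregation. Defaults match the module's documented defaults."""
    account_id: str
    region: str
    is_global_recorder_region_and_account: bool = False
    central_resource_collector_account: Optional[str] = None
    global_resource_collector_region: Optional[str] = None
    source_collector_accounts: set = field(default_factory=set)
    source_collector_regions: list = field(default_factory=list)
    source_collector_all_regions: bool = False
    create_sns_topic: bool = True
    include_global_resource_types: bool = False
    recording_frequency: str = "CONTINUOUS"
    snapshot_delivery_frequency: str = "Three_Hours"

    @property
    def where(self) -> str:
        return f"{self.account_id}/{self.region}"


def check_deployment(instances: List[RecorderInstance]) -> List[str]:
    """Return human-readable findings; an empty list means the fleet is consistent."""
    findings: List[str] = []
    aggregators = [i for i in instances if i.is_global_recorder_region_and_account]
    if len(aggregators) != 1:
        findings.append(f"expected exactly one aggregator, found {len(aggregators)}")
    agg = aggregators[0] if len(aggregators) == 1 else None

    for inst in instances:
        if inst.recording_frequency not in RECORDING_FREQUENCIES:
            findings.append(f"{inst.where}: invalid recording_frequency {inst.recording_frequency!r}")
        if inst.snapshot_delivery_frequency not in SNAPSHOT_FREQUENCIES:
            findings.append(f"{inst.where}: invalid snapshot_delivery_frequency "
                            f"{inst.snapshot_delivery_frequency!r}")
        if inst.is_global_recorder_region_and_account:
            continue  # the remaining rules apply to non-aggregator instances only
        if inst.create_sns_topic:
            findings.append(f"{inst.where}: create_sns_topic should be false outside the aggregator region")
        if agg is None:
            continue
        if (inst.central_resource_collector_account, inst.global_resource_collector_region) != (agg.account_id, agg.region):
            findings.append(f"{inst.where}: must authorize aggregator {agg.where}")
        if inst.account_id not in agg.source_collector_accounts:
            findings.append(f"{inst.where}: account missing from aggregator source_collector_accounts")
        if not agg.source_collector_all_regions and inst.region not in agg.source_collector_regions:
            findings.append(f"{inst.where}: region missing from aggregator source_collector_regions")

    # Global resource types (IAM etc.) should be recorded once per account, not in every region.
    regions_by_account = {}
    for inst in instances:
        if inst.include_global_resource_types:
            regions_by_account.setdefault(inst.account_id, []).append(inst.region)
    for account, regions in regions_by_account.items():
        if len(regions) > 1:
            findings.append(f"{account}: include_global_resource_types enabled in {sorted(regions)}")
    return findings


def sample_deployment() -> List[RecorderInstance]:
    """Constructed sample mirroring the multi-regional example (account id is a placeholder)."""
    acct = "012345678901"
    aggregator = RecorderInstance(
        acct, "us-east-1",
        is_global_recorder_region_and_account=True,
        include_global_resource_types=True,
        recording_frequency="DAILY",
        source_collector_accounts={"012345678901", "987654321098"},
        source_collector_regions=["us-east-1", "us-west-2", "eu-central-1"],
    )
    others = [
        RecorderInstance(acct, region, recording_frequency="DAILY", create_sns_topic=False,
                         central_resource_collector_account=acct,
                         global_resource_collector_region="us-east-1")
        for region in ("us-east-2", "us-west-2", "us-west-1")
    ]
    return [aggregator] + others


if __name__ == "__main__":
    for finding in check_deployment(sample_deployment()) or ["no findings"]:
        print(finding)
```

Setting `source_collector_all_regions = True` on the aggregator instance (or adding the two regions to `source_collector_regions`) clears the findings for the sample; the same function flags a non-aggregator instance that leaves `create_sns_topic` at its default of true, or a fleet with no aggregator at all.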

Requirements

| Name | Version |
|------|---------|
| terraform | >= v1.6.3 |
| aws | >= 5.57.0 |

Resources

| Name | Type |
|------|------|
| aws_config_aggregate_authorization.source | resource |
| aws_config_configuration_aggregator.this | resource |
| aws_config_configuration_recorder.config | resource |
| aws_config_configuration_recorder_status.config | resource |
| aws_config_delivery_channel.config | resource |
| aws_iam_policy.config_sns_policy | resource |
| aws_iam_role.config | resource |
| aws_iam_role_policy_attachment.config | resource |
| aws_iam_role_policy_attachment.config_sns_policy | resource |
| aws_sns_topic.aws_config_stream | resource |
| aws_sns_topic_policy.config | resource |
| aws_sns_topic_subscription.this | resource |

Inputs

Each entry gives the input name, its type, its default, and whether it is required.

- `central_resource_collector_account` (string, default `null`, optional): The account ID of a central account that will aggregate AWS Config from other accounts.
- `create_iam_role` (bool, default `false`, optional): Flag to indicate whether an IAM Role should be created to grant the proper permissions for AWS Config.
- `create_sns_topic` (bool, default `true`, optional): Flag to indicate whether an SNS topic should be created for notifications. If you want to send findings to a new SNS topic, set this to true and provide a valid configuration for `subscribers`. If you are using this module to set up multiple accounts and regions, only enable the SNS topic in the aggregator account and region.
- `global_resource_collector_region` (string, default `null`, optional): The region that collects AWS Config data.
- `iam_role_arn` (string, default `null`, optional): The ARN of an IAM Role AWS Config uses to make read or write requests to the delivery channel and to describe the AWS resources associated with the account. This is only used if `create_iam_role` is false. If you want to use an existing IAM Role, set this to the ARN of the existing role and set `create_iam_role` to false. See the AWS Docs for further information: http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
- `include_global_resource_types` (string, default `false`, optional): True/False to add global resources to config. Default is false.
- `input_tags` (map(any), optional): Map of tags to apply to resources. Default:

  ```json
  {
    "Developer": "StratusGrid",
    "Provisioner": "Terraform"
  }
  ```

- `is_global_recorder_region_and_account` (bool, default `false`, optional): Flag to indicate whether this is the aggregator account and region.
- `log_bucket_id` (string, required): ID of the bucket to log config change snapshots to.
- `recording_mode` (object, default `null`, optional): The mode for AWS Config to record configuration changes.
  - `recording_frequency`: The frequency with which AWS Config records configuration changes (the service defaults to CONTINUOUS). One of `CONTINUOUS` or `DAILY`.
  - `recording_mode_override`: Optional override of the recording frequency for specific resource types. See https://docs.aws.amazon.com/config/latest/APIReference/API_RecordingModeOverride.html
    - `description`: A description for the override.
    - `resource_types`: A list of resource types for which AWS Config records configuration changes. For example, `AWS::EC2::Instance`.
    - `recording_frequency`: The frequency with which AWS Config records configuration changes for the specified resource types. One of `CONTINUOUS` or `DAILY`.

  Example:

  ```hcl
  recording_mode = {
    recording_frequency = "DAILY"
    recording_mode_override = {
      description         = "Override for specific resource types"
      resource_types      = ["AWS::EC2::Instance"]
      recording_frequency = "CONTINUOUS"
    }
  }
  ```

  Type:

  ```hcl
  object({
    recording_frequency = string
    recording_mode_override = optional(object({
      description         = string
      resource_types      = list(string)
      recording_frequency = string
    }))
  })
  ```

- `s3_key_prefix` (string, default `null`, optional): The prefix for AWS Config objects stored in the S3 bucket. If this variable is set to null, the default, no prefix will be used. Examples:
  - with prefix: `{S3_BUCKET NAME}:/{S3_KEY_PREFIX}/AWSLogs/{ACCOUNT_ID}/Config/`
  - without prefix: `{S3_BUCKET NAME}:/AWSLogs/{ACCOUNT_ID}/Config/`
- `snapshot_delivery_frequency` (string, default `"Three_Hours"`, optional): Frequency with which AWS Config snapshots the configuration.
- `sns_kms_key_id` (string, default `""`, optional): KMS key ID for encrypting the config recorder stream SNS topic. If left empty, the SNS default AWS managed key is used.
- `source_collector_accounts` (set(string), default `null`, optional): The account IDs of other accounts that will send their AWS Config data to this account.
- `source_collector_all_regions` (bool, default `false`, optional): Flag to indicate whether all regions are included for the source collector.
- `source_collector_regions` (list(string), default `[]`, optional): A list of regions for the source collector to use.
- `subscribers` (map(any), default `{}`, optional): A map of subscription configurations for SNS topics. For more information, see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription#argument-reference
  - `protocol`: The protocol to use. The possible values for this are: sqs, sms, lambda, application. (http or https are partially supported, see link) (email is an option but is unsupported in terraform, see link).
  - `endpoint`: The endpoint to send data to; the contents will vary with the protocol. (See link for more information.)
  - `endpoint_auto_confirms` (Optional): Boolean indicating whether the endpoint is capable of auto-confirming the subscription, e.g. PagerDuty. Default is false.
  - `raw_message_delivery` (Optional): Boolean indicating whether or not to enable raw message delivery (the original message is passed directly, not wrapped in JSON with the original message in the message property). Default is false.

Outputs

| Name | Description |
|------|-------------|
| aws_config_configuration_recorder_id | ID of configuration recorder |
| aws_iam_role_config | aws_iam_role for config |
| sns_encryption_kms_key_id | ID of key used to encrypt the SNS topic |

Note: manual changes to the README will be overwritten when the documentation is updated. To update the documentation, run `terraform-docs -c .config/.terraform-docs.yml`.