* 2.13.0 -- 2025-12-31

  - config
    - disable global iam things in non-east regions
    - allow for other resources to be excluded completely

CHANGELOG.md

@@ -421,3 +421,8 @@
   - terraform-state
     - remove role creation for application_mode
     - add s3:DeleteObject for *.tflock to enable lockign in 1.9.x
+
+* 2.13.0 -- 2025-12-31
+  - config
+    - disable global iam things in non-east regions
+    - allow for other resources to be excluded completely

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.12.3"
+  _module_version = "2.13.0"
 }

config/README.md

@@ -214,6 +214,7 @@ No modules.
 | <a name="input_enable_rules"></a> [enable\_rules](#input\_enable\_rules) | Enable Config rules to be created in this module. Set to `false` to use Organization Config Rules. | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Config resource name prefix used for all resources | `string` | `""` | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_recorder_exclusion_types"></a> [recorder\_exclusion\_types](#input\_recorder\_exclusion\_types) | Resource type to exclude entirely. IAM resources will be used only in one region (east) | `list(string)` | `[]` | no |
 | <a name="input_recorder_override_daily"></a> [recorder\_override\_daily](#input\_recorder\_override\_daily) | Resource type to record daily instead of continuous | `list(string)` | `[]` | no |
 | <a name="input_retention_period_in_days"></a> [retention\_period\_in\_days](#input\_retention\_period\_in\_days) | Config retion period in days (default is 3 years, down from AWS default of 7 years) | `number` | `1095` | no |
 | <a name="input_s3_bucket"></a> [s3\_bucket](#input\_s3\_bucket) | Config S3 Bucket to send Config snapshots | `string` | `null` | no |

config/config.tf

@@ -3,15 +3,53 @@
 ## # which we are doing this
 ## # only allows for 1 recorder
 ## #---
+
+locals {
+  global_types = [
+    "AWS::IAM::User",
+    "AWS::IAM::Group",
+    "AWS::IAM::Role",
+    "AWS::IAM::Policy",
+  ]
+  _global_types_exclude = {
+    "gov" = local.region != "us-gov-east-1" ? local.global_types : []
+    "ew"  = local.region != "us-east-1" ? local.global_types : []
+  }
+  global_types_exclude     = lookup(local._global_types_exclude, local.account_environment, [])
+  recorder_exclusion_types = compact(concat(var.recorder_exclusion_types, local.global_types_exclude))
+}
+
 resource "aws_config_configuration_recorder" "config" {
   name     = local.name
   role_arn = aws_iam_role.config.arn
 
-  recording_group {
-    include_global_resource_types = true
-    all_supported                 = true
+  # if exclusions defined, or not in an east region
+  dynamic "recording_group" {
+    for_each = length(local.recorder_exclusion_types) > 0 ? { 1 = 1 } : {}
+    iterator = x
+    content {
+      include_global_resource_types = false
+      all_supported                 = false
+      exclusion_by_resource_types {
+        resource_types = length(local.recorder_exclusion_types) == 0 ? null : local.recorder_exclusion_types
+      }
+      recording_strategy {
+        use_only = "EXCLUSION_BY_RESOURCE_TYPES"
+      }
+    }
+  }
+
+  # if exclusions not defined, or in an east region
+  dynamic "recording_group" {
+    for_each = length(local.recorder_exclusion_types) == 0 ? { 1 = 1 } : {}
+    iterator = x
+    content {
+      include_global_resource_types = true
+      all_supported                 = true
+    }
   }
 
+  # if excluding via continuous (ENI are common)
   dynamic "recording_mode" {
     for_each = length(var.recorder_override_daily) > 0 ? { 1 = 1 } : {}
     iterator = x

config/variables.tf

@@ -70,3 +70,8 @@ variable "retention_period_in_days" {
   default     = 1095
 }
 
+variable "recorder_exclusion_types" {
+  description = "Resource type to exclude entirely. IAM resources will be used only in one region (east)"
+  type        = list(string)
+  default     = []
+}