From 33af21cf78f61b1a06e0fded95e31ce830b21a80 Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 31 Dec 2025 12:24:06 -0500
Subject: [PATCH] * 2.13.0 -- 2025-12-31 - config - disable global iam things in non-east regions - allow for other resources to be excluded completely
---
CHANGELOG.md | 5 +++++
common/version.tf | 2 +-
config/README.md | 1 +
config/config.tf | 44 +++++++++++++++++++++++++++++++++++++++++---
config/variables.tf | 5 +++++
5 files changed, 53 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1f9f629..d89c499 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -421,3 +421,8 @@
 - terraform-state
 - remove role creation for application_mode
 - add s3:DeleteObject for *.tflock to enable lockign in 1.9.x
+
+* 2.13.0 -- 2025-12-31
+ - config
+ - disable global iam things in non-east regions
+ - allow for other resources to be excluded completely
diff --git a/common/version.tf b/common/version.tf
index a57a420..db96fc9 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.12.3"
+ _module_version = "2.13.0"
 }
diff --git a/config/README.md b/config/README.md
index 69231a5..2bdbf1c 100644
--- a/config/README.md
+++ b/config/README.md
@@ -214,6 +214,7 @@ No modules.
 | [enable\_rules](#input\_enable\_rules) | Enable Config rules to be created in this module. Set to `false` to use Organization Config Rules. | `bool` | `true` | no |
 | [name](#input\_name) | Config resource name prefix used for all resources | `string` | `""` | no |
 | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [recorder\_exclusion\_types](#input\_recorder\_exclusion\_types) | Resource type to exclude entirely. IAM resources will be used only in one region (east) | `list(string)` | `[]` | no |
 | [recorder\_override\_daily](#input\_recorder\_override\_daily) | Resource type to record daily instead of continuous | `list(string)` | `[]` | no |
 | [retention\_period\_in\_days](#input\_retention\_period\_in\_days) | Config retion period in days (default is 3 years, down from AWS default of 7 years) | `number` | `1095` | no |
 | [s3\_bucket](#input\_s3\_bucket) | Config S3 Bucket to send Config snapshots | `string` | `null` | no |
diff --git a/config/config.tf b/config/config.tf
index 48a4c02..4483b0f 100644
--- a/config/config.tf
+++ b/config/config.tf
@@ -3,15 +3,53 @@
 ## # which we are doing this
 ## # only allows for 1 recorder
 ## #---
+
+locals {
+ global_types = [
+ "AWS::IAM::User",
+ "AWS::IAM::Group",
+ "AWS::IAM::Role",
+ "AWS::IAM::Policy",
+ ]
+ _global_types_exclude = {
+ "gov" = local.region != "us-gov-east-1" ? local.global_types : []
+ "ew" = local.region != "us-east-1" ? local.global_types : []
+ }
+ global_types_exclude = lookup(local._global_types_exclude, local.account_environment, [])
+ recorder_exclusion_types = compact(concat(var.recorder_exclusion_types, local.global_types_exclude))
+}
+
 resource "aws_config_configuration_recorder" "config" {
 name = local.name
 role_arn = aws_iam_role.config.arn
- recording_group {
- include_global_resource_types = true
- all_supported = true
+ # if exclusions defined, or not in an east region
+ dynamic "recording_group" {
+ for_each = length(local.recorder_exclusion_types) > 0 ? { 1 = 1 } : {}
+ iterator = x
+ content {
+ include_global_resource_types = false
+ all_supported = false
+ exclusion_by_resource_types {
+ resource_types = length(local.recorder_exclusion_types) == 0 ? null : local.recorder_exclusion_types
+ }
+ recording_strategy {
+ use_only = "EXCLUSION_BY_RESOURCE_TYPES"
+ }
+ }
+ }
+
+ # if exclusions not defined, or in an east region
+ dynamic "recording_group" {
+ for_each = length(local.recorder_exclusion_types) == 0 ? { 1 = 1 } : {}
+ iterator = x
+ content {
+ include_global_resource_types = true
+ all_supported = true
+ }
 }
+ # if excluding via continuous (ENI are common)
 dynamic "recording_mode" {
 for_each = length(var.recorder_override_daily) > 0 ? { 1 = 1 } : {}
 iterator = x
diff --git a/config/variables.tf b/config/variables.tf
index 55db8ce..010ad88 100644
--- a/config/variables.tf
+++ b/config/variables.tf
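Review bot: `lookup(local._global_types_exclude, local.account_environment, [])` in the new `locals` block falls back to `[]` for any `account_environment` value other than `gov` or `ew`, so such an account keeps `all_supported = true` with `include_global_resource_types = true` in every region and the cross-region IAM duplication this change is meant to stop persists silently; `local.region` and `local.account_environment` are defined outside the hunk, so the set of possible values is not visible here. If every partition is meant to keep IAM recording in exactly one east region, keying on the region alone removes the fall-through: `global_types_exclude = contains(["us-east-1", "us-gov-east-1"], local.region) ? [] : local.global_types`. The ternary on `resource_types` inside the first `dynamic "recording_group"` is dead, since that block is only generated when `length(local.recorder_exclusion_types) > 0`; `resource_types = local.recorder_exclusion_types` is equivalent and easier to read. The `recording_mode` block and the enclosing resource continue past the end of the hunk.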
@@ -70,3 +70,8 @@ variable "retention_period_in_days" {
 default = 1095
 }
+variable "recorder_exclusion_types" {
+ description = "Resource type to exclude entirely. IAM resources will be used only in one region (east)"
+ type = list(string)
+ default = []
+}
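Review bot: The description on `recorder_exclusion_types` is singular for a `list(string)` and says IAM resources "will be used" where the variable controls what the recorder records, so a caller cannot tell from it that the global IAM types are appended to this list automatically outside the east region; the same text is reused in the README row. Something like `description = "Resource types to exclude from the Config recorder entirely. The global IAM types are added to this list automatically outside the east region."` states both facts the caller needs.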