add config

terraform-modules · May 21, 2021 · 87fe0fc · 87fe0fc
1 parent e2fbcb4
commit 87fe0fc
Show file tree

Hide file tree

Showing 16 changed files with 1,970 additions and 0 deletions.
diff --git a/config/OLD/config.tf.1 b/config/OLD/config.tf.1
@@ -0,0 +1,347 @@
+#---
+# config 
+#---
+locals {
+  config_policies = list("arn:${data.aws_arn.current.partition}:iam::aws:policy/service-role/AWSConfigRole",
+    data.terraform_remote_state.common.outputs.policy_deny_billing_arn,
+    aws_iam_policy.config.arn
+  )
+  config_bucket_arn = aws_s3_bucket.config.arn
+}
+
+#---
+# role: config 
+#---
+resource "aws_iam_role" "config" {
+  name = "r-inf-config"
+
+  assume_role_policy    = data.aws_iam_policy_document.config_assume.json
+  description           = "EDL AWS Config Role"
+  force_detach_policies = false
+  max_session_duration  = 3600
+  path                  = "/service-role/"
+}
+
+#---
+# policy: config 
+#---
+resource "aws_iam_policy" "config" {
+  name        = "p-inf-awsconfig"
+  path        = "/service-role/"
+  description = "Policy for AWS Config"
+  policy      = data.aws_iam_policy_document.config.json
+}
+
+resource "aws_iam_role_policy_attachment" "config" {
+  count      = length(local.config_policies)
+  role       = aws_iam_role.config.name
+  policy_arn = local.config_policies[count.index]
+}
+
+data "aws_iam_policy_document" "config" {
+  statement {
+    sid    = "AWSConfigAllowBucketPutObject"
+    effect = "Allow"
+
+    resources = ["${local.config_bucket_arn}/*"]
+    actions   = ["s3:PutObject*"]
+
+    condition {
+      test     = "StringLike"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+  }
+
+  statement {
+    sid       = "AWSConfigAllowBucketACL"
+    effect    = "Allow"
+    resources = [local.config_bucket_arn]
+    actions   = ["s3:GetBucketAcl"]
+  }
+
+  ## this goes in a per-region policy
+  ##   statement {
+  ##     sid = "AWSConfigPublishTopic"
+  ##     effect = "Allow"
+  ##     resources = [ aws_sns_topic.arn ]
+  ##     actions = [ "sns:Publish" ]
+  ##   }
+}
+
+#---
+# STS: sts config assume
+#---
+data "aws_iam_policy_document" "config_assume" {
+  statement {
+    sid     = "AWSConfigServiceAssumeRole"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
+    }
+  }
+}
+
+#--
+# much of this is per region, so we list through all the regions in
+# which we are doing this
+# only allows for 1 recorder
+#---
+resource "aws_config_configuration_recorder" "config" {
+#  count    = length(var.regions)
+  count    = 1
+  name     = "inf-config-${var.regions[count.index]}"
+  role_arn = aws_iam_role.config.arn
+
+  recording_group {
+    include_global_resource_types = true
+    all_supported                 = true
+  }
+}
+
+resource "aws_config_configuration_recorder_status" "config" {
+#  count      = length(var.regions)
+  count    = 1
+  name       = aws_config_configuration_recorder.config.*.name[count.index]
+  is_enabled = true
+  depends_on = [aws_config_delivery_channel.config]
+}
+
+resource "aws_config_delivery_channel" "config" {
+#  count          = length(var.regions)
+  count    = 1
+  name           = "inf-config-${var.regions[count.index]}"
+  s3_bucket_name = aws_s3_bucket.config.bucket
+  sns_topic_arn  = aws_sns_topic.config[count.index].arn
+
+  snapshot_delivery_properties {
+    delivery_frequency = "Six_Hours"
+  }
+
+  depends_on = [aws_config_configuration_recorder.config]
+}
+
+#---
+# config rules
+#---
+locals {
+  crules = {
+    "vpc-flowlogs" = "VPC_FLOW_LOGS_ENABLED"
+    "mfa-console"  = "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS"
+# this requires a parameter
+#    "iam-group-check" = "IAM_USER_GROUP_MEMBERSHIP_CHECK"
+    "encrypted-volumes" = "ENCRYPTED_VOLUMES"
+    "rds-encrypted" = "RDS_STORAGE_ENCRYPTED"
+  }
+  crules_keys = keys(local.crules)
+  crules_values = values(local.crules)
+}
+
+resource "aws_config_config_rule" "config_rules" {
+  count = length(local.crules_keys)
+  name = "inf-config_rule-${local.crules_keys[count.index]}"
+  source {
+    owner = "AWS"
+    source_identifier = local.crules_values[count.index]
+  }
+  depends_on = [aws_config_configuration_recorder.config]
+}
+
+#---
+# sns: config 
+#---
+data "aws_iam_policy_document" "config_sns" {
+#  count = length(var.regions)
+  count = 1
+  statement {
+    sid     = "AWSConfigBucketPolicy"
+    effect  = "Allow"
+    actions = ["s3:*"]
+
+    resources = [
+      aws_s3_bucket.config.arn,
+      "${aws_s3_bucket.config.arn}/*",
+    ]
+  }
+  statement {
+    sid       = "AWSConfigSNSPublish"
+    effect    = "Allow"
+    actions   = ["sns:Publish"]
+    resources = [aws_sns_topic.config[count.index].arn]
+  }
+}
+
+resource "aws_iam_role_policy" "config_sns" {
+#  count  = length(var.regions)
+  count  = 1
+#  role   = aws_iam_role.config[count.index].name
+  role   = aws_iam_role.config.name
+  name   = "p-inf-config-${var.regions[count.index]}"
+  policy = data.aws_iam_policy_document.config_sns[count.index].json
+}
+
+resource "aws_sns_topic" "config" {
+#  count = length(var.regions)
+  count = 1
+  name  = "inf-config-${var.regions[count.index]}"
+}
+
+resource "aws_sns_topic_policy" "config" {
+  count  = length(var.regions)
+  arn    = aws_sns_topic.config[count.index].arn
+  policy = data.aws_iam_policy_document.config_sns_topic[count.index].json
+}
+
+data "aws_iam_policy_document" "config_sns_topic" {
+  count     = length(var.regions)
+  policy_id = "inf-config_policy-${var.regions[count.index]}"
+  statement {
+    sid    = "inf-config-AllowSNS"
+    effect = "Allow"
+    resources = [aws_sns_topic.config[count.index].arn]
+    actions = [
+      "sns:Subscribe",
+      "sns:SetTopicAttributes",
+      "sns:RemovePermission",
+      "sns:Receive",
+      "sns:Publish",
+      "sns:ListSubscriptionsByTopic",
+      "sns:GetTopicAttributes",
+      "sns:DeleteTopic",
+      "sns:AddPermission",
+    ]
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "AWS:SourceOwner"
+      values   = ["${var.account_id}"]
+    }
+  }
+}
+
+#---
+# sqs: config (from splunk)
+#---
+# one per region we are using
+resource "aws_sqs_queue" "config_deadletter" {
+  # delay=0 retention=4d max=256k visibility=1h
+  count = length(var.regions)
+  name  = "inf-config-${var.regions[count.index]}-deadletter"
+  delay_seconds              = 0
+  max_message_size           = 262144
+  message_retention_seconds  = 345600
+  receive_wait_time_seconds  = 15
+  visibility_timeout_seconds = 3600
+
+  # disable kms, doesn't seem to work with splunk
+  #  kms_master_key_id = "alias/${var.kms_inf_key}"
+  #  kms_data_key_reuse_period_seconds = 300
+  tags = merge(
+    local.common_tags,
+    map("Name", "inf-config-${var.regions[count.index]}-deadletter")
+  )
+}
+
+resource "aws_sqs_queue_policy" "config_deadletter" {
+  count = length(var.regions)
+  queue_url = aws_sqs_queue.config_deadletter[count.index].id
+  policy    = data.aws_iam_policy_document.config_sqs_deadletter[count.index].json
+}
+
+data "aws_iam_policy_document" "config_sqs_deadletter" {
+  count = length(var.regions)
+  policy_id = "SQSDefaultPolicy"
+
+  statement {
+    sid       = "AllowSNSSendMessage"
+    effect    = "Allow"
+    actions   = ["SQS:SendMessage"]
+    resources = [aws_sqs_queue.config_deadletter[count.index].arn]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [aws_sns_topic.config[count.index].arn]
+    }
+  }
+}
+
+resource "aws_sqs_queue" "config" {
+  # delay=0 retention=7d max=256k visibity=2h
+  count = length(var.regions)
+  name                      = "inf-config-${var.regions[count.index]}"
+  delay_seconds             = 0
+  max_message_size          = 262144
+  message_retention_seconds = 604800
+  receive_wait_time_seconds = 0
+  visibility_timeout_seconds = 600
+
+  redrive_policy = <<EOP
+{
+  "deadLetterTargetArn":"${aws_sqs_queue.config_deadletter[count.index].arn}",
+  "maxReceiveCount":100
+}
+EOP
+
+  # disable kms, doesn't seem to work with splunk
+  #  kms_master_key_id = "alias/${var.kms_inf_key}"
+  #  kms_data_key_reuse_period_seconds = 300
+
+  tags = merge(
+    local.common_tags,
+    map("Name", "inf-config-${var.regions[count.index]}")
+  )
+}
+
+resource "aws_sqs_queue_policy" "config" {
+  count = length(var.regions)
+  queue_url = aws_sqs_queue.config[count.index].id
+  policy    = data.aws_iam_policy_document.config_sqs[count.index].json
+}
+
+data "aws_iam_policy_document" "config_sqs" {
+  count = length(var.regions)
+  policy_id = "SQSDefaultPolicy"
+
+  statement {
+    sid       = "AllowSNSSendMessage"
+    effect    = "Allow"
+    actions   = ["SQS:SendMessage"]
+    resources = [aws_sqs_queue.config[count.index].arn]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [aws_sns_topic.config[count.index].arn]
+    }
+  }
+}
+
+#resource "aws_sns_topic_subscription" "splunk-cloudtrail" {
+#  protocol  = "sqs"
+#  topic_arn = "${aws_sns_topic.splunk-cloudtrail.arn}"
+#  endpoint  = "${aws_sqs_queue.splunk-cloudtrail.arn}"
+#}
+
+resource "aws_sns_topic_subscription" "config" {
+  count     = length(var.regions)
+  protocol  = "sqs"
+  topic_arn = aws_sns_topic.config[count.index].arn
+  endpoint  = aws_sqs_queue.config[count.index].arn
+}