* 2.5.1 -- 2024-01-30
  - config
    - add enable_rules (to turn them off for the move to org config rules)
    - add s3_bucket to use a different s3 bucket (for the move to org config rules)
    - add create_s3_bucket
badra001 committed Jan 30, 2024
1 parent 3652369 commit a29a20f
Showing 9 changed files with 46 additions and 18 deletions.
6 changes: 6 additions & 0 deletions CHANGELOG.md
Expand Up @@ -329,3 +329,9 @@
* 2.5.0 -- 2024-01-02
- s3-config-org
- create for org-based s3 bucket and kms key for centralized config locations (within aws organization)

* 2.5.1 -- 2024-01-30
- config
- add enable_rules (to turn them off for the move to org config rules)
- add s3_bucket to use a different s3 bucket (for the move to org config rules)

2 changes: 1 addition & 1 deletion common/version.tf
@@ -1,3 +1,3 @@
locals {
_module_version = "2.5.0"
_module_version = "2.5.1"
}
3 changes: 3 additions & 0 deletions config/README.md
Expand Up @@ -207,10 +207,13 @@ No modules.
| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
| <a name="input_bucket_key_enabled"></a> [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `false` | no |
| <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms) | `map(map(string))` | <pre>{<br> "kms": {},<br> "s3": {}<br>}</pre> | no |
| <a name="input_create_s3_bucket"></a> [create\_s3\_bucket](#input\_create\_s3\_bucket) | Flag to enable creating of config S3 Bucket for snapshots | `bool` | n/a | yes |
| <a name="input_enable_config_rules_standard"></a> [enable\_config\_rules\_standard](#input\_enable\_config\_rules\_standard) | Flag to enable\|disable the standard set of config rules | `bool` | `true` | no |
| <a name="input_enable_config_rules_stopped"></a> [enable\_config\_rules\_stopped](#input\_enable\_config\_rules\_stopped) | Flag to enable\|disable EC2 stopped config rules | `bool` | `false` | no |
| <a name="input_enable_rules"></a> [enable\_rules](#input\_enable\_rules) | Enable Config rules to be created in this module. Set to `false` to use Organization Config Rules. | `bool` | `true` | no |
| <a name="input_name"></a> [name](#input\_name) | Config resource name prefix used for all resources | `string` | `""` | no |
| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| <a name="input_s3_bucket"></a> [s3\_bucket](#input\_s3\_bucket) | Config S3 Bucket to send Config snapshots | `string` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
| <a name="input_use_kms_encryption"></a> [use\_kms\_encryption](#input\_use\_kms\_encryption) | Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access | `bool` | `true` | no |
| <a name="input_versioning_configuration"></a> [versioning\_configuration](#input\_versioning\_configuration) | S3 Versioning Configuration (Enabled, Disabled, Suspended). To disable, use Suspended if existing bucket and Disabled if new | `string` | `"Disabled"` | no |
2 changes: 1 addition & 1 deletion config/config.tf
Expand Up @@ -21,7 +21,7 @@ resource "aws_config_configuration_recorder_status" "config" {

resource "aws_config_delivery_channel" "config" {
name = local.name
s3_bucket_name = local.bucket_id
s3_bucket_name = var.s3_bucket != null ? var.s3_bucket : local.bucket_id
sns_topic_arn = aws_sns_topic.config.arn

snapshot_delivery_properties {
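Review bot: The delivery channel's bucket name becomes null when `var.s3_bucket` is unset and `var.create_s3_bucket` is false, because `local.bucket_id` is then `try(..., null)`; the plan fails with a generic missing-argument error instead of a message naming the two inputs that conflict. Variable `validation` blocks cannot reference another variable in older Terraform releases, so a `lifecycle { precondition { ... } }` on `aws_config_delivery_channel.config` is the place to enforce "at least one of the two", assuming the module's required Terraform version supports preconditions. When an external bucket is supplied, nothing in this module authorizes delivery to it (recorder role permissions or bucket policy for AWS Config), which is worth stating on the `s3_bucket` variable. The resource body continues past the hunk.

```terraform
resource "aws_config_delivery_channel" "config" {
  # … unchanged: name, s3_bucket_name, sns_topic_arn, snapshot_delivery_properties …

  lifecycle {
    precondition {
      condition     = var.s3_bucket != null || var.create_s3_bucket
      error_message = "Set s3_bucket when create_s3_bucket is false: AWS Config needs a delivery bucket."
    }
  }
```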
4 changes: 2 additions & 2 deletions config/config_rules.tf
Expand Up @@ -13,7 +13,7 @@ locals {
}

resource "aws_config_config_rule" "config_rules" {
for_each = toset(local.crules)
for_each = var.enable_rules ? toset(local.crules) : toset([])
name = format("inf-config-rule_%v", each.key)
source {
owner = "AWS"
Expand Down Expand Up @@ -46,7 +46,7 @@ locals {
}

resource "aws_config_config_rule" "config_rules_stopped" {
for_each = local.crule_stopped_map
for_each = var.enable_rules ? local.crule_stopped_map : {}
name = format("inf-config-rule_%v", each.key)
source {
owner = "AWS"
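Review bot: The two gated `for_each` expressions give no hint of why rules may be absent, and `enable_rules = false` plans the destruction of every existing rule in both resources — a reader landing on `for_each = var.enable_rules ? toset(local.crules) : toset([])` should know the coverage is meant to move to Organization Config Rules, not disappear. Suggest a comment above each resource: `# When var.enable_rules is false no rules are created here; coverage is expected from organization-managed Config rules (see variables.tf).` The same applies to `config_rules_stopped` in the second hunk. If the unseen parts of this file define further `aws_config_config_rule` resources they are not gated by the new flag, which is worth checking. Both resource bodies continue outside the hunks.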
4 changes: 2 additions & 2 deletions config/main.tf
Expand Up @@ -40,8 +40,8 @@ locals {
role_name = format("%v%v", local._prefixes["role"], local.name)
policy_name = format("%v%v", local._prefixes["policy"], local.name)

bucket_id = aws_s3_bucket.config.id
bucket_arn = aws_s3_bucket.config.arn
bucket_id = try(aws_s3_bucket.config[0].id, null)
bucket_arn = try(aws_s3_bucket.config[0].arn, null)

base_tags = {
"Organization" = "census:aditcio:csvd"
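Review bot: `local.bucket_arn` becomes null whenever the bucket is supplied externally, yet delivery to that bucket must still be authorized, and any policy statement in this module built from `local.bucket_arn` — not visible in this hunk — would then silently lose its resource, so the external-bucket path likely fails at delivery time rather than at plan time. Derive both locals from the variable when it is set: `bucket_id  = var.s3_bucket != null ? var.s3_bucket : try(aws_s3_bucket.config[0].id, null)` and `bucket_arn = var.s3_bucket != null ? format("arn:aws:s3:::%v", var.s3_bucket) : try(aws_s3_bucket.config[0].arn, null)`, substituting the partition data source for the literal `aws` if the module already has one. With that, `config.tf` and `outputs.tf` can keep using `local.bucket_id` / `local.bucket_arn` unchanged. The `locals` block continues outside the hunk.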
4 changes: 2 additions & 2 deletions config/outputs.tf
@@ -1,11 +1,11 @@
output "config_s3_bucket_arn" {
description = "S3 ARN for Config"
value = aws_s3_bucket.config.arn
value = try(aws_s3_bucket.config[0].arn, null)
}

output "config_s3_bucket_id" {
description = "S3 ID for Config"
value = aws_s3_bucket.config.id
value = try(aws_s3_bucket.config[0].id, null)
}

output "config_sns_topic_arn" {
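Review bot: Both outputs go null when `var.create_s3_bucket` is false even though Config is then delivering to `var.s3_bucket`, so consumers wiring `config_s3_bucket_id` into bucket policies or alerting get nothing instead of the bucket actually in use. Consider returning the effective bucket, `value = var.s3_bucket != null ? var.s3_bucket : try(aws_s3_bucket.config[0].id, null)`, with the ARN output using `format("arn:aws:s3:::%v", var.s3_bucket)` on the same branch, and update both descriptions to say "effective Config bucket (created by this module or supplied via s3_bucket)". The remaining outputs are outside the hunk.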
15 changes: 10 additions & 5 deletions config/s3.tf
Expand Up @@ -2,6 +2,7 @@
# s3
#---
resource "aws_s3_bucket" "config" {
count = var.create_s3_bucket ? 1 : 0
bucket = local.bucket_name
# acl = "private"

Expand All @@ -26,7 +27,8 @@ resource "aws_s3_bucket" "config" {
}

resource "aws_s3_bucket_public_access_block" "config" {
bucket = aws_s3_bucket.config.id
count = var.create_s3_bucket ? 1 : 0
bucket = try(aws_s3_bucket.config[0].id, null)
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
Expand All @@ -35,15 +37,16 @@ resource "aws_s3_bucket_public_access_block" "config" {


resource "aws_s3_bucket_ownership_controls" "config" {
bucket = aws_s3_bucket.config.id
count = var.create_s3_bucket ? 1 : 0
bucket = try(aws_s3_bucket.config[0].id, null)
rule {
object_ownership = "BucketOwnerEnforced"
}
}

resource "aws_s3_bucket_acl" "config" {
count = 0
bucket = aws_s3_bucket.config.id
bucket = try(aws_s3_bucket.config[0].id, null)
acl = "private"
}

Expand All @@ -54,7 +57,8 @@ resource "aws_s3_bucket_acl" "config" {
## }

resource "aws_s3_bucket_server_side_encryption_configuration" "config" {
bucket = aws_s3_bucket.config.id
count = var.create_s3_bucket ? 1 : 0
bucket = try(aws_s3_bucket.config[0].id, null)
rule {
apply_server_side_encryption_by_default {
sse_algorithm = var.use_kms_encryption ? "aws:kms" : "AES256"
Expand All @@ -64,7 +68,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "config" {
}

resource "aws_s3_bucket_versioning" "config" {
bucket = aws_s3_bucket.config.id
count = var.create_s3_bucket ? 1 : 0
bucket = try(aws_s3_bucket.config[0].id, null)
versioning_configuration {
status = var.versioning_configuration
}
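Review bot: Inside resources that already carry `count = var.create_s3_bucket ? 1 : 0`, `bucket = try(aws_s3_bucket.config[0].id, null)` is redundant and hides genuine reference errors behind a null: when the sub-resource exists the bucket always exists, so plain `bucket = aws_s3_bucket.config[0].id` is the clearer form for the public access block, ownership controls, SSE configuration and versioning resources. More importantly, every hardening control in this file — public access block, `BucketOwnerEnforced`, default encryption, versioning — is now skipped when a caller supplies `s3_bucket`, and nothing in the plan surfaces that; a header comment such as `# When var.create_s3_bucket is false the bucket and all of the hardening below are the caller's responsibility.` makes the trade-off explicit. The `aws_s3_bucket.config` body continues past the first hunk, and any bucket policy that references it is outside this view.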
24 changes: 19 additions & 5 deletions config/variables.tf
Expand Up @@ -4,11 +4,18 @@ variable "name" {
default = ""
}

##variable "bucket_id" {
## description = "Config S3 Bucket ID/Name"
## type = string
##}
##
variable "create_s3_bucket" {
description = "Flag to enable creating of config S3 Bucket for snapshots"
type = bool
defaut = true
}

variable "s3_bucket" {
description = "Config S3 Bucket to send Config snapshots"
type = string
defaut = null
}

variable "enable_config_rules_standard" {
description = "Flag to enable|disable the standard set of config rules"
type = bool
Expand Down Expand Up @@ -44,3 +51,10 @@ variable "use_kms_encryption" {
type = bool
default = true
}

variable "enable_rules" {
description = "Enable Config rules to be created in this module. Set to `false` to use Organization Config Rules."
type = bool
default = true
}
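Review bot: Both new variables use `defaut = ...` instead of `default = ...`; Terraform rejects unknown arguments in a `variable` block, so `terraform validate` fails on this file, and the generated README appears to reflect it by listing `create_s3_bucket` and `s3_bucket` as required with default `n/a`. Change them to `default = true` and `default = null`. The `s3_bucket` description should also state what the caller takes on: the supplied bucket receives none of this module's hardening (public access block, ownership controls, encryption, versioning) and must permit delivery from AWS Config for this account. Note that `create_s3_bucket = false` with `s3_bucket` unset leaves the delivery channel without a bucket; a precondition on `aws_config_delivery_channel.config` is the natural place to reject that combination.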
