diff --git a/CHANGELOG.md b/CHANGELOG.md
index 366fb5d..f9d9d3d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -329,3 +329,9 @@
 * 2.5.0 -- 2024-01-02
 - s3-config-org
 - create for org-based s3 bucket and kms key for centralized config locations (within aws organization)
+
+* 2.5.1 -- 2024-01-30
+ - config
+ - add enable_rules (to turn them off for the move to org config rules)
+ - add s3_bucket to use a different s3 bucket (for the move to org config rules)
+
diff --git a/common/version.tf b/common/version.tf
index fca0743..5624ad5 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.5.0"
+ _module_version = "2.5.1"
 }
diff --git a/config/README.md b/config/README.md
index 348ebc9..5c32f1c 100644
--- a/config/README.md
+++ b/config/README.md
@@ -207,10 +207,13 @@ No modules.
 | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
 | [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `false` | no |
 | [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms) | `map(map(string))` |
{
"kms": {},
"s3": {}
} | no |
+| [create\_s3\_bucket](#input\_create\_s3\_bucket) | Flag to enable creating of config S3 Bucket for snapshots | `bool` | n/a | yes |
| [enable\_config\_rules\_standard](#input\_enable\_config\_rules\_standard) | Flag to enable\|disable the standard set of config rules | `bool` | `true` | no |
| [enable\_config\_rules\_stopped](#input\_enable\_config\_rules\_stopped) | Flag to enable\|disable EC2 stopped config rules | `bool` | `false` | no |
+| [enable\_rules](#input\_enable\_rules) | Enable Config rules to be created in this module. Set to `false` to use Organization Config Rules. | `bool` | `true` | no |
| [name](#input\_name) | Config resource name prefix used for all resources | `string` | `""` | no |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [s3\_bucket](#input\_s3\_bucket) | Config S3 Bucket to send Config snapshots | `string` | n/a | yes |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
| [use\_kms\_encryption](#input\_use\_kms\_encryption) | Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access | `bool` | `true` | no |
| [versioning\_configuration](#input\_versioning\_configuration) | S3 Versioning Configuration (Enabled, Disabled, Suspended). To disable, use Suspended if existing bucket and Disabled if new | `string` | `"Disabled"` | no |
diff --git a/config/config.tf b/config/config.tf
index d2e890e..96d0a3e 100644
--- a/config/config.tf
+++ b/config/config.tf
@@ -21,7 +21,7 @@ resource "aws_config_configuration_recorder_status" "config" {
resource "aws_config_delivery_channel" "config" {
name = local.name
- s3_bucket_name = local.bucket_id
+ s3_bucket_name = var.s3_bucket != null ? var.s3_bucket : local.bucket_id
sns_topic_arn = aws_sns_topic.config.arn
snapshot_delivery_properties {
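Review bot: The new s3_bucket_name expression can still resolve to null: when create_s3_bucket is false and s3_bucket is left unset, local.bucket_id is null (see the main.tf hunk) and the provider rejects the delivery channel at plan time with an error that names neither variable. Nothing in this commit guards the relationship between the two variables, so a precondition on this resource (Terraform 1.2+) would turn that into a clear message; the resource block continues past the end of the hunk. Presumably the permission that lets AWS Config write to the bucket is granted elsewhere and still references local.bucket_arn, which is now null when an external bucket is used, so write access to var.s3_bucket needs confirming outside this diff.
```hcl
  s3_bucket_name = var.s3_bucket != null ? var.s3_bucket : local.bucket_id
  # … unchanged: sns_topic_arn, snapshot_delivery_properties …
  lifecycle {
    precondition {
      condition     = var.s3_bucket != null || var.create_s3_bucket
      error_message = "s3_bucket must be set when create_s3_bucket is false; the delivery channel needs a destination bucket."
    }
  }
```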
diff --git a/config/config_rules.tf b/config/config_rules.tf
index c762b6c..d79fe1d 100644
--- a/config/config_rules.tf
+++ b/config/config_rules.tf
@@ -13,7 +13,7 @@ locals {
}
resource "aws_config_config_rule" "config_rules" {
- for_each = toset(local.crules)
+ for_each = var.enable_rules ? toset(local.crules) : toset([])
name = format("inf-config-rule_%v", each.key)
source {
owner = "AWS"
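Review bot: The var.enable_rules gate is written inline in this resource's for_each and repeated in the config_rules_stopped hunk below, separately from enable_config_rules_standard and enable_config_rules_stopped, which presumably already shape local.crules and local.crule_stopped_map (those locals blocks start outside the hunks). Applying the new flag inside the expressions for those two locals would keep a single place that decides which rules exist, rather than two resources each knowing about the flag; I cannot see the locals, so treat that as a suggestion. Either way a comment at the for_each would help the next reader: `# Empty when var.enable_rules is false: the account-level rules are destroyed and coverage is expected to come from Organization Config Rules.`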
@@ -46,7 +46,7 @@ locals {
}
resource "aws_config_config_rule" "config_rules_stopped" {
- for_each = local.crule_stopped_map
+ for_each = var.enable_rules ? local.crule_stopped_map : {}
name = format("inf-config-rule_%v", each.key)
source {
owner = "AWS"
diff --git a/config/main.tf b/config/main.tf
index c3a6b5b..8d955e0 100644
--- a/config/main.tf
+++ b/config/main.tf
@@ -40,8 +40,8 @@ locals {
role_name = format("%v%v", local._prefixes["role"], local.name)
policy_name = format("%v%v", local._prefixes["policy"], local.name)
- bucket_id = aws_s3_bucket.config.id
- bucket_arn = aws_s3_bucket.config.arn
+ bucket_id = try(aws_s3_bucket.config[0].id, null)
+ bucket_arn = try(aws_s3_bucket.config[0].arn, null)
base_tags = {
"Organization" = "census:aditcio:csvd"
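Review bot: `try(aws_s3_bucket.config[0].id, null)` swallows every error in the expression, not only the out-of-range index when count is 0, and the same wrapper is repeated in the outputs.tf hunk and in the dependent resources in s3.tf. The idiomatic form for an optional single-instance resource is the splat with one(): `bucket_id  = one(aws_s3_bucket.config[*].id)` and `bucket_arn = one(aws_s3_bucket.config[*].arn)` (Terraform 0.15+), which yields null when the bucket is not created and still surfaces genuine reference errors. Anything downstream that consumed local.bucket_arn as a non-null string (no policy is in this diff) now has to tolerate null, so a comment on these two lines is warranted: `# null when create_s3_bucket is false; consumers must handle that`. The locals block starts and ends outside the hunk.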
diff --git a/config/outputs.tf b/config/outputs.tf
index e17ae68..3c4b93e 100644
--- a/config/outputs.tf
+++ b/config/outputs.tf
@@ -1,11 +1,11 @@
output "config_s3_bucket_arn" {
description = "S3 ARN for Config"
- value = aws_s3_bucket.config.arn
+ value = try(aws_s3_bucket.config[0].arn, null)
}
output "config_s3_bucket_id" {
description = "S3 ID for Config"
- value = aws_s3_bucket.config.id
+ value = try(aws_s3_bucket.config[0].id, null)
}
output "config_sns_topic_arn" {
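Review bot: These two outputs re-derive the bucket attributes instead of using the locals that main.tf now defines for exactly this purpose; `value = local.bucket_arn` and `value = local.bucket_id` would keep one definition of "null when the bucket is not created". The descriptions should also say so, since module callers see a null output for the first time with this change, e.g. `description = "S3 ARN for Config (null when create_s3_bucket is false)"` and the matching wording for the ID.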
diff --git a/config/s3.tf b/config/s3.tf
index 0fea855..27ef7d3 100644
--- a/config/s3.tf
+++ b/config/s3.tf
@@ -2,6 +2,7 @@
# s3
#---
resource "aws_s3_bucket" "config" {
+ count = var.create_s3_bucket ? 1 : 0
bucket = local.bucket_name
# acl = "private"
@@ -26,7 +27,8 @@ resource "aws_s3_bucket" "config" {
}
resource "aws_s3_bucket_public_access_block" "config" {
- bucket = aws_s3_bucket.config.id
+ count = var.create_s3_bucket ? 1 : 0
+ bucket = try(aws_s3_bucket.config[0].id, null)
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
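Review bot: The `try(..., null)` around `aws_s3_bucket.config[0].id` is redundant here and in the ownership_controls, server_side_encryption_configuration and versioning hunks below: each of those resources carries the same `count = var.create_s3_bucket ? 1 : 0`, so whenever an instance exists the bucket index is valid and the wrapper only hides real errors; `bucket = aws_s3_bucket.config[0].id` is enough. Because every hardening control in this file (public access block, ownership, SSE, versioning) is now skipped together with the bucket, the module no longer asserts those properties when create_s3_bucket is false, which deserves a comment above the bucket resource at the top of the file: `# When create_s3_bucket is false none of the bucket controls in this file are managed here; the externally supplied var.s3_bucket must already be hardened equivalently.`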
@@ -35,7 +37,8 @@ resource "aws_s3_bucket_public_access_block" "config" {
resource "aws_s3_bucket_ownership_controls" "config" {
- bucket = aws_s3_bucket.config.id
+ count = var.create_s3_bucket ? 1 : 0
+ bucket = try(aws_s3_bucket.config[0].id, null)
rule {
object_ownership = "BucketOwnerEnforced"
}
@@ -43,7 +46,7 @@ resource "aws_s3_bucket_ownership_controls" "config" {
resource "aws_s3_bucket_acl" "config" {
count = 0
- bucket = aws_s3_bucket.config.id
+ bucket = try(aws_s3_bucket.config[0].id, null)
acl = "private"
}
@@ -54,7 +57,8 @@ resource "aws_s3_bucket_acl" "config" {
## }
resource "aws_s3_bucket_server_side_encryption_configuration" "config" {
- bucket = aws_s3_bucket.config.id
+ count = var.create_s3_bucket ? 1 : 0
+ bucket = try(aws_s3_bucket.config[0].id, null)
rule {
apply_server_side_encryption_by_default {
sse_algorithm = var.use_kms_encryption ? "aws:kms" : "AES256"
@@ -64,7 +68,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "config" {
}
resource "aws_s3_bucket_versioning" "config" {
- bucket = aws_s3_bucket.config.id
+ count = var.create_s3_bucket ? 1 : 0
+ bucket = try(aws_s3_bucket.config[0].id, null)
versioning_configuration {
status = var.versioning_configuration
}
diff --git a/config/variables.tf b/config/variables.tf
index e888002..6505d99 100644
--- a/config/variables.tf
+++ b/config/variables.tf
@@ -4,11 +4,18 @@ variable "name" {
default = ""
}
-##variable "bucket_id" {
-## description = "Config S3 Bucket ID/Name"
-## type = string
-##}
-##
+variable "create_s3_bucket" {
+ description = "Flag to enable creating of config S3 Bucket for snapshots"
+ type = bool
+ defaut = true
+}
+
+variable "s3_bucket" {
+ description = "Config S3 Bucket to send Config snapshots"
+ type = string
+ defaut = null
+}
+
variable "enable_config_rules_standard" {
description = "Flag to enable|disable the standard set of config rules"
type = bool
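Review bot: Both new variable blocks spell the argument `defaut`, which Terraform rejects as an unsupported argument inside a `variable` block, so the module fails to validate; the generated README marking create_s3_bucket and s3_bucket as required (`n/a` / `yes`) is the same typo showing through terraform-docs. The lines should read `default = true` and `default = null`. The s3_bucket description should also state what the caller takes on when supplying an external bucket, e.g. `description = "Existing Config S3 bucket name for snapshots; it must allow AWS Config to write to it and its hardening is not managed by this module"`.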
@@ -44,3 +51,10 @@ variable "use_kms_encryption" {
type = bool
default = true
}
+
+variable "enable_rules" {
+ description = "Enable Config rules to be created in this module. Set to `false` to use Organization Config Rules."
+ type = bool
+ default = true
+}
+