From e1e116874c87f29849810e9b9cd8c2cf1827c75f Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 5 Feb 2025 11:48:35 -0500
Subject: [PATCH] config: add recorder_override_daily to allow specific resource to be recorded daily vs continously
---
 CHANGELOG.md | 4 ++++
 common/version.tf | 2 +-
 config/README.md | 3 ++-
 config/config.tf | 14 ++++++++++++++
 config/variables.tf | 6 ++++++
 5 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index abe0c6c..2e2901e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -391,3 +391,7 @@
 * 2.9.1 -- 2024-12-26
 - cloudtrail
 - move managed_policy_arns to aws_iam_role_policy_attachment due to deprecation
+
+* 2.10.0 -- 2025-02-05
+ - config
+ - add recorder_override_daily to allow specific resource to be recorded daily vs continously
diff --git a/common/version.tf b/common/version.tf
index d5903b2..a57e56b 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.9.1"
+ _module_version = "2.10.0"
 }
diff --git a/config/README.md b/config/README.md
index 2ee86f4..95a9d1b 100644
--- a/config/README.md
+++ b/config/README.md
@@ -206,13 +206,14 @@ No modules. | [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | | [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `false` | no | -| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms) | `map(map(string))` |
{
"kms": {},
"s3": {}
}
| no | +| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms) | `map(map(string))` |
{
"kms": {},
"s3": {}
}
| no | | [create\_s3\_bucket](#input\_create\_s3\_bucket) | Flag to enable creating of config S3 Bucket for snapshots | `bool` | `true` | no | | [enable\_config\_rules\_standard](#input\_enable\_config\_rules\_standard) | Flag to enable\|disable the standard set of config rules | `bool` | `true` | no | | [enable\_config\_rules\_stopped](#input\_enable\_config\_rules\_stopped) | Flag to enable\|disable EC2 stopped config rules | `bool` | `false` | no | | [enable\_rules](#input\_enable\_rules) | Enable Config rules to be created in this module. Set to `false` to use Organization Config Rules. | `bool` | `true` | no | | [name](#input\_name) | Config resource name prefix used for all resources | `string` | `""` | no | | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [recorder\_override\_daily](#input\_recorder\_override\_daily) | Resource type to record daily instead of continuous | `list(string)` | `[]` | no | | [s3\_bucket](#input\_s3\_bucket) | Config S3 Bucket to send Config snapshots | `string` | `null` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | | [use\_kms\_encryption](#input\_use\_kms\_encryption) | Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access | `bool` | `true` | no |
diff --git a/config/config.tf b/config/config.tf
index 96d0a3e..cb54c27 100644
--- a/config/config.tf
+++ b/config/config.tf
@@ -11,6 +11,20 @@ resource "aws_config_configuration_recorder" "config" {
 include_global_resource_types = true
 all_supported = true
 }
+
+ dynamic "recording_mode" {
+ for_each = length(var.recorder_override_daily) > 0 ? { 1 = 1 } : {}
+ iterator = x
+ content {
+ recording_frequency = "CONTINUOUS"
+
+ recording_mode_override {
+ description = "Record specific resources daily"
+ resource_types = var.recorder_override_daily
+ recording_frequency = "DAILY"
+ }
+ }
+ }
 }
 
 resource "aws_config_configuration_recorder_status" "config" {
diff --git a/config/variables.tf b/config/variables.tf
index feaa711..7415b2a 100644
--- a/config/variables.tf
+++ b/config/variables.tf
@@ -58,3 +58,9 @@ variable "enable_rules" {
 default = true
 }
 
+variable "recorder_override_daily" {
+ description = "Resource type to record daily instead of continuous"
+ type = list(string)
+ default = []
+}
+
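Review bot: In `config/config.tf`, the new `recording_mode_override` lowers recording fidelity for every type in `var.recorder_override_daily`, and nothing near the block says what that costs. With `DAILY`, AWS Config delivers at most one configuration item per 24 hours for a listed type, so a change that is made and reverted inside that window is not recorded and change-triggered rules see the resource late. I would add a comment above the dynamic block, for example `# DAILY keeps one configuration item per 24h for these types; keep IAM, security-group and other security-relevant types on CONTINUOUS`. On style, `iterator = x` is never referenced inside `content` and can be dropped, and the on/off toggle is more commonly written `for_each = length(var.recorder_override_daily) > 0 ? [1] : []`. The resource block opens before the hunk, and the module's provider version constraint is not visible here, so it is worth confirming that it requires a provider release that supports `recording_mode`.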
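Review bot: In `config/variables.tf`, `recorder_override_daily` accepts any list of strings, so a mistyped or empty entry is presumably only rejected by the AWS API at apply time. A `validation` block that checks each entry against the `AWS::<Service>::<Type>` shape, as sketched below, would move that failure to plan time. The description could also state the trade-off, e.g. `List of resource types (such as AWS::EC2::Volume) recorded DAILY instead of CONTINUOUS; listed types lose intermediate change history`.

```hcl
variable "recorder_override_daily" {
  # … unchanged: description, type, default …
  validation {
    condition = alltrue([
      for t in var.recorder_override_daily : can(regex("^AWS::[A-Za-z0-9]+::[A-Za-z0-9]+$", t))
    ])
    error_message = "Each entry must be an AWS Config resource type, for example AWS::EC2::Volume."
  }
}
```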