Merge pull request #45 from smelchior/master
Add an option to add tags and return role for AWS config
Michael Kania authored Mar 30, 2020
2 parents 533ff51 + d65d9f8 commit 09a8e0e
Showing 8 changed files with 74 additions and 0 deletions.
2 changes: 2 additions & 0 deletions README.md
@@ -136,11 +136,13 @@ module "aws_config" {
| password\_reuse\_prevention | Number of passwords before allowing reuse. | `number` | `24` | no |
| required\_tags | A map of required resource tags. Format is tagNKey, tagNValue, where N is int. Values are optional. | `map(string)` | `{}` | no |
| required\_tags\_resource\_types | Resource types to check for tags. | `list(string)` | `[]` | no |
| tags | tags to apply to the creates resources. | `map(string)` | `{}` | no |

## Outputs

| Name | Description |
|------|-------------|
| aws\_config\_role\_arn | The ARN of the AWS config role. |
| required\_tags\_rule\_arn | The ARN of the required-tags config rule. |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
1 change: 1 addition & 0 deletions config-aggregator.tf
@@ -18,6 +18,7 @@ data "aws_iam_policy_document" "aws_config_aggregator_role_policy" {
resource "aws_iam_role" "aggregator" {
count = var.aggregate_organization ? 1 : 0
name = "${var.config_name}-aggregator-role"
tags = var.tags
assume_role_policy = data.aws_iam_policy_document.aws_config_aggregator_role_policy.json
}

50 changes: 50 additions & 0 deletions config-rules.tf
@@ -48,6 +48,8 @@ resource "aws_config_config_rule" "iam-password-policy" {

maximum_execution_frequency = var.config_max_execution_frequency

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -63,6 +65,8 @@ resource "aws_config_config_rule" "cloudtrail-enabled" {

maximum_execution_frequency = var.config_max_execution_frequency

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -78,6 +82,8 @@ resource "aws_config_config_rule" "multi-region-cloud-trail-enabled" {

maximum_execution_frequency = var.config_max_execution_frequency

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -93,6 +99,8 @@ resource "aws_config_config_rule" "cloud-trail-encryption-enabled" {

maximum_execution_frequency = var.config_max_execution_frequency

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -108,6 +116,8 @@ resource "aws_config_config_rule" "cloud-trail-log-file-validation-enabled" {

maximum_execution_frequency = var.config_max_execution_frequency

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -121,6 +131,8 @@ resource "aws_config_config_rule" "instances-in-vpc" {
source_identifier = "INSTANCES_IN_VPC"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -136,6 +148,8 @@ resource "aws_config_config_rule" "root-account-mfa-enabled" {

maximum_execution_frequency = var.config_max_execution_frequency

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -152,6 +166,8 @@ resource "aws_config_config_rule" "acm-certificate-expiration-check" {

maximum_execution_frequency = var.config_max_execution_frequency

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -165,6 +181,8 @@ resource "aws_config_config_rule" "ec2-volume-inuse-check" {
source_identifier = "EC2_VOLUME_INUSE_CHECK"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -178,6 +196,8 @@ resource "aws_config_config_rule" "ebs_snapshot_public_restorable" {
source_identifier = "EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -191,6 +211,8 @@ resource "aws_config_config_rule" "iam-user-no-policies-check" {
source_identifier = "IAM_USER_NO_POLICIES_CHECK"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -204,6 +226,8 @@ resource "aws_config_config_rule" "iam-group-has-users-check" {
source_identifier = "IAM_GROUP_HAS_USERS_CHECK"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -217,6 +241,8 @@ resource "aws_config_config_rule" "rds-storage-encrypted" {
source_identifier = "RDS_STORAGE_ENCRYPTED"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -230,6 +256,8 @@ resource "aws_config_config_rule" "rds-instance-public-access-check" {
source_identifier = "RDS_INSTANCE_PUBLIC_ACCESS_CHECK"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -243,6 +271,8 @@ resource "aws_config_config_rule" "rds-snapshots-public-prohibited" {
source_identifier = "RDS_SNAPSHOTS_PUBLIC_PROHIBITED"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -258,6 +288,8 @@ resource "aws_config_config_rule" "guardduty-enabled-centralized" {

maximum_execution_frequency = var.config_max_execution_frequency

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -271,6 +303,8 @@ resource "aws_config_config_rule" "s3-bucket-public-write-prohibited" {
source_identifier = "S3_BUCKET_PUBLIC_WRITE_PROHIBITED"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -284,6 +318,8 @@ resource "aws_config_config_rule" "eip_attached" {
source_identifier = "EIP_ATTACHED"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -303,6 +339,8 @@ resource "aws_config_config_rule" "required-tags" {
source_identifier = "REQUIRED_TAGS"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -317,6 +355,8 @@ resource "aws_config_config_rule" "approved-amis-by-tag" {
source_identifier = "APPROVED_AMIS_BY_TAG"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -330,6 +370,8 @@ resource "aws_config_config_rule" "ec2-encrypted-volumes" {
source_identifier = "ENCRYPTED_VOLUMES"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -344,6 +386,8 @@ resource "aws_config_config_rule" "cloudwatch_log_group_encrypted" {
source_identifier = "CLOUDWATCH_LOG_GROUP_ENCRYPTED"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -358,6 +402,8 @@ resource "aws_config_config_rule" "iam_root_access_key" {
source_identifier = "IAM_ROOT_ACCESS_KEY_CHECK"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -372,6 +418,8 @@ resource "aws_config_config_rule" "vpc_default_security_group_closed" {
source_identifier = "VPC_DEFAULT_SECURITY_GROUP_CLOSED"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}

@@ -386,5 +434,7 @@ resource "aws_config_config_rule" "s3_bucket_ssl_requests_only" {
source_identifier = "S3_BUCKET_SSL_REQUESTS_ONLY"
}

tags = var.tags

depends_on = [aws_config_configuration_recorder.main]
}
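Review bot: `tags = var.tags` on `aws_config_config_rule` only validates against an AWS provider release that exposes the `tags` argument on that resource, and the module's provider version constraint is not part of this diff, so the minimum `aws` provider version the module declares should be checked (and raised if it predates that support) — otherwise `terraform validate` rejects every rule with an unsupported-argument error. The same applies to all 25 hunks in this file, to the two `aws_iam_role` resources in config-aggregator.tf and iam.tf, and cannot be confirmed from the lines shown here. Each hunk's enclosing `resource` block starts outside the hunk.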
5 changes: 5 additions & 0 deletions examples/required-tags/main.tf
@@ -28,4 +28,9 @@ module "config" {
tag2Key = "Environment"
tag3Value = "Terratest"
}

tags = {
"Automation" = "Terraform"
"Name" = var.config_name
}
}
5 changes: 5 additions & 0 deletions examples/simple/main.tf
@@ -19,4 +19,9 @@ module "config" {
config_name = var.config_name
config_logs_bucket = module.config_logs.aws_logs_bucket
config_logs_prefix = "config"

tags = {
"Automation" = "Terraform"
"Name" = var.config_name
}
}
1 change: 1 addition & 0 deletions iam.tf
@@ -69,6 +69,7 @@ data "aws_iam_policy_document" "aws-config-role-policy" {
resource "aws_iam_role" "main" {
name = "${var.config_name}-role"
assume_role_policy = data.aws_iam_policy_document.aws-config-role-policy.json
tags = var.tags
}

resource "aws_iam_role_policy_attachment" "managed-policy" {
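Review bot: Tags on `aws_iam_role.main` are not purely cosmetic: IAM evaluates role tags in `aws:ResourceTag`/`iam:ResourceTag` condition keys, so a caller-supplied `var.tags` map now feeds any tag-based policies (including `iam:PassRole` conditions) that govern this role, and that is worth a line in the resource. Suggest `# Role tags participate in ABAC conditions (aws:ResourceTag); keep var.tags free of keys used in policy conditions.` above the `tags` line. The placement is also inconsistent with config-aggregator.tf, where `tags` sits before `assume_role_policy`; either order works, but pick one for both roles.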
4 changes: 4 additions & 0 deletions outputs.tf
@@ -3,3 +3,7 @@ output "required_tags_rule_arn" {
value = concat(aws_config_config_rule.required-tags.*.arn, [""])[0]
}

output "aws_config_role_arn" {
description = "The ARN of the AWS config role."
value = aws_iam_role.main.arn
}
6 changes: 6 additions & 0 deletions variables.tf
@@ -254,3 +254,9 @@ variable "check_s3_bucket_ssl_requests_only" {
type = bool
default = true
}

variable "tags" {
description = "tags to apply to the creates resources."
type = map(string)
default = {}
}
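Review bot: The description on the new `tags` variable reads "tags to apply to the creates resources." — `creates` should be `created`, and since the pre-commit docs hook copies this string into the README inputs table, fixing it here fixes the README row as well. Suggest `description = "Tags to apply to the created resources."`.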
