From 9d8dcf9908740b0d2e29c5506d5e2bd2907cb7d7 Mon Sep 17 00:00:00 2001
From: Sebastian Melchior <801781+smelchior@users.noreply.github.com>
Date: Mon, 23 Mar 2020 12:43:56 +0100
Subject: [PATCH 1/3] Add an option to add tags and return role for AWS config
---
 config-aggregator.tf | 1 +
 config-rules.tf | 48 ++++++++++++++++++++++++++++++++++++++++++++
 iam.tf | 1 +
 outputs.tf | 4 ++++
 variables.tf | 6 ++++++
 5 files changed, 60 insertions(+)
diff --git a/config-aggregator.tf b/config-aggregator.tf
index 2a1d64e..aec9bf5 100644
--- a/config-aggregator.tf
+++ b/config-aggregator.tf
@@ -18,6 +18,7 @@ data "aws_iam_policy_document" "aws_config_aggregator_role_policy" { resource "aws_iam_role" "aggregator" { count = var.aggregate_organization ? 1 : 0 name = "${var.config_name}-aggregator-role" + tags = var.tags assume_role_policy = data.aws_iam_policy_document.aws_config_aggregator_role_policy.json }
diff --git a/config-rules.tf b/config-rules.tf
index 6f8a6a2..b7c00ef 100644
--- a/config-rules.tf
+++ b/config-rules.tf
@@ -48,6 +48,8 @@ resource "aws_config_config_rule" "iam-password-policy" { maximum_execution_frequency = var.config_max_execution_frequency + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -63,6 +65,8 @@ resource "aws_config_config_rule" "cloudtrail-enabled" { maximum_execution_frequency = var.config_max_execution_frequency + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -78,6 +82,8 @@ resource "aws_config_config_rule" "multi-region-cloud-trail-enabled" { maximum_execution_frequency = var.config_max_execution_frequency + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -93,6 +99,8 @@ resource "aws_config_config_rule" "cloud-trail-encryption-enabled" { maximum_execution_frequency = var.config_max_execution_frequency + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
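Review bot: var.tags reaches aws_iam_role.aggregator here but nothing in this series touches the module's aws_config_configuration_aggregator resource, which is presumably declared in this same file outside the hunk and which also accepts a tags argument. If that resource exists, tag-based inventory and cost attribution would cover the aggregator's role but not the aggregator itself, so add `tags = var.tags` to it as well so the variable's coverage matches what the variable promises. The aws_iam_role.aggregator block is complete within the hunk; the rest of the file is not visible here.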
@@ -121,6 +129,8 @@ resource "aws_config_config_rule" "instances-in-vpc" { source_identifier = "INSTANCES_IN_VPC" } + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -136,6 +146,8 @@ resource "aws_config_config_rule" "root-account-mfa-enabled" { maximum_execution_frequency = var.config_max_execution_frequency + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -152,6 +164,8 @@ resource "aws_config_config_rule" "acm-certificate-expiration-check" { maximum_execution_frequency = var.config_max_execution_frequency + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -165,6 +179,8 @@ resource "aws_config_config_rule" "ec2-volume-inuse-check" { source_identifier = "EC2_VOLUME_INUSE_CHECK" } + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -178,6 +194,8 @@ resource "aws_config_config_rule" "ebs_snapshot_public_restorable" { source_identifier = "EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK" } + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -191,6 +209,8 @@ resource "aws_config_config_rule" "iam-user-no-policies-check" { source_identifier = "IAM_USER_NO_POLICIES_CHECK" } + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -204,6 +224,8 @@ resource "aws_config_config_rule" "iam-group-has-users-check" { source_identifier = "IAM_GROUP_HAS_USERS_CHECK" } + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -217,6 +239,8 @@ resource "aws_config_config_rule" "rds-storage-encrypted" { source_identifier = "RDS_STORAGE_ENCRYPTED" } + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -230,6 +254,8 @@ resource "aws_config_config_rule" "rds-instance-public-access-check" { source_identifier = "RDS_INSTANCE_PUBLIC_ACCESS_CHECK" } + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -243,6 +269,8 @@ resource "aws_config_config_rule" "rds-snapshots-public-prohibited" { source_identifier = "RDS_SNAPSHOTS_PUBLIC_PROHIBITED" } + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -258,6 +286,8 @@ resource "aws_config_config_rule" "guardduty-enabled-centralized" { maximum_execution_frequency = var.config_max_execution_frequency + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -271,6 +301,8 @@ resource "aws_config_config_rule" "s3-bucket-public-write-prohibited" { source_identifier = "S3_BUCKET_PUBLIC_WRITE_PROHIBITED" } + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -284,6 +316,8 @@ resource "aws_config_config_rule" "eip_attached" { source_identifier = "EIP_ATTACHED" } + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -303,6 +337,8 @@ resource "aws_config_config_rule" "required-tags" { source_identifier = "REQUIRED_TAGS" } + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -317,6 +353,8 @@ resource "aws_config_config_rule" "approved-amis-by-tag" { source_identifier = "APPROVED_AMIS_BY_TAG" } + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -330,6 +368,8 @@ resource "aws_config_config_rule" "ec2-encrypted-volumes" { source_identifier = "ENCRYPTED_VOLUMES" } + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -344,6 +384,8 @@ resource "aws_config_config_rule" "cloudwatch_log_group_encrypted" { source_identifier = "CLOUDWATCH_LOG_GROUP_ENCRYPTED" } + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -358,6 +400,8 @@ resource "aws_config_config_rule" "iam_root_access_key" { source_identifier = "IAM_ROOT_ACCESS_KEY_CHECK" } + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -372,6 +416,8 @@ resource "aws_config_config_rule" "vpc_default_security_group_closed" { source_identifier = "VPC_DEFAULT_SECURITY_GROUP_CLOSED" } + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
@@ -386,5 +432,7 @@ resource "aws_config_config_rule" "s3_bucket_ssl_requests_only" { source_identifier = "S3_BUCKET_SSL_REQUESTS_ONLY" } + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
diff --git a/iam.tf b/iam.tf
index 5f95e3f..46debf9 100644
--- a/iam.tf
+++ b/iam.tf
@@ -69,6 +69,7 @@ data "aws_iam_policy_document" "aws-config-role-policy" { resource "aws_iam_role" "main" { name = "${var.config_name}-role" assume_role_policy = data.aws_iam_policy_document.aws-config-role-policy.json + tags = var.tags } resource "aws_iam_role_policy_attachment" "managed-policy" {
diff --git a/outputs.tf b/outputs.tf
index 4831d0e..7d6ded1 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -3,3 +3,7 @@ output "required_tags_rule_arn" { value = concat(aws_config_config_rule.required-tags.*.arn, [""])[0] } +output "aws_config_role_arn" { + description = "The ARN of the AWS config role." + value = aws_iam_role.main.arn +}
diff --git a/variables.tf b/variables.tf
index 6acd4f3..7179120 100644
--- a/variables.tf
+++ b/variables.tf
@@ -254,3 +254,9 @@ variable "check_s3_bucket_ssl_requests_only" { type = bool default = true } + +variable "tags" { + description = "tags to apply to the creates resources." + type = map(string) + default = {} +}
From 1a0c8e42bfae62ecbfaed4aee50e78a17dd9afd2 Mon Sep 17 00:00:00 2001
From: Sebastian Melchior <801781+smelchior@users.noreply.github.com>
Date: Mon, 30 Mar 2020 11:58:17 +0200
Subject: [PATCH 2/3] fix readme and missing tag
---
 README.md | 2 ++
 config-rules.tf | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/README.md b/README.md
index c447db6..69e50e7 100644
--- a/README.md
+++ b/README.md
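Review bot: Attaching caller-supplied tags to aws_iam_role.main has an authorization side effect that deserves a comment in the iam.tf hunk: IAM evaluates tag-based conditions on roles (`aws:ResourceTag` for sts:AssumeRole, `iam:ResourceTag` for iam:* actions), so whatever keys a consumer passes in var.tags can start matching their existing ABAC policies for this role, and likewise for aws_iam_role.aggregator in config-aggregator.tf. Suggest a line above the new attribute such as `# var.tags is applied to this role too, so its keys are visible to tag-based IAM conditions (aws:ResourceTag / iam:ResourceTag)`. The role block is complete within the hunk; the aws_iam_role_policy_attachment that follows is only context.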
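Review bot: The description of the new `tags` variable in the variables.tf hunk reads "tags to apply to the creates resources." — "creates" should be "created", and the same text is copied verbatim into the README inputs table in the second patch, so both places need the fix; suggest `description = "Tags to apply to the created resources."`. It would also help consumers to state that the map is attached to the module's IAM roles (iam.tf, config-aggregator.tf) and not only to the config rules, since the variable name alone does not suggest that roles are tagged.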
@@ -136,11 +136,13 @@ module "aws_config" { | password\_reuse\_prevention | Number of passwords before allowing reuse. | `number` | `24` | no | | required\_tags | A map of required resource tags. Format is tagNKey, tagNValue, where N is int. Values are optional. | `map(string)` | `{}` | no | | required\_tags\_resource\_types | Resource types to check for tags. | `list(string)` | `[]` | no | +| tags | tags to apply to the creates resources. | `map(string)` | `{}` | no | ## Outputs | Name | Description | |------|-------------| +| aws\_config\_role\_arn | The ARN of the AWS config role. | | required\_tags\_rule\_arn | The ARN of the required-tags config rule. |
diff --git a/config-rules.tf b/config-rules.tf
index b7c00ef..a77af6f 100644
--- a/config-rules.tf
+++ b/config-rules.tf
@@ -116,6 +116,8 @@ resource "aws_config_config_rule" "cloud-trail-log-file-validation-enabled" { maximum_execution_frequency = var.config_max_execution_frequency + tags = var.tags + depends_on = [aws_config_configuration_recorder.main] }
From d65d9f8d8838fc8aafd34925ab94f448267137dd Mon Sep 17 00:00:00 2001
From: Michael Kania
Date: Mon, 30 Mar 2020 09:06:42 -0700
Subject: [PATCH 3/3] add tags to tests
---
 examples/required-tags/main.tf | 5 +++++
 examples/simple/main.tf | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/examples/required-tags/main.tf b/examples/required-tags/main.tf
index b147a18..980ec15 100644
--- a/examples/required-tags/main.tf
+++ b/examples/required-tags/main.tf
@@ -28,4 +28,9 @@ module "config" { tag2Key = "Environment" tag3Value = "Terratest" } + + tags = { + "Automation" = "Terraform" + "Name" = var.config_name + } }
diff --git a/examples/simple/main.tf b/examples/simple/main.tf
index e3518d6..a02974b 100644
--- a/examples/simple/main.tf
+++ b/examples/simple/main.tf
@@ -19,4 +19,9 @@ module "config" { config_name = var.config_name config_logs_bucket = module.config_logs.aws_logs_bucket config_logs_prefix = "config" + + tags = { + "Automation" = "Terraform" + "Name" = var.config_name + } }