mirror of
https://github.com/inspec/inspec
synced 2024-12-19 01:23:50 +00:00
8934352935
* Update tests and docs to assume one recorder per region * Config recorder supports singleton fetch * Docs and tests for singleton mode delivery_channel * Implementation for singleton delivery channel, and some other code cleanup * Implement some feedback, and fix a bug in traversing the struct in looking for empty results Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
113 lines
3.2 KiB
HCL
113 lines
3.2 KiB
HCL
#======================================================#
|
|
# Configuration Recorder
|
|
#======================================================#
|
|
|
|
resource "aws_config_configuration_recorder" "config_recorder" {
|
|
name = "config_recorder"
|
|
role_arn = "${aws_iam_role.role_for_config_recorder.arn}"
|
|
}
|
|
|
|
resource "aws_iam_role" "role_for_config_recorder" {
|
|
name = "role_for_config_recorder"
|
|
|
|
assume_role_policy = <<POLICY
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Action": "sts:AssumeRole",
|
|
"Principal": {
|
|
"Service": "config.amazonaws.com"
|
|
},
|
|
"Effect": "Allow",
|
|
"Sid": ""
|
|
}
|
|
]
|
|
}
|
|
POLICY
|
|
}
|
|
|
|
output "role_for_config_recorder_arn" {
|
|
value = "${aws_iam_role.role_for_config_recorder.arn}"
|
|
}
|
|
|
|
output "config_recorder_name" {
|
|
value = "${aws_config_configuration_recorder.config_recorder.name}"
|
|
}
|
|
|
|
#======================================================#
|
|
# Configuration Delivery Channel
|
|
#======================================================#
|
|
|
|
# Note that since AWS accounts can only have one Config Recorder,
|
|
# we have to re-use it here (as well as its role).
|
|
|
|
resource "aws_config_delivery_channel" "delivery_channel_01" {
|
|
name = "delivery_channel_01"
|
|
s3_bucket_name = "${aws_s3_bucket.bucket_for_delivery_channel.bucket}"
|
|
depends_on = ["aws_config_configuration_recorder.config_recorder"]
|
|
sns_topic_arn = "${aws_sns_topic.sns_topic_for_delivery_channel.arn}"
|
|
|
|
snapshot_delivery_properties = {
|
|
delivery_frequency = "TwentyFour_Hours"
|
|
}
|
|
}
|
|
|
|
output "delivery_channel_01_name" {
|
|
value = "${aws_config_delivery_channel.delivery_channel_01.id}"
|
|
}
|
|
|
|
output "config_recorder_for_delivery_channel_role_arn" {
|
|
value = "${aws_iam_role.role_for_config_recorder.arn}"
|
|
}
|
|
|
|
#======================================================#
|
|
# IAM Roles
|
|
#======================================================#
|
|
|
|
resource "aws_iam_role_policy" "policy_for_delivery_channel" {
|
|
name = "policy_for_delivery_channel"
|
|
role = "${aws_iam_role.role_for_config_recorder.id}"
|
|
|
|
policy = <<POLICY
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Action": [
|
|
"s3:*"
|
|
],
|
|
"Effect": "Allow",
|
|
"Resource": [
|
|
"${aws_s3_bucket.bucket_for_delivery_channel.arn}",
|
|
"${aws_s3_bucket.bucket_for_delivery_channel.arn}/*"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
POLICY
|
|
}
|
|
|
|
#=================================================================#
|
|
# Config S3 Buckets
|
|
#=================================================================#
|
|
resource "aws_s3_bucket" "bucket_for_delivery_channel" {
|
|
bucket = "inspec-bucket-for-delivery-channel-${terraform.env}.chef.io"
|
|
acl = "public-read"
|
|
force_destroy = true
|
|
}
|
|
|
|
output "s3_bucket_for_delivery_channel_name" {
|
|
value = "${aws_s3_bucket.bucket_for_delivery_channel.id}"
|
|
}
|
|
|
|
#===========================================================================#
|
|
# SNS Topic
|
|
#===========================================================================#
|
|
resource "aws_sns_topic" "sns_topic_for_delivery_channel" {
|
|
name = "${terraform.env}-sns_topic_for_delivery_channel"
|
|
}
|
|
|
|
output "sns_topic_for_delivery_channel_arn" {
|
|
value = "${aws_sns_topic.sns_topic_for_delivery_channel.arn}"
|
|
}
|