Mirrors/inspec
2
0
Fork 0
mirror of https://github.com/inspec/inspec synced 2024-12-21 10:33:23 +00:00
Code Issues Projects Releases Packages Wiki Activity
inspec/test/integration/aws/default/build/config.tf
Matthew Dromazos 0cbe5b60e5 New Skeletal Resource aws_config_delivery_channel (#2641) 
* Initial commit of new skeletal resource aws_config_delivery_channel
* Changes delivery_frequency to be an integer and names delivery_frequency_in_hours
* Adds more documentation and clarifies descriptions
* Wraps API call in the aws_catch_errors function
* Changes config bucket name to use dashes instead of underscores
* Updates on master and changes directory location of build and integration files
* Fix integration tests to only create one ConfigRecorder

Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu>
2018-03-26 14:03:23 -04:00

113 lines
3.2 KiB
HCL
Raw Blame History

#======================================================#
# Configuration Recorder
#======================================================#
resource "aws_config_configuration_recorder" "config_recorder" {
name = "config_recorder"
role_arn = "${aws_iam_role.role_for_config_recorder.arn}"
}
resource "aws_iam_role" "role_for_config_recorder" {
name = "role_for_config_recorder"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "config.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
POLICY
}
output "role_for_config_recorder_arn" {
value = "${aws_iam_role.role_for_config_recorder.arn}"
}
output "config_recorder_name" {
value = "${aws_config_configuration_recorder.config_recorder.name}"
}
#======================================================#
# Configuration Delivery Channel
#======================================================#
# Note that since AWS accounts can only have one Config Recorder,
# we have to re-use it here (as well as its role).
resource "aws_config_delivery_channel" "delivery_channel_01" {
name = "delivery_channel_01"
s3_bucket_name = "${aws_s3_bucket.bucket_for_delivery_channel.bucket}"
depends_on = ["aws_config_configuration_recorder.config_recorder"]
sns_topic_arn = "${aws_sns_topic.sns_topic_for_delivery_channel.arn}"
snapshot_delivery_properties = {
delivery_frequency = "TwentyFour_Hours"
}
}
output "delivery_channel_01" {
value = "${aws_config_delivery_channel.delivery_channel_01.id}"
}
output "config_recorder_for_delivery_channel_role_arn" {
value = "${aws_iam_role.role_for_config_recorder.arn}"
}
#======================================================#
# IAM Roles
#======================================================#
resource "aws_iam_role_policy" "policy_for_delivery_channel" {
name = "policy_for_delivery_channel"
role = "${aws_iam_role.role_for_config_recorder.id}"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"${aws_s3_bucket.bucket_for_delivery_channel.arn}",
"${aws_s3_bucket.bucket_for_delivery_channel.arn}/*"
]
}
]
}
POLICY
}
#=================================================================#
# Config S3 Buckets
#=================================================================#
resource "aws_s3_bucket" "bucket_for_delivery_channel" {
bucket = "inspec-bucket-for-delivery-channel-${terraform.env}.chef.io"
acl = "public-read"
force_destroy = true
}
output "s3_bucket_for_delivery_channel" {
value = "${aws_s3_bucket.bucket_for_delivery_channel.id}"
}
#===========================================================================#
# SNS Topic
#===========================================================================#
resource "aws_sns_topic" "sns_topic_for_delivery_channel" {
name = "${terraform.env}-sns_topic_for_delivery_channel"
}
output "sns_topic_for_delivery_channel_arn" {
value = "${aws_sns_topic.sns_topic_for_delivery_channel.arn}"
}
Reference in a new issue View git blame Copy permalink