This repository was archived by the owner on May 3, 2023. It is now read-only.
- Notifications
You must be signed in to change notification settings - Fork4
Terraform AWS Config module
License
NotificationsYou must be signed in to change notification settings
cmdlabs/terraform-aws-config
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
AWS Config catpures point in time snapshots of the environment to allow for point in time review of configuration. Additionally AWS Config can be utilised for automated action using AWS Config rules.
NOTE: Currently only supports AWS owned / managed rules -http://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
Terraform >= 0.12.6 is required for this module.
Terraform AWS Config automation includes use of the following core Terraform resources:
aws_config_aggregate_authorization- Manages an AWS Config Aggregate Authorization.aws_config_configuration_aggregator- Manages an AWS Config Configuration Aggregator.aws_config_config_rule- Provides an AWS Config Rule.aws_config_configuration_recorder_status- Manages status (recording / stopped) of an AWS Config Configuration Recorder.aws_config_configuration_recorder- Provides an AWS Config Configuration Recorder.aws_config_delivery_channel- Provides an AWS Config Delivery Channel.
The below outlines the current parameters and defaults.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| delivery_frequency | The frequency with which AWS Config recurringly delivers configuration snapshots. May be one of One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours | string | TwentyFour_Hours | No |
| enable_recorder | Whether the configuration recorder should be enabled or disabled | bool | true | No |
| expiration | The number of days to wait before expiring an object | number | 2555 | No |
| transition_to_glacier | The number of days to wait before transitioning an object to Glacier | number | 30 | No |
| is_aggregator | Whether the account is to be an aggregator or not | bool | false | No |
| aggregator_account_id | The AWS Account ID of the aggregator account | string | null | No |
| aggregator_account_region | The AWS Region of the aggregator account | string | null | No |
| source_account_ids | List of 12-digit account IDs of the accounts being aggregated | list(string) | [] | No |
| bucket_name | The bucket name - required by both aggregator and source accounts | string | "" | Yes |
| config_rules | A list of config rules. By not specifying, a minimum set of recommended rules are applied | map(any) | (map) | No |
| Name | Description |
|---|---|
| bucket | The bucket name that config writes output to |
| bucket_arn | The bucket ARN that config writes output to |
| delivery_channel_id | The name of the delivery channel |
| recorder_id | Name of the recorder |
| topic_arn | The ARN of the SNS topic AWS Config writes events to |
A Config account configured as an Aggregator:
variable"aggregator_account_id" {}variable"source_account_id" {}variable"bucket_name" {}module"aggregator" {source="git@github.com:cmdlabs/terraform-aws-config.git"is_aggregator=trueaggregator_account_id=var.aggregator_account_idaggregator_account_region="ap-southeast-2"source_account_ids=[var.source_account_id]bucket_name=var.bucket_name}
To apply that:
▶ export TF_VAR_bucket_name=config-bucket-"$(uuidgen | tr 'A-Z' 'a-z')" # bucket name must be globally unique▶ TF_VAR_aggregator_account_id=xxxxxxxxxxxx TF_VAR_source_account_id=yyyyyyyyyyyy terraform applyThen a Config Source that points to its S3 bucket:
variable"bucket_name" {}module"source" {source="git@github.com:cmdlabs/terraform-aws-config.git"is_aggregator=falsebucket_name=var.bucket_name}
To apply that:
# $TF_VAR_bucket_name set from above.▶ terraform applyApache 2.0.