Revert "Fix: Critical SecurityHub finding Config.1 (#6766, PR #6836)"

This reverts commit 9577999, reversing changes made to aa72f61.
DataBiosphere · Jan 24, 2025 · b35d598 · b35d598
1 parent 9577999
commit b35d598
Showing 1 changed file with 41 additions and 4 deletions.
diff --git a/terraform/shared/shared.tf.json.template.py b/terraform/shared/shared.tf.json.template.py
@@ -614,6 +614,23 @@ def conformance_pack(name: str) -> str:
                     }
                 )
             },
+            'aws_config': {
+                'name': 'azul-aws_config',
+                'assume_role_policy': json.dumps(
+                    {
+                        'Version': '2012-10-17',
+                        'Statement': [
+                            {
+                                'Action': 'sts:AssumeRole',
+                                'Effect': 'Allow',
+                                'Principal': {
+                                    'Service': 'config.amazonaws.com'
+                                }
+                            }
+                        ]
+                    }
+                )
+            },
             'trail': {
                 'name': config.qualified_resource_name('trail'),
                 'assume_role_policy': json.dumps(
@@ -693,6 +710,25 @@ def conformance_pack(name: str) -> str:
                     ]
                 })
             },
+            'aws_config': {
+                'name': 'azul-aws_config',
+                'role': '${aws_iam_role.aws_config.id}',
+                'policy': json.dumps({
+                    'Version': '2012-10-17',
+                    'Statement': [
+                        {
+                            'Action': [
+                                's3:*'
+                            ],
+                            'Effect': 'Allow',
+                            'Resource': [
+                                '${aws_s3_bucket.aws_config.arn}',
+                                '${aws_s3_bucket.aws_config.arn}/*'
+                            ]
+                        }
+                    ]
+                })
+            },
             'trail': {
                 'name': config.qualified_resource_name('trail'),
                 'role': '${aws_iam_role.trail.id}',
@@ -768,9 +804,6 @@ def conformance_pack(name: str) -> str:
         'aws_iam_service_linked_role': {
             'opensearch': {
                 'aws_service_name': 'opensearchservice.amazonaws.com'
-            },
-            'aws_config': {
-                'aws_service_name': 'config.amazonaws.com'
             }
         },
         'aws_api_gateway_account': {
@@ -781,7 +814,7 @@ def conformance_pack(name: str) -> str:
         'aws_config_configuration_recorder': {
             'shared': {
                 'name': config.qualified_resource_name(config.aws_config_term),
-                'role_arn': '${aws_iam_service_linked_role.aws_config.arn}',
+                'role_arn': '${aws_iam_role.aws_config.arn}',
                 'recording_group': {
                     'all_supported': True,
                     'include_global_resource_types': True
@@ -805,6 +838,10 @@ def conformance_pack(name: str) -> str:
             }
         },
         'aws_iam_role_policy_attachment': {
+            'aws_config': {
+                'role': '${aws_iam_role.aws_config.name}',
+                'policy_arn': 'arn:aws:iam::aws:policy/service-role/AWS_ConfigRole'
+            },
             **{
                 f'support_{i}': {
                     'role': '${data.aws_iam_role.support_%s.name}' % i,