Refactors config module for modern aws/terraform and all resource opt…

…ions

main.tf

@@ -1,107 +1,55 @@
 resource "aws_config_configuration_recorder" "this" {
-  name     = var.name
-  role_arn = local.create_iam_role ? aws_iam_role.this[0].arn : var.iam_role_arn
-
-  recording_group {
-    all_supported                 = local.record_all
-    include_global_resource_types = local.record_all
-    resource_types                = local.record_all ? [] : local.resource_types
+  name     = var.config.configuration_recorder.name
+  role_arn = aws_iam_service_linked_role.config.arn
+
+  dynamic "recording_group" {
+    for_each = var.config.configuration_recorder.recording_group != null ? [var.config.configuration_recorder.recording_group] : []
+    content {
+      all_supported                 = recording_group.value.all_supported
+      include_global_resource_types = recording_group.value.include_global_resource_types
+      resource_types                = recording_group.value.resource_types
+
+      dynamic "exclusion_by_resource_types" {
+        for_each = recording_group.value.exclusion_by_resource_types != null ? [recording_group.value.exclusion_by_resource_types] : []
+        content {
+          resource_types = exclusion_by_resource_types.value.resource_types
+        }
+      }
+
+      dynamic "recording_strategy" {
+        for_each = recording_group.value.recording_strategy != null ? [recording_group.value.recording_strategy] : []
+        content {
+          use_only = recording_strategy.value.use_only
+        }
+      }
+    }
   }
-
-  depends_on = [
-    aws_iam_role_policy.this,
-    aws_iam_role_policy_attachment.this,
-  ]
 }
 
 resource "aws_config_delivery_channel" "this" {
-  name           = var.name
-  s3_bucket_name = var.config_bucket
-  sns_topic_arn  = aws_sns_topic.this.arn
-
-  snapshot_delivery_properties {
-    delivery_frequency = var.snapshot_delivery_frequency
+  name           = aws_config_configuration_recorder.this.name
+  s3_bucket_name = var.config.delivery_channel.s3_bucket_name
+  s3_key_prefix  = var.config.delivery_channel.s3_key_prefix
+  s3_kms_key_arn = var.config.delivery_channel.s3_kms_key_arn
+  sns_topic_arn  = var.config.delivery_channel.sns_topic_arn
+
+  dynamic "snapshot_delivery_properties" {
+    for_each = var.config.delivery_channel.snapshot_delivery_properties != null ? [var.config.delivery_channel.snapshot_delivery_properties] : []
+    content {
+      delivery_frequency = snapshot_delivery_properties.delivery_frequency
+    }
   }
-
-  depends_on = [
-    aws_config_configuration_recorder.this,
-  ]
 }
 
 resource "aws_config_configuration_recorder_status" "this" {
   name       = aws_config_configuration_recorder.this.name
-  is_enabled = true
+  is_enabled = var.config.configuration_recorder.is_enabled
+
   depends_on = [
     aws_config_delivery_channel.this,
   ]
 }
 
-resource "aws_iam_role" "this" {
-  count = local.create_iam_role ? 1 : 0
-
-  name               = "config-continuous-monitoring"
-  assume_role_policy = data.aws_iam_policy_document.config_assume_role[0].json
-  tags               = var.tags
-}
-
-resource "aws_iam_role_policy" "this" {
-  count = local.create_iam_role ? 1 : 0
-
-  name   = "config-continuous-monitoring"
-  role   = aws_iam_role.this[0].id
-  policy = data.aws_iam_policy_document.config[0].json
-}
-
-resource "aws_iam_role_policy_attachment" "this" {
-  count = local.create_iam_role ? 1 : 0
-
-  role       = aws_iam_role.this[0].name
-  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWS_ConfigRole"
-}
-
-resource "aws_sns_topic" "this" {
-  name = "config-topic"
-}
-
-locals {
-  create_iam_role = var.iam_role_arn == null
-  record_all      = length(var.include_resource_types) == 0 && length(var.exclude_resource_types) == 0
-  resource_types  = length(var.include_resource_types) > 0 ? var.include_resource_types : setsubtract(local.all_resource_types, var.exclude_resource_types)
-}
-
-data "aws_partition" "current" {}
-
-data "aws_caller_identity" "current" {}
-
-data "aws_iam_policy_document" "config_assume_role" {
-  count = local.create_iam_role ? 1 : 0
-
-  statement {
-    actions = ["sts:AssumeRole"]
-
-    principals {
-      type        = "Service"
-      identifiers = ["config.amazonaws.com"]
-    }
-  }
-}
-
-data "aws_iam_policy_document" "config" {
-  count = local.create_iam_role ? 1 : 0
-
-  statement {
-    actions   = ["s3:PutObject*"]
-    resources = ["arn:${data.aws_partition.current.partition}:s3:::${var.config_bucket}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
-
-    condition {
-      test     = "StringLike"
-      variable = "s3:x-amz-acl"
-      values   = ["bucket-owner-full-control"]
-    }
-  }
-
-  statement {
-    actions   = ["s3:GetBucketAcl"]
-    resources = ["arn:${data.aws_partition.current.partition}:s3:::${var.config_bucket}"]
-  }
+resource "aws_iam_service_linked_role" "config" {
+  aws_service_name = "config.amazonaws.com"
 }

outputs.tf

@@ -1,13 +1,3 @@
-output "config_iam_role_arn" {
-  description = "The Amazon Resource Name (ARN) of the config service role"
-  value       = local.create_iam_role ? aws_iam_role.this[0].arn : ""
-}
-
-output "config_iam_role_name" {
-  description = "The name of the config service role"
-  value       = local.create_iam_role ? aws_iam_role.this[0].name : ""
-}
-
 output "config_recorder_id" {
   description = "The name of the AWS Config recorder"
   value       = aws_config_configuration_recorder.this.id
@@ -17,8 +7,3 @@ output "config_delivery_channel_id" {
   description = "The name of the AWS Config delivery channel"
   value       = aws_config_delivery_channel.this.id
 }
-
-output "config_sns_topic_arn" {
-  description = "The Amazon Resource Name (ARN) of the config SNS topic"
-  value       = aws_sns_topic.this.arn
-}

variables.tf

@@ -1,40 +1,34 @@
-variable "config_bucket" {
-  description = "Name of S3 bucket for AWS Config inventory; bucket must already exist"
-  type        = string
-}
+variable "config" {
+  description = "Object of inputs for AWS Config service"
+  type = object({
+    configuration_recorder = object({
+      name       = string
+      is_enabled = optional(bool, true)
 
-variable "name" {
-  description = "Name of the AWS Config recorder"
-  type        = string
-  default     = "default"
-}
+      recording_group = optional(object({
+        all_supported                 = optional(bool, true)
+        include_global_resource_types = optional(bool)
+        resource_types                = optional(list(string))
 
-variable "include_resource_types" {
-  description = "A list of specific resource types for AWS Config to records changes to. See AWS documenation for types https://docs.aws.amazon.com/config/latest/APIReference/API_ResourceIdentifier.html#config-Type-ResourceIdentifier-resourceType"
-  type        = list(string)
-  default     = []
-}
+        exclusion_by_resource_types = optional(object({
+          resource_types = list(string)
+        }))
 
-variable "exclude_resource_types" {
-  description = "A list of specific resource types for AWS Config to not records changes to. This variable is mutually exclusive from `include_resource_types` and if both are set, `include_resource_types` will take priority. See AWS documenation for types https://docs.aws.amazon.com/config/latest/APIReference/API_ResourceIdentifier.html#config-Type-ResourceIdentifier-resourceType"
-  type        = list(string)
-  default     = []
-}
+        recording_strategy = optional(object({
+          use_only = string
+        }))
+      }))
+    })
 
-variable "snapshot_delivery_frequency" {
-  description = "Frequency with which AWS Config recurringly delivers configuration snapshots, see <https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigSnapshotDeliveryProperties.html#API_ConfigSnapshotDeliveryProperties_Contents>"
-  type        = string
-  default     = "TwentyFour_Hours"
-}
-
-variable "iam_role_arn" {
-  description = "ARN for the IAM role to attach to the config recorder. If blank, a minimal role will be created"
-  type        = string
-  default     = null
-}
+    delivery_channel = object({
+      s3_bucket_name = string
+      s3_key_prefix  = optional(string)
+      s3_kms_key_arn = optional(string)
+      sns_topic_arn  = optional(string)
 
-variable "tags" {
-  description = "Map of tags to apply to the resources"
-  type        = map(string)
-  default     = {}
+      snapshot_delivery_properties = optional(object({
+        delivery_frequency = string
+      }))
+    })
+  })
 }

versions.tf

@@ -1,3 +1,10 @@
 terraform {
   required_version = ">= 0.12"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.5.0"
+    }
+  }
 }