Merge pull request #185 from lorengordon/refactor

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 3.0.2
+current_version = 4.0.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

CHANGELOG.md

@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### [4.0.0](https://github.com/plus3it/terraform-aws-tardigrade-config/releases/tag/4.0.0)
+
+**Released**: 2023.12.26
+
+**Summary**:
+
+*   Adds native support for excluded or included resource types
+*   Supports all features available as of terraform-provider-aws v5.31.0
+*   Uses service-linked-role exclusively, removing custom IAM role
+
 ### 3.0.2
 
 **Released**: 2022.06.03

README.md

@@ -26,42 +26,30 @@ make mockstack/clean
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.5.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.5.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.config_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_config_bucket"></a> [config\_bucket](#input\_config\_bucket) | Name of S3 bucket for AWS Config inventory; bucket must already exist | `string` | n/a | yes |
-| <a name="input_exclude_resource_types"></a> [exclude\_resource\_types](#input\_exclude\_resource\_types) | A list of specific resource types for AWS Config to not records changes to. This variable is mutually exclusive from `include_resource_types` and if both are set, `include_resource_types` will take priority. See AWS documenation for types https://docs.aws.amazon.com/config/latest/APIReference/API_ResourceIdentifier.html#config-Type-ResourceIdentifier-resourceType | `list(string)` | `[]` | no |
-| <a name="input_iam_role_arn"></a> [iam\_role\_arn](#input\_iam\_role\_arn) | ARN for the IAM role to attach to the config recorder. If blank, a minimal role will be created | `string` | `null` | no |
-| <a name="input_include_resource_types"></a> [include\_resource\_types](#input\_include\_resource\_types) | A list of specific resource types for AWS Config to records changes to. See AWS documenation for types https://docs.aws.amazon.com/config/latest/APIReference/API_ResourceIdentifier.html#config-Type-ResourceIdentifier-resourceType | `list(string)` | `[]` | no |
-| <a name="input_name"></a> [name](#input\_name) | Name of the AWS Config recorder | `string` | `"default"` | no |
-| <a name="input_snapshot_delivery_frequency"></a> [snapshot\_delivery\_frequency](#input\_snapshot\_delivery\_frequency) | Frequency with which AWS Config recurringly delivers configuration snapshots, see <https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigSnapshotDeliveryProperties.html#API_ConfigSnapshotDeliveryProperties_Contents> | `string` | `"TwentyFour_Hours"` | no |
-| <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to apply to the resources | `map(string)` | `{}` | no |
+| <a name="input_config"></a> [config](#input\_config) | Object of inputs for AWS Config service | <pre>object({<br>    configuration_recorder = object({<br>      name       = string<br>      is_enabled = optional(bool, true)<br><br>      recording_group = optional(object({<br>        all_supported                 = optional(bool, true)<br>        include_global_resource_types = optional(bool)<br>        resource_types                = optional(list(string))<br><br>        exclusion_by_resource_types = optional(object({<br>          resource_types = list(string)<br>        }))<br><br>        recording_strategy = optional(object({<br>          use_only = string<br>        }))<br>      }))<br>    })<br><br>    delivery_channel = object({<br>      s3_bucket_name = string<br>      s3_key_prefix  = optional(string)<br>      s3_kms_key_arn = optional(string)<br>      sns_topic_arn  = optional(string)<br><br>      snapshot_delivery_properties = optional(object({<br>        delivery_frequency = string<br>      }))<br>    })<br>  })</pre> | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
 | <a name="output_config_delivery_channel_id"></a> [config\_delivery\_channel\_id](#output\_config\_delivery\_channel\_id) | The name of the AWS Config delivery channel |
-| <a name="output_config_iam_role_arn"></a> [config\_iam\_role\_arn](#output\_config\_iam\_role\_arn) | The Amazon Resource Name (ARN) of the config service role |
-| <a name="output_config_iam_role_name"></a> [config\_iam\_role\_name](#output\_config\_iam\_role\_name) | The name of the config service role |
 | <a name="output_config_recorder_id"></a> [config\_recorder\_id](#output\_config\_recorder\_id) | The name of the AWS Config recorder |
-| <a name="output_config_sns_topic_arn"></a> [config\_sns\_topic\_arn](#output\_config\_sns\_topic\_arn) | The Amazon Resource Name (ARN) of the config SNS topic |
 
 <!-- END TFDOCS -->

main.tf

@@ -1,107 +1,55 @@
 resource "aws_config_configuration_recorder" "this" {
-  name     = var.name
-  role_arn = local.create_iam_role ? aws_iam_role.this[0].arn : var.iam_role_arn
-
-  recording_group {
-    all_supported                 = local.record_all
-    include_global_resource_types = local.record_all
-    resource_types                = local.record_all ? [] : local.resource_types
+  name     = var.config.configuration_recorder.name
+  role_arn = aws_iam_service_linked_role.config.arn
+
+  dynamic "recording_group" {
+    for_each = var.config.configuration_recorder.recording_group != null ? [var.config.configuration_recorder.recording_group] : []
+    content {
+      all_supported                 = recording_group.value.all_supported
+      include_global_resource_types = recording_group.value.include_global_resource_types
+      resource_types                = recording_group.value.resource_types
+
+      dynamic "exclusion_by_resource_types" {
+        for_each = recording_group.value.exclusion_by_resource_types != null ? [recording_group.value.exclusion_by_resource_types] : []
+        content {
+          resource_types = exclusion_by_resource_types.value.resource_types
+        }
+      }
+
+      dynamic "recording_strategy" {
+        for_each = recording_group.value.recording_strategy != null ? [recording_group.value.recording_strategy] : []
+        content {
+          use_only = recording_strategy.value.use_only
+        }
+      }
+    }
   }
-
-  depends_on = [
-    aws_iam_role_policy.this,
-    aws_iam_role_policy_attachment.this,
-  ]
 }
 
 resource "aws_config_delivery_channel" "this" {
-  name           = var.name
-  s3_bucket_name = var.config_bucket
-  sns_topic_arn  = aws_sns_topic.this.arn
-
-  snapshot_delivery_properties {
-    delivery_frequency = var.snapshot_delivery_frequency
+  name           = aws_config_configuration_recorder.this.name
+  s3_bucket_name = var.config.delivery_channel.s3_bucket_name
+  s3_key_prefix  = var.config.delivery_channel.s3_key_prefix
+  s3_kms_key_arn = var.config.delivery_channel.s3_kms_key_arn
+  sns_topic_arn  = var.config.delivery_channel.sns_topic_arn
+
+  dynamic "snapshot_delivery_properties" {
+    for_each = var.config.delivery_channel.snapshot_delivery_properties != null ? [var.config.delivery_channel.snapshot_delivery_properties] : []
+    content {
+      delivery_frequency = snapshot_delivery_properties.delivery_frequency
+    }
   }
-
-  depends_on = [
-    aws_config_configuration_recorder.this,
-  ]
 }
 
 resource "aws_config_configuration_recorder_status" "this" {
   name       = aws_config_configuration_recorder.this.name
-  is_enabled = true
+  is_enabled = var.config.configuration_recorder.is_enabled
+
   depends_on = [
     aws_config_delivery_channel.this,
   ]
 }
 
-resource "aws_iam_role" "this" {
-  count = local.create_iam_role ? 1 : 0
-
-  name               = "config-continuous-monitoring"
-  assume_role_policy = data.aws_iam_policy_document.config_assume_role[0].json
-  tags               = var.tags
-}
-
-resource "aws_iam_role_policy" "this" {
-  count = local.create_iam_role ? 1 : 0
-
-  name   = "config-continuous-monitoring"
-  role   = aws_iam_role.this[0].id
-  policy = data.aws_iam_policy_document.config[0].json
-}
-
-resource "aws_iam_role_policy_attachment" "this" {
-  count = local.create_iam_role ? 1 : 0
-
-  role       = aws_iam_role.this[0].name
-  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWS_ConfigRole"
-}
-
-resource "aws_sns_topic" "this" {
-  name = "config-topic"
-}
-
-locals {
-  create_iam_role = var.iam_role_arn == null
-  record_all      = length(var.include_resource_types) == 0 && length(var.exclude_resource_types) == 0
-  resource_types  = length(var.include_resource_types) > 0 ? var.include_resource_types : setsubtract(local.all_resource_types, var.exclude_resource_types)
-}
-
-data "aws_partition" "current" {}
-
-data "aws_caller_identity" "current" {}
-
-data "aws_iam_policy_document" "config_assume_role" {
-  count = local.create_iam_role ? 1 : 0
-
-  statement {
-    actions = ["sts:AssumeRole"]
-
-    principals {
-      type        = "Service"
-      identifiers = ["config.amazonaws.com"]
-    }
-  }
-}
-
-data "aws_iam_policy_document" "config" {
-  count = local.create_iam_role ? 1 : 0
-
-  statement {
-    actions   = ["s3:PutObject*"]
-    resources = ["arn:${data.aws_partition.current.partition}:s3:::${var.config_bucket}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
-
-    condition {
-      test     = "StringLike"
-      variable = "s3:x-amz-acl"
-      values   = ["bucket-owner-full-control"]
-    }
-  }
-
-  statement {
-    actions   = ["s3:GetBucketAcl"]
-    resources = ["arn:${data.aws_partition.current.partition}:s3:::${var.config_bucket}"]
-  }
+resource "aws_iam_service_linked_role" "config" {
+  aws_service_name = "config.amazonaws.com"
 }

outputs.tf

@@ -1,13 +1,3 @@
-output "config_iam_role_arn" {
-  description = "The Amazon Resource Name (ARN) of the config service role"
-  value       = local.create_iam_role ? aws_iam_role.this[0].arn : ""
-}
-
-output "config_iam_role_name" {
-  description = "The name of the config service role"
-  value       = local.create_iam_role ? aws_iam_role.this[0].name : ""
-}
-
 output "config_recorder_id" {
   description = "The name of the AWS Config recorder"
   value       = aws_config_configuration_recorder.this.id
@@ -17,8 +7,3 @@ output "config_delivery_channel_id" {
   description = "The name of the AWS Config delivery channel"
   value       = aws_config_delivery_channel.this.id
 }
-
-output "config_sns_topic_arn" {
-  description = "The Amazon Resource Name (ARN) of the config SNS topic"
-  value       = aws_sns_topic.this.arn
-}