diff --git a/tests/basic_create/main.tf b/tests/basic_create/main.tf
deleted file mode 100644
index 16a4551..0000000
--- a/tests/basic_create/main.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-module "basic_create" {
- source = "../../"
-
- name = "tardigrade-config-${random_string.this.result}"
- config_bucket = aws_s3_bucket.this.id
-}
-
-resource "random_string" "this" {
- length = 6
- number = false
- upper = false
- special = false
-}
-
-resource "aws_s3_bucket" "this" {
- bucket = "tardigrade-config-${random_string.this.result}"
- force_destroy = true
-}
-
-data "aws_caller_identity" "current" {}
diff --git a/tests/defaults/main.tf b/tests/defaults/main.tf
new file mode 100644
index 0000000..e80c488
--- /dev/null
+++ b/tests/defaults/main.tf
@@ -0,0 +1,80 @@
+module "config" {
+ source = "../../"
+
+ config = {
+ configuration_recorder = {
+ name = "tardigrade-config-${random_string.this.result}"
+ }
+
+ delivery_channel = {
+ s3_bucket_name = aws_s3_bucket_policy.this.id
+ }
+ }
+}
+
+resource "aws_s3_bucket" "this" {
+ bucket = "tardigrade-config-${random_string.this.result}"
+ force_destroy = true
+}
+
+resource "aws_s3_bucket_policy" "this" {
+ bucket = aws_s3_bucket.this.id
+
+ policy = jsonencode({
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AWSConfigBucketPermissionsCheck",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "config.amazonaws.com"
+ },
+ "Action": "s3:GetBucketAcl",
+ "Resource": aws_s3_bucket.this.arn,
+ "Condition": {
+ "StringEquals": {
+ "AWS:SourceAccount": data.aws_caller_identity.current.account_id
+ }
+ }
+ },
+ {
+ "Sid": "AWSConfigBucketExistenceCheck",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "config.amazonaws.com"
+ },
+ "Action": "s3:ListBucket",
+ "Resource": aws_s3_bucket.this.arn,
+ "Condition": {
+ "StringEquals": {
+ "AWS:SourceAccount": data.aws_caller_identity.current.account_id
+ }
+ }
+ },
+ {
+ "Sid": "AWSConfigBucketDelivery",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "config.amazonaws.com"
+ },
+ "Action": "s3:PutObject",
+ "Resource": "${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/Config/*",
+ "Condition": {
+ "StringEquals": {
+ "s3:x-amz-acl": "bucket-owner-full-control",
+ "AWS:SourceAccount": data.aws_caller_identity.current.account_id
+ }
+ }
+ }
+ ]
+ })
+}
+
+resource "random_string" "this" {
+ length = 6
+ numeric = false
+ upper = false
+ special = false
+}
+
+data "aws_caller_identity" "current" {}
diff --git a/tests/exclude_specific_resources/main.tf b/tests/exclude_specific_resources/main.tf
index 0da506d..e66e6b2 100644
--- a/tests/exclude_specific_resources/main.tf
+++ b/tests/exclude_specific_resources/main.tf
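Review bot: The line `s3_bucket_name = aws_s3_bucket_policy.this.id` in `delivery_channel` is doing double duty — it resolves to the bucket name, and it also forces Terraform to create the bucket policy before the delivery channel, which is what keeps the recorder's first delivery from failing on access — but nothing in the fixture says so, and the obvious "simplification" to `aws_s3_bucket.this.id` would reintroduce that race. Add a comment above it, e.g. `# Reference the policy, not the bucket: the delivery channel must be created only after config.amazonaws.com has been granted PutObject here.` The `AWSConfigBucketDelivery` statement correctly limits `s3:PutObject` to `AWSLogs/<account-id>/Config/*`; if the module's `delivery_channel` also accepts an `s3_key_prefix` (not visible here), a prefixed channel would write under a different path and be denied by this policy, so the fixture should either note that limitation or fold the prefix into the `Resource`.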
@@ -1,20 +1,28 @@
-module "exclude_specific_resources" {
+module "config" {
 source = "../../"
- name = "tardigrade-config-${random_string.this.result}"
- config_bucket = aws_s3_bucket.this.id
+ config = {
+ configuration_recorder = {
+ name = "tardigrade-config-${random_string.this.result}"
+ recording_group = {
+ all_supported = false
- exclude_resource_types = [
- "AWS::EC2::Instance",
- "AWS::CloudTrail::Trail",
- ]
-}
+ exclusion_by_resource_types = {
+ resource_types = [
+ "AWS::SSM::ManagedInstanceInventory",
+ ]
+ }
-resource "random_string" "this" {
- length = 6
- number = false
- upper = false
- special = false
+ recording_strategy = {
+ use_only = "EXCLUSION_BY_RESOURCE_TYPES"
+ }
+ }
+ }
+
+ delivery_channel = {
+ s3_bucket_name = aws_s3_bucket_policy.this.id
+ }
+ }
 }
 resource "aws_s3_bucket" "this" {
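Review bot: The new `recording_group` sets `all_supported = false` next to `exclusion_by_resource_types` and `use_only = "EXCLUSION_BY_RESOURCE_TYPES"`, and a reader will naturally take `all_supported = false` as narrowing what is recorded, when under this strategy Config records every supported type except the listed ones — the exclusion list is the only thing limiting scope. A comment on the `exclusion_by_resource_types` block would prevent that misreading, e.g. `# Exclusion strategy: every supported type (including ones AWS adds later) is recorded except those listed here; all_supported is false because the API does not combine it with an exclusion list (confirm against provider docs).` The previous fixture excluded `AWS::EC2::Instance` and `AWS::CloudTrail::Trail`, while the new list has the single entry `AWS::SSM::ManagedInstanceInventory`, so multi-entry exclusion lists are no longer exercised; if that was not deliberate, a second entry is cheap to keep. The `resource "aws_s3_bucket" "this"` block opened on the hunk's last line continues outside it.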
@@ -22,4 +30,64 @@ resource "aws_s3_bucket" "this" {
 force_destroy = true
 }
+resource "aws_s3_bucket_policy" "this" {
+ bucket = aws_s3_bucket.this.id
+
+ policy = jsonencode({
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AWSConfigBucketPermissionsCheck",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "config.amazonaws.com"
+ },
+ "Action": "s3:GetBucketAcl",
+ "Resource": aws_s3_bucket.this.arn,
+ "Condition": {
+ "StringEquals": {
+ "AWS:SourceAccount": data.aws_caller_identity.current.account_id
+ }
+ }
+ },
+ {
+ "Sid": "AWSConfigBucketExistenceCheck",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "config.amazonaws.com"
+ },
+ "Action": "s3:ListBucket",
+ "Resource": aws_s3_bucket.this.arn,
+ "Condition": {
+ "StringEquals": {
+ "AWS:SourceAccount": data.aws_caller_identity.current.account_id
+ }
+ }
+ },
+ {
+ "Sid": "AWSConfigBucketDelivery",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "config.amazonaws.com"
+ },
+ "Action": "s3:PutObject",
+ "Resource": "${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/Config/*",
+ "Condition": {
+ "StringEquals": {
+ "s3:x-amz-acl": "bucket-owner-full-control",
+ "AWS:SourceAccount": data.aws_caller_identity.current.account_id
+ }
+ }
+ }
+ ]
+ })
+}
+
+resource "random_string" "this" {
+ length = 6
+ numeric = false
+ upper = false
+ special = false
+}
+
 data "aws_caller_identity" "current" {}
diff --git a/tests/include_and_exclude/main.tf b/tests/include_and_exclude/main.tf
deleted file mode 100644
index 9c69a15..0000000
--- a/tests/include_and_exclude/main.tf
+++ /dev/null
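Review bot: With the bucket policy added below it, the `force_destroy = true` context line at the top of this hunk now reads like a ready-to-copy Config delivery bucket, yet it will delete every delivered configuration snapshot on `terraform destroy`; a one-line warning keeps it from being lifted into a real account unchanged, e.g. `# Test fixture only: force_destroy discards delivered Config snapshots on destroy — never set this on a production Config bucket.` The `AWSConfigBucketDelivery` statement is deliberately scoped to `AWSLogs/${account_id}/Config/*` rather than `${bucket_arn}/*`, and the `AWS:SourceAccount` condition on all three statements stops a recorder in another account from using the service principal to write here; both deserve a comment so a later edit does not widen them for convenience. The `aws_s3_bucket` block whose closing brace is the hunk's second context line begins outside the hunk.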
@@ -1,30 +0,0 @@
-module "include_and_exclude" {
- source = "../../"
-
- name = "tardigrade-config-${random_string.this.result}"
- config_bucket = aws_s3_bucket.this.id
-
- include_resource_types = [
- "AWS::EC2::Instance",
- "AWS::CloudTrail::Trail",
- ]
-
- exclude_resource_types = [
- "AWS::EC2::Instance",
- "AWS::CloudTrail::Trail",
- ]
-}
-
-resource "random_string" "this" {
- length = 6
- number = false
- upper = false
- special = false
-}
-
-resource "aws_s3_bucket" "this" {
- bucket = "tardigrade-config-${random_string.this.result}"
- force_destroy = true
-}
-
-data "aws_caller_identity" "current" {}
diff --git a/tests/include_specific_resources/main.tf b/tests/include_specific_resources/main.tf
index 41261dd..0c7649e 100644
--- a/tests/include_specific_resources/main.tf
+++ b/tests/include_specific_resources/main.tf
@@ -1,20 +1,27 @@
-module "include_specific_resources" {
+module "config" {
 source = "../../"
- name = "tardigrade-config-${random_string.this.result}"
- config_bucket = aws_s3_bucket.this.id
+ config = {
+ configuration_recorder = {
+ name = "tardigrade-config-${random_string.this.result}"
+ recording_group = {
+ all_supported = false
- include_resource_types = [
- "AWS::EC2::Instance",
- "AWS::CloudTrail::Trail",
- ]
-}
+ recording_strategy = {
+ use_only = "INCLUSION_BY_RESOURCE_TYPES"
+ }
-resource "random_string" "this" {
- length = 6
- number = false
- upper = false
- special = false
+ resource_types = [
+ "AWS::EC2::Instance",
+ "AWS::CloudTrail::Trail",
+ ]
+ }
+ }
+
+ delivery_channel = {
+ s3_bucket_name = aws_s3_bucket_policy.this.id
+ }
+ }
 }
 resource "aws_s3_bucket" "this" {
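Review bot: Under `use_only = "INCLUSION_BY_RESOURCE_TYPES"` the two entries in `resource_types` are an allow-list — any type not named, including the global ones such as IAM that `include_global_resource_types` would otherwise cover, is simply not recorded — and the fixture gives no hint of that or of why `all_supported = false` sits beside it. A comment on the `recording_group` block would make the intent explicit, e.g. `# Inclusion strategy: only the types in resource_types are recorded; all_supported is false because a type list cannot be combined with it (confirm against provider docs).` This fixture also orders `recording_strategy` before `resource_types`, while the exclusion fixture places `exclusion_by_resource_types` before `recording_strategy`; putting the strategy block in the same position in both makes the two fixtures diff cleanly. The `resource "aws_s3_bucket" "this"` block opened on the hunk's last line continues past it.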
@@ -22,4 +29,64 @@ resource "aws_s3_bucket" "this" {
 force_destroy = true
 }
+resource "aws_s3_bucket_policy" "this" {
+ bucket = aws_s3_bucket.this.id
+
+ policy = jsonencode({
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AWSConfigBucketPermissionsCheck",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "config.amazonaws.com"
+ },
+ "Action": "s3:GetBucketAcl",
+ "Resource": aws_s3_bucket.this.arn,
+ "Condition": {
+ "StringEquals": {
+ "AWS:SourceAccount": data.aws_caller_identity.current.account_id
+ }
+ }
+ },
+ {
+ "Sid": "AWSConfigBucketExistenceCheck",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "config.amazonaws.com"
+ },
+ "Action": "s3:ListBucket",
+ "Resource": aws_s3_bucket.this.arn,
+ "Condition": {
+ "StringEquals": {
+ "AWS:SourceAccount": data.aws_caller_identity.current.account_id
+ }
+ }
+ },
+ {
+ "Sid": "AWSConfigBucketDelivery",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "config.amazonaws.com"
+ },
+ "Action": "s3:PutObject",
+ "Resource": "${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/Config/*",
+ "Condition": {
+ "StringEquals": {
+ "s3:x-amz-acl": "bucket-owner-full-control",
+ "AWS:SourceAccount": data.aws_caller_identity.current.account_id
+ }
+ }
+ }
+ ]
+ })
+}
+
+resource "random_string" "this" {
+ length = 6
+ numeric = false
+ upper = false
+ special = false
+}
+
 data "aws_caller_identity" "current" {}
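Review bot: This `aws_s3_bucket_policy` is a verbatim copy of the one added to `tests/defaults/main.tf` and `tests/exclude_specific_resources/main.tf`, and the copies carry all of the security-relevant decisions — the `AWS:SourceAccount` condition, the `AWSLogs/<account>/Config/*` scope on `s3:PutObject`, the `bucket-owner-full-control` ACL condition — so any future tightening must be applied three times and the fixtures can silently drift apart. Consider moving the policy into a small shared fixture module under `tests/` (or a `templatefile` each fixture reads) so there is one copy to review. Until then, a comment on the `policy` attribute naming what it reproduces, e.g. `# Mirrors the AWS-documented Config delivery bucket policy; keep in sync with the other test fixtures.`, tells a reader the statements are deliberate rather than ad hoc. The `aws_s3_bucket` block whose closing brace is the second context line of this hunk begins outside it.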