From 18c686007dedd672d2e37e71fe6f538ec209908c Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Wed, 24 Apr 2024 02:55:08 +0900 Subject: [PATCH] Support recording frequency and retention for config-recorder --- modules/config-recorder/README.md | 46 ++++++++++++++----------- modules/config-recorder/main.tf | 19 +++++++++++ modules/config-recorder/outputs.tf | 23 +++++++++++++ modules/config-recorder/variables.tf | 51 ++++++++++++++++++++++++++++ modules/config-recorder/versions.tf | 2 +- 5 files changed, 120 insertions(+), 21 deletions(-) diff --git a/modules/config-recorder/README.md b/modules/config-recorder/README.md index 43a73da..b340ec7 100644 --- a/modules/config-recorder/README.md +++ b/modules/config-recorder/README.md @@ -7,6 +7,7 @@ This module creates following resources. - `aws_config_delivery_channel` - `aws_config_aggregate_authorization` (optional) - `aws_config_configuration_aggregator` (optional) +- `aws_config_retention_configuration` - `aws_iam_role` - `aws_iam_role_policy` - `aws_iam_role_policy_attachment` 
@@ -16,22 +17,22 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | -| [aws](#requirement\_aws) | >= 4.14 | +| [terraform](#requirement\_terraform) | >= 1.6 | +| [aws](#requirement\_aws) | >= 5.39 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.19.0 | +| [aws](#provider\_aws) | 5.46.0 | ## Modules | Name | Source | Version | |------|--------|---------| | [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | -| [role\_\_aggregator](#module\_role\_\_aggregator) | tedilabs/account/aws//modules/iam-role | ~> 0.20.0 | -| [role\_\_recorder](#module\_role\_\_recorder) | tedilabs/account/aws//modules/iam-role | ~> 0.20.0 | +| [role\_\_aggregator](#module\_role\_\_aggregator) | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 | +| [role\_\_recorder](#module\_role\_\_recorder) | tedilabs/account/aws//modules/iam-role | ~> 0.28.0 | ## Resources 
@@ -43,6 +44,7 @@ This module creates following resources. | [aws_config_configuration_recorder.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_recorder) | resource | | [aws_config_configuration_recorder_status.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_recorder_status) | resource | | [aws_config_delivery_channel.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_delivery_channel) | resource | +| [aws_config_retention_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_retention_configuration) | resource | | [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.aggregation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.delivery](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 
@@ -51,22 +53,24 @@ This module creates following resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [delivery\_s3\_bucket](#input\_delivery\_s3\_bucket) | (Required) The name of the S3 bucket used to store the configuration history. | `string` | n/a | yes | -| [account\_aggregations](#input\_account\_aggregations) | (Optional) A list of configurations to aggregate config data from individual accounts. Supported properties for each configuration are `name`, `account_ids` and `regions`. Aggregate from all supported regions if `regions` is missing. | `list(any)` | `[]` | no | -| [authorized\_aggregators](#input\_authorized\_aggregators) | (Optional) A list of Authorized aggregators to allow an aggregator account and region to collect AWS Config configuration and compliance data. |
list(object({
account_id = string
region = string
}))
| `[]` | no | -| [custom\_resource\_types](#input\_custom\_resource\_types) | (Optional) A list that specifies the types of AWS resources for which AWS Config records configuration changes. For example, `AWS::EC2::Instance` or `AWS::CloudTrail::Trail`. Only need when `scope` is confirued with value `CUSTOM`. | `list(string)` | `[]` | no | -| [delivery\_frequency](#input\_delivery\_frequency) | (Optional) The frequency with which AWS Config recurringly delivers configuration snapshots. Valid values are `1h`, `3h`, `6h`, `12h`, or `24h`. | `string` | `null` | no | -| [delivery\_s3\_key\_prefix](#input\_delivery\_s3\_key\_prefix) | (Optional) The key prefix for the specified S3 bucket. | `string` | `null` | no | -| [delivery\_s3\_sse\_kms\_key](#input\_delivery\_s3\_sse\_kms\_key) | (Optional) The ARN of the AWS KMS key used to encrypt objects delivered by AWS Config. Must belong to the same Region as the destination S3 bucket. | `string` | `null` | no | -| [delivery\_sns\_topic](#input\_delivery\_sns\_topic) | (Optional) The ARN of the SNS topic that AWS Config delivers notifications to. | `string` | `null` | no | -| [enabled](#input\_enabled) | (Optional) Whether the configuration recorder should be enabled or disabled. | `bool` | `true` | no | +| [delivery\_channels](#input\_delivery\_channels) | (Required) A configuration for the delivery channels of the configuration recorder. `delivery_channels` as defined below.
(Required) `s3_bucket` - A configuration for the S3 Bucket delivery channel. `s3_bucket` as defined below.
(Required) `name` - The name of the S3 bucket used to store the configuration history.
(Optional) `key_prefix` - The key prefix for the specified S3 bucket.
(Optional) `sse_kms_key` - The ARN of the AWS KMS key used to encrypt objects delivered by AWS Config. Must belong to the same Region as the destination S3 bucket.
(Optional) `sns_topic` - A configuration for the SNS Topic delivery channel. `sns_topic` as defined below.
(Optional) `enabled` - Whether to enable the SNS Topic delivery channel. Defaults to `false`.
(Optional) `arn` - The ARN of the SNS topic that AWS Config delivers notifications to. |
object({
s3_bucket = object({
name = string
key_prefix = optional(string)
sse_kms_key = optional(string)
})
sns_topic = optional(object({
enabled = optional(bool, false)
arn = optional(string)
}), {})
})
| n/a | yes | +| [account\_aggregations](#input\_account\_aggregations) | (Optional) A list of configurations to aggregate config data from individual accounts. Each item of `account_aggregations` as defined below.
(Required) `name` - The name of the account aggregation.
(Required) `accounts` - A list of account IDs to be aggregated.
(Optional) `regions` - A list of regions to aggregate data. Aggregate from all supported regions if `regions` is missing.
(Optional) `tags` - A map of tags to add to the account aggregation resource. |
list(object({
name = string
accounts = set(string)
regions = optional(set(string), [])
tags = optional(map(string), {})
}))
| `[]` | no | +| [authorized\_aggregators](#input\_authorized\_aggregators) | (Optional) A list of Authorized aggregators to allow an aggregator account and region to collect AWS Config configuration and compliance data. Each item of `authorized_aggregators` as defined below.
(Required) `account` - The account ID of the account authorized to aggregate data.
(Required) `region` - The region authorized to collect aggregated data.
(Optional) `tags` - A map of tags to add to authorized aggregator resource. |
list(object({
account = string
region = string
tags = optional(map(string), {})
}))
| `[]` | no | +| [default\_organization\_aggregator\_role](#input\_default\_organization\_aggregator\_role) | (Optional) A configuration for the default service role to use for organization aggregator in Config. Use `organization_aggregator_role` if `default_organization_aggregator_role.enabled` is `false`. `default_organization_aggregator_role` as defined below.
(Optional) `enabled` - Whether to create the default organization aggregator role. Defaults to `true`.
(Optional) `name` - The name of the default organization aggregator role. Defaults to `config-configuration-aggregator-${var.name}`.
(Optional) `path` - The path of the default organization aggregator role. Defaults to `/`.
(Optional) `description` - The description of the default organization aggregator role.
(Optional) `policies` - A list of IAM policy ARNs to attach to the default organization aggregator role. `AWSConfigRoleForOrganizations` is always attached. Defaults to `[]`.
(Optional) `inline_policies` - A Map of inline IAM policies to attach to the default organization aggregator role. (`name` => `policy`). |
object({
enabled = optional(bool, true)
name = optional(string)
path = optional(string, "/")
description = optional(string, "Managed by Terraform.")

policies = optional(list(string), [])
inline_policies = optional(map(string), {})
})
| `{}` | no | +| [default\_service\_role](#input\_default\_service\_role) | (Optional) A configuration for the default service role to use for Config recorder. Use `service_role` if `default_service_role.enabled` is `false`. `default_service_role` as defined below.
(Optional) `enabled` - Whether to create the default service role. Defaults to `true`.
(Optional) `name` - The name of the default service role. Defaults to `config-configuration-recorder-${var.name}`.
(Optional) `path` - The path of the default service role. Defaults to `/`.
(Optional) `description` - The description of the default service role.
(Optional) `policies` - A list of IAM policy ARNs to attach to the default service role. `AWS_ConfigRole` is always attached. Defaults to `[]`.
(Optional) `inline_policies` - A Map of inline IAM policies to attach to the default service role. (`name` => `policy`). |
object({
enabled = optional(bool, true)
name = optional(string)
path = optional(string, "/")
description = optional(string, "Managed by Terraform.")

policies = optional(list(string), [])
inline_policies = optional(map(string), {})
})
| `{}` | no | +| [enabled](#input\_enabled) | (Optional) Whether the configuration recorder should be enabled or disabled. Defaults to `true`. | `bool` | `true` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | | [name](#input\_name) | (Optional) The name of the recorder. Defaults to `default`. Changing it recreates the resource. | `string` | `"default"` | no | -| [organization\_aggregation](#input\_organization\_aggregation) | (Optional) The configuration to aggregate config data from organization accounts. Supported properties are `enabled` and `regions`. Aggregate from all supported regions if `regions` is missing. | `any` | `{}` | no | +| [organization\_aggregation](#input\_organization\_aggregation) | (Optional) A configuration to aggregate config data from organization accounts. `organization_aggregations` as defined below.
(Optional) `enabled` - Whether to enable the organization aggregation. Defaults to `false`.
(Optional) `name` - The name of the organization aggregation. Defaults to `organization`.
(Optional) `regions` - A list of regions to aggregate data. Aggregate from all supported regions if `regions` is missing.
(Optional) `tags` - A map of tags to add to the organization aggregation resource. |
object({
enabled = optional(bool, false)
name = optional(string, "organization")
regions = optional(set(string), [])
tags = optional(map(string), {})
})
| `{}` | no | +| [organization\_aggregator\_role](#input\_organization\_aggregator\_role) | (Optional) The ARN (Amazon Resource Name) of the IAM Role that provides permissions for the organization aggregator in Config. Only required if `default_organization_aggregator_role.enabled` is `false`. | `string` | `null` | no | +| [recording\_frequency](#input\_recording\_frequency) | (Optional) A configuration for the recording frequency mode of AWS Config configuration recorder. `recording_frequency` as defined below.
(Optional) `mode` - The recording frequency mode for the recorder. Valid values are `CONTINUOUS`, `DAILIY`. Defaults to `CONTINUOUS`.

`CONTINUOUS`: Continuous recording allows you to record configuration changes continuously whenever a change occurs.
`DAILY`: Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it's different from the previous CI recorded.
(Optional) `overrides` - A configurations to override the recording frequency for specific resource types. Each block of `overrides` as defined below.
(Required) `resource_types` - A set of resource types to override the recording frequency mode. For example, `AWS::EC2::Instance` or `AWS::CloudTrail::Trail`.
(Required) `mode` - The recording frequency mode to override to all the resource types specified in the `resource_types`. Valid values are `CONTINUOUS`, `DAILIY`.
(Optional) `description` - The description of the override. Defaults to `Managed by Terraform.` |
object({
mode = optional(string, "CONTINUOUS")
overrides = optional(list(object({
resource_types = set(string)
mode = string
description = optional(string, "Managed by Terraform.")
})), [])
})
| `{}` | no | | [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | | [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | | [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [scope](#input\_scope) | (Optional) Specifies the scope of AWS Config configuration recorder. Supported values are `REGIONAL_WITH_GLOBAL`, `REGIONAL`, or `CUSTOM`. | `string` | `"REGIONAL"` | no | +| [retention\_period](#input\_retention\_period) | (Optional) The number of days AWS Config stores historical information. Valid range is between a minimum period of 30 days and a maximum period of 7 years (2557 days).Defaults to `2557` (7 years). | `number` | `2557` | no | +| [scope](#input\_scope) | (Optional) A configuration for the scope of AWS Config configuration recorder. `scope` as defined below.
(Optional) `strategy` - The recording strategy for the configuration recorder. Valid values are `ALL_WITHOUT_GLOBAL`, `ALL`, `WHITELIST`, `BLACKLIST`. Defaults to `ALL_WITHOUT_GLOBAL`.
(Optional) `resource_types` - A list of resource types to include/exclude for recording. For example, `AWS::EC2::Instance` or `AWS::CloudTrail::Trail`. Only need when `strategy` is confirued with value `WHITELIST` or `BLACKLIST`. |
object({
strategy = optional(string, "ALL_WITHOUT_GLOBAL")
resource_types = optional(set(string), [])
})
| `{}` | no | +| [service\_role](#input\_service\_role) | (Optional) The ARN (Amazon Resource Name) of the IAM Role that provides permissions for the Config Recorder. Only required if `default_service_role.enabled` is `false`. | `string` | `null` | no | +| [snapshot\_delivery](#input\_snapshot\_delivery) | (Optional) A configuration for the configuration snapshot delivery of the recorder. `snapshot_delivery` as defined below.
(Optional) `enabled` - Whether to enable the configuration snapshot delivery. Defaults to `false`.
(Optional) `frequency` - The frequency with which AWS Config recurringly delivers configuration snapshots. Valid values are `1h`, `3h`, `6h`, `12h`, or `24h`. |
object({
enabled = optional(bool, false)
frequency = optional(string, "24h")
})
| `{}` | no | | [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | ## Outputs @@ -75,12 +79,14 @@ This module creates following resources. |------|-------------| | [account\_aggregations](#output\_account\_aggregations) | A list of configurations to aggregate config data from individual accounts. | | [authorized\_aggregators](#output\_authorized\_aggregators) | A list of Authorized aggregators allowed to collect AWS Config configuration and compliance data. | -| [custom\_resource\_types](#output\_custom\_resource\_types) | A list that specifies the types of AWS resources for which AWS Config records configuration changes. | -| [delivery\_channels](#output\_delivery\_channels) | Delivery channels of the recorder. | +| [delivery\_channels](#output\_delivery\_channels) | The configuration of delivery channels of the recorder.
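Review bot: `recording_frequency = var.recording_frequency.mode` and `recording_frequency = override.value.mode` hand user-supplied strings straight to the provider, and nothing in this hunk constrains them to `CONTINUOUS` or `DAILY`; unless variables.tf (only partly visible here) carries a `validation` block for both the top-level `mode` and every override's `mode`, a bad value is caught only at apply time. The README text in this same commit spells the value `DAILIY` twice, which is exactly the slip a plan-time check would catch; a condition such as `contains(["CONTINUOUS", "DAILY"], var.recording_frequency.mode)` on the variable, plus an `alltrue` over `var.recording_frequency.overrides[*].mode`, would do it. Because the README describes `DAILY` as delivering one configuration item per 24-hour period only when it differs from the previous one, the variable description should also say that `DAILY` thins out the change history that Config rules and later investigations rely on, so callers choose it knowingly. The enclosing `aws_config_configuration_recorder` resource starts before this hunk and continues after it.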
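Review bot: `resource "aws_config_retention_configuration" "this"` is created unconditionally, with no `count` and no opt-out, although AWS Config keeps a single retention configuration per account and region; a second instance of this module in the same region, or a retention setting managed elsewhere, would then contend for the same value and surface as perpetual drift. Making `retention_period` nullable with `count = var.retention_period != null ? 1 : 0` (and `one(aws_config_retention_configuration.this[*].retention_period_in_days)` in the new output) would let callers leave an existing configuration untouched. The variable description should also state that the setting is region-wide and that lowering it causes AWS Config to delete configuration items older than the new period, shortening the history available for compliance review and incident investigation; the `2557` default is the conservative choice. The `retention_period` variable itself is defined in variables.tf, which is only partially visible here.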
`s3_bucket` - The configuration for the S3 Bucket delivery channel.
`sns_topic` - The configuration for the SNS Topic delivery channel. | | [enabled](#output\_enabled) | Whether the configuration recorder is enabled. | | [id](#output\_id) | The ID of the recorder. | | [name](#output\_name) | The name of the recorder. | | [organization\_aggregation](#output\_organization\_aggregation) | The configuration to aggregate config data from organization accounts. | -| [role\_arn](#output\_role\_arn) | The Amazon Resource Name (ARN) of the IAM role. | -| [scope](#output\_scope) | The scope of the recorder. | +| [recording\_frequency](#output\_recording\_frequency) | The configuration for the recording frequency mode of the recorder.
`mode` - The recording frequency mode for the recorder.
`overrides` - The configurations to override the recording frequency for specific resource types. | +| [retention\_period](#output\_retention\_period) | The number of days AWS Config stores historical information | +| [scope](#output\_scope) | A list that specifies the types of AWS resources for which AWS Config records configuration changes.
`strategy` - The recording strategy for the configuration recorder.
`resource_types` - A list of resource types to include/exclude for recording. | +| [service\_role](#output\_service\_role) | The Amazon Resource Name (ARN) of the IAM role for the recorder. | +| [snapshot\_delivery](#output\_snapshot\_delivery) | The configuration for the configuration snapshot delivery of the recorder.
`enabled` - Whether the configuration snapshot delivery is enabled.
`frequency` - The frequency with which AWS Config recurringly delivers configuration snapshots. | diff --git a/modules/config-recorder/main.tf b/modules/config-recorder/main.tf index ebb1e98..d5f0a3c 100644 --- a/modules/config-recorder/main.tf +++ b/modules/config-recorder/main.tf @@ -66,6 +66,21 @@ resource "aws_config_configuration_recorder" "this" { : var.service_role ) + recording_mode { + recording_frequency = var.recording_frequency.mode + + dynamic "recording_mode_override" { + for_each = var.recording_frequency.overrides + iterator = override + + content { + resource_types = override.value.resource_types + recording_frequency = override.value.mode + description = override.value.description + } + } + } + recording_group { recording_strategy { use_only = local.recording_groups[var.scope.strategy].recording_strategy @@ -94,6 +109,10 @@ resource "aws_config_configuration_recorder_status" "this" { ] } +resource "aws_config_retention_configuration" "this" { + retention_period_in_days = var.retention_period +} + ################################################### # Delivery Channel diff --git a/modules/config-recorder/outputs.tf b/modules/config-recorder/outputs.tf index e9d1cf9..f7a2a80 100644 --- a/modules/config-recorder/outputs.tf +++ b/modules/config-recorder/outputs.tf @@ -13,6 +13,29 @@ output "enabled" { value = aws_config_configuration_recorder_status.this.is_enabled } +output "retention_period" { + description = "The number of days AWS Config stores historical information" + value = aws_config_retention_configuration.this.retention_period_in_days +} + +output "recording_frequency" { + description = <= 30, + var.retention_period <= 2557, + ]) + error_message = "Valid range for `retention_period` is between 30 and 2557 days." + } +} + variable "default_service_role" { description = <