
ACAI ACF Module: terraform-aws-acf-configservice

Solution

GitHub Repository | Terraform Registry

This Terraform module automates the deployment of the central and decentralized resources for AWS Config.

This module provides:

  • Central AWS Config Aggregator
  • Central AWS Config Logging
  • AWS Config Member Resources (via ACAI PROVISIO)

architecture

Usage

Define the AWS Config settings:

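# ¦ security - aws_config
# Shared AWS Config settings consumed by the aggregation, delivery-channel and
# member modules below.
# NOTE(review): the module examples further down reference this object as
# local.aws_config_settings while it is defined here as aws_config; expose it
# under that name (or adjust the references) so the snippets agree.
aws_config = {
  aggregation = {
    aggregator_name        = "aws-config-aggregator"
    aggregator_role_name   = "aws-config-aggregator-role"
    # Falls back to the Core Security account unless an explicit aggregation
    # account id is supplied via var.aws_config_configuration.
    aggregation_account_id = try(var.aws_config_configuration.aggregation.aggregation_account_id, local.core_accounts.security)
  }
  delivery_channel_target = {
    central_s3 = {
      # One bucket in the Core Logging account receives the recorder output.
      bucket_name = format("aws-config-logs-%s", local.core_accounts.logging)
      kms_cmk = {
        key_alias                   = "aws-config-recorder-logs-key"
        deletion_window_in_days     = 30
        additional_kms_cmk_grants   = ""
        # presumably adds the account-root statement to the key policy so IAM
        # policies can govern key access — confirm against the module.
        enable_iam_user_permissions = true
        # Reuse an existing CMK when its ARN is supplied; null otherwise.
        arn                         = try(var.aws_config_configuration.delivery_channel_target.central_s3.kms_cmk.arn, null)
      }
      # Lifecycle of the delivered logs: Glacier after 90 days, expiry after
      # 360 days. Review these against the retention period your audit and
      # compliance requirements demand before relying on the bucket as the
      # configuration history.
      bucket_days_to_glacier    = 90
      bucket_days_to_expiration = 360
    }
  }
  account_baseline = {
    iam_role_name         = "aws-config-recorder-role"
    iam_role_path         = "/"
    recorder_name         = "aws-config-recorder"
    delivery_channel_name = "aws-config-recorder-delivery-channel"
  }
}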

Provision the central aggregator into an account such as Core Security:

# Central AWS Config aggregator, deployed through the aws.core_security
# provider alias.
module "aggregation" {
  # Pinned to the 1.0.3 tag. Tags are mutable; for a reproducible,
  # tamper-evident build, pin ref= to that tag's commit SHA instead
  # (ref=<commit-sha> — placeholder, look it up in the repository).
  source = "git::https://github.com/acai-consulting/terraform-aws-acf-configservice.git//aggregation?ref=1.0.3"

  providers = {
    aws = aws.core_security
  }

  aws_config_settings = local.aws_config_settings
}

Provision the central delivery bucket into an account such as Core Logging:

# Central S3 delivery target for the member recorders, deployed through the
# aws.core_logging provider alias.
module "s3_delivery_channel" {
  # Same git source as the aggregator; prefer pinning ref= to a commit SHA
  # (ref=<commit-sha> — placeholder) rather than the movable 1.0.3 tag.
  source = "git::https://github.com/acai-consulting/terraform-aws-acf-configservice.git//delivery-channel-target-s3?ref=1.0.3"

  providers = {
    aws = aws.core_logging
  }

  aws_config_settings = local.aws_config_settings
}

Provision the member resources with ACAI PROVISIO:

# Member-account AWS Config resources, packaged for rollout by ACAI PROVISIO.
# No provider alias is passed; the module itself only produces a package
# specification (see the locals below), the rollout happens via PROVISIO.
module "aws_config_service" {
  # Pinned to a tag; pin to the commit SHA (ref=<commit-sha> — placeholder)
  # for an immutable source.
  source = "git::https://github.com/acai-consulting/terraform-aws-acf-configservice.git//member/acai-provisio?ref=1.0.3"

  aws_config_settings = local.aws_config_settings

  # local.regions_settings is defined outside this listing.
  provisio_settings = {
    provisio_regions = local.regions_settings
  }
}

# Wire the member package into a single PROVISIO deployment.
locals {
  # Every module whose output describes a PROVISIO package.
  package_specification = [module.aws_config_service]

  # One deployment that rolls out the package(s) named here.
  package_deployment = [
    {
      deployment_name        = "account-baselining-default"
      provisio_package_names = [module.aws_config_service.provisio_package_name]
    }
  ]
}

# PROVISIO baseline rollout of the package deployment defined above.
# NOTE: the module label "provisio_core_baseling" looks like a typo of
# "baselining"; it is kept as-is because other code may reference
# module.provisio_core_baseling.
module "provisio_core_baseling" {
  # Tag-pinned source; pin to a commit SHA (ref=<commit-sha> — placeholder)
  # for reproducibility.
  source = "git::https://github.com/acai-consulting/terraform-aws-acai-provisio//baseline?ref=1.0.0"

  providers = {
    aws = aws.core_baselining
  }

  # module.provisio_core is not part of this listing.
  provisio_bucket_id = module.provisio_core.provisio_configuration_to_write.core_provisio.provisio_bucket_id

  provisio_baseline_specification = {
    package_specification = local.package_specification
    package_deployment    = local.package_deployment
  }

  # Regions are hard-coded here; keep them aligned with local.regions_settings
  # used by the member module.
  provisio_regions = {
    primary_region    = "eu-central-1"
    secondary_regions = ["eu-west-1", "us-east-1"]
  }
}