Add aws config (#1)

* add aws config baseline

* add missing IAM

* removing iam variable

* add conditional for sns topics

* add conditional for iam roles

* add provider

* add provider

* remove extra provider

* removing config submodule, adding as a separate file

Author: helderklemp

README.md

@@ -10,7 +10,9 @@ Terraform module to set up AWS account with the secure baseline configuration ba
 
 ## Providers
 
-No provider.
+| Name | Version |
+|------|---------|
+| aws | n/a |
 
 ## Inputs
 
@@ -19,8 +21,12 @@ No provider.
 | alarm\_namespace | The namespace in which all alarms are set up. | `string` | `"CISBenchmark"` | no |
 | alarm\_sns\_topic\_name | The name of the SNS Topic which will be notified when any alarm is performed. | `string` | `"CISAlarm"` | no |
 | cloudtrail\_log\_group\_name | The name of Cloudtrail log group. | `string` | `"bubbletea-cloudtrail"` | no |
+| config\_delivery\_frequency | The frequency which AWS Config sends a snapshot into the S3 bucket. | `string` | `"One_Hour"` | no |
+| config\_include\_global\_resource\_types | Specifies whether AWS Config includes all supported types of global resources with the resources that it records. | `bool` | `true` | no |
+| config\_s3\_bucket\_name | The name of the S3 bucket which will store configuration snapshots. | `any` | n/a | yes |
 | enable\_alarm\_baseline | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `string` | `"false"` | no |
 | enable\_chatbot\_slack | If true, will create aws chatboot and integrate to slack | `string` | `"false"` | no |
+| enable\_config\_baseline | If true, will create aws config | `string` | `"false"` | no |
 | org\_name | Name for this organization | `any` | n/a | yes |
 | slack\_channel\_id | Sclack channel id to send budget notfication using AWS Chatbot | `string` | `""` | no |
 | slack\_workspace\_id | Sclack workspace id to send budget notfication using AWS Chatbot | `string` | `""` | no |

_providers.tf

@@ -0,0 +1 @@
+provider "aws" {}

_variables.tf

@@ -44,3 +44,22 @@ variable "slack_workspace_id" {
   description = "Sclack workspace id to send budget notfication using AWS Chatbot"
   default     = ""
 }
+
+# --------------------------------------------------------------------------------------------------
+# Variables for alarm-baseline module.
+# --------------------------------------------------------------------------------------------------
+variable "enable_config_baseline" {
+  description = "If true, will create aws config"
+  default     = "false"
+}
+variable "config_s3_bucket_name" {
+  description = "The name of the S3 bucket which will store configuration snapshots."
+}
+variable "config_delivery_frequency" {
+  description = "The frequency which AWS Config sends a snapshot into the S3 bucket."
+  default     = "One_Hour"
+}
+variable "config_include_global_resource_types" {
+  description = "Specifies whether AWS Config includes all supported types of global resources with the resources that it records."
+  default     = true
+}

aws_config.tf

@@ -0,0 +1,97 @@
+# This file was created instead a sub module since we found an issue passing the provider to child submodules
+# AWS Config should be enabled into all accounts (master and sub accounts)
+resource "aws_sns_topic" "config" {
+  count = var.enable_config_baseline ? 1 : 0
+
+  name = "ConfigChanges"
+  tags = var.tags
+}
+resource "aws_iam_role_policy_attachment" "config" {
+  count      = var.enable_config_baseline ? 1 : 0
+  role       = aws_iam_role.config_role[0].name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
+}
+
+resource "aws_iam_role" "config_role" {
+  count = var.enable_config_baseline ? 1 : 0
+  name  = "awsconfig-role"
+
+  assume_role_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "config.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+POLICY
+}
+resource "aws_config_configuration_recorder" "recorder" {
+  count = var.enable_config_baseline ? 1 : 0
+
+  name = "default"
+
+  role_arn = aws_iam_role.config_role[0].arn
+
+  recording_group {
+    all_supported                 = true
+    include_global_resource_types = var.config_include_global_resource_types
+  }
+}
+
+resource "aws_config_delivery_channel" "bucket" {
+  count = var.enable_config_baseline ? 1 : 0
+
+  name = "default"
+
+  s3_bucket_name = var.config_s3_bucket_name
+  s3_key_prefix  = ""
+  sns_topic_arn  = aws_sns_topic.config[0].arn
+
+  snapshot_delivery_properties {
+    delivery_frequency = var.config_delivery_frequency
+  }
+
+  depends_on = [aws_config_configuration_recorder.recorder[0]]
+}
+
+resource "aws_config_configuration_recorder_status" "recorder" {
+  count = var.enable_config_baseline ? 1 : 0
+
+  name = aws_config_configuration_recorder.recorder[0].id
+
+  is_enabled = true
+  depends_on = [aws_config_delivery_channel.bucket[0]]
+}
+
+# --------------------------------------------------------------------------------------------------
+# A config rule to monitor open known ports.
+# --------------------------------------------------------------------------------------------------
+
+resource "aws_config_config_rule" "restricted_ports" {
+  count = var.enable_config_baseline ? 1 : 0
+
+  name = "RestrictedIncomingTraffic"
+
+  source {
+    owner             = "AWS"
+    source_identifier = "RESTRICTED_INCOMING_TRAFFIC"
+  }
+
+  input_parameters = <<JSON
+{
+  "blockedPort1": "22",
+  "blockedPort2": "3389"
+}
+JSON
+
+  tags = var.tags
+
+  depends_on = [aws_config_configuration_recorder.recorder[0]]
+}

main.tf

@@ -16,14 +16,15 @@ module "alarm_baseline" {
 # --------------------------------------------------------------------------------------------------
 # Chatbot Notifications
 # --------------------------------------------------------------------------------------------------
-module "chatbot" {
+module "chatbot_alarms" {
   source = "git::https://github.com/DNXLabs/terraform-aws-chatbot?ref=0.1.1"
 
   enabled             = var.enable_chatbot_slack
   org_name            = var.org_name
   workspace_name      = var.alarm_namespace
   slack_channel_id    = var.slack_channel_id
   slack_workspace_id  = var.slack_workspace_id
-  alarm_sns_topic_arn = module.alarm_baseline.alarm_sns_topic.*.arn[0]
+  alarm_sns_topic_arn = (var.enable_chatbot_slack && var.enable_alarm_baseline) ? module.alarm_baseline.alarm_sns_topic.*.arn[0] : null
   tags                = var.tags
 }
+