Merge pull request #221 from observeinc/jdaines/control-tower-config

obs-gh-justindaines · web-flow · commit 9a87fd94e04f · 2025-11-21T12:23:30.000-05:00
feat: Added org_id and source_accounts to SNS topic policy
diff --git a/modules/stack/README.md b/modules/stack/README.md
@@ -160,6 +160,7 @@ You can additionally configure other submodules in this manner:
 | [aws_sns_topic.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_sns_topic_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
 | [aws_sns_topic_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.sns_topic_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
@@ -174,8 +175,10 @@ You can additionally configure other submodules in this manner:
 | <a name="input_logwriter"></a> [logwriter](#input\_logwriter) | Variables for AWS CloudWatch Logs collection. | <pre>object({<br>    log_group_name_patterns         = optional(list(string))<br>    log_group_name_prefixes         = optional(list(string))<br>    exclude_log_group_name_prefixes = optional(list(string))<br>    buffering_interval              = optional(number)<br>    buffering_size                  = optional(number)<br>    filter_name                     = optional(string)<br>    filter_pattern                  = optional(string)<br>    num_workers                     = optional(number)<br>    discovery_rate                  = optional(string, "24 hours")<br>    lambda_memory_size              = optional(number)<br>    lambda_timeout                  = optional(number)<br>    lambda_env_vars                 = optional(map(string))<br>    lambda_runtime                  = optional(string)<br>    code_uri                        = optional(string)<br>    sam_release_version             = optional(string)<br>  })</pre> | `null` | no |
 | <a name="input_metricstream"></a> [metricstream](#input\_metricstream) | Variables for AWS CloudWatch Metrics Stream collection. | <pre>object({<br>    include_filters     = optional(list(object({ namespace = string, metric_names = optional(list(string)) })))<br>    exclude_filters     = optional(list(object({ namespace = string, metric_names = optional(list(string)) })))<br>    buffering_interval  = optional(number)<br>    buffering_size      = optional(number)<br>    sam_release_version = optional(string)<br>  })</pre> | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of role. Since this name must be unique within the<br>account, it will be reused for most of the resources created by this<br>module. | `string` | n/a | yes |
+| <a name="input_org_id"></a> [org\_id](#input\_org\_id) | Optional AWS Organizations ID. If set, adds an AllowAWSConfigFromOrg statement on the SNS topic that allows publishes by aws:PrincipalOrgID. Useful for AWS Control Tower integrations. | `string` | `null` | no |
 | <a name="input_s3_bucket_lifecycle_expiration"></a> [s3\_bucket\_lifecycle\_expiration](#input\_s3\_bucket\_lifecycle\_expiration) | Expiration in days for S3 objects in collection bucket | `number` | `4` | no |
 | <a name="input_sam_release_version"></a> [sam\_release\_version](#input\_sam\_release\_version) | Release version for SAM apps as defined on github.com/observeinc/aws-sam-apps. | `string` | `null` | no |
+| <a name="input_source_accounts"></a> [source\_accounts](#input\_source\_accounts) | List of AWS account IDs allowed to publish to the SNS topic via AWS Config. Useful for sub-accounts in AWS Organizations and Control Tower integrations.<br>The current account ID is automatically included when this list is non-empty. | `list(string)` | <pre>[<br>  "891377094505"<br>]</pre> | no |
 | <a name="input_verbosity"></a> [verbosity](#input\_verbosity) | Logging verbosity for Lambda. Highest log verbosity is 9. | `number` | `null` | no |
 
 ## Outputs
diff --git a/modules/stack/sns.tf b/modules/stack/sns.tf
@@ -1,3 +1,14 @@
+data "aws_caller_identity" "current" {}
+
+locals {
+  # When source_accounts is set, automatically include the current (audit) account
+  # to ensure the local AWS Config can also publish to the SNS topic
+  effective_source_accounts = length(var.source_accounts) > 0 ? distinct(concat(
+    var.source_accounts,
+    [data.aws_caller_identity.current.account_id]
+  )) : []
+}
+
 resource "aws_sns_topic" "this" {
   name_prefix = "${var.name}-"
 }
@@ -40,6 +51,65 @@ data "aws_iam_policy_document" "sns_topic_policy" {
       aws_sns_topic.this.arn,
     ]
   }
+
+  # Optional: if org_id is set, add an AllowAWSConfigFromOrg statement that
+  # allows config.amazonaws.com to publish, restricted by aws:PrincipalOrgID.
+  dynamic "statement" {
+    for_each = var.org_id == null ? [] : [1]
+    content {
+      sid    = "AllowAWSConfigFromOrg"
+      effect = "Allow"
+
+      principals {
+        type        = "Service"
+        identifiers = ["config.amazonaws.com"]
+      }
+
+      actions = [
+        "SNS:Publish",
+      ]
+
+      resources = [
+        aws_sns_topic.this.arn
+      ]
+
+      condition {
+        test     = "StringEquals"
+        variable = "aws:PrincipalOrgID"
+        values   = [var.org_id]
+      }
+    }
+  }
+  # Optional: if source_accounts is non-empty, add an AllowAWSConfigFromSourceAccounts
+  # statement that restricts publishes by AWS:SourceAccount.
+  # This automatically includes the current (audit) account ID.
+  dynamic "statement" {
+    for_each = length(local.effective_source_accounts) == 0 ? [] : [1]
+    content {
+      sid    = "AllowAWSConfigFromSourceAccounts"
+      effect = "Allow"
+
+      principals {
+        type        = "Service"
+        identifiers = ["config.amazonaws.com"]
+      }
+
+      actions = [
+        "SNS:Publish",
+      ]
+
+      resources = [
+        aws_sns_topic.this.arn,
+      ]
+
+      condition {
+        test     = "StringEquals"
+        variable = "AWS:SourceAccount"
+        values   = local.effective_source_accounts
+      }
+    }
+  }
+
 }
 
 resource "aws_sns_topic_subscription" "this" {
diff --git a/modules/stack/variables.tf b/modules/stack/variables.tf
@@ -137,3 +137,23 @@ variable "sam_release_version" {
   type        = string
   default     = null
 }
+
+# Optional AWS Organizations ID. If set, we'll add an AllowAWSConfigFromOrg
+# statement on the SNS topic that restricts publishes by aws:PrincipalOrgID.
+variable "org_id" {
+  description = "Optional AWS Organizations ID. If set, adds an AllowAWSConfigFromOrg statement on the SNS topic that allows publishes by aws:PrincipalOrgID. Useful for AWS Control Tower integrations."
+  type        = string
+  default     = null
+}
+
+# Optional list of AWS SourceAccount IDs. If non-empty, we'll add a
+# statement that restricts publishes using the AWS:SourceAccount condition.
+# The current (audit) account ID is automatically included in the list.
+variable "source_accounts" {
+  type        = list(string)
+  default     = ["891377094505"]
+  description = <<-EOF
+    List of AWS account IDs allowed to publish to the SNS topic via AWS Config. Useful for sub-accounts in AWS Organizations and Control Tower integrations.
+    The current account ID is automatically included when this list is non-empty.
+  EOF
+}
