
Feature/multi account

Open lgallard opened this issue 2 years ago • 5 comments

What?

  • Add support to multi account prefixes in Config bucket

Why?

  • To be able to send logs and snapshots from different Config accounts / regions into a single bucket

cc: @exequielrafaela @diego-ojeda-binbash

lgallard avatar Feb 08 '22 19:02 lgallard

@rpdelaney The idea is to be able to send logs across accounts. If you set "%s" you will only be allowed to send logs to the current account, that's why we suggested to use "*" to be able to access other accounts' buckets.

lgallard avatar Sep 22 '22 17:09 lgallard

Ok, thanks for the explanation. Can that be made configurable with a default to the existing, more-paranoid behavior? That way this wouldn't have to be shipped as a major revision. :-)

rpdelaney avatar Sep 22 '22 19:09 rpdelaney

@rpdelaney added a variable to enable sending of logs and snapshots from different Config accounts / regions into a single bucket

cc: @exequielrafaela @diego-ojeda-binbash

lgallard avatar Sep 27 '22 03:09 lgallard

Thanks @lgallard, it seems we covered @rpdelaney's request. Hope to get their review soon 🙏🏼

CC: @diego-ojeda-binbash

exequielrafaela avatar Sep 29 '22 17:09 exequielrafaela

Y'all have been heroically maintaining this PR since February. Thank you! I feel bad that we've overlooked your contribution for so long; I want to hopefully get this merged by mid next week.

rpdelaney avatar Sep 29 '22 21:09 rpdelaney

I'm getting an error:

$ terraform --version
Terraform v1.3.2
on darwin_arm64
$ terraform fmt .
╷
│ Error: Invalid expression
│
│   on iam.tf line 41, in data "aws_iam_policy_document" "aws_config_policy":
│   41:         var.enable_multi_account_logs  ? == true ? "*" : data.aws_caller_identity.current.account_id
│
│ Expected the start of an expression, but found an invalid expression token.

Have you deployed from this branch successfully anywhere yet? What terraform version are you using?

rpdelaney avatar Oct 07 '22 16:10 rpdelaney

@rpdelaney The invalid expression was fixed!! Sorry about that!!

lgallard avatar Oct 07 '22 17:10 lgallard
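To make the policy question in this thread concrete (the "%s" vs "*" explanation above and the corrected `enable_multi_account_logs` conditional), here is an added example of the bucket-policy shape such a flag toggles. It is not the module's own `iam.tf` and not code from this PR: the variables `allowed_source_account_ids` and `config_logs_bucket`, the `aws:SourceAccount` allow-list and the precondition are assumptions added for illustration; only `enable_multi_account_logs` and `data.aws_caller_identity.current` come from the thread.

```hcl
# Added example, not the module's iam.tf. Shows what flipping
# enable_multi_account_logs changes in the Config delivery bucket policy,
# and one way to keep the writer set bounded when the path prefix no
# longer does it. Names marked "assumed" are not from the PR.

variable "enable_multi_account_logs" {
  description = "Enable sending of logs and snapshots from different Config accounts / regions into a single bucket"
  type        = bool
  default     = false # default keeps the existing single-account behaviour
}

# Assumed: explicit allow-list of source accounts, used instead of a bare "*".
variable "allowed_source_account_ids" {
  description = "Account IDs allowed to deliver Config logs here (only read when enable_multi_account_logs is true)"
  type        = list(string)
  default     = []
}

# Assumed: name of the delivery bucket.
variable "config_logs_bucket" {
  type = string
}

data "aws_caller_identity" "current" {}

locals {
  # Single account: only AWSLogs/<this account id>/Config/* is writable.
  # Multi account: AWSLogs/*/Config/*, so the object path no longer limits
  # which accounts can write; the aws:SourceAccount condition below does.
  delivery_account_path = var.enable_multi_account_logs ? "*" : data.aws_caller_identity.current.account_id

  source_accounts = var.enable_multi_account_logs ? var.allowed_source_account_ids : [data.aws_caller_identity.current.account_id]
}

data "aws_iam_policy_document" "aws_config_policy" {
  # Bucket-level checks AWS Config performs before delivering.
  statement {
    sid       = "AWSConfigBucketPermissionsCheck"
    effect    = "Allow"
    actions   = ["s3:GetBucketAcl", "s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.config_logs_bucket}"]

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = local.source_accounts
    }
  }

  # Object delivery, scoped by path prefix and by source account.
  statement {
    sid       = "AWSConfigBucketDelivery"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::${var.config_logs_bucket}/AWSLogs/${local.delivery_account_path}/Config/*"]

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = local.source_accounts
    }
  }
}

resource "aws_s3_bucket_policy" "config" {
  bucket = var.config_logs_bucket
  policy = data.aws_iam_policy_document.aws_config_policy.json

  lifecycle {
    # Refuse to plan a "*" path with an empty allow-list: that would leave
    # no account restriction at all on the delivery statement.
    precondition {
      condition     = !var.enable_multi_account_logs || length(var.allowed_source_account_ids) > 0
      error_message = "allowed_source_account_ids must be non-empty when enable_multi_account_logs is true."
    }
  }
}
```

With the flag off this reproduces the single-account policy rpdelaney wanted as the default; with it on, the `"*"` in the object path admits any `AWSLogs/<id>/` prefix, so the example moves the account restriction into an explicit `aws:SourceAccount` list and fails the plan if that list is empty. The precondition needs Terraform 1.2 or newer, which the 1.3.2 used in this thread satisfies.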

Great! Would you kindly allow edits to this PR by maintainers so I can run terraform-docs and do a bit of cleanup?

rpdelaney avatar Oct 07 '22 18:10 rpdelaney

Alternatively, here's a patch:

--- a/README.md
+++ b/README.md
@@ -195,6 +195,7 @@ No modules.
 | <a name="input_config_sns_topic_arn"></a> [config\_sns\_topic\_arn](#input\_config\_sns\_topic\_arn) | An SNS topic to stream configuration changes and notifications to. | `string` | `null` | no |
 | <a name="input_cw_loggroup_retention_period"></a> [cw\_loggroup\_retention\_period](#input\_cw\_loggroup\_retention\_period) | Retention period for cloudwatch logs in number of days | `number` | `3653` | no |
 | <a name="input_enable_config_recorder"></a> [enable\_config\_recorder](#input\_enable\_config\_recorder) | Enables configuring the AWS Config recorder resources in this module. | `bool` | `true` | no |
+| <a name="input_enable_multi_account_logs"></a> [enable\_multi\_account\_logs](#input\_enable\_multi\_account\_logs) | Enable sending of logs and snapshots from different Config accounts / regions into a single bucket | `bool` | `false` | no |
 | <a name="input_include_global_resource_types"></a> [include\_global\_resource\_types](#input\_include\_global\_resource\_types) | Specifies whether AWS Config includes all supported types of global resources with the resources that it records. | `bool` | `true` | no |
 | <a name="input_password_max_age"></a> [password\_max\_age](#input\_password\_max\_age) | Number of days before password expiration. | `number` | `90` | no |
 | <a name="input_password_min_length"></a> [password\_min\_length](#input\_password\_min\_length) | Password minimum length. | `number` | `14` | no |
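Review bot: the new `enable_multi_account_logs` row describes what the flag is for but not what it changes in the policy, which is the part a reader of this table needs before turning it on. From the thread and the expression in iam.tf line 41, `true` swaps the current account ID for `"*"` in the Config bucket policy; suggest saying so in the description, e.g. "... into a single bucket. When true, the bucket policy allows any source account ("*") instead of only the current account ID."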
@@ -205,8 +206,8 @@ No modules.
 | <a name="input_password_reuse_prevention"></a> [password\_reuse\_prevention](#input\_password\_reuse\_prevention) | Number of passwords before allowing reuse. | `number` | `24` | no |
 | <a name="input_required_tags"></a> [required\_tags](#input\_required\_tags) | A map of required resource tags. Format is tagNKey, tagNValue, where N is int. Values are optional. | `map(string)` | `{}` | no |
 | <a name="input_required_tags_resource_types"></a> [required\_tags\_resource\_types](#input\_required\_tags\_resource\_types) | Resource types to check for tags. | `list(string)` | `[]` | no |
+| <a name="input_resource_types"></a> [resource\_types](#input\_resource\_types) | A list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail). See relevant part of AWS Docs for available types. | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to AWS Config resources | `map(string)` | `{}` | no |
-| <a name="input\_resource\_types"></a> [resource_types](#input\_resource\_types) | A list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail). See relevant part of AWS Docs for available types." | `map(string)` | `{}` | no |

 ## Outputs
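Review bot: the replacement `resource_types` row changes the documented type from `map(string)` to `list(string)` and drops the stray trailing `"` from the description; since terraform-docs generates this table, confirm `variables.tf` declares `type = list(string)` with a matching description so the next pre-commit run does not revert it. The phrase "See relevant part of AWS Docs" gives the reader nothing to follow; consider linking the AWS Config supported resource types page in the description.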

rpdelaney avatar Oct 07 '22 19:10 rpdelaney

@rpdelaney I ran pre-commit and updated the README. Please don't hesitate to let me know if you need anything else!

lgallard avatar Oct 08 '22 01:10 lgallard

Shipped in v4.7.0. Thank you!

rpdelaney avatar Oct 11 '22 13:10 rpdelaney