From 15d366db1cc6a7b9011b687ebad29d8900d522b1 Mon Sep 17 00:00:00 2001
From: Kristian Lesko
Date: Mon, 26 Feb 2024 12:00:10 +0100
Subject: [PATCH] FEATURE CE-454: Set Config retention via native TF
---
config_baselines.tf | 59 ++++++++--------------------
main.tf | 2 +-
modules/config-baseline/main.tf | 6 +++
modules/config-baseline/variables.tf | 6 +++
resources/config_recorder.py | 42 --------------------
variables.tf | 6 ---
6 files changed, 30 insertions(+), 91 deletions(-)
delete mode 100644 resources/config_recorder.py
diff --git a/config_baselines.tf b/config_baselines.tf
index 6438ec6..aafb878 100644
--- a/config_baselines.tf
+++ b/config_baselines.tf
@@ -115,6 +115,7 @@ module "config_baseline_ap-northeast-1" {
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-northeast-1"
+ config_retention_days = var.config_retention_days
continuous_recording = var.config_continuous_recording ? contains(var.config_continuous_recording_regions, "ap-northeast-1") : false
limit_resource_types = var.config_limit_resource_types
@@ -138,6 +139,7 @@ module "config_baseline_ap-northeast-2" {
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-northeast-2"
+ config_retention_days = var.config_retention_days
continuous_recording = var.config_continuous_recording ? contains(var.config_continuous_recording_regions, "ap-northeast-2") : false
limit_resource_types = var.config_limit_resource_types
@@ -161,6 +163,7 @@ module "config_baseline_ap-northeast-3" {
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-northeast-3"
+ config_retention_days = var.config_retention_days
continuous_recording = var.config_continuous_recording ? contains(var.config_continuous_recording_regions, "ap-northeast-3") : false
limit_resource_types = var.config_limit_resource_types
@@ -184,6 +187,7 @@ module "config_baseline_ap-south-1" {
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-south-1"
+ config_retention_days = var.config_retention_days
continuous_recording = var.config_continuous_recording ? contains(var.config_continuous_recording_regions, "ap-south-1") : false
limit_resource_types = var.config_limit_resource_types
@@ -207,6 +211,7 @@ module "config_baseline_ap-southeast-1" {
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-southeast-1"
+ config_retention_days = var.config_retention_days
continuous_recording = var.config_continuous_recording ? contains(var.config_continuous_recording_regions, "ap-southeast-1") : false
limit_resource_types = var.config_limit_resource_types
@@ -230,6 +235,7 @@ module "config_baseline_ap-southeast-2" {
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-southeast-2"
+ config_retention_days = var.config_retention_days
continuous_recording = var.config_continuous_recording ? contains(var.config_continuous_recording_regions, "ap-southeast-2") : false
limit_resource_types = var.config_limit_resource_types
@@ -253,6 +259,7 @@ module "config_baseline_ca-central-1" {
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ca-central-1"
+ config_retention_days = var.config_retention_days
continuous_recording = var.config_continuous_recording ? contains(var.config_continuous_recording_regions, "ca-central-1") : false
limit_resource_types = var.config_limit_resource_types
@@ -276,6 +283,7 @@ module "config_baseline_eu-central-1" {
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "eu-central-1"
+ config_retention_days = var.config_retention_days
continuous_recording = var.config_continuous_recording ? contains(var.config_continuous_recording_regions, "eu-central-1") : false
limit_resource_types = var.config_limit_resource_types
@@ -299,6 +307,7 @@ module "config_baseline_eu-north-1" {
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "eu-north-1"
+ config_retention_days = var.config_retention_days
continuous_recording = var.config_continuous_recording ? contains(var.config_continuous_recording_regions, "eu-north-1") : false
limit_resource_types = var.config_limit_resource_types
@@ -322,6 +331,7 @@ module "config_baseline_eu-west-1" {
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "eu-west-1"
+ config_retention_days = var.config_retention_days
continuous_recording = var.config_continuous_recording ? contains(var.config_continuous_recording_regions, "eu-west-1") : false
limit_resource_types = var.config_limit_resource_types
@@ -345,6 +355,7 @@ module "config_baseline_eu-west-2" {
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "eu-west-2"
+ config_retention_days = var.config_retention_days
continuous_recording = var.config_continuous_recording ? contains(var.config_continuous_recording_regions, "eu-west-2") : false
limit_resource_types = var.config_limit_resource_types
@@ -368,6 +379,7 @@ module "config_baseline_eu-west-3" {
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "eu-west-3"
+ config_retention_days = var.config_retention_days
continuous_recording = var.config_continuous_recording ? contains(var.config_continuous_recording_regions, "eu-west-3") : false
limit_resource_types = var.config_limit_resource_types
@@ -391,6 +403,7 @@ module "config_baseline_sa-east-1" {
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "sa-east-1"
+ config_retention_days = var.config_retention_days
continuous_recording = var.config_continuous_recording ? contains(var.config_continuous_recording_regions, "sa-east-1") : false
limit_resource_types = var.config_limit_resource_types
@@ -414,6 +427,7 @@ module "config_baseline_us-east-1" {
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "us-east-1"
+ config_retention_days = var.config_retention_days
continuous_recording = var.config_continuous_recording ? contains(var.config_continuous_recording_regions, "us-east-1") : false
limit_resource_types = var.config_limit_resource_types
@@ -437,6 +451,7 @@ module "config_baseline_us-east-2" {
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "us-east-2"
+ config_retention_days = var.config_retention_days
continuous_recording = var.config_continuous_recording ? contains(var.config_continuous_recording_regions, "us-east-2") : false
limit_resource_types = var.config_limit_resource_types
@@ -460,6 +475,7 @@ module "config_baseline_us-west-1" {
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "us-west-1"
+ config_retention_days = var.config_retention_days
continuous_recording = var.config_continuous_recording ? contains(var.config_continuous_recording_regions, "us-west-1") : false
limit_resource_types = var.config_limit_resource_types
@@ -483,6 +499,7 @@ module "config_baseline_us-west-2" {
sns_topic_name = var.config_sns_topic_name
sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "us-west-2"
+ config_retention_days = var.config_retention_days
continuous_recording = var.config_continuous_recording ? contains(var.config_continuous_recording_regions, "us-west-2") : false
limit_resource_types = var.config_limit_resource_types
@@ -690,45 +707,3 @@ resource "aws_config_configuration_aggregator" "organization" {
tags = var.tags
}
-
-
-
-### Provision Config recorder attributes not supported by provider yet:
-# recorder frequency (https://github.com/hashicorp/terraform-provider-aws/pull/35527)
-# Config retention (https://github.com/hashicorp/terraform-provider-aws/issues/13305)
-resource "terraform_data" "recorder_tuning" {
- count = var.config_baseline_enabled && var.config_tuning_enabled ? 1 : 0
-
- triggers_replace = concat(
- module.config_baseline_ap-northeast-1[*].configuration_recorder,
- module.config_baseline_ap-northeast-2[*].configuration_recorder,
- module.config_baseline_ap-northeast-3[*].configuration_recorder,
- module.config_baseline_ap-south-1[*].configuration_recorder,
- module.config_baseline_ap-southeast-1[*].configuration_recorder,
- module.config_baseline_ap-southeast-2[*].configuration_recorder,
- module.config_baseline_ca-central-1[*].configuration_recorder,
- module.config_baseline_eu-central-1[*].configuration_recorder,
- module.config_baseline_eu-north-1[*].configuration_recorder,
- module.config_baseline_eu-west-1[*].configuration_recorder,
- module.config_baseline_eu-west-2[*].configuration_recorder,
- module.config_baseline_eu-west-3[*].configuration_recorder,
- module.config_baseline_sa-east-1[*].configuration_recorder,
- module.config_baseline_us-east-1[*].configuration_recorder,
- module.config_baseline_us-east-2[*].configuration_recorder,
- module.config_baseline_us-west-1[*].configuration_recorder,
- module.config_baseline_us-west-2[*].configuration_recorder,
- [
- var.config_retention_days,
- ],
- )
-
- provisioner "local-exec" {
- command = "${path.module}/resources/config_recorder.py"
- interpreter = ["python3"]
- environment = {
- CONFIG_RECORDER_RETENTION = var.config_retention_days
- CONFIG_REGIONS = join(",", var.target_regions)
- TF_AWS_ROLE = data.aws_iam_session_context.current.issuer_arn
- }
- }
-}
diff --git a/main.tf b/main.tf
index 6d6042a..cb5f744 100644
--- a/main.tf
+++ b/main.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.38"
+ version = ">= 5.39"
# A provider alias should be passed for each AWS region.
# Reference: https://docs.aws.amazon.com/general/latest/gr/rande.html
diff --git a/modules/config-baseline/main.tf b/modules/config-baseline/main.tf
index 2bd4aba..229035c 100644
--- a/modules/config-baseline/main.tf
+++ b/modules/config-baseline/main.tf
@@ -39,6 +39,7 @@ resource "aws_config_configuration_recorder" "recorder" {
name = var.recorder_name
role_arn = var.iam_role_arn
+
recording_group {
all_supported = length(var.limit_resource_types) == 0
include_global_resource_types = length(var.limit_resource_types) == 0 ? var.include_global_resource_types : false
@@ -53,6 +54,11 @@ resource "aws_config_configuration_recorder" "recorder" {
}
}
+resource "aws_config_retention_configuration" "this" {
+ count = var.config_retention_days == 0 ? 0 : 1
+ retention_period_in_days = var.config_retention_days
+}
+
resource "aws_config_delivery_channel" "bucket" {
name = var.delivery_channel_name
s3_bucket_name = var.s3_bucket_name
diff --git a/modules/config-baseline/variables.tf b/modules/config-baseline/variables.tf
index c384aa4..0f57c8e 100644
--- a/modules/config-baseline/variables.tf
+++ b/modules/config-baseline/variables.tf
@@ -44,6 +44,12 @@ variable "delivery_channel_name" {
default = "default"
}
+variable "config_retention_days" {
+ description = "AWS Config retention in days. 0 disables setting retention."
+ type = number
+ default = 0
+}
+
variable "continuous_recording" {
description = "Enable CONTINUOUS recording (as opposed to DAILY)."
type = bool
diff --git a/resources/config_recorder.py b/resources/config_recorder.py
deleted file mode 100644
index 7729e5e..0000000
--- a/resources/config_recorder.py
+++ /dev/null
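Review bot: The `count = var.config_retention_days == 0 ? 0 : 1` on the new `aws_config_retention_configuration` resource in modules/config-baseline/main.tf means that a caller who later moves the value from N back to 0 makes Terraform destroy the resource, which deletes the region's retention configuration and, as far as I can tell from the AWS API, lets the AWS default (2557 days / 7 years) take over — so 0 is "unmanaged, AWS default", not "leave whatever is currently set", and the variable description "0 disables setting retention" does not make that clear. I would put it on the resource: `# 0 = unmanaged: the retention configuration is destroyed and the AWS default (2557 days) applies.` Regions that were already tuned by the removed Python provisioner carry a retention configuration today; whether the provider's create call simply overwrites it or a `terraform import` per region is needed should be confirmed on an existing environment before this rolls out. Lowering retention below the default also shortens the Config history available for incident investigation, which is worth stating in the module documentation.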
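Review bot: The new `config_retention_days` variable in modules/config-baseline/variables.tf accepts any number, but the underlying PutRetentionConfiguration API only accepts 30 to 2557 days, so a value such as 7 (a plausible typo for the 7-year default) is rejected only at apply time, mid-run, after other regional resources have already changed. A `validation` block on the variable catches this at plan time and documents the legal range; the root-level variable of the same name in variables.tf carries the same description and would benefit from the same check. The value 0 has to stay allowed since it is the module's "do not manage" sentinel.
```hcl
variable "config_retention_days" {
  description = "AWS Config retention in days (30-2557). 0 leaves retention unmanaged, so the AWS default applies."
  type        = number
  default     = 0

  validation {
    condition     = var.config_retention_days == 0 || (var.config_retention_days >= 30 && var.config_retention_days <= 2557)
    error_message = "config_retention_days must be 0 or between 30 and 2557 (AWS Config limits)."
  }
}
```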
@@ -1,42 +0,0 @@
-#!/usr/bin/python3
-
-import boto3
-import os
-import sys
-
-retention = int(os.getenv("CONFIG_RECORDER_RETENTION", "0"))
-role_arn = os.environ["TF_AWS_ROLE"]
-target_regions = os.environ["CONFIG_REGIONS"].split(",")
-
-if not retention:
- print("No retention config, nothing to do, bye.")
- sys.exit(0)
-
-# assume terraform role
-sts_client = boto3.client("sts")
-print(f"Assuming AWS role {role_arn}")
-assumed = sts_client.assume_role(
- RoleArn=role_arn,
- RoleSessionName="TerragruntConfigurationRecorderProvisioner",
-)["Credentials"]
-
-for region in target_regions:
- # setup AWS Config connection
- config = boto3.client(
- "config",
- aws_access_key_id=assumed["AccessKeyId"],
- aws_secret_access_key=assumed["SecretAccessKey"],
- aws_session_token=assumed["SessionToken"],
- region_name=region,
- )
-
- recorder = config.describe_configuration_recorders()["ConfigurationRecorders"][0]
-
- current_retention = config.describe_retention_configurations()[
- "RetentionConfigurations"
- ]
- if current_retention != [
- {"Name": recorder["name"], "RetentionPeriodInDays": retention}
- ]:
- print(f"Setting {region} Config retention to {retention} days")
- config.put_retention_configuration(RetentionPeriodInDays=retention)
diff --git a/variables.tf b/variables.tf
index 2dad70e..87c5dba 100644
--- a/variables.tf
+++ b/variables.tf
@@ -295,12 +295,6 @@ variable "config_s3_bucket_retention_days" {
default = 0
}
-variable "config_tuning_enabled" {
- description = "Tune AWS Config frequency & retention using Python local provisioner."
- type = bool
- default = false
-}
-
variable "config_retention_days" {
description = "AWS Config retention in days. 0 disables setting retention."
type = number