fix(SA-603): enabling AWS Config root (mgmt) account (#34)

wozzer72 · web-flow · commit 400965e1eae1 · 2025-10-13T18:00:18.000+01:00
diff --git a/README.md b/README.md
@@ -707,7 +707,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | <a name="input_region"></a> [region](#input\_region) | The region to deploy the resources | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to the resources | `map(string)` | n/a | yes |
 | <a name="input_access_analyzer"></a> [access\_analyzer](#input\_access\_analyzer) | Configuration for the AWS Access Analyzer service | <pre>object({<br/>    enable_unused_analyzer = optional(bool, true)<br/>    # Indicates whether to enable the unused AWS Access Analyzer service<br/>    unused_analyzer_name = optional(string, "lza-unused-access-analyzer")<br/>    # The name of the unused AWS Access Analyzer service<br/>    unused_access_age = optional(number, 90)<br/>  })</pre> | `null` | no |
-| <a name="input_config"></a> [config](#input\_config) | Configuration for the securityhub organization managed rules | <pre>object({<br/>    stackset_name_prefix = optional(string, "lza-config-")<br/>    # The prefix added to the stacksets<br/>    rule_groups = optional(map(object({<br/>      associations = list(string)<br/>      # List of organizational units to deploy the managed rules<br/>      description = string<br/>      # Description for the rule group<br/>      enabled_regions = optional(list(string), null)<br/>      # List of regions to enable these rules<br/>      exclude_accounts = optional(list(string), null)<br/>      # The list of accounts to exclude from the organization managed rule<br/>      rules = map(object({<br/>        description = string<br/>        # The description of the organization managed rules<br/>        identifier = string<br/>        # The identifier of the organization managed rule<br/>        inputs = optional(map(string), {})<br/>        # The identifier of the organization managed rule scope<br/>        resource_types = list(string)<br/>        # The list of resource types to scope the organization managed rule<br/>        max_execution_frequency = optional(string, null)<br/>        # The max_execution_frequency of the rule<br/>      }))<br/>    })), {})<br/>    # The configuration for the securityhub organization managed rules<br/>  })</pre> | <pre>{<br/>  "rule_groups": {}<br/>}</pre> | no |
+| <a name="input_config"></a> [config](#input\_config) | Configuration for the securityhub organization managed rules | <pre>object({<br/>    stackset_name_prefix = optional(string, "lza-config-")<br/><br/>    # The prefix added to the stacksets<br/>    rule_groups = optional(map(object({<br/>      associations = list(string)<br/>      # List of organizational units to deploy the managed rules<br/>      description = string<br/>      # Description for the rule group<br/>      enabled_regions = optional(list(string), null)<br/>      # List of regions to enable these rules<br/>      exclude_accounts = optional(list(string), null)<br/>      # The list of accounts to exclude from the organization managed rule<br/>      rules = map(object({<br/>        description = string<br/>        # The description of the organization managed rules<br/>        identifier = string<br/>        # The identifier of the organization managed rule<br/>        inputs = optional(map(string), {})<br/>        # The identifier of the organization managed rule scope<br/>        resource_types = list(string)<br/>        # The list of resource types to scope the organization managed rule<br/>        max_execution_frequency = optional(string, null)<br/>        # The max_execution_frequency of the rule<br/>      }))<br/>    })), {})<br/>    # The configuration for the securityhub organization managed rules<br/>  })</pre> | <pre>{<br/>  "rule_groups": {}<br/>}</pre> | no |
 | <a name="input_inspector"></a> [inspector](#input\_inspector) | Organizational configuration for the AWS Inspector service | <pre>object({<br/>    account_id = optional(string, null)<br/>    # The delegated administrator account ID for the AWS Inspector service<br/>    enable = optional(bool, false)<br/>    # Indicates whether to enable the AWS Inspector service<br/>    enable_ec2_scan = optional(bool, false)<br/>    # Indicates whether to enable the AWS Inspector service for EC2 instances<br/>    enable_ecr_scan = optional(bool, false)<br/>    # Indicates whether to enable the AWS Inspector service for ECR repositories<br/>    enable_lambda_scan = optional(bool, false)<br/>    # Indicates whether to enable the AWS Inspector service for Lambda functions<br/>    enable_lambda_code_scan = optional(bool, false)<br/>    # Indicates whether to enable the AWS Inspector service for Lambda code<br/>  })</pre> | <pre>{<br/>  "enable": false<br/>}</pre> | no |
 | <a name="input_macie"></a> [macie](#input\_macie) | Configuration for the AWS Macie service | <pre>object({<br/>    enable = optional(bool, false)<br/>    # Indicates whether to enable the AWS Macie service should be enabled in all accounts<br/>    excluded_accounts = optional(list(string), null)<br/>    # The list of accounts to exclude from the AWS Macie service<br/>    frequency = optional(string, "FIFTEEN_MINUTES")<br/>    # The frequency at which the AWS Macie service should be enabled<br/>    organizational_units = optional(list(string), null)<br/>    # The list of member accounts to associate with the AWS Macie service<br/>    stackset_name = optional(string, "lza-macie-configuration")<br/>  })</pre> | `null` | no |
 | <a name="input_notifications"></a> [notifications](#input\_notifications) | Configuration for the notifications | <pre>object({<br/>    email = optional(object({<br/>      addresses = optional(list(string), [])<br/>    }), null)<br/>    slack = optional(object({<br/>      lamdba_name = optional(string, "lz-securityhub-all-notifications-slack")<br/>      webhook_url = string<br/>    }), null)<br/>    teams = optional(object({<br/>      lamdba_name = optional(string, "lz-securityhub-all-notifications-teams")<br/>      webhook_url = string<br/>    }), null)<br/>  })</pre> | <pre>{<br/>  "email": {<br/>    "addresses": []<br/>  },<br/>  "slack": null,<br/>  "teams": null<br/>}</pre> | no |
@@ -721,3 +721,4 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | <a name="output_securityhub_policy_associations"></a> [securityhub\_policy\_associations](#output\_securityhub\_policy\_associations) | A map of policy associations by policy name |
 | <a name="output_securityhub_policy_configurations"></a> [securityhub\_policy\_configurations](#output\_securityhub\_policy\_configurations) | A map of all the policies to the central configuration arns |
 <!-- END_TF_DOCS -->
+
diff --git a/config.tf b/config.tf
@@ -11,6 +11,7 @@ module "config_rule_groups" {
   enabled_regions      = try(each.value.enabled_regions, null)
   exclude_accounts     = each.value.exclude_accounts
   organizational_units = each.value.associations
+  accounts             = [local.mgmt_account_id]
   permission_model     = "SERVICE_MANAGED"
   tags                 = local.tags
 
@@ -20,4 +21,3 @@ module "config_rule_groups" {
     "rules"           = each.value.rules
   })
 }
-
diff --git a/data.tf b/data.tf
@@ -1,3 +1,6 @@
 
 ## Find the current region
 data "aws_region" "current" {}
+
+# Get the mgmt account id via the Organization
+data "aws_organizations_organization" "this" {}
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -49,6 +49,23 @@ module "guardduty_us_east_1" {
   }
 }
 
+module "config_home" {
+  source = "github.com/appvia/terraform-aws-compliance//modules/config?ref=fix/sa-603-pushing-aws-config-rules-to-mgmt"
+
+  control_tower_sns_topic_arn = "arn:aws:sns:eu-west-1:123456789033:aws-controltower-AllConfigNotifications"
+  logarchive_account_id       = "987654321012"
+  tags                        = local.tags
+}
+
+module "config_us_east_1" {
+  source = "github.com/appvia/terraform-aws-compliance//modules/config?ref=fix/sa-603-pushing-aws-config-rules-to-mgmt"
+
+  control_tower_sns_topic_arn = "arn:aws:sns:eu-west-1:123456789033:aws-controltower-AllConfigNotifications"
+  logarchive_account_id       = "987654321012"
+  config_retention_in_days    = 90
+  tags                        = local.tags
+}
+
 module "compliance" {
   source = "../.."
 
diff --git a/examples/basic/providers.tf b/examples/basic/providers.tf
@@ -10,3 +10,13 @@ provider "aws" {
   alias  = "audit_eu_west_2"
   region = "eu-west-2"
 }
+
+provider "aws" {
+  alias  = "management_us_east_1"
+  region = "us-east-1"
+}
+
+provider "aws" {
+  alias  = "management_eu_west_2"
+  region = "eu-west-2"
+}
diff --git a/locals.tf b/locals.tf
@@ -1,7 +1,11 @@
 
 locals {
   ## The current region
-  region = data.aws_region.current.name
+  region = data.aws_region.current.region
+
   ## Tag applied to all resources
   tags = merge(var.tags, {})
+
+  # using Organization - resolve the mgmt account id (it's only ever the one account in the Management OU)
+  mgmt_account_id = data.aws_organizations_organization.this.master_account_id
 }
diff --git a/modules/config/README.md b/modules/config/README.md
@@ -0,0 +1,46 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_config_configuration_recorder.mgmt_config_recorder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_recorder) | resource |
+| [aws_config_delivery_channel.mgmt_config_delivery_channel](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_delivery_channel) | resource |
+| [aws_config_retention_configuration.mgmt_config_retention](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_retention_configuration) | resource |
+| [aws_iam_role.mgmt_config_recorder_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_policy_document.mgmt_config_recorder_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_organizations_organization.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_config_retention_in_days"></a> [config\_retention\_in\_days](#input\_config\_retention\_in\_days) | The number of days to store config historical data (defaults to one year) | `number` | `366` | no |
+| <a name="input_control_tower_sns_topic_arn"></a> [control\_tower\_sns\_topic\_arn](#input\_control\_tower\_sns\_topic\_arn) | The ARN of the SNS topic created by Control Tower for AWS notifications | `string` | n/a | yes |
+| <a name="input_logarchive_account_id"></a> [logarchive\_account\_id](#input\_logarchive\_account\_id) | The AWS account id for the logarchive account created by Control Tower | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to the resources | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_aws_config_delivery_channel_id"></a> [aws\_config\_delivery\_channel\_id](#output\_aws\_config\_delivery\_channel\_id) | The ID of Config delivery channel |
+| <a name="output_aws_config_recorder_id"></a> [aws\_config\_recorder\_id](#output\_aws\_config\_recorder\_id) | The ID of Config recorder |
+<!-- END_TF_DOCS -->
diff --git a/modules/config/data.tf b/modules/config/data.tf
@@ -0,0 +1,6 @@
+
+## Find the current region
+data "aws_region" "current" {}
+
+# Get the mgmt account id via the Organization
+data "aws_organizations_organization" "this" {}
diff --git a/modules/config/locals.tf b/modules/config/locals.tf
@@ -0,0 +1,14 @@
+
+locals {
+  ## The current region
+  region = data.aws_region.current.region
+
+  ## Tag applied to all resources
+  tags = merge(var.tags, {})
+
+  ## used to resovle the target S3 bucket for Config data
+  logarchive_account_id = var.logarchive_account_id
+
+  # capture the Organization - to then resolve the mgmt account id in locals
+  organization_id = data.aws_organizations_organization.this.id
+}
diff --git a/modules/config/main.tf b/modules/config/main.tf
@@ -0,0 +1,66 @@
+## the mgmt account is not configured by Control Tower, for AWS Config
+# Create a recorder in mgmt account
+# Create and associate a delivery channel - that delivery channel is to existing logarchive S3 bucket and SNS topic created by Control Tower
+data "aws_iam_policy_document" "mgmt_config_recorder_policy" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "mgmt_config_recorder_role" {
+  name               = format("lz-mgmt-awsconfig-recorder-%s-role", local.region)
+  assume_role_policy = data.aws_iam_policy_document.mgmt_config_recorder_policy.json
+
+  tags = local.tags
+}
+
+#  this AWS resources has no tags attribute
+resource "aws_config_configuration_recorder" "mgmt_config_recorder" {
+
+  name     = "lz-mgmt-recorder"
+  role_arn = aws_iam_role.mgmt_config_recorder_role.arn
+
+  recording_group {
+    all_supported                 = true
+    include_global_resource_types = true
+    resource_types                = null
+    #  if all_supported is true, must be specify any exclusions
+    # exclusion_by_resource_types {
+    #   resource_types = []
+    # }
+    recording_strategy {
+      use_only = "ALL_SUPPORTED_RESOURCE_TYPES"
+    }
+  }
+
+  recording_mode {
+    recording_frequency = "CONTINUOUS"
+    # recording_mode_override {}
+  }
+}
+
+#  this AWS resources has no tags attribute
+resource "aws_config_delivery_channel" "mgmt_config_delivery_channel" {
+  name           = "lz-mgmt-delivery-channel"
+  s3_bucket_name = format("aws-controltower-logs-%s-%s", local.logarchive_account_id, local.region)
+  s3_key_prefix  = local.organization_id
+  sns_topic_arn  = var.control_tower_sns_topic_arn
+
+  snapshot_delivery_properties {
+    # default is TwentyFour_Hours; but this is the mgmt account
+    delivery_frequency = "Three_Hours"
+  }
+
+  depends_on = [aws_config_configuration_recorder.mgmt_config_recorder]
+}
+
+resource "aws_config_retention_configuration" "mgmt_config_retention" {
+  retention_period_in_days = var.config_retention_in_days
+}
diff --git a/modules/config/outputs.tf b/modules/config/outputs.tf
@@ -0,0 +1,9 @@
+output "aws_config_recorder_id" {
+  description = "The ID of Config recorder"
+  value       = aws_config_configuration_recorder.mgmt_config_recorder.id
+}
+
+output "aws_config_delivery_channel_id" {
+  description = "The ID of Config delivery channel"
+  value       = aws_config_delivery_channel.mgmt_config_delivery_channel.id
+}
diff --git a/modules/config/terraform.tf b/modules/config/terraform.tf
@@ -0,0 +1,11 @@
+
+terraform {
+  required_version = ">= 1.0.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0.0"
+    }
+  }
+}
diff --git a/modules/config/variables.tf b/modules/config/variables.tf
@@ -0,0 +1,22 @@
+variable "tags" {
+  description = "A map of tags to add to the resources"
+  type        = map(string)
+  default = {
+  }
+}
+
+variable "logarchive_account_id" {
+  description = "The AWS account id for the logarchive account created by Control Tower"
+  type        = string
+}
+
+variable "config_retention_in_days" {
+  description = "The number of days to store config historical data (defaults to one year)"
+  type        = number
+  default     = 366
+}
+
+variable "control_tower_sns_topic_arn" {
+  description = "The ARN of the SNS topic created by Control Tower for AWS notifications"
+  type        = string
+}
diff --git a/tests/module.tftest.hcl b/tests/module.tftest.hcl
@@ -194,7 +194,14 @@ mock_provider "aws" {
 
   mock_data "aws_region" {
     defaults = {
-      name = "eu-west-2"
+      name   = "eu-west-2"
+      region = "eu-west-2"
+    }
+  }
+
+  mock_data "aws_organizations_organization" {
+    defaults = {
+      master_account_id = "123456789012"
     }
   }
 }
@@ -205,5 +212,3 @@ override_module {
     sns_topic_arn = "arn:aws:sns:eu-west-2:123456789012:appvia-notifications"
   }
 }
-
-
diff --git a/variables.tf b/variables.tf
@@ -3,6 +3,7 @@ variable "config" {
   description = "Configuration for the securityhub organization managed rules"
   type = object({
     stackset_name_prefix = optional(string, "lza-config-")
+
     # The prefix added to the stacksets
     rule_groups = optional(map(object({
       associations = list(string)
