fix(SA-623): add permissions to mgmgt config recorder role (#39)

Author: teodorz

modules/config/locals.tf

@@ -13,4 +13,9 @@ locals {
   organization_id = data.aws_organizations_organization.this.id
 
   home_region = var.home_region
+
+  config_recorder_role_policies = [
+    "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole",
+    "arn:aws:iam::aws:policy/ReadOnlyAccess"
+  ]
 }

modules/config/main.tf

@@ -21,6 +21,12 @@ resource "aws_iam_role" "mgmt_config_recorder_role" {
   tags = local.tags
 }
 
+resource "aws_iam_role_policy_attachment" "mgmt_config_recorder_policy_attachments" {
+  for_each   = toset(local.config_recorder_role_policies)
+  role       = aws_iam_role.mgmt_config_recorder_role.name
+  policy_arn = each.value
+}
+
 #  this AWS resources has no tags attribute
 resource "aws_config_configuration_recorder" "mgmt_config_recorder" {