fix(SA-603): cloudformation stack for AWS Config mgmt account (#37)

Author: teodorz

config.tf

@@ -11,7 +11,6 @@ module "config_rule_groups" {
   enabled_regions      = try(each.value.enabled_regions, null)
   exclude_accounts     = each.value.exclude_accounts
   organizational_units = each.value.associations
-  accounts             = [local.mgmt_account_id]
   permission_model     = "SERVICE_MANAGED"
   tags                 = local.tags
 

data.tf

@@ -1,6 +1,3 @@
 
 ## Find the current region
 data "aws_region" "current" {}
-
-# Get the mgmt account id via the Organization
-data "aws_organizations_organization" "this" {}

examples/basic/README.md

@@ -1,10 +1,33 @@
 <!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0.0 |
+
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws.audit_eu_west_2"></a> [aws.audit\_eu\_west\_2](#provider\_aws.audit\_eu\_west\_2) | >= 5.0.0 |
 
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_compliance"></a> [compliance](#module\_compliance) | ../.. | n/a |
+| <a name="module_config_home"></a> [config\_home](#module\_config\_home) | ../../modules/config | n/a |
+| <a name="module_config_us_east_1"></a> [config\_us\_east\_1](#module\_config\_us\_east\_1) | ../../modules/config | n/a |
+| <a name="module_guardduty_home"></a> [guardduty\_home](#module\_guardduty\_home) | ../../modules/guardduty | n/a |
+| <a name="module_guardduty_us_east_1"></a> [guardduty\_us\_east\_1](#module\_guardduty\_us\_east\_1) | ../../modules/guardduty | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_guardduty_detector.guardduty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/guardduty_detector) | data source |
+
 ## Inputs
 
 No inputs.

examples/basic/main.tf

@@ -17,6 +17,60 @@ locals {
     Product     = "LandingZone"
     Provisioner = "Terraform"
   }
+
+  config = {
+    rule_groups = {
+      root = {
+        description = "Common managed rules distribued to all accounts"
+        associations = [
+          "r-h53v"
+        ]
+
+        rules = {
+          "managed-resource-tagging" : {
+            description = "Validate the resource tags"
+            resource_types : [
+              "AWS::ACM::Certificate",
+              "AWS::CloudFront::Distribution",
+              "AWS::CloudFront::StreamingDistribution",
+              "AWS::DynamoDB::Table",
+              "AWS::EC2::Instance",
+              "AWS::EC2::VPC",
+              "AWS::EC2::Volume",
+              "AWS::ECR::PublicRepository",
+              "AWS::EC2::NatGateway",
+              "AWS::ECR::Repository",
+              "AWS::ECS::Cluster",
+              "AWS::EFS::FileSystem",
+              "AWS::EKS::Cluster",
+              "AWS::ElasticLoadBalancingV2::LoadBalancer",
+              "AWS::Elasticsearch::Domain",
+              "AWS::Kinesis::Stream",
+              "AWS::Kinesis::StreamConsumer",
+              "AWS::RDS::DBCluster",
+              "AWS::RDS::DBInstance",
+              "AWS::RDS::DBSnapshot",
+              "AWS::Redshift::Cluster",
+              "AWS::Route53::HostedZone",
+              "AWS::S3::Bucket",
+            ]
+            identifier : "REQUIRED_TAGS"
+            inputParameters = {
+              tag1Key = "Product"
+              tag2Key = "Owner"
+              tag3Key = "Environment"
+              tag4Key = "GitRepo"
+            }
+            mode = "DETECTIVE"
+            # One_Hour | Three_Hours | Six_Hours | Twelve_Hours | TwentyFour_Hours
+            max_execution_frequency : 24
+          }
+        }
+      }
+    }
+  }
+
+  home_region = "eu-west-2"
 }
 
 ## Find the guardduty detector if it exists
@@ -55,7 +109,8 @@ module "config_home" {
   control_tower_sns_topic_arn = "arn:aws:sns:eu-west-1:123456789033:aws-controltower-AllConfigNotifications"
   logarchive_account_id       = "987654321012"
   tags                        = local.tags
-  home_region                 = "eu-west-2"
+  home_region                 = local.home_region
+  config                      = local.config
 }
 
 module "config_us_east_1" {
@@ -65,7 +120,8 @@ module "config_us_east_1" {
   logarchive_account_id       = "987654321012"
   config_retention_in_days    = 90
   tags                        = local.tags
-  home_region                 = "eu-west-2"
+  home_region                 = local.home_region
+  config                      = local.config
 }
 
 module "compliance" {
@@ -79,57 +135,7 @@ module "compliance" {
     }
   }
 
-  config = {
-    rule_groups = {
-      root = {
-        description = "Common managed rules distribued to all accounts"
-        associations = [
-          "r-h53v"
-        ]
-
-        rules = {
-          "managed-resource-tagging" : {
-            description = "Validate the resource tags"
-            resource_types : [
-              "AWS::ACM::Certificate",
-              "AWS::CloudFront::Distribution",
-              "AWS::CloudFront::StreamingDistribution",
-              "AWS::DynamoDB::Table",
-              "AWS::EC2::Instance",
-              "AWS::EC2::VPC",
-              "AWS::EC2::Volume",
-              "AWS::ECR::PublicRepository",
-              "AWS::EC2::NatGateway",
-              "AWS::ECR::Repository",
-              "AWS::ECS::Cluster",
-              "AWS::EFS::FileSystem",
-              "AWS::EKS::Cluster",
-              "AWS::ElasticLoadBalancingV2::LoadBalancer",
-              "AWS::Elasticsearch::Domain",
-              "AWS::Kinesis::Stream",
-              "AWS::Kinesis::StreamConsumer",
-              "AWS::RDS::DBCluster",
-              "AWS::RDS::DBInstance",
-              "AWS::RDS::DBSnapshot",
-              "AWS::Redshift::Cluster",
-              "AWS::Route53::HostedZone",
-              "AWS::S3::Bucket",
-            ]
-            identifier : "REQUIRED_TAGS"
-            inputParameters = {
-              tag1Key = "Product"
-              tag2Key = "Owner"
-              tag3Key = "Environment"
-              tag4Key = "GitRepo"
-            }
-            mode = "DETECTIVE"
-            # One_Hour | Three_Hours | Six_Hours | Twelve_Hours | TwentyFour_Hours
-            max_execution_frequency : 24
-          }
-        }
-      }
-    }
-  }
+  config = local.config
 
   tags = local.tags
 

locals.tf

@@ -5,7 +5,4 @@ locals {
 
   ## Tag applied to all resources
   tags = merge(var.tags, {})
-
-  # using Organization - resolve the mgmt account id (it's only ever the one account in the Management OU)
-  mgmt_account_id = data.aws_organizations_organization.this.master_account_id
 }

modules/config/README.md

@@ -20,7 +20,9 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_cloudformation_stack.mgmt_config_rules_cloudformation_stack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack) | resource |
 | [aws_config_configuration_recorder.mgmt_config_recorder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_recorder) | resource |
+| [aws_config_configuration_recorder_status.mgmt_config_recorder_status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_recorder_status) | resource |
 | [aws_config_delivery_channel.mgmt_config_delivery_channel](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_delivery_channel) | resource |
 | [aws_config_retention_configuration.mgmt_config_retention](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_retention_configuration) | resource |
 | [aws_iam_role.mgmt_config_recorder_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -32,6 +34,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_config"></a> [config](#input\_config) | Configuration for the securityhub organization managed rules | <pre>object({<br/>    stackset_name_prefix = optional(string, "lza-config-")<br/><br/>    # The prefix added to the stacksets<br/>    rule_groups = optional(map(object({<br/>      associations = list(string)<br/>      # List of organizational units to deploy the managed rules<br/>      description = string<br/>      # Description for the rule group<br/>      enabled_regions = optional(list(string), null)<br/>      # List of regions to enable these rules<br/>      exclude_accounts = optional(list(string), null)<br/>      # The list of accounts to exclude from the organization managed rule<br/>      rules = map(object({<br/>        description = string<br/>        # The description of the organization managed rules<br/>        identifier = string<br/>        # The identifier of the organization managed rule<br/>        inputs = optional(map(string), {})<br/>        # The identifier of the organization managed rule scope<br/>        resource_types = list(string)<br/>        # The list of resource types to scope the organization managed rule<br/>        max_execution_frequency = optional(string, null)<br/>        # The max_execution_frequency of the rule<br/>      }))<br/>    })), {})<br/>    # The configuration for the securityhub organization managed rules<br/>  })</pre> | n/a | yes |
 | <a name="input_config_retention_in_days"></a> [config\_retention\_in\_days](#input\_config\_retention\_in\_days) | The number of days to store config historical data (defaults to one year) | `number` | `366` | no |
 | <a name="input_control_tower_sns_topic_arn"></a> [control\_tower\_sns\_topic\_arn](#input\_control\_tower\_sns\_topic\_arn) | The ARN of the SNS topic created by Control Tower for AWS notifications | `string` | n/a | yes |
 | <a name="input_home_region"></a> [home\_region](#input\_home\_region) | The home Region in which Control Tower created the Config S3 buckiet (namely, in logarchive account | `string` | n/a | yes |

modules/config/main.tf

@@ -61,6 +61,26 @@ resource "aws_config_delivery_channel" "mgmt_config_delivery_channel" {
   depends_on = [aws_config_configuration_recorder.mgmt_config_recorder]
 }
 
+resource "aws_config_configuration_recorder_status" "mgmt_config_recorder_status" {
+  name       = aws_config_configuration_recorder.mgmt_config_recorder.name
+  is_enabled = true
+  depends_on = [aws_config_delivery_channel.mgmt_config_delivery_channel]
+}
+
 resource "aws_config_retention_configuration" "mgmt_config_retention" {
   retention_period_in_days = var.config_retention_in_days
 }
+
+resource "aws_cloudformation_stack" "mgmt_config_rules_cloudformation_stack" {
+  for_each = var.config.rule_groups
+
+  name   = format("%s%s", var.config.stackset_name_prefix, lower(each.key))
+  region = local.region
+  template_body = templatefile("${path.module}/../../assets/cloudformation/config.yaml", {
+    "description"     = each.value.description
+    "rule_group_name" = each.key
+    "rules"           = each.value.rules
+  })
+
+  depends_on = [aws_config_configuration_recorder_status.mgmt_config_recorder_status]
+}

modules/config/variables.tf

@@ -29,3 +29,35 @@ variable "home_region" {
     error_message = "Region must be in the form xx-xxxx-x, e.g., eu-west-1"
   }
 }
+
+variable "config" {
+  description = "Configuration for the securityhub organization managed rules"
+  type = object({
+    stackset_name_prefix = optional(string, "lza-config-")
+
+    # The prefix added to the stacksets
+    rule_groups = optional(map(object({
+      associations = list(string)
+      # List of organizational units to deploy the managed rules
+      description = string
+      # Description for the rule group
+      enabled_regions = optional(list(string), null)
+      # List of regions to enable these rules
+      exclude_accounts = optional(list(string), null)
+      # The list of accounts to exclude from the organization managed rule
+      rules = map(object({
+        description = string
+        # The description of the organization managed rules
+        identifier = string
+        # The identifier of the organization managed rule
+        inputs = optional(map(string), {})
+        # The identifier of the organization managed rule scope
+        resource_types = list(string)
+        # The list of resource types to scope the organization managed rule
+        max_execution_frequency = optional(string, null)
+        # The max_execution_frequency of the rule
+      }))
+    })), {})
+    # The configuration for the securityhub organization managed rules
+  })
+}

tests/module.tftest.hcl

@@ -198,12 +198,6 @@ mock_provider "aws" {
       region = "eu-west-2"
     }
   }
-
-  mock_data "aws_organizations_organization" {
-    defaults = {
-      master_account_id = "123456789012"
-    }
-  }
 }
 
 override_module {