Merge pull request #8 from kabisa/update-for-aws-provider-4

Update for AWS provider version 4
kabisa · Mar 18, 2022 · f4cb8a9 · f4cb8a9
2 parents d787ce3 + 27169d5
commit f4cb8a9
Show file tree

Hide file tree

Showing 9 changed files with 211 additions and 244 deletions.
diff --git a/aws_config.tf b/aws_config.tf
@@ -47,14 +47,21 @@ resource "aws_config_delivery_channel" "aws_config_delivery_channel" {
   ]
 }
 
-data "template_file" "aws_config_iam_assume_role_policy_document" {
-  template = file("${path.module}/policies/aws_config_assume_role_policy.tpl")
+data "aws_iam_policy_document" "aws_config_assume" {
+  statement {
+    principals {
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
 }
 
 resource "aws_iam_role" "aws_config_iam_role" {
   count              = var.enable_aws_config ? 1 : 0
   name               = "terraform-awsconfig-role"
-  assume_role_policy = data.template_file.aws_config_iam_assume_role_policy_document.rendered
+  assume_role_policy = data.aws_iam_policy_document.aws_config_assume.json
 }
 
 resource "aws_iam_role_policy_attachment" "aws_config_iam_policy_attachment" {
@@ -63,21 +70,34 @@ resource "aws_iam_role_policy_attachment" "aws_config_iam_policy_attachment" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
 }
 
-data "template_file" "aws_config_iam_policy_document" {
-  template = file("${path.module}/policies/aws_config_policy.tpl")
-  count    = var.enable_aws_config ? 1 : 0
+data "aws_iam_policy_document" "aws_config" {
+  count = var.enable_aws_config ? 1 : 0
 
-  vars = {
-    sns_topic_arn = aws_sns_topic.aws_config_updates_topic[0].arn
-    s3_bucket_arn = aws_s3_bucket.aws_config_configuration_bucket[0].arn
+  statement {
+    actions   = ["config:Put*"]
+    resources = ["*"]
+  }
+
+  statement {
+    actions   = ["sns:*"]
+    resources = [one(aws_sns_topic.aws_config_updates_topic).arn]
+  }
+
+  statement {
+    actions = ["s3:*"]
+
+    resources = [
+      one(aws_s3_bucket.aws_config_configuration_bucket).arn,
+      "${one(aws_s3_bucket.aws_config_configuration_bucket).arn}/*"
+    ]
   }
 }
 
 resource "aws_iam_role_policy" "aws_config_iam_policy" {
   count  = var.enable_aws_config ? 1 : 0
   name   = "terraform-awsconfig-policy"
   role   = aws_iam_role.aws_config_iam_role[0].id
-  policy = data.template_file.aws_config_iam_policy_document[0].rendered
+  policy = one(data.aws_iam_policy_document.aws_config).json
 }
 
 resource "null_resource" "sns_subscribe" {
@@ -93,4 +113,3 @@ resource "null_resource" "sns_subscribe" {
     command = "aws sns subscribe --topic-arn ${aws_sns_topic.aws_config_updates_topic[0].arn} --protocol email --notification-endpoint ${element(var.aws_config_notification_emails, count.index)}"
   }
 }
-
diff --git a/cloudtrail.tf b/cloudtrail.tf
@@ -54,14 +54,21 @@ resource "aws_cloudwatch_log_group" "log_group" {
 #
 # CloudTrail Cloudwatch IAM Role
 #
-data "template_file" "cloudwatch_iam_assume_role_policy_document" {
-  template = file("${path.module}/policies/cloudwatch_assume_role_policy.tpl")
+data "aws_iam_policy_document" "cloudwatch_assume" {
+  statement {
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrial.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
 }
 
 resource "aws_iam_role" "cloudwatch_iam_role" {
   count              = var.enable_cloudwatch_logs ? 1 : 0
   name               = var.cloudwatch_iam_role_name
-  assume_role_policy = data.template_file.cloudwatch_iam_assume_role_policy_document.rendered
+  assume_role_policy = data.aws_iam_policy_document.cloudwatch_assume.json
 }
 
 resource "aws_iam_role_policy_attachment" "cloudwatch_iam_policy_attachment" {
@@ -70,19 +77,19 @@ resource "aws_iam_role_policy_attachment" "cloudwatch_iam_policy_attachment" {
   policy_arn = aws_iam_policy.cloudwatch_iam_policy[0].arn
 }
 
-data "template_file" "cloudwatch_iam_policy_document" {
-  count    = var.enable_cloudwatch_logs ? 1 : 0
-  template = file("${path.module}/policies/cloudwatch_policy.tpl")
+data "aws_iam_policy_document" "cloudwatch" {
+  count = var.enable_cloudwatch_logs ? 1 : 0
 
-  vars = {
-    log_group_arn = aws_cloudwatch_log_group.log_group[0].arn
+  statement {
+    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
+    resources = ["${one(aws_cloudwatch_log_group.log_group).arn}:*"]
   }
 }
 
 resource "aws_iam_policy" "cloudwatch_iam_policy" {
   count  = var.enable_cloudwatch_logs ? 1 : 0
   name   = var.cloudwatch_iam_policy_name
-  policy = data.template_file.cloudwatch_iam_policy_document[0].rendered
+  policy = one(data.aws_iam_policy_document.cloudwatch).rendered
 }
 
 #
@@ -103,46 +110,55 @@ resource "aws_s3_bucket" "cloudtrail_bucket" {
   force_destroy = true
 
   tags = var.tags
+}
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        kms_master_key_id = aws_kms_key.cloudtrail_bucket_key[0].arn
-        sse_algorithm     = "aws:kms"
-      }
+resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail_bucket" {
+  count  = var.enable_cloudtrail && var.cloudtrail_bucket == "" ? 1 : 0
+  bucket = one(aws_s3_bucket.cloudtrail_bucket).bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.cloudtrail_bucket_key[0].arn
+      sse_algorithm     = "aws:kms"
     }
   }
+}
 
-  policy = <<POLICY
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "AWSCloudTrailAclCheck",
-            "Effect": "Allow",
-            "Principal": {
-              "Service": "cloudtrail.amazonaws.com"
-            },
-            "Action": "s3:GetBucketAcl",
-            "Resource": "arn:aws:s3:::${local.bucket_name}"
-        },
-        {
-            "Sid": "AWSCloudTrailWrite",
-            "Effect": "Allow",
-            "Principal": {
-              "Service": "cloudtrail.amazonaws.com"
-            },
-            "Action": "s3:PutObject",
-            "Resource": "arn:aws:s3:::${local.bucket_name}/*",
-            "Condition": {
-                "StringEquals": {
-                    "s3:x-amz-acl": "bucket-owner-full-control"
-                }
-            }
-        }
-    ]
+data "aws_iam_policy_document" "cloudtrail_bucket" {
+  statement {
+    sid = "AWSCloudTrailAclCheck"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions   = ["s3:GetBucketAcl"]
+    resources = ["arn:aws:s3:::${local.bucket_name}"]
+  }
+
+  statement {
+    sid = "AWSCloudTrailWrite"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions   = ["s3:PutObject"]
+    resources = ["arn:aws:s3:::${local.bucket_name}/*"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+  }
 }
-POLICY
 
+resource "aws_s3_bucket_policy" "cloudtrail_bucket" {
+  count  = var.enable_cloudtrail && var.cloudtrail_bucket == "" ? 1 : 0
+  bucket = one(aws_s3_bucket.cloudtrail_bucket).bucket
+  policy = data.aws_iam_policy_document.cloudtrail_bucket.json
 }
 
diff --git a/policies/aws_config_assume_role_policy.tpl b/policies/aws_config_assume_role_policy.tpl
diff --git a/policies/aws_config_policy.tpl b/policies/aws_config_policy.tpl
diff --git a/policies/cloudwatch_assume_role_policy.tpl b/policies/cloudwatch_assume_role_policy.tpl
diff --git a/policies/cloudwatch_policy.tpl b/policies/cloudwatch_policy.tpl