fixed config policy.

y-miyazaki · May 20, 2021 · 3521379 · 3521379
1 parent 53e44e5
commit 3521379
Show file tree

Hide file tree

Showing 4 changed files with 2 additions and 241 deletions.
diff --git a/modules/aws/recipes/security/config/create/main.tf b/modules/aws/recipes/security/config/create/main.tf
@@ -24,224 +24,12 @@ POLICY
   tags                  = var.tags
 }
 #--------------------------------------------------------------
-# Generates an IAM policy document in JSON format for use with resources that expect policy documents such as aws_iam_policy.
-#--------------------------------------------------------------
-data "aws_iam_policy_document" "config" {
-  count = var.is_enabled ? 1 : 0
-  statement {
-    effect = "Allow"
-    actions = [
-      "acm:DescribeCertificate",
-      "acm:ListCertificates",
-      "acm:ListTagsForCertificate",
-      "application-autoscaling:DescribeScalableTargets",
-      "application-autoscaling:DescribeScalingPolicies",
-      "autoscaling:DescribeAutoScalingGroups",
-      "autoscaling:DescribeLaunchConfigurations",
-      "autoscaling:DescribeLifecycleHooks",
-      "autoscaling:DescribePolicies",
-      "autoscaling:DescribeScheduledActions",
-      "autoscaling:DescribeTags",
-      "backup:ListBackupPlans",
-      "backup:ListBackupSelections",
-      "backup:GetBackupSelection",
-      "cloudfront:ListTagsForResource",
-      "cloudformation:DescribeType",
-      "cloudformation:ListTypes",
-      "cloudtrail:DescribeTrails",
-      "cloudtrail:GetEventSelectors",
-      "cloudtrail:GetTrailStatus",
-      "cloudtrail:ListTags",
-      "cloudwatch:DescribeAlarms",
-      "codepipeline:GetPipeline",
-      "codepipeline:GetPipelineState",
-      "codepipeline:ListPipelines",
-      "config:BatchGet*",
-      "config:Describe*",
-      "config:Get*",
-      "config:List*",
-      "config:Put*",
-      "config:Select*",
-      "dax:DescribeClusters",
-      "dms:DescribeReplicationInstances",
-      "dynamodb:DescribeContinuousBackups",
-      "dynamodb:DescribeLimits",
-      "dynamodb:DescribeTable",
-      "dynamodb:ListTables",
-      "dynamodb:ListTagsOfResource",
-      "ec2:Describe*",
-      "ec2:GetEbsEncryptionByDefault",
-      "ecr:DescribeRepositories",
-      "ecr:GetLifecyclePolicy",
-      "ecr:GetRepositoryPolicy",
-      "ecr:ListTagsForResource",
-      "ecs:DescribeClusters",
-      "ecs:DescribeServices",
-      "ecs:DescribeTaskDefinition",
-      "ecs:DescribeTaskSets",
-      "ecs:ListClusters",
-      "ecs:ListServices",
-      "ecs:ListTagsForResource",
-      "ecs:ListTaskDefinitions",
-      "eks:DescribeCluster",
-      "eks:DescribeNodegroup",
-      "eks:ListClusters",
-      "eks:ListNodegroups",
-      "elasticache:DescribeCacheClusters",
-      "elasticache:DescribeReplicationGroups",
-      "elasticfilesystem:DescribeFileSystems",
-      "elasticfilesystem:DescribeLifecycleConfiguration",
-      "elasticfilesystem:DescribeMountTargets",
-      "elasticfilesystem:DescribeMountTargetSecurityGroups",
-      "elasticloadbalancing:DescribeListeners",
-      "elasticloadbalancing:DescribeLoadBalancerAttributes",
-      "elasticloadbalancing:DescribeLoadBalancerPolicies",
-      "elasticloadbalancing:DescribeLoadBalancers",
-      "elasticloadbalancing:DescribeRules",
-      "elasticloadbalancing:DescribeTags",
-      "elasticmapreduce:DescribeCluster",
-      "elasticmapreduce:DescribeSecurityConfiguration",
-      "elasticmapreduce:GetBlockPublicAccessConfiguration",
-      "elasticmapreduce:ListClusters",
-      "elasticmapreduce:ListInstances",
-      "es:DescribeElasticsearchDomain",
-      "es:DescribeElasticsearchDomains",
-      "es:ListDomainNames",
-      "es:ListTags",
-      "guardduty:GetDetector",
-      "guardduty:GetFindings",
-      "guardduty:GetMasterAccount",
-      "guardduty:ListDetectors",
-      "guardduty:ListFindings",
-      "iam:GenerateCredentialReport",
-      "iam:GetAccountAuthorizationDetails",
-      "iam:GetAccountPasswordPolicy",
-      "iam:GetAccountSummary",
-      "iam:GetCredentialReport",
-      "iam:GetGroup",
-      "iam:GetGroupPolicy",
-      "iam:GetPolicy",
-      "iam:GetPolicyVersion",
-      "iam:GetRole",
-      "iam:GetRolePolicy",
-      "iam:GetUser",
-      "iam:GetUserPolicy",
-      "iam:ListAttachedGroupPolicies",
-      "iam:ListAttachedRolePolicies",
-      "iam:ListAttachedUserPolicies",
-      "iam:ListEntitiesForPolicy",
-      "iam:ListGroupPolicies",
-      "iam:ListGroupsForUser",
-      "iam:ListInstanceProfilesForRole",
-      "iam:ListPolicyVersions",
-      "iam:ListRolePolicies",
-      "iam:ListUserPolicies",
-      "iam:ListVirtualMFADevices",
-      "kms:DescribeKey",
-      "kms:GetKeyPolicy",
-      "kms:GetKeyRotationStatus",
-      "kms:ListKeys",
-      "kms:ListResourceTags",
-      "lambda:GetAlias",
-      "lambda:GetFunction",
-      "lambda:GetPolicy",
-      "lambda:ListAliases",
-      "lambda:ListFunctions",
-      "logs:DescribeLogGroups",
-      "organizations:DescribeOrganization",
-      "rds:DescribeDBClusters",
-      "rds:DescribeDBClusterSnapshotAttributes",
-      "rds:DescribeDBClusterSnapshots",
-      "rds:DescribeDBInstances",
-      "rds:DescribeDBSecurityGroups",
-      "rds:DescribeDBSnapshotAttributes",
-      "rds:DescribeDBSnapshots",
-      "rds:DescribeDBSubnetGroups",
-      "rds:DescribeEventSubscriptions",
-      "rds:ListTagsForResource",
-      "redshift:DescribeClusterParameterGroups",
-      "redshift:DescribeClusterParameters",
-      "redshift:DescribeClusterSecurityGroups",
-      "redshift:DescribeClusterSnapshots",
-      "redshift:DescribeClusterSubnetGroups",
-      "redshift:DescribeClusters",
-      "redshift:DescribeEventSubscriptions",
-      "redshift:DescribeLoggingStatus",
-      "s3:GetAccelerateConfiguration",
-      "s3:GetAccountPublicAccessBlock",
-      "s3:GetBucketAcl",
-      "s3:GetBucketCORS",
-      "s3:GetBucketLocation",
-      "s3:GetBucketLogging",
-      "s3:GetBucketNotification",
-      "s3:GetBucketObjectLockConfiguration",
-      "s3:GetBucketPolicy",
-      "s3:GetBucketPublicAccessBlock",
-      "s3:GetBucketRequestPayment",
-      "s3:GetBucketTagging",
-      "s3:GetBucketVersioning",
-      "s3:GetBucketWebsite",
-      "s3:GetEncryptionConfiguration",
-      "s3:GetLifecycleConfiguration",
-      "s3:GetReplicationConfiguration",
-      "s3:ListAllMyBuckets",
-      "s3:ListBucket",
-      "sagemaker:DescribeEndpointConfig",
-      "sagemaker:DescribeNotebookInstance",
-      "sagemaker:ListEndpointConfigs",
-      "sagemaker:ListNotebookInstances",
-      "secretsmanager:ListSecrets",
-      "secretsmanager:ListSecretVersionIds",
-      "securityhub:describeHub",
-      "shield:DescribeDRTAccess",
-      "shield:DescribeProtection",
-      "shield:DescribeSubscription",
-      "sns:GetTopicAttributes",
-      "sns:ListSubscriptions",
-      "sns:ListTagsForResource",
-      "sns:ListTopics",
-      "sqs:GetQueueAttributes",
-      "sqs:ListQueues",
-      "sqs:ListQueueTags",
-      "ssm:DescribeAutomationExecutions",
-      "ssm:DescribeDocument",
-      "ssm:GetAutomationExecution",
-      "ssm:GetDocument",
-      "storagegateway:ListGateways",
-      "storagegateway:ListVolumes",
-      "support:DescribeCases",
-      "tag:GetResources",
-      "waf:GetLoggingConfiguration",
-      "waf:GetWebACL",
-      "wafv2:GetLoggingConfiguration",
-      "waf-regional:GetLoggingConfiguration",
-      "waf-regional:GetWebACL",
-      "waf-regional:GetWebACLForResource"
-    ]
-    resources = ["*"]
-  }
-}
-
-#--------------------------------------------------------------
-# Provides an IAM policy.
-#--------------------------------------------------------------
-resource "aws_iam_policy" "config" {
-  count       = var.is_enabled ? 1 : 0
-  description = lookup(var.aws_iam_policy, "description", null)
-  name        = lookup(var.aws_iam_policy, "name")
-  path        = lookup(var.aws_iam_policy, "path", "/")
-  policy      = data.aws_iam_policy_document.config[0].json
-  depends_on = [
-    data.aws_iam_policy_document.config,
-  ]
-}
-#--------------------------------------------------------------
 # Attaches a Managed IAM Policy to an IAM role
 #--------------------------------------------------------------
 resource "aws_iam_role_policy_attachment" "config" {
   count      = var.is_enabled ? 1 : 0
   role       = aws_iam_role.config[0].name
-  policy_arn = aws_iam_policy.config[0].arn
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
 }
 #--------------------------------------------------------------
 # Provides an AWS Config Configuration Recorder. Please note that this resource does not start the created recorder automatically.

diff --git a/modules/aws/recipes/security/config/create/variables.tf b/modules/aws/recipes/security/config/create/variables.tf
@@ -35,24 +35,7 @@ variable "aws_iam_role" {
     path        = "/"
   }
 }
-variable "aws_iam_policy" {
-  type = object(
-    {
-      # (Optional) Description of the IAM policy.
-      description = string
-      # (Optional, Forces new resource) Friendly name of the role. If omitted, Terraform will assign a random, unique name. See IAM Identifiers for more information.
-      name = string
-      # (Optional) Path to the role. See IAM Identifiers for more information.
-      path = string
-    }
-  )
-  description = "(Required) The aws_iam_policy resource."
-  default = {
-    description = null
-    name        = "security-config-policy"
-    path        = "/"
-  }
-}
+
 variable "aws_s3_bucket" {
   type = object(
     {

diff --git a/terraform/main_security_config.tf b/terraform/main_security_config.tf
@@ -13,10 +13,6 @@ locals {
     name = "${var.name_prefix}${lookup(var.security_config.aws_iam_role, "name")}"
     }
   )
-  aws_iam_policy_config = merge(var.security_config.aws_iam_policy, {
-    name = "${var.name_prefix}${lookup(var.security_config.aws_iam_policy, "name")}"
-    }
-  )
   aws_s3_bucket_config = merge(var.security_config.aws_s3_bucket, { bucket = "${var.name_prefix}${var.security_config.aws_s3_bucket.bucket}-${random_id.this.dec}" })
   aws_config_delivery_channel_config = merge(var.security_config.aws_config_delivery_channel, {
     name = "${var.name_prefix}${lookup(var.security_config.aws_config_delivery_channel, "name")}"
@@ -31,7 +27,6 @@ module "aws_recipes_security_config_create" {
   is_enabled                               = lookup(var.security_config, "is_enabled", true)
   aws_config_configuration_recorder        = local.aws_config_configuration_recorder_config
   aws_iam_role                             = local.aws_iam_role_config
-  aws_iam_policy                           = local.aws_iam_policy_config
   aws_s3_bucket                            = local.aws_s3_bucket_config
   aws_config_delivery_channel              = local.aws_config_delivery_channel_config
   aws_config_configuration_recorder_status = lookup(var.security_config, "aws_config_configuration_recorder_status")

diff --git a/terraform/terraform.example.tfvars b/terraform/terraform.example.tfvars
@@ -671,11 +671,6 @@ security_config = {
     name        = "security-config-role"
     path        = "/"
   }
-  aws_iam_policy = {
-    description = null
-    name        = "security-config-policy"
-    path        = "/"
-  }
   aws_s3_bucket = {
     # Random suffix is automatically added to the bucket name.
     bucket        = "aws-config"