diff --git a/README.md b/README.md
index 884960c..5c6dd8c 100644
--- a/README.md
+++ b/README.md
@@ -313,6 +313,7 @@ No modules.
 | required\_tags\_resource\_types | Resource types to check for tags. | `list(string)` | `[]` | no |
 | resource\_types | A list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail). See relevant part of AWS Docs for available types. | `list(string)` | `[]` | no |
 | s3\_bucket\_public\_access\_prohibited\_exclusion | Comma-separated list of known allowed public Amazon S3 bucket names. | `string` | `"example,CSV"` | no |
+| sns\_kms\_key\_id | The ARN of the KMS key used to encrypt the Amazon SNS topic. | `string` | `null` | no |
 | tags | Tags to apply to AWS Config resources | `map(string)` | `{}` | no |
 | vpc\_sg\_authorized\_ports | Object with values as Comma-separated list of ports authorized to be open to 0.0.0.0/0. Ranges are defined by dash. example, '443,1020-1025' | ```object({ authorizedTcpPorts = optional(string, null) authorizedUdpPorts = optional(string, null) })``` | `{}` | no |
diff --git a/examples/encrypted-sns-topic/main.tf b/examples/encrypted-sns-topic/main.tf
new file mode 100644
index 0000000..9c02dd1
--- /dev/null
+++ b/examples/encrypted-sns-topic/main.tf
@@ -0,0 +1,76 @@
+data "aws_partition" "current" {}
+
+#
+# AWS Config Logs Bucket
+#
+
+module "config_logs" {
+ source = "trussworks/logs/aws"
+ version = "~> 10"
+
+ s3_bucket_name = var.config_logs_bucket
+ allow_config = true
+ config_logs_prefix = "config"
+ force_destroy = true
+}
+
+#
+# SNS Topic
+#
+
+data "aws_iam_policy_document" "config" {
+ statement {
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [module.config.aws_config_role_arn]
+ }
+ actions = ["SNS:Publish"]
+ resources = [aws_sns_topic.config.arn]
+ }
+}
+
+resource "aws_sns_topic" "config" {
+ name = var.config_name
+ kms_master_key_id = module.sns_key.key_arn
+}
+
+resource "aws_sns_topic_policy" "config" {
+ arn = aws_sns_topic.config.arn
+ policy = data.aws_iam_policy_document.config.json
+}
+
+#
+# KMS Key for SNS
+#
+module "sns_key" {
+ source = "terraform-aws-modules/kms/aws"
+ version = "~> 1.5.0"
+ description = "Key for SNS usage"
+ key_usage = "ENCRYPT_DECRYPT"
+
+ # Policy
+ key_users = [module.config.aws_config_role_arn]
+
+ # Aliases
+ aliases = ["theydo/sns"]
+}
+
+#
+# AWS Config
+#
+
+module "config" {
+ source = "../../"
+
+ config_name = var.config_name
+ config_logs_bucket = module.config_logs.aws_logs_bucket
+ config_logs_prefix = "config"
+ config_sns_topic_arn = aws_sns_topic.config.arn
+ sns_kms_key_id = module.sns_key.key_arn
+
+ tags = {
+ "Automation" = "Terraform"
+ "Name" = var.config_name
+ }
+}
diff --git a/examples/encrypted-sns-topic/variables.tf b/examples/encrypted-sns-topic/variables.tf
new file mode 100644
index 0000000..f84430f
--- /dev/null
+++ b/examples/encrypted-sns-topic/variables.tf
@@ -0,0 +1,11 @@
+variable "config_name" {
+ type = string
+}
+
+variable "config_logs_bucket" {
+ type = string
+}
+
+variable "region" {
+ type = string
+}
diff --git a/iam.tf b/iam.tf
index 42914cf..b2968d8 100644
--- a/iam.tf
+++ b/iam.tf
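Review bot: `data "aws_partition" "current" {}` on the first line of main.tf is declared but never referenced anywhere in this file, and `var.region` from the new variables.tf is not used here either; unless a provider file outside this diff consumes them, drop them so the example stays clean under `terraform validate` and tflint. The KMS alias `aliases = ["theydo/sns"]` reads as organization-specific for a public example; a neutral value such as `aliases = ["config-sns"]` avoids shipping someone's naming scheme. A short comment above the `sns_key` module explaining why `key_users` lists the Config role (the role that publishes to an SSE-enabled topic needs to be allowed by the key, and the root module's new IAM statement only covers the IAM side of that authorization) would make the example's intent clear to readers who copy it.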
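Review bot: None of the three variables in the new variables.tf carries a `description`, and `region` is not referenced by main.tf in this diff. Add descriptions (for example `description = "Name used for the AWS Config recorder and the SNS topic."` on `config_name`) and either wire `region` into a provider block or remove it.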
@@ -17,6 +17,30 @@ data "aws_iam_policy_document" "aws_config_policy" {
 ]
 }
+ dynamic "statement" {
+ for_each = var.sns_kms_key_id != null ? [1] : []
+ content {
+ sid = "AWSAllowKMSKeyUsage"
+ effect = "Allow"
+ actions = [
+ "kms:Decrypt",
+ "kms:GenerateDataKey*"
+ ]
+ resources = [var.sns_kms_key_id]
+ }
+ }
+
+ dynamic "statement" {
+ for_each = var.sns_kms_key_id != null ? [1] : []
+ content {
+ sid = "AWSAllowSNSPublish"
+ effect = "Allow"
+ actions = [
+ "sns:Publish"
+ ]
+ resources = [var.config_sns_topic_arn]
+ }
+ }
 statement {
+ sid = "AWSConfigBucketExistenceCheck"
diff --git a/variables.tf b/variables.tf
index 5dc7bbc..497ad19 100644
--- a/variables.tf
+++ b/variables.tf
@@ -551,3 +551,9 @@ variable "vpc_sg_authorized_ports" {
 })
 default = {}
 }
+
+variable "sns_kms_key_id" {
+ description = "The ARN of the KMS key used to encrypt the Amazon SNS topic."
+ type = string
+ default = null
+}
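Review bot: The `AWSAllowSNSPublish` statement is gated on `var.sns_kms_key_id != null` but its only resource is `var.config_sns_topic_arn`, so a caller who sets the key without a topic gets `resources = [null]` and a failing plan, while a caller with a topic and no key gets no publish grant from this block at all (presumably they relied on a topic policy before, as the example does). Gate it on the topic instead, `for_each = var.config_sns_topic_arn != null ? [1] : []`, adjusting the sentinel if `config_sns_topic_arn` defaults to something other than null — its declaration is outside this diff. For `AWSAllowKMSKeyUsage`, an IAM statement on the role is only one side of KMS authorization; a comment above the block such as `# The key's own policy must also allow this role (see examples/encrypted-sns-topic); this statement alone does not grant access.` would save users a confusing AccessDenied on delivery. The enclosing `data "aws_iam_policy_document" "aws_config_policy"` starts before and ends after this hunk.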
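Review bot: `sns_kms_key_id` is documented as an ARN and is used directly as an IAM `resources` entry in iam.tf, yet nothing rejects a bare key ID or alias, which KMS accepts elsewhere but which produces a malformed policy resource here. A `validation` block catches that at plan time, and the description should also tell callers that the key policy must allow the Config role in addition to this module's IAM grant.
```hcl
variable "sns_kms_key_id" {
  description = "The ARN of the KMS key used to encrypt the Amazon SNS topic. The key policy must also allow the AWS Config role to use the key."
  type        = string
  default     = null

  validation {
    condition     = var.sns_kms_key_id == null || can(regex("^arn:", var.sns_kms_key_id))
    error_message = "sns_kms_key_id must be a KMS key ARN, not a key ID or alias."
  }
}
```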