examples awsconfig: awsconfig every region

This module enables aws_config in every region that is enabled

examples/tf/awsconfig/baseconfig/main.tf

@@ -0,0 +1,28 @@
+data "aws_region" "this" {}
+
+data "aws_caller_identity" "this" {}
+
+data "aws_partition" "current" {}
+
+locals {
+  is_global_recorder_region = var.global_resource_collector_region == data.aws_region.this.name
+  partition                 = data.aws_partition.current.partition
+}
+
+resource "aws_config_configuration_recorder" "recorder" {
+  name     = "telophase-configuration-recorder"
+  role_arn = var.iam_role
+
+  recording_group {
+    all_supported                 = true
+    include_global_resource_types = local.is_global_recorder_region
+  }
+}
+
+
+resource "aws_config_delivery_channel" "this" {
+  name           = "telophase-config-delivery-channel"
+  s3_bucket_name = var.bucket_name
+
+  depends_on = [aws_config_configuration_recorder.recorder]
+}

examples/tf/awsconfig/baseconfig/variables.tf

@@ -0,0 +1,15 @@
+variable "iam_role" {
+  type        = string
+  description = "IAM role ARN for AWS Config"
+}
+
+variable "global_resource_collector_region" {
+  type        = string
+  description = "value of the global resource collector region"
+  default     = "us-east-1"
+}
+
+variable "bucket_name" {
+  type        = string
+  description = "name of the S3 bucket"
+}

examples/tf/awsconfig/bucket.tf

@@ -0,0 +1,57 @@
+resource "aws_s3_bucket" "bucket" {
+  bucket = var.bucket_name
+
+  tags = merge(var.tags, {
+    "Name" = var.bucket_name
+  })
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
+  bucket = aws_s3_bucket.bucket.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "aws:kms"
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "block" {
+  bucket                  = aws_s3_bucket.bucket.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+
+resource "aws_s3_bucket_versioning" "versioning_example" {
+  bucket = aws_s3_bucket.bucket.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "example" {
+  bucket = aws_s3_bucket.bucket.id
+
+  rule {
+    id     = "expire-old-logs"
+    status = "Enabled"
+
+    transition {
+      days          = 90
+      storage_class = "GLACIER"
+    }
+
+    noncurrent_version_expiration {
+      noncurrent_days = 120
+    }
+
+    expiration {
+      # Default to 7 years
+      days = 2555
+    }
+  }
+}

examples/tf/awsconfig/iam.tf

@@ -0,0 +1,54 @@
+data "aws_iam_policy_document" "iam" {
+  statement {
+    effect  = "Allow"
+    actions = ["s3:PutObject"]
+    resources = [
+      "${aws_s3_bucket.bucket.arn}/*",
+    ]
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+  }
+  statement {
+    effect  = "Allow"
+    actions = ["s3:GetBucketAcl"]
+    resources = [
+      aws_s3_bucket.bucket.arn,
+    ]
+  }
+}
+
+resource "aws_iam_policy" "iam" {
+  name_prefix = "telophase-config-role"
+  policy      = data.aws_iam_policy_document.iam.json
+}
+
+data "aws_iam_policy_document" "assume" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "iam" {
+  name_prefix        = "TelophaseConfigRole"
+  assume_role_policy = data.aws_iam_policy_document.assume.json
+}
+
+resource "aws_iam_role_policy_attachment" "awsconfig_managed_policy" {
+  role       = aws_iam_role.iam.name
+  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWS_ConfigRole"
+}
+
+
+resource "aws_iam_role_policy_attachment" "iam" {
+  role       = aws_iam_role.iam.name
+  policy_arn = aws_iam_policy.iam.arn
+}