Merge pull request #205 from schubergphilis/service-linked-role-for-config-recorder-core-management

fix: for passing Control.1 Security Hub control on the core-mgmt account
marceldevroed authored Jul 2, 2024
2 parents 8bb5251 + 6f40625 commit bbe5b48
Showing 3 changed files with 4 additions and 18 deletions.
2 changes: 0 additions & 2 deletions CHANGELOG.md
Expand Up @@ -653,9 +653,7 @@ ENHANCEMENTS
BUG FIXES

- Add `endpoint_auto_confirms` variable to the AWS Config SNS topic ([#62](https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/pull/62)) ([#64](https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/pull/64))
-
- Modify accountID of the AWS Config SNS topic ([#65](https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/pull/65))
-

## v0.4.4 - 2021-01-05

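Review bot: this hunk only drops two stray blank lines in an old BUG FIXES section; the substantive change in this PR, replacing `aws_iam_role.config_recorder` and its `AWS_ConfigRole` attachment with `aws_iam_service_linked_role.config` so the core management account passes the Security Hub control named in the commit message, has no CHANGELOG entry at all. Suggest adding one under the next release and stating plainly that it destroys the `LandingZone-ConfigRecorderRole` IAM role and re-points the Config recorder at the service-linked role, since module consumers will see that destroy/create in their plan.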
3 changes: 1 addition & 2 deletions README.md
Expand Up @@ -487,10 +487,9 @@ module "landing_zone" {
| [aws_iam_account_password_policy.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) | resource |
| [aws_iam_account_password_policy.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) | resource |
| [aws_iam_account_password_policy.master](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) | resource |
| [aws_iam_role.config_recorder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.sns_feedback](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy.sns_feedback_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy_attachment.config_recorder_config_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_service_linked_role.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role) | resource |
| [aws_inspector2_delegated_admin_account.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/inspector2_delegated_admin_account) | resource |
| [aws_inspector2_enabler.audit_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/inspector2_enabler) | resource |
| [aws_inspector2_enabler.member_accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/inspector2_enabler) | resource |
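Review bot: the resource table matches config.tf after this change: both removed role resources are dropped and `aws_iam_service_linked_role.config` lands in its alphabetical position between `aws_iam_role_policy.sns_feedback_policy` and `aws_inspector2_delegated_admin_account.default`. Only a style point: if this table is produced by terraform-docs, confirm it was regenerated rather than hand-edited, so the remaining rows stay in sync with the module.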
17 changes: 3 additions & 14 deletions config.tf
Expand Up @@ -39,24 +39,13 @@ resource "aws_config_aggregate_authorization" "master_to_audit" {
tags = var.tags
}

resource "aws_iam_role" "config_recorder" {
name = "LandingZone-ConfigRecorderRole"
path = var.path
tags = var.tags

assume_role_policy = templatefile("${path.module}/files/iam/service_assume_role.json.tpl", {
service = "config.amazonaws.com"
})
}

resource "aws_iam_role_policy_attachment" "config_recorder_config_role" {
role = aws_iam_role.config_recorder.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
resource "aws_iam_service_linked_role" "config" {
aws_service_name = "config.amazonaws.com"
}

resource "aws_config_configuration_recorder" "default" {
name = "default"
role_arn = aws_iam_role.config_recorder.arn
role_arn = aws_iam_service_linked_role.config.arn

recording_group {
all_supported = true
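Review bot: `aws_iam_service_linked_role.config` will fail at apply time whenever `AWSServiceRoleForConfig` already exists in the account, which is common wherever AWS Config was ever enabled through the console or another tool, because IAM allows a single service-linked role per service and rejects a second create; the module should document the import path, e.g. `terraform import aws_iam_service_linked_role.config arn:aws:iam::<account-id>:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig`, or state that the role must not pre-exist. Two smaller points: the old role carried `tags = var.tags` and `aws_iam_service_linked_role` accepts a `tags` argument, so the tags can be kept rather than silently dropped; and with `aws_iam_role.config_recorder` gone, check whether `files/iam/service_assume_role.json.tpl` is still referenced anywhere in the module, otherwise it is now dead.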

0 comments on commit bbe5b48