diff --git a/README.md b/README.md
index bbeb195..27b87d5 100644
--- a/README.md
+++ b/README.md
@@ -21,9 +21,13 @@ Terraform 0.11. Pin module version to ~> 1.5.1. Submit pull-requests to terrafor
 
 ## Usage
 
+**Note: This module sets up AWS IAM Roles and Policies, which are globally namespaced. If you plan to have multiple instances of AWS Config, make sure they have unique values for `config_name`.**
+
 ```hcl
 module "aws_config" {
-  source = "trussworks/config/aws"
+  source = "trussworks/config/aws"
+
+  config_name = "my-aws-config"
   config_logs_bucket = "my-aws-logs"
 }
 ```
@@ -46,6 +50,7 @@ module "aws_config" {
 | config\_logs\_bucket | The S3 bucket for AWS Config logs. | string | n/a | yes |
 | config\_logs\_prefix | The S3 prefix for AWS Config logs. | string | `"config"` | no |
 | config\_max\_execution\_frequency | The maximum frequency with which AWS Config runs evaluations for a rule. | string | `"TwentyFour_Hours"` | no |
+| config\_name | The name of the AWS Config instance. | string | `"aws-config"` | no |
 | password\_max\_age | Number of days before password expiration. | string | `"90"` | no |
 | password\_min\_length | Password minimum length. | string | `"14"` | no |
 | password\_require\_lowercase | Require at least one lowercase character in password. | string | `"true"` | no |
diff --git a/config-aggregator.tf b/config-aggregator.tf
index c753980..fd29d5f 100644
--- a/config-aggregator.tf
+++ b/config-aggregator.tf
@@ -17,7 +17,7 @@ data "aws_iam_policy_document" "aws_config_aggregator_role_policy" {
 
 resource "aws_iam_role" "aggregator" {
   count = var.aggregate_organization ? 1 : 0
-  name = "aws-config-aggregator-role"
+  name = "${var.config_name}-aggregator-role"
   assume_role_policy = data.aws_iam_policy_document.aws_config_aggregator_role_policy.json
 }
 
diff --git a/config-service.tf b/config-service.tf
index 28233c9..32876d3 100644
--- a/config-service.tf
+++ b/config-service.tf
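Review bot: The interpolated `"${var.config_name}-aggregator-role"` is never checked against IAM naming rules, so an overlong or otherwise invalid `config_name` is only rejected at apply time; the same applies to the role and policy names built from it in iam.tf. IAM role names are capped at 64 characters and limited to letters, digits and `+=,.@-_`, so with the `-aggregator-role` suffix the usable length of `config_name` is 48. The root module declares the variable with no validation block (and if the targeted Terraform version does not support one, that cannot change), so at minimum the `config_name` description in variables.tf should state these limits, e.g. `description = "The name of the AWS Config instance. Also used as the prefix of the module's IAM role and policy names, so it must be unique within the account and at most 48 characters of [A-Za-z0-9+=,.@_-]."`.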
@@ -3,13 +3,13 @@
 #
 
 resource "aws_config_configuration_recorder_status" "main" {
-  name = "aws-config"
+  name = var.config_name
   is_enabled = true
   depends_on = [aws_config_delivery_channel.main]
 }
 
 resource "aws_config_delivery_channel" "main" {
-  name = "aws-config"
+  name = var.config_name
   s3_bucket_name = var.config_logs_bucket
   s3_key_prefix = var.config_logs_prefix
 
@@ -21,7 +21,7 @@ resource "aws_config_delivery_channel" "main" {
 }
 
 resource "aws_config_configuration_recorder" "main" {
-  name = "aws-config"
+  name = var.config_name
   role_arn = aws_iam_role.main.arn
 
   recording_group {
diff --git a/examples/simple/main.tf b/examples/simple/main.tf
index 1bbefe5..5e3497e 100644
--- a/examples/simple/main.tf
+++ b/examples/simple/main.tf
@@ -15,6 +15,7 @@ module "config_logs" {
 
 module "config" {
   source = "../../"
+  config_name = var.config_name
   config_logs_bucket = "${module.config_logs.aws_logs_bucket}"
   config_logs_prefix = "config"
 }
diff --git a/examples/simple/variables.tf b/examples/simple/variables.tf
index 8161d60..6a3795e 100644
--- a/examples/simple/variables.tf
+++ b/examples/simple/variables.tf
@@ -1,3 +1,7 @@
+variable "config_name" {
+  type = "string"
+}
+
 variable "config_logs_bucket" {
   type = "string"
 }
diff --git a/iam.tf b/iam.tf
index e5c9dba..d4788b5 100644
--- a/iam.tf
+++ b/iam.tf
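Review bot: The `config_name` variable added to examples/simple/variables.tf has neither a description nor a default, so running the example outside the test prompts for it, while the root module defaults the same input to `aws-config`. Giving the example the same default, `default = "aws-config"`, or at least a `description`, keeps it runnable on its own. The quoted `type = "string"` matches the rest of that file but is the pre-0.12 spelling, unlike the `type = string` used in the root variables.tf.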
@@ -66,23 +66,23 @@ data "aws_iam_policy_document" "aws-config-role-policy" {
 #
 
 resource "aws_iam_role" "main" {
-  name = "aws-config-role"
+  name = "${var.config_name}-role"
   assume_role_policy = data.aws_iam_policy_document.aws-config-role-policy.json
 }
 
 resource "aws_iam_policy_attachment" "managed-policy" {
-  name = "aws-config-managed-policy"
+  name = "${var.config_name}-managed-policy"
   roles = [aws_iam_role.main.name]
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
 }
 
 resource "aws_iam_policy" "aws-config-policy" {
-  name = "aws-config-policy"
+  name = "${var.config_name}-policy"
   policy = data.template_file.aws_config_policy.rendered
 }
 
 resource "aws_iam_policy_attachment" "aws-config-policy" {
-  name = "aws-config-policy"
+  name = "${var.config_name}-policy"
   roles = [aws_iam_role.main.name]
   policy_arn = aws_iam_policy.aws-config-policy.arn
 }
diff --git a/test/terraform_aws_config_test.go b/test/terraform_aws_config_test.go
index 1b8c6f2..f8d0e93 100644
--- a/test/terraform_aws_config_test.go
+++ b/test/terraform_aws_config_test.go
@@ -13,14 +13,16 @@ import (
 func TestTerraformAwsConfig(t *testing.T) {
 	t.Parallel()
 
-	expectedConfigLogsBucket := fmt.Sprintf("terratest-aws-config-%s", strings.ToLower(random.UniqueId()))
-	awsRegion := aws.GetRandomStableRegion(t, nil, nil)
+	configName := fmt.Sprintf("aws-config-%s", strings.ToLower(random.UniqueId()))
+	expectedConfigLogsBucket := fmt.Sprintf("terratest-%s", configName)
+	awsRegion := "us-west-2"
 
 	terraformOptions := &terraform.Options{
 		TerraformDir: "../examples/simple/",
 		Vars: map[string]interface{}{
 			"region": awsRegion,
 			"config_logs_bucket": expectedConfigLogsBucket,
+			"config_name": configName,
 		},
 		EnvVars: map[string]string{
 			"AWS_DEFAULT_REGION": awsRegion,
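Review bot: `awsRegion := "us-west-2"` replaces the random stable region without saying why, and nothing in the hunk explains the pin, so the next reader is likely to restore `aws.GetRandomStableRegion`; a one-line comment such as `// Pinned to one region: <reason>` would settle that. On the positive side, `expectedConfigLogsBucket` now embeds `configName`, which is already lower-cased through `strings.ToLower`, so the derived bucket name remains a valid S3 name. TestTerraformAwsConfig continues past the end of this hunk.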
@@ -28,8 +30,10 @@ func TestTerraformAwsConfig(t *testing.T) {
 	}
 
 	defer terraform.Destroy(t, terraformOptions)
-	terraform.InitAndApply(t, terraformOptions)
 
 	// Empty config_logs_bucket before terraform destroy
-	aws.EmptyS3Bucket(t, awsRegion, expectedConfigLogsBucket)
+	defer aws.EmptyS3Bucket(t, awsRegion, expectedConfigLogsBucket)
+
+	terraform.InitAndApply(t, terraformOptions)
+
 }
diff --git a/variables.tf b/variables.tf
index aee4815..c48e1dc 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,3 +1,9 @@
+variable "config_name" {
+  description = "The name of the AWS Config instance."
+  type = string
+  default = "aws-config"
+}
+
 variable "config_aggregator_name" {
   description = "The name of the aggregator."
   type = string
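Review bot: The added empty line just before the closing `}` is not gofmt-clean (gofmt drops blank lines at the end of a block), so the file will be rewritten on the next format pass; delete that line. The LIFO order of the two `defer` calls is what makes the cleanup correct — `EmptyS3Bucket` runs before `Destroy` — but nothing says so, and `defer aws.EmptyS3Bucket(...)` now also runs when `InitAndApply` fails before the bucket exists, which presumably adds a second failure on top of the first. A comment on the defer line, e.g. `// Deferred after Destroy so it runs first (LIFO): the bucket must be empty before terraform destroy deletes it.`, captures the ordering.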