Support for aggregating by organization (#14)

support for aggregating by organization

.circleci/config.yml

@@ -2,7 +2,7 @@ version: 2
 jobs:
   validate:
     docker:
-      - image: trussworks/circleci-docker-primary:a18ba9987556eec2e48354848a3c9fb4d5b69ac8
+      - image: trussworks/circleci-docker-primary:93fe471597189fed29f1ab2f517fc4c3370f2a77
     steps:
       - checkout
       - restore_cache:

README.md

@@ -26,8 +26,10 @@ The following AWS Config Rules are supported:
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | acm\_days\_to\_expiration | Specify the number of days before the rule flags the ACM Certificate as noncompliant. | string | `"14"` | no |
+| aggregate\_organization | Aggregate compliance data by organization | string | `"false"` | no |
 | check\_guard\_duty | Enable guardduty-enabled-centralized rule | string | `"false"` | no |
 | check\_rds\_public\_access | Enable rds-instance-public-access-check rule | string | `"false"` | no |
+| config\_aggregator\_name | The name of the aggregator. | string | `"organization"` | no |
 | config\_delivery\_frequency | The frequency with which AWS Config delivers configuration snapshots. | string | `"Six_Hours"` | no |
 | config\_logs\_bucket | The S3 bucket for AWS Config logs. | string | n/a | yes |
 | config\_logs\_prefix | The S3 prefix for AWS Config logs. | string | `"config"` | no |

config-aggregator.tf

@@ -0,0 +1,43 @@
+#
+# IAM Role
+#
+
+data "aws_iam_policy_document" "aws_config_aggregator_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
+    }
+
+    effect = "Allow"
+  }
+}
+
+resource "aws_iam_role" "aggregator" {
+  count              = "${var.aggregate_organization ? 1 : 0}"
+  name               = "aws-config-aggregator-role"
+  assume_role_policy = "${data.aws_iam_policy_document.aws_config_aggregator_role_policy.json}"
+}
+
+resource "aws_iam_role_policy_attachment" "aggregator" {
+  count      = "${var.aggregate_organization ? 1 : 0}"
+  role       = "${aws_iam_role.aggregator.0.name}"
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
+}
+
+#
+# Configuration Aggregator
+#
+
+resource "aws_config_configuration_aggregator" "organization" {
+  count      = "${var.aggregate_organization ? 1 : 0}"
+  depends_on = ["aws_iam_role_policy_attachment.aggregator"]
+  name       = "${var.config_aggregator_name}"
+
+  organization_aggregation_source {
+    all_regions = true
+    role_arn    = "${aws_iam_role.aggregator.0.arn}"
+  }
+}

config-rules.tf

@@ -144,7 +144,7 @@ resource "aws_config_config_rule" "rds-storage-encrypted" {
 }
 
 resource "aws_config_config_rule" "rds-instance-public-access-check" {
-  count = "${var.check_rds_public_access}"
+  count = "${var.check_rds_public_access ? 1 : 0}"
 
   name        = "rds-instance-public-access-check"
   description = "Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item."
@@ -170,7 +170,7 @@ resource "aws_config_config_rule" "rds-snapshots-public-prohibited" {
 }
 
 resource "aws_config_config_rule" "guardduty-enabled-centralized" {
-  count = "${var.check_guard_duty}"
+  count = "${var.check_guard_duty ? 1 : 0}"
 
   name        = "guardduty-enabled-centralized"
   description = "Checks whether Amazon GuardDuty is enabled in your AWS account and region."

iam.tf

@@ -1,15 +1,43 @@
 # Get the access to the effective Account ID in which Terraform is working.
 data "aws_caller_identity" "current" {}
 
-# Allows AWS Config IAM role to access the S3 bucket where AWS Config records
-# are stored.
+# Allow the AWS Config role to deliver logs to configured S3 Bucket.
+# Derived from IAM Policy document found at https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html
 data "template_file" "aws_config_policy" {
-  template = "${file("${path.module}/iam-policies/aws-config-policy.tpl")}"
+  template = <<JSON
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+        "Sid": "AWSConfigBucketPermissionsCheck",
+        "Effect": "Allow",
+        "Action": "s3:GetBucketAcl",
+        "Resource": "$${bucket_arn}"
+    },
+    {
+        "Sid": "AWSConfigBucketExistenceCheck",
+        "Effect": "Allow",
+        "Action": "s3:ListBucket",
+        "Resource": "$${bucket_arn}"
+    },
+    {
+        "Sid": "AWSConfigBucketDelivery",
+        "Effect": "Allow",
+        "Action": "s3:PutObject",
+        "Resource": "$${resource}",
+        "Condition": {
+          "StringLike": {
+            "s3:x-amz-acl": "bucket-owner-full-control"
+          }
+        }
+    }
+  ]
+}
+JSON
 
   vars = {
-    config_logs_bucket = "${var.config_logs_bucket}"
-    config_logs_prefix = "${var.config_logs_prefix}"
-    account_id         = "${data.aws_caller_identity.current.account_id}"
+    bucket_arn = "${format("arn:aws:s3:::%s", var.config_logs_bucket)}"
+    resource   = "${format("arn:aws:s3:::%s/%s/AWSLogs/%s/Config/*", var.config_logs_bucket, var.config_logs_prefix, data.aws_caller_identity.current.account_id)}"
   }
 }
 
@@ -32,8 +60,7 @@ data "aws_iam_policy_document" "aws-config-role-policy" {
 #
 
 resource "aws_iam_role" "main" {
-  name = "aws-config-role"
-
+  name               = "aws-config-role"
   assume_role_policy = "${data.aws_iam_policy_document.aws-config-role-policy.json}"
 }
 

variables.tf

@@ -1,3 +1,15 @@
+variable "config_aggregator_name" {
+  description = "The name of the aggregator."
+  type        = "string"
+  default     = "organization"
+}
+
+variable "aggregate_organization" {
+  description = "Aggregate compliance data by organization"
+  type        = "string"
+  default     = "false"
+}
+
 variable "config_logs_bucket" {
   description = "The S3 bucket for AWS Config logs."
   type        = "string"