@paprika101
Last active March 30, 2023 21:13
Terraform configuration for creating Systems Manager, S3 and Config resources to track and store EC2 application inventory data
# Pin the provider and Terraform versions so plans are reproducible:
# "~> 4.5" accepts any 4.x provider release from 4.5 upward (not 5.x) and
# "~> 1.4" any Terraform 1.x from 1.4 upward.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.5"
    }
  }
  required_version = "~> 1.4"
}
# Provider configuration. Credentials are taken from input variables here.
# Static keys supplied this way end up in saved plan files, tfvars and CI
# logs; prefer the provider's default credential chain (environment
# variables, a shared profile or an assumed role) where possible and keep
# the key variables marked sensitive.
provider "aws" {
  access_key = var.aws_access_key
  secret_key = var.aws_secret_key
  region     = var.cloud_region
}
# Identity of the credentials Terraform is running with. Its account_id is
# the value to use wherever a policy needs to be scoped to this account
# (for example an aws:SourceAccount condition).
data "aws_caller_identity" "current_session" {}
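# Create the S3 bucket where the inventory and Config deliveries are aggregated.
# NOTE: bucket names are global; this fixed name will collide if it already
# exists in another account or region.
resource "aws_s3_bucket" "sample_bucket" {
  bucket = "inventory-data-bucket-s3"
  # force_destroy lets `terraform destroy` remove a non-empty bucket, i.e. the
  # collected inventory and Config history are discarded with it. Keep this
  # true only for throwaway environments.
  force_destroy = true
}

# Block every form of public access to the bucket. The service-principal
# grants in the bucket policy are not classed as public and are unaffected.
resource "aws_s3_bucket_public_access_block" "sample_bucket_public_access" {
  bucket                  = aws_s3_bucket.sample_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}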
# Encryption at rest with SSE-S3 (AES256). Provider 4.x manages this as a
# separate resource rather than an argument on aws_s3_bucket. SSE-S3 is also
# what AWS applies to new buckets by default; declaring it keeps the intent
# explicit. Switch sse_algorithm to "aws:kms" with a kms_master_key_id when
# key-level access control or an audit trail of key usage is required.
resource "aws_s3_bucket_server_side_encryption_configuration" "sse_encryption_config" {
  bucket = aws_s3_bucket.sample_bucket.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
# Keep object versions so that overwritten or deleted inventory and Config
# deliveries can still be recovered.
resource "aws_s3_bucket_versioning" "s3_versioning" {
  bucket = aws_s3_bucket.sample_bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}
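# Bucket policy allowing the Systems Manager (resource data sync) and Config
# (delivery channel) service principals to check the bucket ACL and deliver
# objects. Both statements carry an aws:SourceAccount condition so the
# services may only act on behalf of this account (confused-deputy guard);
# add further account ids to the list if this bucket is to aggregate data
# from multiple accounts.
data "aws_iam_policy_document" "s3sample_policy" {
  statement {
    sid    = "SSMBucketPermissionsCheck"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["ssm.amazonaws.com", "config.amazonaws.com"]
    }
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.sample_bucket.arn]
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current_session.account_id]
    }
  }
  statement {
    sid    = "SSMBucketDelivery"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["ssm.amazonaws.com", "config.amazonaws.com"]
    }
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.sample_bucket.arn}/*"]
    # Delivered objects must grant the bucket owner full control so that the
    # account owning the bucket, not the delivering service, can read them.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current_session.account_id]
    }
  }
}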
# Attach the generated policy document to the bucket.
resource "aws_s3_bucket_policy" "s3policy_attach" {
  bucket = aws_s3_bucket.sample_bucket.id
  policy = data.aws_iam_policy_document.s3sample_policy.json
}
# State Manager association that runs the AWS-GatherSoftwareInventory
# document on every managed instance tagged Environment=Dev. Targets must
# already be Systems Manager managed instances (agent and instance profile);
# this file does not set that up.
resource "aws_ssm_association" "ssm_association_sync" {
  association_name = "sample_sync"
  name             = "AWS-GatherSoftwareInventory"
  targets {
    key    = "tag:Environment"
    values = ["Dev"]
  }
  # Inventory categories to collect; each is an "Enabled"/"Disabled" switch.
  parameters = {
    awsComponents = "Enabled"
    applications  = "Enabled"
    services      = "Enabled"
  }
  # Run every 30 minutes, which is the minimum interval State Manager accepts.
  schedule_expression = "cron(0/30 * * * ? *)"
}
# Resource data sync that copies the collected inventory into the bucket
# under var.s3prefix. depends_on orders creation after the association,
# matching the author's intent that the association be in place before
# the first sync runs.
resource "aws_ssm_resource_data_sync" "sample_sync" {
  depends_on = [aws_ssm_association.ssm_association_sync]
  name       = "CollectEC2AppData"
  s3_destination {
    bucket_name = aws_s3_bucket.sample_bucket.bucket
    region      = aws_s3_bucket.sample_bucket.region
    prefix      = var.s3prefix
  }
}
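# Trust policy for the Config service role. The aws:SourceAccount condition
# limits assumption to the Config service acting on behalf of this account
# only, the confused-deputy guard AWS recommends for service trust policies.
data "aws_iam_policy_document" "config_role_policy" {
  statement {
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
    actions = ["sts:AssumeRole"]
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current_session.account_id]
    }
  }
}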
# IAM role assumed by AWS Config. Its permissions come from the managed
# policy attached below; the role itself only carries the trust policy.
resource "aws_iam_role" "config_role" {
  name               = "awsconfig_sample_role"
  assume_role_policy = data.aws_iam_policy_document.config_role_policy.json
}
# Attach the AWS-managed AWS_ConfigRole policy, which grants the recorder
# read access to the resources it records. Delivery to the bucket relies on
# the bucket policy granting the config.amazonaws.com service principal;
# NOTE(review): AWS_ConfigRole itself carries no S3 write permission, so
# verify after the first apply that snapshots actually arrive in the bucket.
resource "aws_iam_role_policy_attachment" "config_policy_attach" {
  role       = aws_iam_role.config_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}
# Delivery channel: Config writes configuration snapshots and history to
# the bucket under the "Config" prefix. A recorder must exist before a
# delivery channel can be created, hence the explicit depends_on.
resource "aws_config_delivery_channel" "s3_aggregate" {
  name           = "sample_channel"
  s3_bucket_name = aws_s3_bucket.sample_bucket.bucket
  s3_key_prefix  = "Config"
  depends_on     = [aws_config_configuration_recorder.config_recorder]
}
# Configuration recorder restricted to the Systems Manager resource types,
# so only inventory and compliance history is recorded rather than every
# supported resource in the account (all_supported = false).
resource "aws_config_configuration_recorder" "config_recorder" {
  name     = "EC2InventoryHistoryTracker"
  role_arn = aws_iam_role.config_role.arn
  recording_group {
    all_supported                 = false
    include_global_resource_types = false
    resource_types = [
      "AWS::SSM::AssociationCompliance",
      "AWS::SSM::PatchCompliance",
      "AWS::SSM::ManagedInstanceInventory",
      "AWS::SSM::FileData",
    ]
  }
}
# Start the recorder. Ordered after the delivery channel because a recorder
# cannot be started without a channel to deliver to.
resource "aws_config_configuration_recorder_status" "config_record_status" {
  name       = aws_config_configuration_recorder.config_recorder.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.s3_aggregate]
}
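# AWS region the provider operates in (for example "eu-west-1").
variable "cloud_region" {
  type        = string
  description = "AWS region in which all resources are created."
}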
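# Static access key id. Marked sensitive so it is redacted from plan/apply
# output; it is still present in saved plan files and wherever the value is
# supplied (tfvars, CI variables), so protect those. Leave it unset (null)
# to let the provider fall back to its default credential chain instead.
variable "aws_access_key" {
  type        = string
  description = "AWS access key id; leave unset to use the provider's default credential chain."
  sensitive   = true
  default     = null
}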
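# Static secret access key. Marked sensitive so it is redacted from
# plan/apply output; it is still present in saved plan files and wherever
# the value is supplied (tfvars, CI variables), so protect those. Leave it
# unset (null) to let the provider fall back to its default credential chain.
variable "aws_secret_key" {
  type        = string
  description = "AWS secret access key; leave unset to use the provider's default credential chain."
  sensitive   = true
  default     = null
}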
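# Key prefix under which the resource data sync writes inventory objects.
variable "s3prefix" {
  type        = string
  description = "S3 key prefix for the Systems Manager resource data sync output."
}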