Terraform configuration that creates the Systems Manager (inventory association and resource data sync), S3 and AWS Config resources needed to collect EC2 application inventory data and store its history in an S3 bucket.
# Pin the Terraform CLI and the AWS provider to known-compatible major
# versions so a fresh `terraform init` cannot silently pull a provider
# release with breaking changes.
terraform {
  required_version = "~> 1.4"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.5"
    }
  }
}
# AWS provider configuration. A static access/secret key pair is passed in
# through variables here. Prefer leaving these two attributes out and letting
# the provider resolve credentials from the environment, a shared profile or
# an assumed role, so long-lived keys never end up in tfvars files or shell
# history; if they must stay, the variables should be declared sensitive.
provider "aws" {
  region     = var.cloud_region
  access_key = var.aws_access_key
  secret_key = var.aws_secret_key
}
# Account ID (and ARN) of the identity Terraform is running as. Available to
# policy documents that need to scope a trust or bucket grant to this account.
data "aws_caller_identity" "current_session" {}
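# S3 bucket that receives both the SSM inventory sync and the AWS Config
# delivery. Bucket names are global, so this fixed name can collide with a
# bucket in another account; consider bucket_prefix or appending the account
# ID for anything beyond a sample.
resource "aws_s3_bucket" "sample_bucket" {
  bucket = "inventory-data-bucket-s3"

  # Lets `terraform destroy` remove the bucket together with every object
  # version in it. Convenient for a sample; for a bucket holding compliance
  # or inventory history set this to false so a destroy cannot wipe the data.
  force_destroy = true
}

# Block every form of public access (ACLs and policies) at the bucket level.
# Nothing in this bucket should be reachable by anyone other than the SSM and
# Config service principals and the owning account; the service-principal
# bucket policy below is not a public policy, so it is unaffected.
resource "aws_s3_bucket_public_access_block" "sample_bucket_public_access" {
  bucket = aws_s3_bucket.sample_bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}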
# Default server-side encryption with S3-managed keys (SSE-S3). New buckets
# now get this by default, but declaring it keeps the intent explicit and
# visible to policy scanners. To use a customer-managed KMS key instead, set
# sse_algorithm to "aws:kms" and add kms_master_key_id (the SSM and Config
# service principals then also need permission to use that key).
resource "aws_s3_bucket_server_side_encryption_configuration" "sse_encryption_config" {
  bucket = aws_s3_bucket.sample_bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
# Keep every version of delivered objects so an overwrite or delete of an
# inventory/Config object can be recovered.
resource "aws_s3_bucket_versioning" "s3_versioning" {
  bucket = aws_s3_bucket.sample_bucket.id

  versioning_configuration {
    status = "Enabled"
  }
}
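# Bucket policy granting the SSM resource data sync and the AWS Config
# delivery channel what they need to write into the bucket.
#
# Both statements are conditioned on aws:SourceAccount so only SSM/Config
# acting on behalf of THIS account can use them. Without that condition any
# AWS account could point its own Config delivery channel or resource data
# sync at this bucket name and write objects into it (cross-service confused
# deputy); the account ID comes from the caller identity data source.
data "aws_iam_policy_document" "s3sample_policy" {
  # The services read the bucket ACL before delivering.
  statement {
    sid    = "SSMBucketPermissionsCheck"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["ssm.amazonaws.com", "config.amazonaws.com"]
    }

    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.sample_bucket.arn]

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current_session.account_id]
    }
  }

  # Object delivery. The ACL condition forces bucket-owner-full-control so the
  # bucket owner, not the delivering service, owns every object written.
  statement {
    sid    = "SSMBucketDelivery"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["ssm.amazonaws.com", "config.amazonaws.com"]
    }

    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.sample_bucket.arn}/*"]

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current_session.account_id]
    }
  }
}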
# Attach the rendered policy document to the bucket.
resource "aws_s3_bucket_policy" "s3policy_attach" {
  policy = data.aws_iam_policy_document.s3sample_policy.json
  bucket = aws_s3_bucket.sample_bucket.id
}
# State Manager association running the AWS-GatherSoftwareInventory document
# against every managed instance tagged Environment=Dev. Terraform considers
# the association created as soon as it exists; it does not wait for the
# first inventory run to finish.
resource "aws_ssm_association" "ssm_association_sync" {
  name             = "AWS-GatherSoftwareInventory"
  association_name = "sample_sync"

  # Inventory runs every 30 minutes, the shortest interval the service accepts.
  schedule_expression = "cron(0/30 * * * ? *)"

  targets {
    key    = "tag:Environment"
    values = ["Dev"]
  }

  # Inventory types to collect on each run.
  parameters = {
    applications  = "Enabled"
    awsComponents = "Enabled"
    services      = "Enabled"
  }
}
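# Resource data sync that copies the inventory gathered by the association
# above into the S3 bucket under var.s3prefix.
resource "aws_ssm_resource_data_sync" "sample_sync" {
  name = "CollectEC2AppData"

  # The sync is pointless before the inventory association exists, and SSM
  # rejects it if the service cannot write to the destination bucket. Only
  # the bucket itself is an implicit dependency (via bucket_name), so both
  # the association and the bucket policy are made explicit here.
  depends_on = [
    aws_ssm_association.ssm_association_sync,
    aws_s3_bucket_policy.s3policy_attach,
  ]

  s3_destination {
    bucket_name = aws_s3_bucket.sample_bucket.bucket
    region      = aws_s3_bucket.sample_bucket.region
    prefix      = var.s3prefix
  }
}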
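# Trust policy letting the AWS Config service assume the recorder role.
# Scoped to this account with aws:SourceAccount so Config acting for a
# different account cannot assume it (the confused-deputy mitigation AWS
# recommends for service roles).
data "aws_iam_policy_document" "config_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current_session.account_id]
    }
  }
}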
# IAM role the Config recorder runs as.
resource "aws_iam_role" "config_role" {
  assume_role_policy = data.aws_iam_policy_document.config_role_policy.json
  name               = "awsconfig_sample_role"
}
# Grant the role the AWS-managed AWS_ConfigRole policy, which carries the
# read permissions the Config recorder needs to describe resources.
resource "aws_iam_role_policy_attachment" "config_policy_attach" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
  role       = aws_iam_role.config_role.name
}
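# Delivery channel: where Config writes configuration snapshots and history.
# Config validates bucket access when the channel is created and fails with an
# insufficient-delivery-policy error if the bucket policy is not in place yet.
# s3_bucket_name only implies a dependency on the bucket, so the dependency on
# the bucket policy is made explicit.
resource "aws_config_delivery_channel" "s3_aggregate" {
  name           = "sample_channel"
  s3_bucket_name = aws_s3_bucket.sample_bucket.bucket
  s3_key_prefix  = "Config"

  # A delivery channel also requires a configuration recorder to exist first.
  depends_on = [
    aws_config_configuration_recorder.config_recorder,
    aws_s3_bucket_policy.s3policy_attach,
  ]
}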
# Configuration recorder, limited to the SSM resource types so only
# inventory/compliance history is recorded (no global resources such as IAM).
resource "aws_config_configuration_recorder" "config_recorder" {
  role_arn = aws_iam_role.config_role.arn
  name     = "EC2InventoryHistoryTracker"

  recording_group {
    include_global_resource_types = false
    all_supported                 = false

    resource_types = [
      "AWS::SSM::AssociationCompliance",
      "AWS::SSM::FileData",
      "AWS::SSM::ManagedInstanceInventory",
      "AWS::SSM::PatchCompliance",
    ]
  }
}
# Turn the recorder on. Recording can only start once a delivery channel
# exists, hence the explicit dependency.
resource "aws_config_configuration_recorder_status" "config_record_status" {
  is_enabled = true
  name       = aws_config_configuration_recorder.config_recorder.name

  depends_on = [aws_config_delivery_channel.s3_aggregate]
}
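variable "cloud_region" {
  description = "AWS region in which every resource is created."
  type        = string
}

# Static provider credentials. Declared sensitive so Terraform redacts their
# values from plan/apply output and from errors. Prefer environment or
# profile credentials, or an assumed role, over passing long-lived keys in
# variables at all.
variable "aws_access_key" {
  description = "AWS access key ID for the provider."
  type        = string
  sensitive   = true
}

variable "aws_secret_key" {
  description = "AWS secret access key for the provider."
  type        = string
  sensitive   = true
}

variable "s3prefix" {
  description = "Key prefix under which the SSM resource data sync writes inventory objects."
  type        = string
}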