Terraform that enables AWS Config
# Destination bucket for the configuration history and snapshot files that
# AWS Config delivers. The name is generated from the prefix so it stays
# globally unique without being hard-coded here.
resource "aws_s3_bucket" "aws_config_bucket" {
  bucket_prefix = "aws-config-"

  # Encrypt every stored object at rest with S3-managed keys (SSE-S3).
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}
# https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html#granting-access-in-another-account
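# Account that owns this deployment; used below to pin the Config service
# principal to requests made on behalf of this account.
data "aws_caller_identity" "current" {}

# Bucket policy that grants the AWS Config service principal the access it
# needs to validate the bucket and write delivery objects into it.
#
# Two hardenings over the minimal policy:
#   * every Allow carries an `AWS:SourceAccount` condition so a Config
#     recorder in a foreign account cannot use this bucket through the
#     service principal (confused-deputy guard);
#   * a final Deny rejects any request that is not made over TLS.
resource "aws_s3_bucket_policy" "config_bucket_policy" {
  bucket = aws_s3_bucket.aws_config_bucket.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AWSConfigBucketPermissionsCheck"
        Effect    = "Allow"
        Principal = { Service = ["config.amazonaws.com"] }
        Action    = "s3:GetBucketAcl"
        Resource  = aws_s3_bucket.aws_config_bucket.arn
        Condition = {
          StringEquals = { "AWS:SourceAccount" = data.aws_caller_identity.current.account_id }
        }
      },
      {
        Sid       = "AWSConfigBucketExistenceCheck"
        Effect    = "Allow"
        Principal = { Service = ["config.amazonaws.com"] }
        Action    = "s3:ListBucket"
        Resource  = aws_s3_bucket.aws_config_bucket.arn
        Condition = {
          StringEquals = { "AWS:SourceAccount" = data.aws_caller_identity.current.account_id }
        }
      },
      {
        Sid       = "AWSConfigBucketDelivery"
        Effect    = "Allow"
        Principal = { Service = ["config.amazonaws.com"] }
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.aws_config_bucket.arn}/*"
        # Delivered objects must hand full control to the bucket owner so
        # the account, not the service, owns what lands in the bucket.
        Condition = {
          StringEquals = {
            "s3:x-amz-acl"      = "bucket-owner-full-control"
            "AWS:SourceAccount" = data.aws_caller_identity.current.account_id
          }
        }
      },
      {
        Sid       = "AllowSSLRequestsOnly"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          aws_s3_bucket.aws_config_bucket.arn,
          "${aws_s3_bucket.aws_config_bucket.arn}/*",
        ]
        Condition = {
          Bool = { "aws:SecureTransport" = "false" }
        }
      },
    ]
  })
}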
# Close every public-access path on the Config bucket: reject new public
# ACLs and policies, ignore any public ACL already present, and treat the
# bucket as private even if a public policy were attached.
resource "aws_s3_bucket_public_access_block" "aws_config_bucket_block" {
  bucket = aws_s3_bucket.aws_config_bucket.id

  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}
# Delivery channel that tells AWS Config where to write its output.
# Config rejects a channel whose recorder does not yet exist, so the
# ordering is made explicit rather than left to Terraform's graph.
resource "aws_config_delivery_channel" "channel" {
  name           = "channel"
  s3_bucket_name = aws_s3_bucket.aws_config_bucket.bucket

  depends_on = [aws_config_configuration_recorder.recorder]
}
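# Configuration recorder describing what AWS Config records and which role
# it assumes to do so. Creating the recorder does NOT start recording; the
# status resource below switches it on once the delivery channel exists.
resource "aws_config_configuration_recorder" "recorder" {
  name     = "recorder"
  role_arn = aws_iam_role.aws_config_role.arn

  recording_group {
    all_supported = true
    # Also capture global resource types (e.g. IAM) from this region.
    include_global_resource_types = true
  }
}

# Turn the recorder on. Without this the stack deploys a recorder that
# never records anything. Config requires the delivery channel to be in
# place before recording can be enabled, hence the explicit dependency.
resource "aws_config_configuration_recorder_status" "recorder" {
  name       = aws_config_configuration_recorder.recorder.name
  is_enabled = true

  depends_on = [aws_config_delivery_channel.channel]
}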
# Service role assumed by AWS Config. It combines the AWS-managed
# AWS_ConfigRole policy (read access to the resources Config inventories)
# with an inline policy that lets Config write into the delivery bucket.
resource "aws_iam_role" "aws_config_role" {
  name_prefix = "aws_config_role"

  # Only the Config service principal may assume this role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "config.amazonaws.com" }
        Action    = "sts:AssumeRole"
      },
    ]
  })

  # https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"]

  inline_policy {
    name = "allow_access_to_s3_bucket"

    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          # Write delivery objects, handing ownership to the bucket owner.
          # NOTE(review): this covers the whole bucket; the linked doc scopes
          # the write to Config's own AWSLogs/<account-id>/ prefix — confirm
          # whether the narrower resource is wanted here.
          Effect = "Allow"
          Action = [
            "s3:PutObject",
            "s3:PutObjectAcl",
          ]
          Resource = "${aws_s3_bucket.aws_config_bucket.arn}/*"
          Condition = {
            StringLike = { "s3:x-amz-acl" = "bucket-owner-full-control" }
          }
        },
        {
          # Config checks the bucket ACL before delivering.
          Effect   = "Allow"
          Action   = ["s3:GetBucketAcl"]
          Resource = aws_s3_bucket.aws_config_bucket.arn
        },
      ]
    })
  }
}