Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Organization-wide aggregator across all regions #28

Closed
wants to merge 2 commits into from
Closed

Support Organization-wide aggregator across all regions #28

wants to merge 2 commits into from

Conversation

rdkls
Copy link

@rdkls rdkls commented Jun 24, 2021

what

  • Support AWS Config Aggregator being created to aggregate Org-wide (vs. fixed list of accounts)
  • Optional IAM Role creation to support such, or can pass in (same as existing "iam_role" functionality)

why

  • Make it easy to create Aggregator for all accounts (including newly-created ones)

references

@rdkls rdkls requested review from a team as code owners June 24, 2021 16:06
@rdkls rdkls requested a review from a team as a code owner June 24, 2021 16:06
@rdkls rdkls requested review from nitrocode and woz5999 June 24, 2021 16:06
@osterman osterman requested review from mcalhoun and removed request for nitrocode and woz5999 June 24, 2021 16:30
mcalhoun
mcalhoun requested changes Jun 25, 2021
View reviewed changes
Copy link
Member

@mcalhoun mcalhoun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution! I've left a few comments I think should be addressed before we merge the changes.

main.tf
}

data "aws_iam_policy" "aws_config_built_in_role_for_organizations" {
arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider using the aws_partition data source to look up the partition rather than hard-coding aws here.

main.tf
Comment on lines +211 to 224
dynamic "account_aggregation_source" {
for_each = var.aggregate_organization_wide ? [] : [1]
content {
account_ids = local.child_resource_collector_accounts
all_regions = true
}
}
dynamic "organization_aggregation_source" {
for_each = var.aggregate_organization_wide ? [1] : []
content {
all_regions = true
role_arn = local.create_iam_role ? module.iam_role_organization_aggregator[0].arn : var.iam_role_organization_aggregator_arn
}
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As this is a generic module, I'd look for a way to disable aggregation all together if the consumer doesn't want to aggregate. The way your change is currently structured, it requires aggregation, which way not be what is desired.

main.tf
Comment on lines +125 to +151
module "iam_role_organization_aggregator" {
count = module.this.enabled && var.aggregate_organization_wide && local.create_iam_role ? 1 : 0
source = "cloudposse/iam-role/aws"
version = "0.9.3"

principals = {
"Service" = ["config.amazonaws.com"]
}

policy_document_count = 0
policy_description = "AWS Config IAM policy for Organization Aggregation"
role_description = "AWS Config IAM role for Organization Aggregation"

name = "aggregator"
use_fullname = true

attributes = ["config"]

context = module.this.context
}

resource "aws_iam_role_policy_attachment" "config_organization_aggregator_policy_attachment" {
count = module.this.enabled && var.aggregate_organization_wide && local.create_iam_role ? 1 : 0

role = module.iam_role_organization_aggregator[0].name
policy_arn = data.aws_iam_policy.aws_config_built_in_role_for_organizations.arn
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest decoupling the create_iam_role variable to allow the consumer to specify an existing role for either the standard config role or the aggregation role (but have the module create the other).

outputs.tf
Comment on lines +25 to +27
description = <<-DOC
IAM Role the Aggregator uses to read organization data
DOC
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When you have a short one-line description, consider just using quotes rather than a HEREDOC.

@mergify
Copy link

mergify bot commented Aug 24, 2021

This pull request is now in conflict. Could you fix it @rdkls? 🙏

@thai-intelematics
Copy link

@rdkls do you plan to address the comments so that the PR can be merged into master?

@IslamHeggy
Copy link
Contributor

This is now a duplicate of this #85 merge request which is now fixed and it's addressing the same feature!

@rdkls This issue should be closed! cc @mcalhoun

@Gowiem
Copy link
Member

Gowiem commented Feb 8, 2024

Fixed by #85

@Gowiem Gowiem closed this Feb 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mcalhoun mcalhoun mcalhoun requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@rdkls @thai-intelematics @IslamHeggy @Gowiem @mcalhoun @cloudpossebot