From 94c714bf2a4719c8c59ca9ca1ef03b6ac2af991b Mon Sep 17 00:00:00 2001
From: Islam Heggy <islam.heggy@gmail.com>
Date: Tue, 6 Feb 2024 04:30:21 +0200
Subject: [PATCH 01/11] Add support for organization aggregator

---
 main.tf      | 78 ++++++++++++++++++++++++++++++++++++++++++++++++----
 outputs.tf   |  8 ++++++
 variables.tf | 29 +++++++++++++++++++
 3 files changed, 109 insertions(+), 6 deletions(-)

diff --git a/main.tf b/main.tf
index d0c84cb..24b4b38 100644
--- a/main.tf
+++ b/main.tf
@@ -95,8 +95,9 @@ module "aws_config_findings_label" {
 }
 
 #-----------------------------------------------------------------------------------------------------------------------
-# Optionally create an IAM Role
+# Optionally create IAM Roles
 #-----------------------------------------------------------------------------------------------------------------------
+# Create Optional IAM ROLE for S3 bucket and SNS  
 module "iam_role" {
   count   = module.this.enabled && local.create_iam_role ? 1 : 0
   source  = "cloudposse/iam-role/aws"
@@ -124,6 +125,31 @@ module "iam_role" {
   context = module.this.context
 }
 
+# Create Optional IAM ROLE for organization wide aggregator
+module "iam_role_organization_aggregator" {
+  count   = module.this.enabled && local.create_organization_aggregator_iam_role ? 1 : 0
+  source  = "cloudposse/iam-role/aws"
+  version = "0.15.0"
+
+  principals = {
+    "Service" = ["config.amazonaws.com"]
+  }
+
+  use_fullname = true
+
+ #policy_documents = [ data.aws_iam_policy_document.config_organization_aggregator_policy[0].json ]
+
+
+  policy_document_count =  0
+  policy_description    = "AWS Config IAM policy for organization aggregator"
+  role_description      = "AWS Config IAM role for organization aggregator"
+
+  attributes = ["aggregator", "config"]
+
+  context = module.this.context
+}
+
+
 resource "aws_iam_role_policy_attachment" "config_policy_attachment" {
   count = module.this.enabled && local.create_iam_role ? 1 : 0
 
@@ -131,10 +157,20 @@ resource "aws_iam_role_policy_attachment" "config_policy_attachment" {
   policy_arn = data.aws_iam_policy.aws_config_built_in_role.arn
 }
 
+resource "aws_iam_role_policy_attachment" "organization_config_policy_attachment" {
+  count = module.this.enabled && local.create_iam_role && local.organization_aggregator ? 1 : 0
+
+  role       = module.iam_role_organization_aggregator[0].name
+  policy_arn = data.aws_iam_policy.aws_config_organization_role.arn
+}
 data "aws_iam_policy" "aws_config_built_in_role" {
   arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
 }
 
+data "aws_iam_policy" "aws_config_organization_role" {
+  arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
+}
+
 data "aws_iam_policy_document" "config_s3_policy" {
   count = local.create_iam_role ? 1 : 0
 
@@ -156,6 +192,15 @@ data "aws_iam_policy_document" "config_s3_policy" {
     }
   }
 }
+data "aws_iam_policy_document" "config_organization_aggregator_policy" {
+  
+  count = local.organization_aggregator ? 1 : 0
+
+  statement {
+    effect = "Allow"
+    actions = ["sts:AssumeRole"]
+  }
+}
 
 data "aws_iam_policy_document" "config_sns_policy" {
   count = local.create_iam_role && local.create_sns_topic ? 1 : 0
@@ -188,11 +233,28 @@ resource "aws_config_configuration_aggregator" "this" {
   count = local.enabled && local.is_central_account && local.is_global_recorder_region ? 1 : 0
 
   name = module.aws_config_aggregator_label.id
-  account_aggregation_source {
-    account_ids = local.child_resource_collector_accounts
-    all_regions = true
+
+# Create normal account aggregation source
+  dynamic "account_aggregation_source" {
+    for_each = local.organization_aggregator ? []: [1]
+    content { 
+      account_ids = local.child_resource_collector_accounts
+      all_regions = true
+    }
+  }
+
+# Create organization aggregation source
+  dynamic "organization_aggregation_source" {
+    for_each = local.organization_aggregator ? [1]: []
+    content { 
+      all_regions = true
+      role_arn    = local.create_organization_aggregator_iam_role ? module.iam_role_organization_aggregator[0].arn : var.iam_role_organization_aggregator_arn
+    }
   }
 
+    
+  
+
   tags = module.this.tags
 }
 
@@ -202,7 +264,7 @@ resource "aws_config_aggregate_authorization" "child" {
   #
   # Authorize each region in a child account to send its data to the global_resource_collector_region of the
   # central_resource_collector_account
-  count = local.enabled && var.central_resource_collector_account != null ? 1 : 0
+  count = local.enabled && var.central_resource_collector_account != null && local.organization_aggregator == false ? 1 : 0
 
   account_id = var.central_resource_collector_account
   region     = var.global_resource_collector_region
@@ -215,7 +277,7 @@ resource "aws_config_aggregate_authorization" "central" {
   # Multi-Account Multi-Region Data Aggregation and only enabling Multi-Region aggregation within the same account:
   #
   # Authorize each region to send its data to the global_resource_collector_region
-  count = local.enabled && var.central_resource_collector_account == null ? 1 : 0
+  count = local.enabled && var.central_resource_collector_account == null && local.organization_aggregator == false ? 1 : 0
 
   account_id = data.aws_caller_identity.this.account_id
   region     = var.global_resource_collector_region
@@ -240,4 +302,8 @@ locals {
   create_sns_topic                  = module.this.enabled && var.create_sns_topic
   findings_notification_arn         = local.enable_notifications ? (var.findings_notification_arn != null ? var.findings_notification_arn : module.sns_topic[0].sns_topic.arn) : null
   create_iam_role                   = module.this.enabled && var.create_iam_role
+
+  organization_aggregator         = var.is_organization_aggregator 
+
+  create_organization_aggregator_iam_role = var.create_organization_aggregator_iam_role
 }
diff --git a/outputs.tf b/outputs.tf
index 41de9e8..0e71aa3 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -21,6 +21,14 @@ output "iam_role" {
   value       = local.create_iam_role ? module.iam_role[0].arn : var.iam_role_arn
 }
 
+output "iam_role_organization_aggregator" {
+  description = <<-DOC
+  IAM Role used to make read or write requests to the delivery channel and to describe the AWS resources associated with 
+  the account.
+  DOC
+  value       = local.create_organization_aggregator_iam_role ? module.iam_role_organization_aggregator[0].arn : var.iam_role_organization_aggregator_arn
+}
+
 output "sns_topic" {
   description = "SNS topic"
   value       = local.create_sns_topic ? module.sns_topic[0].sns_topic : null
diff --git a/variables.tf b/variables.tf
index 3a8a367..2a24e4a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -69,6 +69,14 @@ variable "create_iam_role" {
   default     = false
 }
 
+variable "create_organization_aggregator_iam_role" {
+  description = "Flag to indicate whether an IAM Role should be created to grant the proper permissions for AWS Config to send logs from organization accounts"
+  type        = bool
+  default     = false
+}
+
+
+
 variable "iam_role_arn" {
   description = <<-DOC
     The ARN for an IAM Role AWS Config uses to make read or write requests to the delivery channel and to describe the
@@ -84,6 +92,21 @@ variable "iam_role_arn" {
   type        = string
 }
 
+variable "iam_role_organization_aggregator_arn" {
+  description = <<-DOC
+    The ARN for an IAM Role AWS Config uses for the organization aggregator that  fetches AWS config data from aws accounts. 
+    This is only used if create_organization_aggregator_iam_role is false.
+
+    If you want to use an existing IAM Role, set the value of this to the ARN of the existing topic and set
+    create_organization_aggregator_iam_role to false.
+
+    See the AWS Docs for further information:
+    http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
+  DOC
+  default     = null
+  type        = string
+}
+
 variable "global_resource_collector_region" {
   description = "The region that collects AWS Config data for global resources such as IAM"
   type        = string
@@ -146,6 +169,12 @@ variable "disabled_aggregation_regions" {
   default     = ["ap-northeast-3"]
 }
 
+variable "is_organization_aggregator" {
+  type      = bool 
+  default   = false 
+  description = "The aggregator is an AWS Organizations aggrgator"
+}
+
 variable "allowed_aws_services_for_sns_published" {
   type        = list(string)
   description = "AWS services that will have permission to publish to SNS topic. Used when no external JSON policy is used"

From 434d11adf28bd308ba99586cff0d0ea72c6a8f9a Mon Sep 17 00:00:00 2001
From: Islam Heggy <islam.heggy@gmail.com>
Date: Tue, 6 Feb 2024 04:53:49 +0200
Subject: [PATCH 02/11] chore: apply terraform fmt

---
 main.tf      | 26 +++++++++++++-------------
 variables.tf |  4 ++--
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/main.tf b/main.tf
index 24b4b38..bec01a3 100644
--- a/main.tf
+++ b/main.tf
@@ -137,10 +137,10 @@ module "iam_role_organization_aggregator" {
 
   use_fullname = true
 
- #policy_documents = [ data.aws_iam_policy_document.config_organization_aggregator_policy[0].json ]
+  #policy_documents = [ data.aws_iam_policy_document.config_organization_aggregator_policy[0].json ]
 
 
-  policy_document_count =  0
+  policy_document_count = 0
   policy_description    = "AWS Config IAM policy for organization aggregator"
   role_description      = "AWS Config IAM role for organization aggregator"
 
@@ -193,11 +193,11 @@ data "aws_iam_policy_document" "config_s3_policy" {
   }
 }
 data "aws_iam_policy_document" "config_organization_aggregator_policy" {
-  
+
   count = local.organization_aggregator ? 1 : 0
 
   statement {
-    effect = "Allow"
+    effect  = "Allow"
     actions = ["sts:AssumeRole"]
   }
 }
@@ -234,26 +234,26 @@ resource "aws_config_configuration_aggregator" "this" {
 
   name = module.aws_config_aggregator_label.id
 
-# Create normal account aggregation source
+  # Create normal account aggregation source
   dynamic "account_aggregation_source" {
-    for_each = local.organization_aggregator ? []: [1]
-    content { 
+    for_each = local.organization_aggregator ? [] : [1]
+    content {
       account_ids = local.child_resource_collector_accounts
       all_regions = true
     }
   }
 
-# Create organization aggregation source
+  # Create organization aggregation source
   dynamic "organization_aggregation_source" {
-    for_each = local.organization_aggregator ? [1]: []
-    content { 
+    for_each = local.organization_aggregator ? [1] : []
+    content {
       all_regions = true
       role_arn    = local.create_organization_aggregator_iam_role ? module.iam_role_organization_aggregator[0].arn : var.iam_role_organization_aggregator_arn
     }
   }
 
-    
-  
+
+
 
   tags = module.this.tags
 }
@@ -303,7 +303,7 @@ locals {
   findings_notification_arn         = local.enable_notifications ? (var.findings_notification_arn != null ? var.findings_notification_arn : module.sns_topic[0].sns_topic.arn) : null
   create_iam_role                   = module.this.enabled && var.create_iam_role
 
-  organization_aggregator         = var.is_organization_aggregator 
+  organization_aggregator = var.is_organization_aggregator
 
   create_organization_aggregator_iam_role = var.create_organization_aggregator_iam_role
 }
diff --git a/variables.tf b/variables.tf
index 2a24e4a..33b87d0 100644
--- a/variables.tf
+++ b/variables.tf
@@ -170,8 +170,8 @@ variable "disabled_aggregation_regions" {
 }
 
 variable "is_organization_aggregator" {
-  type      = bool 
-  default   = false 
+  type        = bool
+  default     = false
   description = "The aggregator is an AWS Organizations aggrgator"
 }
 

From 3fe4e27c8ec982fee251d9a4c452db43a0d5363d Mon Sep 17 00:00:00 2001
From: Islam Heggy <islam.heggy@gmail.com>
Date: Tue, 6 Feb 2024 05:39:12 +0200
Subject: [PATCH 03/11] chore: add aws partition to arns

---
 main.tf | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/main.tf b/main.tf
index bec01a3..001b971 100644
--- a/main.tf
+++ b/main.tf
@@ -137,9 +137,6 @@ module "iam_role_organization_aggregator" {
 
   use_fullname = true
 
-  #policy_documents = [ data.aws_iam_policy_document.config_organization_aggregator_policy[0].json ]
-
-
   policy_document_count = 0
   policy_description    = "AWS Config IAM policy for organization aggregator"
   role_description      = "AWS Config IAM role for organization aggregator"
@@ -164,11 +161,11 @@ resource "aws_iam_role_policy_attachment" "organization_config_policy_attachment
   policy_arn = data.aws_iam_policy.aws_config_organization_role.arn
 }
 data "aws_iam_policy" "aws_config_built_in_role" {
-  arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
+  arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWS_ConfigRole"
 }
 
 data "aws_iam_policy" "aws_config_organization_role" {
-  arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
+  arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
 }
 
 data "aws_iam_policy_document" "config_s3_policy" {
@@ -291,6 +288,7 @@ resource "aws_config_aggregate_authorization" "central" {
 #-----------------------------------------------------------------------------------------------------------------------
 data "aws_region" "this" {}
 data "aws_caller_identity" "this" {}
+data "aws_partition" "current" {}
 
 locals {
   enabled = module.this.enabled && !contains(var.disabled_aggregation_regions, data.aws_region.this.name)

From cdcbce4f19c2d0fef69df60d509485d8b5289869 Mon Sep 17 00:00:00 2001
From: Islam Heggy <islam.heggy@gmail.com>
Date: Wed, 7 Feb 2024 02:25:37 +0200
Subject: [PATCH 04/11] docs: Update README.md & terraform.md

---
 README.md         | 90 +++++++++++++++++++++++++++++++----------------
 docs/terraform.md | 11 +++++-
 2 files changed, 70 insertions(+), 31 deletions(-)

diff --git a/README.md b/README.md
index db3a440..4a8b441 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,9 @@
 
 <!-- markdownlint-disable -->
-# terraform-aws-config<a href="https://cpco.io/homepage"><img align="right" src="https://cloudposse.com/logo-300x69.svg" width="150" /></a> [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-config.svg)](https://github.com/cloudposse/terraform-aws-config/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) [![Discourse Forum](https://img.shields.io/discourse/https/ask.sweetops.com/posts.svg)](https://ask.sweetops.com/)
+# terraform-aws-config <a href="https://cpco.io/homepage"><img align="right" src="https://cloudposse.com/logo-300x69.svg" width="150" /></a>
+<a href="https://github.com/cloudposse/terraform-aws-config/releases/latest"><img src="https://img.shields.io/github/release/cloudposse/terraform-aws-config.svg" alt="Latest Release"/></a><a href="https://slack.cloudposse.com"><img src="https://slack.cloudposse.com/badge.svg" alt="Slack Community"/></a><a href="https://ask.sweetops.com/"><img src="https://img.shields.io/discourse/https/ask.sweetops.com/posts.svg" alt="Discourse Forum"/></a>
 <!-- markdownlint-restore -->
 
-
 <!--
 
 
@@ -11,7 +11,7 @@
 
   ** DO NOT EDIT THIS FILE
   **
-  ** This file was automatically generated by the `build-harness`.
+  ** This file was automatically generated by the `cloudposse/build-harness`.
   ** 1) Make all changes to `README.yaml`
   ** 2) Run `make init` (you only need to do this once)
   ** 3) Run`make readme` to rebuild this file.
@@ -31,11 +31,20 @@ This module enables [AWS Config](https://aws.amazon.com/config/) and optionally
 ---
 > [!NOTE]
 > This project is part of Cloud Posse's comprehensive ["SweetOps"](https://cpco.io/sweetops) approach towards DevOps.
-> <a href="https://cpco.io/terraform-modules"><img src="https://docs.cloudposse.com/images/terraform-open-source-modules.svg" align="right" /></a>
+> <details><summary>Learn More</summary>
+> <a href="https://cpco.io/terraform-modules">
+>   <picture>
+>     <source media="(prefers-color-scheme: dark)" srcset="https://docs.cloudposse.com/images/terraform-open-source-modules-light.svg">
+>     <source media="(prefers-color-scheme: light)" srcset="https://docs.cloudposse.com/images/terraform-open-source-modules-dark.svg">
+>     <img alt="Terraform Open Source Modules" src="https://docs.cloudposse.com/images/terraform-open-source-modules.svg" align="right">
+>   </picture>
+> </a>
+>
 >
 > It's 100% Open Source and licensed under the [APACHE2](LICENSE).
 >
 > We literally have [*hundreds of terraform modules*][terraform_modules] that are Open Source and well-maintained. Check them out!
+> </details>
 
 [![README Header][readme_header_img]][readme_header_link]
 
@@ -46,12 +55,11 @@ This module enables [AWS Config](https://aws.amazon.com/config/) and optionally
 
 
 
-> **Important**
-> We do not pin modules to versions in Cloud Posse's examples because of the
-> difficulty of keeping the versions in the documentation in sync with the latest released versions.
-> We highly recommend that in your code you pin the version to the exact version you are
-> using so that your infrastructure remains stable, and update versions in a
-> systematic way so that they do not catch you by surprise.
+> [!IMPORTANT]
+> In Cloud Posse's examples, we avoid pinning modules to specific versions to prevent discrepancies between the documentation 
+> and the latest released versions. However, for your own projects, we strongly advise pinning each module to the exact version
+> you're using. This practice ensures the stability of your infrastructure. Additionally, we recommend implementing a systematic 
+> approach for updating versions to avoid unexpected changes.
 
 
 
@@ -115,7 +123,7 @@ Available targets:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.33.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
 
 ## Modules
 
@@ -125,6 +133,7 @@ Available targets:
 | <a name="module_aws_config_findings_label"></a> [aws\_config\_findings\_label](#module\_aws\_config\_findings\_label) | cloudposse/label/null | 0.25.0 |
 | <a name="module_aws_config_label"></a> [aws\_config\_label](#module\_aws\_config\_label) | cloudposse/label/null | 0.25.0 |
 | <a name="module_iam_role"></a> [iam\_role](#module\_iam\_role) | cloudposse/iam-role/aws | 0.15.0 |
+| <a name="module_iam_role_organization_aggregator"></a> [iam\_role\_organization\_aggregator](#module\_iam\_role\_organization\_aggregator) | cloudposse/iam-role/aws | 0.15.0 |
 | <a name="module_sns_topic"></a> [sns\_topic](#module\_sns\_topic) | cloudposse/sns-topic/aws | 0.20.1 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
@@ -140,10 +149,14 @@ Available targets:
 | [aws_config_configuration_recorder_status.recorder_status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_recorder_status) | resource |
 | [aws_config_delivery_channel.channel](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_delivery_channel) | resource |
 | [aws_iam_role_policy_attachment.config_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.organization_config_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy.aws_config_built_in_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy.aws_config_organization_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy_document.config_organization_aggregator_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.config_s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.config_sns_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
@@ -158,6 +171,7 @@ Available targets:
 | <a name="input_child_resource_collector_accounts"></a> [child\_resource\_collector\_accounts](#input\_child\_resource\_collector\_accounts) | The account IDs of other accounts that will send their AWS Configuration to this account | `set(string)` | `null` | no |
 | <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br>  "additional_tag_map": {},<br>  "attributes": [],<br>  "delimiter": null,<br>  "descriptor_formats": {},<br>  "enabled": true,<br>  "environment": null,<br>  "id_length_limit": null,<br>  "label_key_case": null,<br>  "label_order": [],<br>  "label_value_case": null,<br>  "labels_as_tags": [<br>    "unset"<br>  ],<br>  "name": null,<br>  "namespace": null,<br>  "regex_replace_chars": null,<br>  "stage": null,<br>  "tags": {},<br>  "tenant": null<br>}</pre> | no |
 | <a name="input_create_iam_role"></a> [create\_iam\_role](#input\_create\_iam\_role) | Flag to indicate whether an IAM Role should be created to grant the proper permissions for AWS Config | `bool` | `false` | no |
+| <a name="input_create_organization_aggregator_iam_role"></a> [create\_organization\_aggregator\_iam\_role](#input\_create\_organization\_aggregator\_iam\_role) | Flag to indicate whether an IAM Role should be created to grant the proper permissions for AWS Config to send logs from organization accounts | `bool` | `false` | no |
 | <a name="input_create_sns_topic"></a> [create\_sns\_topic](#input\_create\_sns\_topic) | Flag to indicate whether an SNS topic should be created for notifications<br>If you want to send findings to a new SNS topic, set this to true and provide a valid configuration for subscribers | `bool` | `false` | no |
 | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
 | <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br>   format = string<br>   labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
@@ -168,7 +182,9 @@ Available targets:
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable | `bool` | `false` | no |
 | <a name="input_global_resource_collector_region"></a> [global\_resource\_collector\_region](#input\_global\_resource\_collector\_region) | The region that collects AWS Config data for global resources such as IAM | `string` | n/a | yes |
 | <a name="input_iam_role_arn"></a> [iam\_role\_arn](#input\_iam\_role\_arn) | The ARN for an IAM Role AWS Config uses to make read or write requests to the delivery channel and to describe the<br>AWS resources associated with the account. This is only used if create\_iam\_role is false.<br><br>If you want to use an existing IAM Role, set the value of this to the ARN of the existing topic and set<br>create\_iam\_role to false.<br><br>See the AWS Docs for further information:<br>http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html | `string` | `null` | no |
+| <a name="input_iam_role_organization_aggregator_arn"></a> [iam\_role\_organization\_aggregator\_arn](#input\_iam\_role\_organization\_aggregator\_arn) | The ARN for an IAM Role AWS Config uses for the organization aggregator that  fetches AWS config data from aws accounts. <br>This is only used if create\_organization\_aggregator\_iam\_role is false.<br><br>If you want to use an existing IAM Role, set the value of this to the ARN of the existing topic and set<br>create\_organization\_aggregator\_iam\_role to false.<br><br>See the AWS Docs for further information:<br>http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html | `string` | `null` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
+| <a name="input_is_organization_aggregator"></a> [is\_organization\_aggregator](#input\_is\_organization\_aggregator) | The aggregator is an AWS Organizations aggrgator | `bool` | `false` | no |
 | <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
 | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
 | <a name="input_label_value_case"></a> [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,<br>set as tag values, and output by this module individually.<br>Does not affect values of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper` and `none` (no transformation).<br>Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.<br>Default value: `lower`. | `string` | `null` | no |
@@ -193,6 +209,7 @@ Available targets:
 |------|-------------|
 | <a name="output_aws_config_configuration_recorder_id"></a> [aws\_config\_configuration\_recorder\_id](#output\_aws\_config\_configuration\_recorder\_id) | The ID of the AWS Config Recorder |
 | <a name="output_iam_role"></a> [iam\_role](#output\_iam\_role) | IAM Role used to make read or write requests to the delivery channel and to describe the AWS resources associated with <br>the account. |
+| <a name="output_iam_role_organization_aggregator"></a> [iam\_role\_organization\_aggregator](#output\_iam\_role\_organization\_aggregator) | IAM Role used to make read or write requests to the delivery channel and to describe the AWS resources associated with <br>the account. |
 | <a name="output_sns_topic"></a> [sns\_topic](#output\_sns\_topic) | SNS topic |
 | <a name="output_sns_topic_subscriptions"></a> [sns\_topic\_subscriptions](#output\_sns\_topic\_subscriptions) | SNS topic subscriptions |
 | <a name="output_storage_bucket_arn"></a> [storage\_bucket\_arn](#output\_storage\_bucket\_arn) | Bucket ARN |
@@ -219,7 +236,7 @@ For additional context, refer to some of these links.
 
 ## ✨ Contributing
 
-This project is under active development, and we encourage contributions from our community. 
+This project is under active development, and we encourage contributions from our community.
 Many thanks to our outstanding contributors:
 
 <a href="https://github.com/cloudposse/terraform-aws-config/graphs/contributors">
@@ -232,15 +249,16 @@ Please use the [issue tracker](https://github.com/cloudposse/terraform-aws-confi
 
 ### 💻 Developing
 
-If you are interested in being a contributor and want to get involved in developing this project or [help out](https://cpco.io/help-out) with Cloud Posse's other projects, we would love to hear from you! Shoot us an [email][email].
+If you are interested in being a contributor and want to get involved in developing this project or help out with Cloud Posse's other projects, we would love to hear from you! 
+Hit us up in [Slack][slack], in the `#cloudposse` channel.
 
 In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
-
- 1. **Fork** the repo on GitHub
- 2. **Clone** the project to your own machine
- 3. **Commit** changes to your own branch
- 4. **Push** your work back up to your fork
- 5. Submit a **Pull Request** so that we can review your changes
+ 1. Review our [Code of Conduct](https://github.com/cloudposse/terraform-aws-config/?tab=coc-ov-file#code-of-conduct) and [Contributor Guidelines](https://github.com/cloudposse/.github/blob/main/CONTRIBUTING.md).
+ 2. **Fork** the repo on GitHub
+ 3. **Clone** the project to your own machine
+ 4. **Commit** changes to your own branch
+ 5. **Push** your work back up to your fork
+ 6. Submit a **Pull Request** so that we can review your changes
 
 **NOTE:** Be sure to merge the latest changes from "upstream" before making a pull request!
 
@@ -250,27 +268,34 @@ Join our [Open Source Community][slack] on Slack. It's **FREE** for everyone! Ou
 
 ### 📰 Newsletter
 
-Sign up for [our newsletter][newsletter] that covers everything on our technology radar.  Receive updates on what we're up to on GitHub as well as awesome new projects we discover.
+Sign up for [our newsletter][newsletter] and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know.
+Dropped straight into your Inbox every week — and usually a 5-minute read.
 
 ### 📆 Office Hours <img src="https://img.cloudposse.com/fit-in/200x200/https://cloudposse.com/wp-content/uploads/2019/08/Powered-by-Zoom.png" align="right" />
 
-[Join us every Wednesday via Zoom][office_hours] for our weekly "Lunch & Learn" sessions. It's **FREE** for everyone!
+[Join us every Wednesday via Zoom][office_hours] for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a _live Q&A_ that you can’t find anywhere else.
+It's **FREE** for everyone!
 
-## About 
+## About
 
-This project is maintained and funded by [Cloud Posse, LLC][website]. 
+This project is maintained by [Cloud Posse, LLC][website].
 <a href="https://cpco.io/homepage"><img src="https://cloudposse.com/logo-300x69.svg" align="right" /></a>
 
-We are a [**DevOps Accelerator**][commercial_support]. We'll help you build your cloud infrastructure from the ground up so you can own it. Then we'll show you how to operate it and stick around for as long as you need us.
+We are a [**DevOps Accelerator**][commercial_support] for funded startups and enterprises.
+Use our ready-to-go terraform architecture blueprints for AWS to get up and running quickly.
+We build it with you. You own everything. Your team wins. Plus, we stick around until you succeed.
 
 [![Learn More](https://img.shields.io/badge/learn%20more-success.svg?style=for-the-badge)][commercial_support]
 
-Work directly with our team of DevOps experts via email, slack, and video conferencing.
+*Your team can operate like a pro today.*
 
-We deliver 10x the value for a fraction of the cost of a full-time engineer. Our track record is not even funny. If you want things done right and you need it done FAST, then we're your best bet.
+Ensure that your team succeeds by using our proven process and turnkey blueprints. Plus, we stick around until you succeed.
+
+<details>
+  <summary>📚 <strong>What's included?</strong></summary>
 
 - **Reference Architecture.** You'll get everything you need from the ground up built using 100% infrastructure as code.
-- **Release Engineering.** You'll have end-to-end CI/CD with unlimited staging environments.
+- **Deployment Strategy.** You'll have a battle-tested deployment strategy using GitHub Actions that's automated and repeatable.
 - **Site Reliability Engineering.** You'll have total visibility into your apps and microservices.
 - **Security Baseline.** You'll have built-in governance with accountability and audit logs for all changes.
 - **GitOps.** You'll be able to operate your infrastructure via Pull Requests.
@@ -279,14 +304,18 @@ We deliver 10x the value for a fraction of the cost of a full-time engineer. Our
 - **Troubleshooting.** You'll get help to triage when things aren't working.
 - **Code Reviews.** You'll receive constructive feedback on Pull Requests.
 - **Bug Fixes.** We'll rapidly work with you to fix any bugs in our projects.
+</details>
 
 [![README Commercial Support][readme_commercial_support_img]][readme_commercial_support_link]
 ## License
 
-[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
-
-See [LICENSE](LICENSE) for full details.
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg?style=for-the-badge)](https://opensource.org/licenses/Apache-2.0)
 
+<details>
+<summary>Preamble to the Apache License, Version 2.0</summary>
+<br/>
+<br/>
+Complete license is available in the [`LICENSE`](LICENSE) file.
 ```text
 Licensed to the Apache Software Foundation (ASF) under one
 or more contributor license agreements.  See the NOTICE file
@@ -305,6 +334,7 @@ KIND, either express or implied.  See the License for the
 specific language governing permissions and limitations
 under the License.
 ```
+</details>
 
 ## Trademarks
 
diff --git a/docs/terraform.md b/docs/terraform.md
index 2dde5f7..51a76aa 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -11,7 +11,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.33.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
 
 ## Modules
 
@@ -21,6 +21,7 @@
 | <a name="module_aws_config_findings_label"></a> [aws\_config\_findings\_label](#module\_aws\_config\_findings\_label) | cloudposse/label/null | 0.25.0 |
 | <a name="module_aws_config_label"></a> [aws\_config\_label](#module\_aws\_config\_label) | cloudposse/label/null | 0.25.0 |
 | <a name="module_iam_role"></a> [iam\_role](#module\_iam\_role) | cloudposse/iam-role/aws | 0.15.0 |
+| <a name="module_iam_role_organization_aggregator"></a> [iam\_role\_organization\_aggregator](#module\_iam\_role\_organization\_aggregator) | cloudposse/iam-role/aws | 0.15.0 |
 | <a name="module_sns_topic"></a> [sns\_topic](#module\_sns\_topic) | cloudposse/sns-topic/aws | 0.20.1 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
@@ -36,10 +37,14 @@
 | [aws_config_configuration_recorder_status.recorder_status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_recorder_status) | resource |
 | [aws_config_delivery_channel.channel](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_delivery_channel) | resource |
 | [aws_iam_role_policy_attachment.config_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.organization_config_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy.aws_config_built_in_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy.aws_config_organization_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy_document.config_organization_aggregator_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.config_s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.config_sns_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
@@ -54,6 +59,7 @@
 | <a name="input_child_resource_collector_accounts"></a> [child\_resource\_collector\_accounts](#input\_child\_resource\_collector\_accounts) | The account IDs of other accounts that will send their AWS Configuration to this account | `set(string)` | `null` | no |
 | <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br>  "additional_tag_map": {},<br>  "attributes": [],<br>  "delimiter": null,<br>  "descriptor_formats": {},<br>  "enabled": true,<br>  "environment": null,<br>  "id_length_limit": null,<br>  "label_key_case": null,<br>  "label_order": [],<br>  "label_value_case": null,<br>  "labels_as_tags": [<br>    "unset"<br>  ],<br>  "name": null,<br>  "namespace": null,<br>  "regex_replace_chars": null,<br>  "stage": null,<br>  "tags": {},<br>  "tenant": null<br>}</pre> | no |
 | <a name="input_create_iam_role"></a> [create\_iam\_role](#input\_create\_iam\_role) | Flag to indicate whether an IAM Role should be created to grant the proper permissions for AWS Config | `bool` | `false` | no |
+| <a name="input_create_organization_aggregator_iam_role"></a> [create\_organization\_aggregator\_iam\_role](#input\_create\_organization\_aggregator\_iam\_role) | Flag to indicate whether an IAM Role should be created to grant the proper permissions for AWS Config to send logs from organization accounts | `bool` | `false` | no |
 | <a name="input_create_sns_topic"></a> [create\_sns\_topic](#input\_create\_sns\_topic) | Flag to indicate whether an SNS topic should be created for notifications<br>If you want to send findings to a new SNS topic, set this to true and provide a valid configuration for subscribers | `bool` | `false` | no |
 | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
 | <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br>   format = string<br>   labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
@@ -64,7 +70,9 @@
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable | `bool` | `false` | no |
 | <a name="input_global_resource_collector_region"></a> [global\_resource\_collector\_region](#input\_global\_resource\_collector\_region) | The region that collects AWS Config data for global resources such as IAM | `string` | n/a | yes |
 | <a name="input_iam_role_arn"></a> [iam\_role\_arn](#input\_iam\_role\_arn) | The ARN for an IAM Role AWS Config uses to make read or write requests to the delivery channel and to describe the<br>AWS resources associated with the account. This is only used if create\_iam\_role is false.<br><br>If you want to use an existing IAM Role, set the value of this to the ARN of the existing topic and set<br>create\_iam\_role to false.<br><br>See the AWS Docs for further information:<br>http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html | `string` | `null` | no |
+| <a name="input_iam_role_organization_aggregator_arn"></a> [iam\_role\_organization\_aggregator\_arn](#input\_iam\_role\_organization\_aggregator\_arn) | The ARN for an IAM Role AWS Config uses for the organization aggregator that  fetches AWS config data from aws accounts. <br>This is only used if create\_organization\_aggregator\_iam\_role is false.<br><br>If you want to use an existing IAM Role, set the value of this to the ARN of the existing topic and set<br>create\_organization\_aggregator\_iam\_role to false.<br><br>See the AWS Docs for further information:<br>http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html | `string` | `null` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
+| <a name="input_is_organization_aggregator"></a> [is\_organization\_aggregator](#input\_is\_organization\_aggregator) | The aggregator is an AWS Organizations aggrgator | `bool` | `false` | no |
 | <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
 | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
 | <a name="input_label_value_case"></a> [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,<br>set as tag values, and output by this module individually.<br>Does not affect values of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper` and `none` (no transformation).<br>Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.<br>Default value: `lower`. | `string` | `null` | no |
@@ -89,6 +97,7 @@
 |------|-------------|
 | <a name="output_aws_config_configuration_recorder_id"></a> [aws\_config\_configuration\_recorder\_id](#output\_aws\_config\_configuration\_recorder\_id) | The ID of the AWS Config Recorder |
 | <a name="output_iam_role"></a> [iam\_role](#output\_iam\_role) | IAM Role used to make read or write requests to the delivery channel and to describe the AWS resources associated with <br>the account. |
+| <a name="output_iam_role_organization_aggregator"></a> [iam\_role\_organization\_aggregator](#output\_iam\_role\_organization\_aggregator) | IAM Role used to make read or write requests to the delivery channel and to describe the AWS resources associated with <br>the account. |
 | <a name="output_sns_topic"></a> [sns\_topic](#output\_sns\_topic) | SNS topic |
 | <a name="output_sns_topic_subscriptions"></a> [sns\_topic\_subscriptions](#output\_sns\_topic\_subscriptions) | SNS topic subscriptions |
 | <a name="output_storage_bucket_arn"></a> [storage\_bucket\_arn](#output\_storage\_bucket\_arn) | Bucket ARN |

From 0c8d35906f6bef0093665eb88645c6ff1a463b47 Mon Sep 17 00:00:00 2001
From: Islam Heggy <islam.heggy@gmail.com>
Date: Wed, 7 Feb 2024 06:16:17 +0200
Subject: [PATCH 05/11] chore: clean not used resources and fix indentation

---
 README.md         |  1 -
 docs/terraform.md |  1 -
 main.tf           | 50 ++++++++++++++++-------------------------------
 variables.tf      |  6 +-----
 4 files changed, 18 insertions(+), 40 deletions(-)

diff --git a/README.md b/README.md
index 4a8b441..b346458 100644
--- a/README.md
+++ b/README.md
@@ -153,7 +153,6 @@ Available targets:
 | [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy.aws_config_built_in_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy.aws_config_organization_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
-| [aws_iam_policy_document.config_organization_aggregator_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.config_s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.config_sns_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
diff --git a/docs/terraform.md b/docs/terraform.md
index 51a76aa..072b1bc 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -41,7 +41,6 @@
 | [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy.aws_config_built_in_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy.aws_config_organization_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
-| [aws_iam_policy_document.config_organization_aggregator_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.config_s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.config_sns_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
diff --git a/main.tf b/main.tf
index 001b971..c42dece 100644
--- a/main.tf
+++ b/main.tf
@@ -146,7 +146,6 @@ module "iam_role_organization_aggregator" {
   context = module.this.context
 }
 
-
 resource "aws_iam_role_policy_attachment" "config_policy_attachment" {
   count = module.this.enabled && local.create_iam_role ? 1 : 0
 
@@ -155,17 +154,18 @@ resource "aws_iam_role_policy_attachment" "config_policy_attachment" {
 }
 
 resource "aws_iam_role_policy_attachment" "organization_config_policy_attachment" {
-  count = module.this.enabled && local.create_iam_role && local.organization_aggregator ? 1 : 0
+  count = module.this.enabled && local.create_iam_role && var.is_organization_aggregator ? 1 : 0
 
   role       = module.iam_role_organization_aggregator[0].name
   policy_arn = data.aws_iam_policy.aws_config_organization_role.arn
 }
+
 data "aws_iam_policy" "aws_config_built_in_role" {
-  arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWS_ConfigRole"
+  arn = "arn:${local.partition}:iam::aws:policy/service-role/AWS_ConfigRole"
 }
 
 data "aws_iam_policy" "aws_config_organization_role" {
-  arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
+  arn = "arn:${local.partition}:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
 }
 
 data "aws_iam_policy_document" "config_s3_policy" {
@@ -189,15 +189,6 @@ data "aws_iam_policy_document" "config_s3_policy" {
     }
   }
 }
-data "aws_iam_policy_document" "config_organization_aggregator_policy" {
-
-  count = local.organization_aggregator ? 1 : 0
-
-  statement {
-    effect  = "Allow"
-    actions = ["sts:AssumeRole"]
-  }
-}
 
 data "aws_iam_policy_document" "config_sns_policy" {
   count = local.create_iam_role && local.create_sns_topic ? 1 : 0
@@ -233,7 +224,7 @@ resource "aws_config_configuration_aggregator" "this" {
 
   # Create normal account aggregation source
   dynamic "account_aggregation_source" {
-    for_each = local.organization_aggregator ? [] : [1]
+    for_each = var.is_organization_aggregator ? [] : [1]
     content {
       account_ids = local.child_resource_collector_accounts
       all_regions = true
@@ -242,16 +233,12 @@ resource "aws_config_configuration_aggregator" "this" {
 
   # Create organization aggregation source
   dynamic "organization_aggregation_source" {
-    for_each = local.organization_aggregator ? [1] : []
+    for_each = var.is_organization_aggregator ? [1] : []
     content {
       all_regions = true
       role_arn    = local.create_organization_aggregator_iam_role ? module.iam_role_organization_aggregator[0].arn : var.iam_role_organization_aggregator_arn
     }
   }
-
-
-
-
   tags = module.this.tags
 }
 
@@ -261,7 +248,7 @@ resource "aws_config_aggregate_authorization" "child" {
   #
   # Authorize each region in a child account to send its data to the global_resource_collector_region of the
   # central_resource_collector_account
-  count = local.enabled && var.central_resource_collector_account != null && local.organization_aggregator == false ? 1 : 0
+  count = local.enabled && var.central_resource_collector_account != null && var.is_organization_aggregator == false ? 1 : 0
 
   account_id = var.central_resource_collector_account
   region     = var.global_resource_collector_region
@@ -274,7 +261,7 @@ resource "aws_config_aggregate_authorization" "central" {
   # Multi-Account Multi-Region Data Aggregation and only enabling Multi-Region aggregation within the same account:
   #
   # Authorize each region to send its data to the global_resource_collector_region
-  count = local.enabled && var.central_resource_collector_account == null && local.organization_aggregator == false ? 1 : 0
+  count = local.enabled && var.central_resource_collector_account == null && var.is_organization_aggregator == false ? 1 : 0
 
   account_id = data.aws_caller_identity.this.account_id
   region     = var.global_resource_collector_region
@@ -282,7 +269,6 @@ resource "aws_config_aggregate_authorization" "central" {
   tags = module.this.tags
 }
 
-
 #-----------------------------------------------------------------------------------------------------------------------
 # LOCALS AND DATA SOURCES
 #-----------------------------------------------------------------------------------------------------------------------
@@ -293,15 +279,13 @@ data "aws_partition" "current" {}
 locals {
   enabled = module.this.enabled && !contains(var.disabled_aggregation_regions, data.aws_region.this.name)
 
-  is_central_account                = var.central_resource_collector_account == data.aws_caller_identity.this.account_id
-  is_global_recorder_region         = var.global_resource_collector_region == data.aws_region.this.name
-  child_resource_collector_accounts = var.child_resource_collector_accounts != null ? var.child_resource_collector_accounts : []
-  enable_notifications              = module.this.enabled && (var.create_sns_topic || var.findings_notification_arn != null)
-  create_sns_topic                  = module.this.enabled && var.create_sns_topic
-  findings_notification_arn         = local.enable_notifications ? (var.findings_notification_arn != null ? var.findings_notification_arn : module.sns_topic[0].sns_topic.arn) : null
-  create_iam_role                   = module.this.enabled && var.create_iam_role
-
-  organization_aggregator = var.is_organization_aggregator
-
-  create_organization_aggregator_iam_role = var.create_organization_aggregator_iam_role
+  is_central_account                      = var.central_resource_collector_account == data.aws_caller_identity.this.account_id
+  is_global_recorder_region               = var.global_resource_collector_region == data.aws_region.this.name
+  child_resource_collector_accounts       = var.child_resource_collector_accounts != null ? var.child_resource_collector_accounts : []
+  enable_notifications                    = module.this.enabled && (var.create_sns_topic || var.findings_notification_arn != null)
+  create_sns_topic                        = module.this.enabled && var.create_sns_topic
+  findings_notification_arn               = local.enable_notifications ? (var.findings_notification_arn != null ? var.findings_notification_arn : module.sns_topic[0].sns_topic.arn) : null
+  create_iam_role                         = module.this.enabled && var.create_iam_role
+  create_organization_aggregator_iam_role = module.this.enabled && var.create_organization_aggregator_iam_role
+  partition                               = data.aws_partition.current.partition
 }
diff --git a/variables.tf b/variables.tf
index 33b87d0..3b7a48c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -62,7 +62,6 @@ variable "findings_notification_arn" {
   type        = string
 }
 
-
 variable "create_iam_role" {
   description = "Flag to indicate whether an IAM Role should be created to grant the proper permissions for AWS Config"
   type        = bool
@@ -75,8 +74,6 @@ variable "create_organization_aggregator_iam_role" {
   default     = false
 }
 
-
-
 variable "iam_role_arn" {
   description = <<-DOC
     The ARN for an IAM Role AWS Config uses to make read or write requests to the delivery channel and to describe the
@@ -185,5 +182,4 @@ variable "allowed_iam_arns_for_sns_publish" {
   type        = list(string)
   description = "IAM role/user ARNs that will have permission to publish to SNS topic. Used when no external json policy is used."
   default     = []
-}
-
+}
\ No newline at end of file

From f81786b5185a4b87c4b3c857e60e69a663c331ce Mon Sep 17 00:00:00 2001
From: Islam Heggy <islam.heggy@gmail.com>
Date: Wed, 7 Feb 2024 17:18:10 +0200
Subject: [PATCH 06/11] Update variables.tf

Co-authored-by: Andriy Knysh <aknysh@users.noreply.github.com>
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/variables.tf b/variables.tf
index 3b7a48c..7deb748 100644
--- a/variables.tf
+++ b/variables.tf
@@ -169,7 +169,7 @@ variable "disabled_aggregation_regions" {
 variable "is_organization_aggregator" {
   type        = bool
   default     = false
-  description = "The aggregator is an AWS Organizations aggrgator"
+  description = "The aggregator is an AWS Organizations aggregator"
 }
 
 variable "allowed_aws_services_for_sns_published" {

From 64f781c3c1a0509aecde1fb345aa50c095890593 Mon Sep 17 00:00:00 2001
From: Islam Heggy <islam.heggy@gmail.com>
Date: Wed, 7 Feb 2024 17:41:56 +0200
Subject: [PATCH 07/11] Update main.tf

Co-authored-by: Andriy Knysh <aknysh@users.noreply.github.com>
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index c42dece..1531935 100644
--- a/main.tf
+++ b/main.tf
@@ -127,7 +127,7 @@ module "iam_role" {
 
 # Create Optional IAM ROLE for organization wide aggregator
 module "iam_role_organization_aggregator" {
-  count   = module.this.enabled && local.create_organization_aggregator_iam_role ? 1 : 0
+  count   = local.create_organization_aggregator_iam_role ? 1 : 0
   source  = "cloudposse/iam-role/aws"
   version = "0.15.0"
 

From f145c107d834402f53f875d9b1f11cabf3fce616 Mon Sep 17 00:00:00 2001
From: Islam Heggy <islam.heggy@gmail.com>
Date: Wed, 7 Feb 2024 22:24:11 +0200
Subject: [PATCH 08/11] Update variables.tf

Co-authored-by: Andriy Knysh <aknysh@users.noreply.github.com>
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/variables.tf b/variables.tf
index 7deb748..efcd57f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -91,7 +91,7 @@ variable "iam_role_arn" {
 
 variable "iam_role_organization_aggregator_arn" {
   description = <<-DOC
-    The ARN for an IAM Role AWS Config uses for the organization aggregator that  fetches AWS config data from aws accounts. 
+    The ARN for an IAM Role that AWS Config uses for the organization aggregator that fetches AWS config data from AWS accounts. 
     This is only used if create_organization_aggregator_iam_role is false.
 
     If you want to use an existing IAM Role, set the value of this to the ARN of the existing topic and set

From 1cd3f1769c0345751ba03f578659e8c061e81a9d Mon Sep 17 00:00:00 2001
From: Islam Heggy <islam.heggy@gmail.com>
Date: Wed, 7 Feb 2024 22:24:21 +0200
Subject: [PATCH 09/11] Update variables.tf

Co-authored-by: Andriy Knysh <aknysh@users.noreply.github.com>
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/variables.tf b/variables.tf
index efcd57f..f9fd118 100644
--- a/variables.tf
+++ b/variables.tf
@@ -94,7 +94,7 @@ variable "iam_role_organization_aggregator_arn" {
     The ARN for an IAM Role that AWS Config uses for the organization aggregator that fetches AWS config data from AWS accounts. 
     This is only used if create_organization_aggregator_iam_role is false.
 
-    If you want to use an existing IAM Role, set the value of this to the ARN of the existing topic and set
+    If you want to use an existing IAM Role, set the value of this to the ARN of the existing role and set
     create_organization_aggregator_iam_role to false.
 
     See the AWS Docs for further information:

From e4288c5c534fbe875f3e40e6be39b34c2ce42cd8 Mon Sep 17 00:00:00 2001
From: Islam Heggy <islam.heggy@gmail.com>
Date: Wed, 7 Feb 2024 22:24:31 +0200
Subject: [PATCH 10/11] Update variables.tf

Co-authored-by: Andriy Knysh <aknysh@users.noreply.github.com>
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/variables.tf b/variables.tf
index f9fd118..f6dd508 100644
--- a/variables.tf
+++ b/variables.tf
@@ -97,7 +97,7 @@ variable "iam_role_organization_aggregator_arn" {
     If you want to use an existing IAM Role, set the value of this to the ARN of the existing role and set
     create_organization_aggregator_iam_role to false.
 
-    See the AWS Docs for further information:
+    See the AWS docs for further information:
     http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
   DOC
   default     = null

From acc789f7ae5bddb60ae9ed9f59ff3ff736df4072 Mon Sep 17 00:00:00 2001
From: Islam Heggy <islam.heggy@gmail.com>
Date: Wed, 7 Feb 2024 22:33:29 +0200
Subject: [PATCH 11/11] docs: Update README.md

---
 README.md         | 4 ++--
 docs/terraform.md | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index b346458..35ee431 100644
--- a/README.md
+++ b/README.md
@@ -181,9 +181,9 @@ Available targets:
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable | `bool` | `false` | no |
 | <a name="input_global_resource_collector_region"></a> [global\_resource\_collector\_region](#input\_global\_resource\_collector\_region) | The region that collects AWS Config data for global resources such as IAM | `string` | n/a | yes |
 | <a name="input_iam_role_arn"></a> [iam\_role\_arn](#input\_iam\_role\_arn) | The ARN for an IAM Role AWS Config uses to make read or write requests to the delivery channel and to describe the<br>AWS resources associated with the account. This is only used if create\_iam\_role is false.<br><br>If you want to use an existing IAM Role, set the value of this to the ARN of the existing topic and set<br>create\_iam\_role to false.<br><br>See the AWS Docs for further information:<br>http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html | `string` | `null` | no |
-| <a name="input_iam_role_organization_aggregator_arn"></a> [iam\_role\_organization\_aggregator\_arn](#input\_iam\_role\_organization\_aggregator\_arn) | The ARN for an IAM Role AWS Config uses for the organization aggregator that  fetches AWS config data from aws accounts. <br>This is only used if create\_organization\_aggregator\_iam\_role is false.<br><br>If you want to use an existing IAM Role, set the value of this to the ARN of the existing topic and set<br>create\_organization\_aggregator\_iam\_role to false.<br><br>See the AWS Docs for further information:<br>http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html | `string` | `null` | no |
+| <a name="input_iam_role_organization_aggregator_arn"></a> [iam\_role\_organization\_aggregator\_arn](#input\_iam\_role\_organization\_aggregator\_arn) | The ARN for an IAM Role that AWS Config uses for the organization aggregator that fetches AWS config data from AWS accounts. <br>This is only used if create\_organization\_aggregator\_iam\_role is false.<br><br>If you want to use an existing IAM Role, set the value of this to the ARN of the existing role and set<br>create\_organization\_aggregator\_iam\_role to false.<br><br>See the AWS docs for further information:<br>http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html | `string` | `null` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
-| <a name="input_is_organization_aggregator"></a> [is\_organization\_aggregator](#input\_is\_organization\_aggregator) | The aggregator is an AWS Organizations aggrgator | `bool` | `false` | no |
+| <a name="input_is_organization_aggregator"></a> [is\_organization\_aggregator](#input\_is\_organization\_aggregator) | The aggregator is an AWS Organizations aggregator | `bool` | `false` | no |
 | <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
 | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
 | <a name="input_label_value_case"></a> [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,<br>set as tag values, and output by this module individually.<br>Does not affect values of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper` and `none` (no transformation).<br>Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.<br>Default value: `lower`. | `string` | `null` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 072b1bc..78e52a5 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -69,9 +69,9 @@
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable | `bool` | `false` | no |
 | <a name="input_global_resource_collector_region"></a> [global\_resource\_collector\_region](#input\_global\_resource\_collector\_region) | The region that collects AWS Config data for global resources such as IAM | `string` | n/a | yes |
 | <a name="input_iam_role_arn"></a> [iam\_role\_arn](#input\_iam\_role\_arn) | The ARN for an IAM Role AWS Config uses to make read or write requests to the delivery channel and to describe the<br>AWS resources associated with the account. This is only used if create\_iam\_role is false.<br><br>If you want to use an existing IAM Role, set the value of this to the ARN of the existing topic and set<br>create\_iam\_role to false.<br><br>See the AWS Docs for further information:<br>http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html | `string` | `null` | no |
-| <a name="input_iam_role_organization_aggregator_arn"></a> [iam\_role\_organization\_aggregator\_arn](#input\_iam\_role\_organization\_aggregator\_arn) | The ARN for an IAM Role AWS Config uses for the organization aggregator that  fetches AWS config data from aws accounts. <br>This is only used if create\_organization\_aggregator\_iam\_role is false.<br><br>If you want to use an existing IAM Role, set the value of this to the ARN of the existing topic and set<br>create\_organization\_aggregator\_iam\_role to false.<br><br>See the AWS Docs for further information:<br>http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html | `string` | `null` | no |
+| <a name="input_iam_role_organization_aggregator_arn"></a> [iam\_role\_organization\_aggregator\_arn](#input\_iam\_role\_organization\_aggregator\_arn) | The ARN for an IAM Role that AWS Config uses for the organization aggregator that fetches AWS config data from AWS accounts. <br>This is only used if create\_organization\_aggregator\_iam\_role is false.<br><br>If you want to use an existing IAM Role, set the value of this to the ARN of the existing role and set<br>create\_organization\_aggregator\_iam\_role to false.<br><br>See the AWS docs for further information:<br>http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html | `string` | `null` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
-| <a name="input_is_organization_aggregator"></a> [is\_organization\_aggregator](#input\_is\_organization\_aggregator) | The aggregator is an AWS Organizations aggrgator | `bool` | `false` | no |
+| <a name="input_is_organization_aggregator"></a> [is\_organization\_aggregator](#input\_is\_organization\_aggregator) | The aggregator is an AWS Organizations aggregator | `bool` | `false` | no |
 | <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
 | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
 | <a name="input_label_value_case"></a> [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,<br>set as tag values, and output by this module individually.<br>Does not affect values of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper` and `none` (no transformation).<br>Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.<br>Default value: `lower`. | `string` | `null` | no |