🚀 Feature Request: Config Aggregator Support #4067

Closed
gazoakley opened this issue Apr 5, 2018 · 8 comments
Labels
new-resource Introduces a new resource. service/configservice Issues and PRs that pertain to the configservice service.

Comments

@gazoakley
Contributor

gazoakley commented Apr 5, 2018

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS Config now supports aggregating resources across accounts/regions: https://aws.amazon.com/blogs/aws/aws-config-update-aggregate-compliance-data-across-accounts-regions/

New or Affected Resource(s)

  • aws_config_aggregator
  • aws_config_authorization

Potential Terraform Configuration

# Example implementation, may change when developed

resource "aws_config_aggregator" "example" {
  name = "example" # Required

  account_aggregation_source {
    account_ids     = ["123456789012"] # Required
    all_aws_regions = true             # Optional
    aws_regions     = ["eu-west-2"]    # Optional
  }

  organization_aggregation_source {
    all_aws_regions = true          # Optional
    aws_regions     = ["eu-west-2"] # Optional
    role_arn        = ""            # Required
  }
}

resource "aws_config_authorization" "example" {
  authorized_account_id = "123456789012" # Required
  authorized_aws_region = "eu-west-2"    # Required
}

References

@bflad bflad added new-resource Introduces a new resource. service/configservice Issues and PRs that pertain to the configservice service. labels Apr 5, 2018
@marcotesch
Contributor

I think it would be better to have the all_aws_regions argument as a required argument in the first place, or the default value set to false instead of true.

@gazoakley
Contributor Author

The Config API seems to default all_aws_regions to false if not specified - but it does return an error if you specify it as true and then also set aws_regions. I'd probably go for the latter to make configuration easier and match what the API does.

@lorengordon
Contributor

I don't suppose there's a way to do this that allows accounts to be added to the aggregator over time, as separate resources? I'm imagining a resource to create the aggregator in one config, then in a separate config a resource that adds the account to that aggregator. I think this would improve composition. Otherwise every time we create an account, we also need to re-run the terraform config that manages the aggregator config in its entirety (with some mechanism that collects the accounts and updates the account list).

It doesn't really look like the API would be terribly supportive of this approach though. :(

But... perhaps an aggregator per account would work...

@hoeg

hoeg commented May 24, 2018

Until this gets merged, what are the best practices for getting a centralized overview of these logs?

@gazoakley gazoakley changed the title from "Feature Request: Config Aggregator Support" to "🚀 Feature Request: Config Aggregator Support" May 24, 2018
@jayzes

jayzes commented May 24, 2018

@hoeg I've been looking for the same - my current approach is to use a Terraform-managed Cloudformation template to create all of the aggregator resources (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationaggregator.html). It's a little hacky for sure, but I think it's going to work.

@bflad bflad added this to the v1.22.0 milestone Jun 3, 2018
@bflad
Contributor

bflad commented Jun 3, 2018

The following new resources have been merged in (thanks @gazoakley!) and will release with v1.22.0 of the AWS provider, middle of this week:

  • aws_config_aggregate_authorization
  • aws_config_configuration_aggregator
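The resource and argument names that shipped differ from the ones proposed at the top of the thread, and the thread also settled that all-regions and an explicit region list are mutually exclusive. The following is an added example, not code from the issue or the provider's own docs, showing the proposal's two sides (aggregator account and source account) written against the released resources; the argument names (account_ids, regions, all_regions, role_arn, account_id, region), the Terraform 0.12+ syntax, the account IDs and the IAM policy wiring are my assumptions and should be checked against the provider documentation.

```hcl
# Added example, not from the issue: the proposal above mapped onto the
# resources released in v1.22.0 (Terraform 0.12+ syntax). Argument names
# are assumed from the provider docs; account IDs are constructed.

# Aggregator (security/audit) account: collect Config data from an
# explicit list of source accounts and regions. regions and all_regions
# are mutually exclusive, matching the API behaviour discussed above.
resource "aws_config_configuration_aggregator" "accounts" {
  name = "org-security-aggregator"
  account_aggregation_source {
    account_ids = ["111111111111", "222222222222"]
    regions     = ["eu-west-2", "us-east-1"]
  }
}

# Alternative: aggregate across the whole Organization through a role
# carrying the AWS managed AWSConfigRoleForOrganizations policy.
resource "aws_iam_role" "organization" {
  name = "config-organization-aggregator"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "config.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "organization" {
  role       = aws_iam_role.organization.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
}

resource "aws_config_configuration_aggregator" "organization" {
  depends_on = [aws_iam_role_policy_attachment.organization]
  name       = "org-wide-aggregator"
  organization_aggregation_source {
    all_regions = true
    role_arn    = aws_iam_role.organization.arn
  }
}

# Each source account (its own state, per the composition point above)
# explicitly authorises the aggregator account and region.
resource "aws_config_aggregate_authorization" "security_account" {
  account_id = "999999999999" # aggregator account, constructed placeholder
  region     = "eu-west-2"
}
```

The authorization lives with the source account, so onboarding a new account only needs that account's own config to apply; the aggregator's account list still has to be updated separately, which is the limitation raised above.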

@bflad bflad closed this as completed Jun 3, 2018
@bflad
Contributor

bflad commented Jun 5, 2018

This has been released in version 1.22.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost

ghost commented Apr 5, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 5, 2020