Initialized the Repository with basic AWS Config

.gitignore

@@ -0,0 +1,6 @@
+.idea/
+.terraform/
+*.tfstate
+*.tfstate.backup
+*.py
+env

cloudwatch.tf

@@ -0,0 +1,4 @@
+resource "aws_cloudwatch_log_group" "s3_webserver_buckets_cloudwatch" {
+  name              = "/aws/lambda/${aws_lambda_function.s3_webserver_buckets.function_name}"
+  retention_in_days = 14
+}

config.tf

@@ -0,0 +1,93 @@
+# Enable Config via Terraform if it was not enabled before.
+# You can only have one Config Recorder. This resource would fail
+# if you enabled AWS config manually before.
+#resource "aws_config_configuration_recorder" "config-recorder" {
+#  name = "aws_config_recorder"
+#  role_arn = "${aws_iam_role.aws_config_recorder.arn}"
+#}
+
+resource "aws_config_organization_managed_rule" "resourcesTagged" {
+  name = "instanceTagged"
+  input_parameters = <<EOF
+  {
+    "tag1Key" : "owner"
+  }
+EOF
+  rule_identifier = "REQUIRED_TAGS"
+}
+
+resource "aws_config_organization_managed_rule" "accessKeyRotated" {
+  name = "access_key_rotated"
+  input_parameters = <<EOF
+  {
+    "maxAccessKeyAge" : "${var.accessKeyRotated_maxAccessKeyAge}"
+  }
+EOF
+
+  rule_identifier = "ACCESS_KEYS_ROTATED"
+}
+
+resource "aws_config_organization_managed_rule" "dbInstanceBackupEnabled" {
+  name = "db_instance_backup_enabled"
+  input_parameters = <<EOF
+  {
+    "backupRetentionPeriod" : "${var.dbInstanceBackupEnabled_RetentionPeriod}",
+    "preferredBackupWindow" : "${var.dbInstanceBackupEnabled_PreferredBackupWindow}",
+    "checkReadReplicas"     : "${var.dbInstanceBackupEnabled_CheckReadReplicas}"
+  }
+EOF
+
+  rule_identifier = "DB_INSTANCE_BACKUP_ENABLED"
+}
+
+resource "aws_config_organization_managed_rule" "ec2InstanceNoPublicIp" {
+  name = "ec2_instance_no_public_ip"
+
+  rule_identifier = "EC2_INSTANCE_NO_PUBLIC_IP"
+}
+
+resource "aws_config_organization_managed_rule" "elasticsearchInVpcOnly" {
+  name = "elasticsearch_in_vpc_only"
+
+  rule_identifier = "ELASTICSEARCH_IN_VPC_ONLY"
+}
+
+resource "aws_config_organization_managed_rule" "elbLoggingEnabled" {
+  name = "elb_logging_enabled"
+  input_parameters = <<EOF
+  {
+    "s3BucketNames" : "${var.elbLoggingEnabled_s3BucketNames}"
+  }
+  EOF
+
+  rule_identifier = "ELB_LOGGING_ENABLED"
+}
+
+resource "aws_config_organization_managed_rule" "iamRootAccessKeyCheck" {
+  name = "iam_root_access_key_check"
+
+  rule_identifier = "IAM_ROOT_ACCESS_KEY_CHECK"
+}
+
+resource "aws_config_organization_managed_rule" "rdsInstancePublicAccessCheck" {
+  name = "rds_instance_public_access_check"
+
+  rule_identifier = "RDS_INSTANCE_PUBLIC_ACCESS_CHECK"
+}
+
+## CUSTOM RULES ##
+resource "aws_config_organization_custom_rule" "s3WebserverBuckets" {
+  name = "s3_webserver_buckets"
+
+  #depends_on = ["aws_config_configuration_recorder.config-recorder", "aws_lambda_permission.s3_webserver_buckets_config_permissions"]
+  lambda_function_arn = "${aws_lambda_function.s3_webserver_buckets.arn}"
+  trigger_types = ["ScheduledNotification"]
+}
+
+resource "aws_config_organization_custom_rule" "iam_console_login" {
+  name = "iam_console_login"
+
+  lambda_function_arn = "${aws_lambda_function.iam_console_login.arn}"
+  trigger_types = ["ScheduledNotification"]
+}
+

iam_lambda.tf

@@ -0,0 +1,134 @@
+resource "aws_iam_role" "s3_webserver_buckets_role" {
+  name = "lambda-s3-webserver-buckets"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "lambda_logging" {
+  name = "lambda_logging"
+  path = "/"
+  description = "Allows Lambda functions to write to CloudWatch"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ],
+      "Resource": "arn:aws:logs:*:*:*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "lambda_put_config_evaluations" {
+  name = "lambda-put-config-evaluations"
+  path = "/"
+  description = "Allows Lambda to put an evaluation to AWS Config"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+      {
+          "Sid": "VisualEditor0",
+          "Effect": "Allow",
+          "Action": "config:PutEvaluations",
+          "Resource": "*"
+      }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "s3_webserver_buckets_cloudwatch" {
+  role       = "${aws_iam_role.s3_webserver_buckets_role.name}"
+  policy_arn = "${aws_iam_policy.lambda_logging.arn}"
+}
+
+resource "aws_iam_role_policy_attachment" "s3_webserver_buckets_attachment_s3readonly" {
+  role       = "${aws_iam_role.s3_webserver_buckets_role.name}"
+  policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
+}
+
+resource "aws_iam_role_policy_attachment" "s3_webserver_buckets_attachment_config_putevaluation" {
+  role       = "${aws_iam_role.s3_webserver_buckets_role.name}"
+  policy_arn = "${aws_iam_policy.lambda_put_config_evaluations.arn}"
+}
+
+
+
+resource "aws_iam_role" "iam_console_login_role" {
+  name = "lambda-iam-console-login"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "iam_console_login_iam_read_only" {
+  role       = "${aws_iam_role.iam_console_login_role.name}"
+  policy_arn = "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
+}
+
+resource "aws_iam_role_policy_attachment" "iam_console_login_cloudwatch" {
+  role       = "${aws_iam_role.iam_console_login_role.name}"
+  policy_arn = "${aws_iam_policy.lambda_logging.arn}"
+}
+
+resource "aws_iam_role_policy_attachment" "iam_console_login_config" {
+  role = "${aws_iam_role.iam_console_login_role.name}"
+  policy_arn = "${aws_iam_policy.lambda_put_config_evaluations.arn}"
+}
+
+resource "aws_iam_role" "aws_config_recorder" {
+  name = "svc_aws_config_recorder"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "config.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}

lambda.tf

@@ -0,0 +1,26 @@
+resource "aws_lambda_function" "s3_webserver_buckets" {
+  filename      = "lambda/s3_webserver_buckets.zip"
+  function_name = "s3_webserver_buckets"
+  role          = "${aws_iam_role.s3_webserver_buckets_role.arn}"
+  handler       = "s3_webserver_buckets.lambda_handler"
+  timeout       = "${var.lambda_timeout}"
+
+  runtime = "python3.7"
+}
+
+resource "aws_lambda_permission" "s3_webserver_buckets_config_permissions" {
+  action        = "lambda:InvokeFunction"
+  function_name = "${aws_lambda_function.s3_webserver_buckets.arn}"
+  principal     = "config.amazonaws.com"
+  statement_id  = "AllowExecutionFromConfig"
+}
+
+resource "aws_lambda_function" "iam_console_login" {
+  filename      = "lambda/iam_console_login.zip"
+  function_name = "iam_console_login"
+  role          = "${aws_iam_role.iam_console_login_role.arn}"
+  handler       = "iam_console_login.lambda_handler"
+  timeout       = "${var.lambda_timeout}"
+
+  runtime = "python3.7"
+}