From fa7ff7901d9209fab7fda79bd8ca673c8afff17b Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Thu, 3 Feb 2022 00:37:20 -0300 Subject: [PATCH 01/11] Add SourceAccount condition --- main.tf | 5 +++++ variables.tf | 6 ++++++ 2 files changed, 11 insertions(+) diff --git a/main.tf b/main.tf index 7599626..40ed75f 100644 --- a/main.tf +++ b/main.tf @@ -231,6 +231,11 @@ data "aws_iam_policy_document" "main" { } actions = ["s3:GetBucketAcl"] resources = [local.bucket_arn] + condition { + test = "StringEquals" + variable = "AWS:SourceAccount" + values = var.config_source_accounts + } } statement { diff --git a/variables.tf b/variables.tf index c5eaa9d..1c77b45 100644 --- a/variables.tf +++ b/variables.tf @@ -118,6 +118,12 @@ variable "cloudtrail_accounts" { type = list(string) } +variable "config_source_accounts" { + description = "List of source accounts with permission to send logs Config bucket." + default = [] + type = list(string) +} + variable "config_accounts" { description = "List of accounts for Config logs. By default limits to the current account." default = [] From 02a1fb7fd150eee1a84c813dc8b52a560cb338eb Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Thu, 3 Feb 2022 00:59:26 -0300 Subject: [PATCH 02/11] Use config_accounts variables a the source accounts list --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 40ed75f..e5311d9 100644 --- a/main.tf +++ b/main.tf @@ -234,7 +234,7 @@ data "aws_iam_policy_document" "main" { condition { test = "StringEquals" variable = "AWS:SourceAccount" - values = var.config_source_accounts + values = var.config_accounts } } From 8d3de05b4bf557c5f12a53b3b7199562ce039902 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Thu, 3 Feb 2022 01:21:29 -0300 Subject: [PATCH 03/11] Add dynamic statatement --- main.tf | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/main.tf b/main.tf index e5311d9..3f0dde2 100644 
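Review bot: In the PATCH 02 hunk, `values = var.config_accounts` feeds the raw variable into the SourceAccount condition, and that variable defaults to `[]`; its own description says the default "limits to the current account", so that defaulting presumably happens in a local rather than in the variable. With the default in effect the condition is rendered with an empty value list, which I would expect IAM to reject at apply time rather than narrow to the current account, so the documented default is not what this statement enforces. Conditioning on the resolved list instead, `values = local.config_accounts`, keeps the GetBucketAcl statement tied to the same account list the per-account delivery statements use. The enclosing statement block starts before this hunk.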
--- a/main.tf +++ b/main.tf @@ -229,7 +229,7 @@ data "aws_iam_policy_document" "main" { type = "Service" identifiers = ["config.amazonaws.com"] } - actions = ["s3:GetBucketAcl"] + actions = ["s3:GetBucketAcl", "s3:ListBucket"] resources = [local.bucket_arn] condition { test = "StringEquals" @@ -238,22 +238,24 @@ data "aws_iam_policy_document" "main" { } } - statement { - sid = "config-bucket-delivery" - effect = local.config_effect - principals { - type = "Service" - identifiers = ["config.amazonaws.com"] - } - actions = ["s3:PutObject"] - condition { - test = "StringEquals" - variable = "s3:x-amz-acl" - values = ["bucket-owner-full-control"] + dynamic "statement" { + for_each = { for k, v in local.config_resources : k => v } + content { + sid = "config-bucket-delivery-${statement.key}" + effect = local.config_effect + principals { + type = "Service" + identifiers = ["config.amazonaws.com"] + } + actions = ["s3:PutObject"] + condition { + test = "StringEquals" + variable = "AWS:SourceAccount" + values = [statement.value] + } + resources = statement.value } - resources = local.config_resources } - # # ELB bucket policies # From 9e8aa578c0a0c156ec42c0eb7c61d544d237963d Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Thu, 3 Feb 2022 01:30:35 -0300 Subject: [PATCH 04/11] Fix resources parameter in dynamic statement --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 3f0dde2..55c1c22 100644 --- a/main.tf +++ b/main.tf @@ -253,7 +253,7 @@ data "aws_iam_policy_document" "main" { variable = "AWS:SourceAccount" values = [statement.value] } - resources = statement.value + resources = [statement.value] } } # From 3553ccd493c5108497fff12ff6a99c0ebb551e60 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Thu, 3 Feb 2022 02:23:30 -0300 Subject: [PATCH 05/11] Change resources parameter in dynamic statement --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/main.tf b/main.tf index 55c1c22..b9f10b7 100644 --- a/main.tf +++ b/main.tf @@ -239,7 +239,7 @@ data "aws_iam_policy_document" "main" { } dynamic "statement" { - for_each = { for k, v in local.config_resources : k => v } + for_each = { for k, v in local.config_accounts : k => v } content { sid = "config-bucket-delivery-${statement.key}" effect = local.config_effect @@ -253,7 +253,7 @@ data "aws_iam_policy_document" "main" { variable = "AWS:SourceAccount" values = [statement.value] } - resources = [statement.value] + resources = ["${local.bucket_arn}/${local.config_logs_path}/${statement.vale}/Config/*"] } } # From 2c09b259ee62f86706ffd35d79932d391fdc4e6d Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Thu, 3 Feb 2022 02:31:34 -0300 Subject: [PATCH 06/11] Fix typo in resources parameter for dynamic statement --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index b9f10b7..07a286d 100644 --- a/main.tf +++ b/main.tf @@ -253,7 +253,7 @@ data "aws_iam_policy_document" "main" { variable = "AWS:SourceAccount" values = [statement.value] } - resources = ["${local.bucket_arn}/${local.config_logs_path}/${statement.vale}/Config/*"] + resources = ["${local.bucket_arn}/${local.config_logs_path}/${statement.value}/Config/*"] } } # From a3071af1e2e9f1b3d1223f5efaffcaaef3750f39 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Tue, 8 Feb 2022 01:41:37 -0300 Subject: [PATCH 07/11] Add full controll condition to the bucket --- main.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/main.tf b/main.tf index 07a286d..a3ff6e7 100644 --- a/main.tf +++ b/main.tf @@ -253,6 +253,11 @@ data "aws_iam_policy_document" "main" { variable = "AWS:SourceAccount" values = [statement.value] } + condition { + test = "StringEquals" + variable = "s3:x-amz-acl" + values = "bucket-owner-full-control" + } resources = ["${local.bucket_arn}/${local.config_logs_path}/${statement.value}/Config/*"] } } 
From 3e528a1d453ec52a7e29798f03729cbf27d91be0 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Tue, 8 Feb 2022 01:49:57 -0300 Subject: [PATCH 08/11] Fix values as list --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index a3ff6e7..c31007e 100644 --- a/main.tf +++ b/main.tf @@ -256,7 +256,7 @@ data "aws_iam_policy_document" "main" { condition { test = "StringEquals" variable = "s3:x-amz-acl" - values = "bucket-owner-full-control" + values = ["bucket-owner-full-control"] } resources = ["${local.bucket_arn}/${local.config_logs_path}/${statement.value}/Config/*"] } From d63f751191269f3ad9508a8d951d99d46c87ddcc Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Tue, 8 Feb 2022 02:37:18 -0300 Subject: [PATCH 09/11] Add PutObjectAcl action --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index c31007e..bb0663d 100644 --- a/main.tf +++ b/main.tf @@ -247,7 +247,7 @@ data "aws_iam_policy_document" "main" { type = "Service" identifiers = ["config.amazonaws.com"] } - actions = ["s3:PutObject"] + actions = ["s3:PutObject", "s3:PutObjectAcl"] condition { test = "StringEquals" variable = "AWS:SourceAccount" From 5045719637b1dd2bb64dfe403af813d3fcd38bb3 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Tue, 8 Feb 2022 03:47:23 -0300 Subject: [PATCH 10/11] Remove source account for get policiy --- main.tf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/main.tf b/main.tf index bb0663d..3d4af65 100644 --- a/main.tf +++ b/main.tf @@ -231,11 +231,6 @@ data "aws_iam_policy_document" "main" { } actions = ["s3:GetBucketAcl", "s3:ListBucket"] resources = [local.bucket_arn] - condition { - test = "StringEquals" - variable = "AWS:SourceAccount" - values = var.config_accounts - } } dynamic "statement" { From 279a90815615e776e729496aca08737c5f6c7337 Mon Sep 17 00:00:00 2001 
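Review bot: In the PATCH 09 hunk, adding `s3:PutObjectAcl` grants more than Config delivery needs: AWS's documented Config bucket policy gives the service only `s3:PutObject` (under the `s3:x-amz-acl` condition), and `PutObjectAcl` additionally lets the principal rewrite the ACL of objects that already exist in the prefix. The `s3:x-amz-acl = bucket-owner-full-control` condition in this statement does bound which ACL can be set, so the exposure is small, but the commit message gives no reason the extra action is required. Unless a delivery failure was actually observed without it, I would keep `actions = ["s3:PutObject"]`; if it is genuinely needed, a one-line comment above `actions` recording the failure that required it would stop the next reviewer from removing it again. The surrounding dynamic block and its conditions lie outside this hunk.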
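Review bot: In the PATCH 10 hunk, removing the `AWS:SourceAccount` condition from the GetBucketAcl/ListBucket statement reopens the confused-deputy path the earlier patches closed: `config.amazonaws.com` can now read this bucket's ACL and list every key in it on behalf of any AWS account that points a Config delivery channel at this bucket, and because `s3:ListBucket` is granted on the bucket ARN the listing covers every prefix, including whatever the ELB and CloudTrail sections of this same policy document deliver here, not just the Config prefix. AWS's documented Config bucket policy keeps `aws:SourceAccount` on exactly these two actions. If the condition was removed because `var.config_accounts` defaults to `[]` and rendered an empty value list, the fix is to condition on the resolved list the delivery statements already iterate, `values = local.config_accounts`, rather than to drop the check. The statement's `principals` block starts before this hunk.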
From: "Luis M. Gallardo D" Date: Tue, 8 Feb 2022 16:13:33 -0300 Subject: [PATCH 11/11] Remove unused variable --- variables.tf | 6 ------ 1 file changed, 6 deletions(-) diff --git a/variables.tf b/variables.tf index 1c77b45..c5eaa9d 100644 --- a/variables.tf +++ b/variables.tf @@ -118,12 +118,6 @@ variable "cloudtrail_accounts" { type = list(string) } -variable "config_source_accounts" { - description = "List of source accounts with permission to send logs Config bucket." - default = [] - type = list(string) -} - variable "config_accounts" { description = "List of accounts for Config logs. By default limits to the current account." default = []