Hello, I am trying to add AWS Config in Terraform. I've set up the following policy attachment like so:
```hcl
resource "aws_iam_policy" "policy" {
  name   = "test-policy"
  policy = <<-POLICY
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "config:PutEvaluations",
          "config:PutConfigRule",
          "config:DeleteConfigRule",
          "config:GetComplianceDetailsByConfigRule",
          "config:DescribeConfigRuleEvaluationStatus"
        ],
        "Effect": "Allow",
        "Resource": [
          "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
        ]
      }
    ]
  }
  POLICY
}
```
I've verified that the policy in AWS matches the policy attachment as prescribed above. However, when I visit the AWS Config service in the console I get the following error for each of my config rules:
```
Unable to perform config:PutEvaluations due to the lack of permissions on the role.
```
I haven't found any good resources on this issue. I've been scouring around, but nothing has turned up. I only came across this article: https://aws.amazon.com/premiumsupport/knowledge-center/config-error-security-hub/. Any help with this issue would be greatly appreciated. For reference I am attaching the policy to the IAM role like so:
```hcl
resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = aws_iam_role.config.name
  policy_arn = aws_iam_policy.policy.arn
}

resource "aws_iam_role" "config" {
  name               = "myconfig"
  assume_role_policy = <<-POLICY
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "config.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
      }
    ]
  }
  POLICY
}
```
I was able to solve my own problem.

```hcl
resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = aws_iam_role.config.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
}
```
I used the policy listed under "IAM Role Policy for Getting Configuration Details" in this document: https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
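Putting the question and the answer together, here is a complete service role for AWS Config as an added example; it is not the asker's code or anything from the linked AWS page. It keeps the managed policy ARN exactly as given in the answer, expresses the trust policy with `aws_iam_policy_document` instead of a heredoc, and adds the separate, bucket-scoped S3 permissions that the managed policy does not cover, wired to a recorder and delivery channel. The variable `config_bucket`, the resource names, and the bucket layout are assumptions made for the example.

```hcl
# Added example, not the asker's code. Assumes Terraform >= 0.12 and an AWS
# provider configured in the calling module. `config_bucket` is a constructed
# placeholder for an existing S3 bucket that receives Config deliveries.
variable "config_bucket" {
  type        = string
  description = "Existing S3 bucket for AWS Config deliveries (assumed name)."
}

data "aws_caller_identity" "current" {}

# Trust policy: only the AWS Config service may assume this role.
data "aws_iam_policy_document" "config_assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "config" {
  name               = "myconfig"
  assume_role_policy = data.aws_iam_policy_document.config_assume.json
}

# The AWS-managed service-role policy from the answer. It carries the
# config:* permissions the service needs for rule evaluation, which the
# resource-scoped hand-written policy in the question did not provide.
resource "aws_iam_role_policy_attachment" "config_managed" {
  role       = aws_iam_role.config.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
}

# S3 delivery is not part of the managed policy. Grant only the bucket ACL
# read and object writes under this account's AWSLogs prefix, and require
# bucket-owner-full-control so the bucket owner keeps control of the objects.
data "aws_iam_policy_document" "config_delivery" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetBucketAcl"]
    resources = ["arn:aws:s3:::${var.config_bucket}"]
  }
  statement {
    effect    = "Allow"
    actions   = ["s3:PutObject", "s3:PutObjectAcl"]
    resources = ["arn:aws:s3:::${var.config_bucket}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
    condition {
      test     = "StringLike"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_iam_role_policy" "config_delivery" {
  name   = "config-delivery"
  role   = aws_iam_role.config.id
  policy = data.aws_iam_policy_document.config_delivery.json
}

# Recorder uses the role above; the delivery channel must be created after it.
resource "aws_config_configuration_recorder" "this" {
  name     = "default"
  role_arn = aws_iam_role.config.arn
  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

resource "aws_config_delivery_channel" "this" {
  name           = "default"
  s3_bucket_name = var.config_bucket
  depends_on     = [aws_config_configuration_recorder.this]
}

resource "aws_config_configuration_recorder_status" "this" {
  name       = aws_config_configuration_recorder.this.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.this]
}
```

The managed policy grants broad read access across services, which is what Config needs to describe resources, so the least-privilege work happens on the parts that are yours: a trust policy limited to `config.amazonaws.com` and an S3 grant limited to one bucket and one prefix. AWS has since published `AWS_ConfigRole` as the successor to `AWSConfigRole`; the developer-guide page linked in the answer names the current managed policy, so confirm the ARN there before applying.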