AWSTemplateFormatVersion: 2010-09-09
Description: Enable AWS Config Aggregator and Recorder for an Organization (qs-1t0eilb5g)
Parameters:
  GlobalResourceTypesRegion:
    Type: String
    Default: us-east-1
    Description: AWS region used to record global resource types
  OrgAggregatorName:
    Type: String
    Default: OrganizationalRecorder
    AllowedPattern: "^[\\w\\-]+"
    ConstraintDescription: ""
    Description: Name of the organizational aggregator
  CreateRecorder:
    Type: String
    Default: 'yes'
    AllowedValues:
      - 'yes'
      - 'no'
    Description: Should this template create the recorder
Conditions:
  # Global resource types (IAM etc.) are recorded only in the designated region,
  # so they are not duplicated in every regional recorder.
  IncludeGlobalResourceTypes: !Equals
    - !Ref GlobalResourceTypesRegion
    - !Ref AWS::Region
  CreateConfigRecorder: !Equals
    - !Ref CreateRecorder
    - 'yes'
Resources:
  # Delivery bucket for configuration snapshots and history, encrypted at rest.
  ConfigBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
  ConfigBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Condition: CreateConfigRecorder
    Properties:
      Bucket: !Ref ConfigBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          # AWS Config verifies it can read the bucket ACL before delivering.
          - Sid: AWSConfigBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:GetBucketAcl
            Resource:
              - !Sub "arn:aws:s3:::${ConfigBucket}"
          # Reject any request that does not use TLS.
          - Sid: DisallowHTTP
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Resource:
              - !Sub "arn:aws:s3:::${ConfigBucket}"
            Condition:
              Bool:
                'aws:SecureTransport': false
          # Write access is limited to this account's AWSLogs prefix.
          - Sid: AWSConfigBucketDelivery
            Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action: s3:PutObject
            Resource:
              - !Sub "arn:aws:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*"
  # Service role assumed by AWS Config; only config.amazonaws.com may assume it.
  ConfigRecorderRole:
    Type: AWS::IAM::Role
    Condition: CreateConfigRecorder
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - config.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSConfigRole
  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Condition: CreateConfigRecorder
    DependsOn:
      - ConfigBucketPolicy
    Properties:
      RoleARN: !GetAtt ConfigRecorderRole.Arn
      RecordingGroup:
        AllSupported: True
        IncludeGlobalResourceTypes: !If
          - IncludeGlobalResourceTypes
          - True
          - False
  DeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    Condition: CreateConfigRecorder
    DependsOn:
      - ConfigBucketPolicy
    Properties:
      Name: default
      S3BucketName: !Ref ConfigBucket
  # Managed rule flagging any S3 bucket that allows public read access.
  S3BucketPublicReadRule:
    Type: AWS::Config::ConfigRule
    Condition: CreateConfigRecorder
    DependsOn:
      - ConfigRecorder
    Properties:
      ConfigRuleName: stackset-s3-bucket-public-read-prohibited
      Description: s3-bucket-public-read-prohibited from stackset
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
  # Organization-wide aggregator collecting Config data from all accounts and regions.
  ConfigurationAggregator:
    Type: 'AWS::Config::ConfigurationAggregator'
    Properties:
      OrganizationAggregationSource:
        RoleArn: !Join
          - ''
          - - 'arn:aws:iam::'
            - !Ref 'AWS::AccountId'
            - ':role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations'
        AllAwsRegions: true
      ConfigurationAggregatorName: !Ref OrgAggregatorName