# AWS Config Recorder

## Overview
This Terraform module provisions an AWS Config Recorder to continuously track and record configuration changes across AWS resources.
It enables historical visibility into changes, supports security audits, and helps maintain compliance with internal and external standards.
## Key Features
- Enables AWS Config to record configuration snapshots
- Sends data to a designated S3 bucket
- Leverages an IAM role for access to resource metadata
- Tags all resources with environment metadata
๐ผ Use Casesโ
- Track AWS resource configuration changes for audit purposes
- Maintain historical state and compliance evidence
- Trigger downstream compliance rules (with additional modules)
## Input Variables
| Name | Type | Description |
|---|---|---|
| region | string | AWS region where the config recorder will be deployed |
| config_recorder_name | string | Name of the AWS Config recorder |
| role_arn | string | ARN of the IAM role to allow AWS Config to record resource configurations |
| s3_bucket_name | string | Name of the S3 bucket to store configuration snapshots |
| environment | string | Environment label used for tagging (e.g., prod, dev) |
## Outputs
| Name | Description |
|---|---|
| config_recorder_name | The name of the created AWS Config recorder |
| config_recorder_arn | The ARN of the AWS Config recorder |
## Deployment Readiness

- Compatible with Terraform 1.0+
- Requires AWS Provider 5.x or later
- Must have an existing IAM role with AWS Config permissions
- Requires an existing S3 bucket for storing configuration history
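The IAM role and S3 bucket the module expects to already exist can be created as below. This is an added example, not part of the module's own source; the role and bucket names match the module call shown under Example Usage, and the `AWS_ConfigRole` managed policy and the bucket-policy statements are the ones AWS documents for Config delivery.

```hcl
data "aws_caller_identity" "current" {}

# IAM role AWS Config assumes; AWS_ConfigRole is the AWS-managed read-only policy it needs.
resource "aws_iam_role" "config_recorder" {
  name = "ConfigRecorderRole"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "config.amazonaws.com" }
      Action    = "sts:AssumeRole"
      # Confused-deputy guard: only Config acting for this account may assume the role.
      Condition = { StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id } }
    }]
  })
}
resource "aws_iam_role_policy_attachment" "config_recorder" {
  role       = aws_iam_role.config_recorder.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}

# Delivery bucket with the bucket policy AWS Config requires before it will write snapshots.
resource "aws_s3_bucket" "config_snapshots" {
  bucket = "archiphire-config-snapshots"
}
resource "aws_s3_bucket_policy" "config_snapshots" {
  bucket = aws_s3_bucket.config_snapshots.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AWSConfigBucketPermissionsCheck"
        Effect    = "Allow"
        Principal = { Service = "config.amazonaws.com" }
        Action    = ["s3:GetBucketAcl", "s3:ListBucket"]
        Resource  = aws_s3_bucket.config_snapshots.arn
        Condition = { StringEquals = { "AWS:SourceAccount" = data.aws_caller_identity.current.account_id } }
      },
      {
        # Writes are limited to this account's AWSLogs prefix and must grant the bucket owner full control.
        Sid       = "AWSConfigBucketDelivery"
        Effect    = "Allow"
        Principal = { Service = "config.amazonaws.com" }
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.config_snapshots.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/Config/*"
        Condition = { StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control", "AWS:SourceAccount" = data.aws_caller_identity.current.account_id } }
      }
    ]
  })
}
```

Pass `aws_iam_role.config_recorder.arn` and `aws_s3_bucket.config_snapshots.bucket` to the module's `role_arn` and `s3_bucket_name` inputs instead of the literal strings.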
## Example Usage

```hcl
module "config_recorder_deployment" {
  source               = "git::ssh://git@github.com/archiphire/aws-level-1-modules.git//governance/config-recorder?ref=v1.0.0"
  region               = "us-east-1"
  config_recorder_name = "archiphire-config-recorder"
  role_arn             = "arn:aws:iam::123456789012:role/ConfigRecorderRole"
  s3_bucket_name       = "archiphire-config-snapshots"
  environment          = "prod"
}
```

```sh
terraform init
terraform plan
terraform apply
```

or

```sh
tofu init
tofu plan
tofu apply
```
## Cleanup Options

Terraform Destroy:

```sh
terraform destroy
```

or

```sh
tofu destroy
```

Manual Deletion (Recommended for Production):

```sh
aws configservice delete-configuration-recorder --configuration-recorder-name archiphire-c
```

## Notes
This is a Level 1 governance module. While it sets up the config recorder and snapshot delivery, it does not include rule evaluations or compliance checks. For a full compliance architecture, extend with managed/custom AWS Config rules and alerting mechanisms.
## Deployment Package Notice
This module is part of the Level 1 AWS License Tier. To access the full deployment package and source code, subscribe to Archiphire.