Merge pull request #2 from dap-aws/dap-aws-patch-2

dap-aws · web-flow · commit adfb9cbff16d · 2025-04-08T12:38:29.000-07:00
Update ct_configrecorder_override_consumer.py to only include globals in home region
diff --git a/ct_configrecorder_override_consumer.py b/ct_configrecorder_override_consumer.py
@@ -86,6 +86,9 @@ def assume_role(account_id, role='AWSControlTowerExecution'):
         try:
             role_arn = 'arn:aws:iam::' + account_id + ':role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig'
 
+            ## added IAM global resource list
+            GLOBAL_IAM_RESOURCE_LIST = ['AWS::IAM::Group','AWS::IAM::Policy','AWS::IAM::Role','AWS::IAM::User']
+
             CONFIG_RECORDER_DAILY_RESOURCE_STRING = os.getenv('CONFIG_RECORDER_OVERRIDE_DAILY_RESOURCE_LIST')
             CONFIG_RECORDER_OVERRIDE_DAILY_RESOURCE_LIST = CONFIG_RECORDER_DAILY_RESOURCE_STRING.split(
                 ',') if CONFIG_RECORDER_DAILY_RESOURCE_STRING != '' else []
@@ -98,6 +101,18 @@ def assume_role(account_id, role='AWSControlTowerExecution'):
             res = [x for x in CONFIG_RECORDER_OVERRIDE_DAILY_RESOURCE_LIST if x not in CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST]
             CONFIG_RECORDER_OVERRIDE_DAILY_RESOURCE_LIST[:] = res
 
+            ## create two new lists - NOT_HOME and HOME
+            CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST_NOT_HOME = []
+            CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST_HOME = []
+
+            ## remove any of the global IAM resources from exclusion list for HOME region
+            home = [x for x in CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST if x not in GLOBAL_IAM_RESOURCE_LIST]
+            CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST_HOME[:] = home
+            ## take home list and add globals for NOT_HOME exclusion list for linked regions
+            CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST_NOT_HOME = home + GLOBAL_IAM_RESOURCE_LIST
+
+            home_region = os.getenv('CONTROL_TOWER_HOME_REGION') == aws_region
+
             # Event = Delete is when stack is deleted, we rollback changed made and leave it as ControlTower Intended
             if event == 'Delete':
                 response = configservice.put_configuration_recorder(
@@ -119,7 +134,8 @@ def assume_role(account_id, role='AWSControlTowerExecution'):
                         'allSupported': False,
                         'includeGlobalResourceTypes': False,
                         'exclusionByResourceTypes': {
-                            'resourceTypes': CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST
+                        ## for exclusion list exclusionByResourceTypes.resourceTypes: if home_region==true use home, else use not_home
+                            'resourceTypes': CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST_HOME if home_region == True else CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST_NOT_HOME
                         },
                         'recordingStrategy': {
                             'useOnly': 'EXCLUSION_BY_RESOURCE_TYPES'
