update to allow exclusions and record Global IAM resource-types in the Control Tower Home region only. #25
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
add the CONTROL_TOWER_HOME_REGION: !Ref 'AWS::Region' variable for setting the Global Resource recording in the Home region only.
…resources in the Home region. Adds a list and list comprehension to include the 4 global IAM resource-types in recording scope for the Control Tower Home region only. This is necessary since the 'exclusionByResourceTypes' option overrides the 'includeGlobalResourceTypes' option.
Update template.yaml with CONTROL_TOWER_HOME_REGION variable
Update ct_configrecorder_override_consumer.py to only include globals in home region
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue #, if available:
How to exclude global resource types #14
#14
Description of changes:
Added variable to CFN template.yaml to get the Control Tower Home region which is the region that deploys the Config BASELINE StackSet and the solution. Consistent with this commit:
4c4eb77
Added a static list of the 4 Global IAM resource-types as reference to add and remove to two new lists created.
Created two new lists for exclusions: one for resource-types to exclude in the Home region and one for resource-types to exclude for all other CT governed regions, which should contain the 4 Global IAM resource-types.
Used a list comprehension to remove or add the 4 Global IAM resource-types accordingly.
Confirm if the region is the CT Home region to select the appropriate exclusion list for the recorder in that region.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.