Merge pull request #19 from gokendra1/includeGlobalResourceBugfix

vsr2158 · web-flow · commit d1555d7ad75a · 2025-04-18T13:40:24.000+10:00
Include global resource bugfix
diff --git a/ct_configrecorder_override_consumer.py b/ct_configrecorder_override_consumer.py
@@ -89,6 +89,12 @@ def assume_role(account_id, role='AWSControlTowerExecution'):
             CONFIG_RECORDER_DAILY_RESOURCE_STRING = os.getenv('CONFIG_RECORDER_OVERRIDE_DAILY_RESOURCE_LIST')
             CONFIG_RECORDER_OVERRIDE_DAILY_RESOURCE_LIST = CONFIG_RECORDER_DAILY_RESOURCE_STRING.split(
                 ',') if CONFIG_RECORDER_DAILY_RESOURCE_STRING != '' else []
+            
+            CONFIG_RECORDER_DAILY_GLOBAL_RESOURCE_STRING = os.getenv('CONFIG_RECORDER_OVERRIDE_DAILY_GLOBAL_RESOURCE_LIST')
+            CONFIG_RECORDER_DAILY_GLOBAL_RESOURCE_LIST = CONFIG_RECORDER_DAILY_GLOBAL_RESOURCE_STRING.split(
+                ',') if CONFIG_RECORDER_DAILY_GLOBAL_RESOURCE_STRING != '' else []
+            
+                        
             CONFIG_RECORDER_EXCLUSION_RESOURCE_STRING = os.getenv('CONFIG_RECORDER_OVERRIDE_EXCLUDED_RESOURCE_LIST')
             CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST = CONFIG_RECORDER_EXCLUSION_RESOURCE_STRING.split(
                 ',') if CONFIG_RECORDER_EXCLUSION_RESOURCE_STRING != '' else []
@@ -99,14 +105,18 @@ def assume_role(account_id, role='AWSControlTowerExecution'):
             CONFIG_RECORDER_OVERRIDE_DAILY_RESOURCE_LIST[:] = res
 
             # Event = Delete is when stack is deleted, we rollback changed made and leave it as ControlTower Intended
+            home_region = os.getenv('CONTROL_TOWER_HOME_REGION') == aws_region
+            if home_region:
+                CONFIG_RECORDER_OVERRIDE_DAILY_RESOURCE_LIST += CONFIG_RECORDER_DAILY_GLOBAL_RESOURCE_LIST
+
             if event == 'Delete':
                 response = configservice.put_configuration_recorder(
                     ConfigurationRecorder={
                         'name': 'aws-controltower-BaselineConfigRecorder',
                         'roleARN': role_arn,
                         'recordingGroup': {
                             'allSupported': True,
-                            'includeGlobalResourceTypes': False
+                            'includeGlobalResourceTypes': home_region
                         }
                     })
                 logging.info(f'Response for put_configuration_recorder :{response} ')
diff --git a/template.yaml b/template.yaml
@@ -19,6 +19,11 @@ Parameters:
     Default: "AWS::AutoScaling::AutoScalingGroup,AWS::AutoScaling::LaunchConfiguration"
     Type: String
 
+  ConfigRecorderDailyGlobalResourceTypes:
+    Description: List of Global resource types to be set to a daily cadence in the AWS Control Tower home region
+    Default: "AWS::IAM::Policy,AWS::IAM::User,AWS::IAM::Role,AWS::IAM::Group"
+    Type: String
+
   ConfigRecorderDefaultRecordingFrequency:
     Description: Default Frequency of recording configuration changes.
     Default: CONTINUOUS
@@ -109,8 +114,10 @@ Resources:
                 Variables:
                     LOG_LEVEL: INFO
                     CONFIG_RECORDER_OVERRIDE_DAILY_RESOURCE_LIST: !Ref ConfigRecorderDailyResourceTypes
+                    CONFIG_RECORDER_OVERRIDE_DAILY_GLOBAL_RESOURCE_LIST: !Ref ConfigRecorderDailyGlobalResourceTypes
                     CONFIG_RECORDER_OVERRIDE_EXCLUDED_RESOURCE_LIST: !Ref ConfigRecorderExcludedResourceTypes
                     CONFIG_RECORDER_DEFAULT_RECORDING_FREQUENCY: !Ref ConfigRecorderDefaultRecordingFrequency
+                    CONTROL_TOWER_HOME_REGION: !Ref 'AWS::Region'
 
     ConsumerLambdaEventSourceMapping:
         Type: AWS::Lambda::EventSourceMapping
