Fix erros with Config Authorization resources

README.md

@@ -7,7 +7,7 @@ This module provisions by default a set of basic AWS Config Rules. In order to a
 
 If you would like to authorize other accounts to aggregate AWS Config data, the account IDs and regions can also be passed via the variable `aws_config` using the attributes `aggregator_account_ids` and `aggregator_regions` respectively. 
 
-NOTE: The `audit` account will be automatically authorized to aggregate AWS Config data from the other 2 core acccounts in the following regions: `eu-central-1` and `eu-west-1`.
+NOTE: This module already authorizes the `audit` account to aggregate Config data from all other accounts in the organization, so there is no need to specify the `audit` account ID in the `aggregator_account_ids` list.
 
 Example:
 

audit.tf

@@ -35,7 +35,8 @@ resource "aws_config_aggregate_authorization" "audit" {
 }
 
 resource "aws_config_configuration_aggregator" "audit" {
-  name = "audit"
+  providers = { aws = aws.audit }
+  name      = "audit"
 
   account_aggregation_source {
     account_ids = [

locals.tf

@@ -1,7 +1,7 @@
 locals {
   aws_config_aggregators = flatten([
-    for account in toset(concat(try(var.aws_config.aggregator_account_ids, []), [var.control_tower_account_ids.audit])) : [
-      for region in toset(concat(try(var.aws_config.aggregator_regions, []), ["eu-central-1", "eu-west-1"])) : {
+    for account in toset(try(var.aws_config.aggregator_account_ids, [])) : [
+      for region in toset(try(var.aws_config.aggregator_regions, [])) : {
         account_id = account
         region     = region
       }

logging.tf

@@ -28,7 +28,7 @@ resource "aws_cloudwatch_event_target" "monitor_iam_access_logging" {
 }
 
 resource "aws_config_aggregate_authorization" "logging" {
-  for_each   = { for aggregator in local.aws_config_aggregators : "${aggregator.account_id}-${aggregator.region}" => aggregator }
+  for_each   = { for aggregator in local.aws_config_aggregators : "${aggregator.account_id}-${aggregator.region}" => aggregator if aggregator.account_id != var.control_tower_account_ids.audit }
   provider   = aws.logging
   account_id = each.value.account_id
   region     = each.value.region

main.tf

@@ -18,11 +18,17 @@ resource "aws_cloudwatch_event_target" "monitor_iam_access_master" {
 }
 
 resource "aws_config_aggregate_authorization" "master" {
-  for_each   = { for aggregator in local.aws_config_aggregators : "${aggregator.account_id}-${aggregator.region}" => aggregator }
+  for_each   = { for aggregator in local.aws_config_aggregators : "${aggregator.account_id}-${aggregator.region}" => aggregator if aggregator.account_id != var.control_tower_account_ids.audit }
   account_id = each.value.account_id
   region     = each.value.region
 }
 
+resource "aws_config_aggregate_authorization" "master_to_audit" {
+  for_each   = toset(try(var.aws_config.aggregator_regions, ["eu-central-1", "eu-west-1"]))
+  account_id = var.control_tower_account_ids.audit
+  region     = each.value
+}
+
 resource "aws_config_configuration_recorder" "default" {
   name     = "default"
   role_arn = aws_iam_role.config_recorder.arn

modules/avm/README.md

@@ -6,6 +6,8 @@ Terraform module to provision an AWS account with a TFE workspace backed by a VC
 
 If you would like to authorize other accounts to aggregate AWS Config data, the account IDs and regions can be passed via the variable `aws_config` using the attributes `aggregator_account_ids` and `aggregator_regions` respectively.
 
+NOTE: Control Tower already authorizes the `audit` account to aggregate Config data from all other accounts in the organization, so there is no need to specify the `audit` account ID in the `aggregator_account_ids` list.
+
 Example:
 
 ```hcl