I spent a good portion of my week trying (and failing) to deploy AWS Config with Terraform.
AWS Config is a service that continuously records the configuration of the resources in your AWS account and evaluates those configurations against a set of rules (AWS-managed or custom) so you can verify that the account stays compliant. It detects changes such as an S3 bucket being granted public access or modifications to your VPC and EC2 configuration. Each rule evaluation is published as a compliance-change event on EventBridge, and those events can drive automation that fixes the issue or notify somebody that a resource in the account is violating your standards and compliance rules. This ability to detect and report on changes can be a powerful tool as part of a comprehensive cloud security plan.
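The notification side described above, as an added Terraform example that is not the author's code: it subscribes an SNS topic to the compliance-change events Config emits, filtered to evaluations that turned NON_COMPLIANT. The resource names are placeholders, and it assumes the Config recorder is already enabled in the region (nothing here turns it on).

```hcl
# Added example, not the author's code: forward NON_COMPLIANT evaluations
# from AWS Config to an SNS topic. Names are placeholders; the region's
# Config recorder is assumed to already be enabled.

resource "aws_sns_topic" "config_alerts" {
  name = "config-compliance-alerts"
}

# EventBridge must be allowed to publish to the topic, otherwise the target
# silently fails delivery.
resource "aws_sns_topic_policy" "config_alerts" {
  arn = aws_sns_topic.config_alerts.arn
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "events.amazonaws.com" }
      Action    = "sns:Publish"
      Resource  = aws_sns_topic.config_alerts.arn
    }]
  })
}

# Match only evaluations whose new result is NON_COMPLIANT. The event detail
# carries configRuleName, resourceType and resourceId for the consumer.
resource "aws_cloudwatch_event_rule" "config_noncompliant" {
  name        = "config-noncompliant"
  description = "AWS Config rule evaluations that turned NON_COMPLIANT"
  event_pattern = jsonencode({
    source        = ["aws.config"]
    "detail-type" = ["Config Rules Compliance Change"]
    detail = {
      newEvaluationResult = { complianceType = ["NON_COMPLIANT"] }
    }
  })
}

resource "aws_cloudwatch_event_target" "config_alerts" {
  rule = aws_cloudwatch_event_rule.config_noncompliant.name
  arn  = aws_sns_topic.config_alerts.arn
}
```

Subscribing an email address or a Lambda function to the topic is all that is left to turn this into a pager or an auto-remediation hook; filtering on NON_COMPLIANT in the event pattern keeps the COMPLIANT transitions (which are far more numerous) from reaching the subscriber at all.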
That said, setting up the service is complicated and not intuitive. Several prerequisites have to be in place before a single rule can run: an IAM role for the service to assume, an S3 bucket with a policy that allows Config to write to it, a configuration recorder, and a delivery channel, and they have to be created in that order. Unlike CloudTrail, where one organization trail covers every account, the Config recorder and delivery channel have to be enabled separately in each account and each region you want covered (an aggregator collects the results from all of them into one view, but it does not turn the recorder on for you). This leads to a lot of copy-pasted Terraform code if you have several accounts.
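The prerequisite chain for one account and one region, as an added Terraform example that is not the author's module: service role, delivery bucket with the policy Config requires, recorder, delivery channel, the recorder status that actually starts recording, and one managed rule. Resource and bucket names are placeholders; the role, recorder and channel names follow the AWS defaults but are not required to. To cover several regions, this is the body that would be wrapped in a module and instantiated once per aliased provider, with the bucket created only once per account.

```hcl
# Added example (not the author's module): AWS Config prerequisites for one
# account and one region, plus one managed rule. Names are placeholders.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
  bucket     = "config-logs-${local.account_id}-${data.aws_region.current.name}"
}

# Role the recorder assumes; AWS_ConfigRole is the AWS-managed read policy.
resource "aws_iam_role" "config" {
  name = "aws-config-recorder"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "config.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "config" {
  role       = aws_iam_role.config.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}

# Delivery bucket. Config must be able to read the bucket ACL and write under
# AWSLogs/<account>/Config/ with bucket-owner-full-control; the SourceAccount
# condition keeps another account's Config service from writing here.
resource "aws_s3_bucket" "config" {
  bucket = local.bucket
}

resource "aws_s3_bucket_policy" "config" {
  bucket = aws_s3_bucket.config.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "config.amazonaws.com" }
        Action    = ["s3:GetBucketAcl", "s3:ListBucket"]
        Resource  = aws_s3_bucket.config.arn
        Condition = { StringEquals = { "AWS:SourceAccount" = local.account_id } }
      },
      {
        Effect    = "Allow"
        Principal = { Service = "config.amazonaws.com" }
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.config.arn}/AWSLogs/${local.account_id}/Config/*"
        Condition = {
          StringEquals = {
            "s3:x-amz-acl"      = "bucket-owner-full-control"
            "AWS:SourceAccount" = local.account_id
          }
        }
      }
    ]
  })
}

# Recorder -> delivery channel -> enable. The channel needs an existing
# recorder, and the recorder cannot be started until a channel exists.
resource "aws_config_configuration_recorder" "this" {
  name     = "default"
  role_arn = aws_iam_role.config.arn
  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

resource "aws_config_delivery_channel" "this" {
  name           = "default"
  s3_bucket_name = aws_s3_bucket.config.bucket
  depends_on     = [aws_config_configuration_recorder.this, aws_s3_bucket_policy.config]
}

resource "aws_config_configuration_recorder_status" "this" {
  name       = aws_config_configuration_recorder.this.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.this]
}

# Managed rule: flag S3 buckets that grant public read access.
resource "aws_config_config_rule" "s3_public_read" {
  name = "s3-bucket-public-read-prohibited"
  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }
  depends_on = [aws_config_configuration_recorder.this]
}
```

The explicit `depends_on` edges are the part that is easy to get wrong: Terraform cannot infer that the delivery channel needs the bucket policy to already be in place (Config validates bucket access when the channel is created) or that rules need a recorder, so without them an apply fails with an opaque InsufficientDeliveryPolicyException or NoAvailableConfigurationRecorderException on first run and then succeeds on retry. Setting `include_global_resource_types` in only one region per account avoids recording IAM and other global resources several times over.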
I think I am getting close to having a working solution. I have made a module to help with the amount of code duplication, and with a little more fine-tuning I think I will have working Config setup early next week.
Finishing up my Terraform Config project.