From 0c156f839bced12629b3bfb4f91cf2f021d76a9d Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 1 Sep 2023 16:08:11 -0400
Subject: [PATCH] update names
---
 cloudtrail/OFF/README.md | 39 +++++++++++
 cloudtrail/OFF/role.tf | 141 +++++++++++++++++++++++++++++++++++++++
 cloudtrail/main.tf | 1 +
 cloudtrail/s3.tf | 2 +-
 cloudtrail/sns.s3.tf | 6 +-
 cloudtrail/sqs.s3.tf | 8 +-
 6 files changed, 189 insertions(+), 8 deletions(-)
 create mode 100644 cloudtrail/OFF/README.md
 create mode 100644 cloudtrail/OFF/role.tf
diff --git a/cloudtrail/OFF/README.md b/cloudtrail/OFF/README.md
new file mode 100644
index 0000000..cb413c4
--- /dev/null
+++ b/cloudtrail/OFF/README.md
@@ -0,0 +1,39 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+| [local](#provider\_local) | n/a |
+| [null](#provider\_null) | n/a |
+| [template](#provider\_template) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudtrail.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource |
+| [aws_cloudwatch_log_group.inf-cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_iam_policy.cloudtrail_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_kms_key.cloudtrail_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [local_file.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
+| [null_resource.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_iam_policy_document.cloudtrail_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [template_file.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
diff --git a/cloudtrail/OFF/role.tf b/cloudtrail/OFF/role.tf
new file mode 100644
index 0000000..c443d4e
--- /dev/null
+++ b/cloudtrail/OFF/role.tf
@@ -0,0 +1,141 @@
+locals {
+ cloudwatch_prefix = replace(aws_cloudwatch_log_group.inf-cloudtrail.arn, "/:\\*$/", "")
+ cloudwatch_suffix = "${var.account_id}_CloudTrail_${var.region}*"
+ cloudwatch_resources = join(":", list(local.cloudwatch_prefix, "log-stream", local.cloudwatch_suffix))
+ cloudtrail_policies = list(data.terraform_remote_state.common.outputs.policy_deny_billing_arn, aws_iam_policy.inf-cloudtrail.arn)
+ cloudtrail_bucket_arn = aws_s3_bucket.cloudtrail.arn
+
+ cloudtrail_role_name = format("%v%v", local._prefixes["role"], local.role_name)
+ cloudtrail_policy_name = format("%v%v", local._prefixes["policy"], local.role_name)
+
+}
+
+resource "aws_iam_role" "cloudtrail" {
+ name = local.cloudtrail_role_name
+ assume_role_policy = data.aws_iam_policy_document.cloudtrail_assume.json
+ description = "AWS CloudTrail Role for ${local.region}"
+ force_detach_policies = false
+ max_session_duration = 3600
+ # add deny billing
+ attached_policies = [aws_iam_policy.cloudtrail_policy.arn]
+ path = "/"
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ )
+}
+
+
+data "aws_iam_policy_document" "cloudtrail_assume" {
+ statement {
+ sid = "AWSCloudTrailServiceAssumeRole"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com"]
+ }
+ }
+}
+
+resource "aws_iam_policy" "cloudtrail_policy" {
+ name = local.cloudtrail_policy_name
+ policy = data.aws_iam_policy_document.cloudtrail_cloudwatch.json
+}
+
+
+resource "aws_kms_key" "cloudtrail_key" {
+ description = "encrypt inf-cloudtrail objects and streams"
+ enable_key_rotation = true
+ policy = data.aws_iam_policy_document.cloudtrail_key.json
+
+ tags = merge(
+ local.common_tags,
+ map("Name", var.kms_cloudtrail_key)
+ )
+}
+
+data "aws_iam_policy_document" "cloudtrail_cloudwatch" {
+ statement {
+ sid = "AWSCloudTrailCreateLogStream"
+ effect = "Allow"
+ actions = ["logs:CreateLogStream"]
+ resources = [local.cloudwatch_resources]
+ }
+
+ statement {
+ sid = "AWSCloudTrailPutLogEvents"
+ effect = "Allow"
+ actions = ["logs:PutLogEvents"]
+ resources = [local.cloudwatch_resources]
+ }
+}
+
+resource "aws_cloudtrail" "cloudtrail" {
+ name = "inf-cloudtrail"
+ s3_bucket_name = aws_s3_bucket.cloudtrail.id
+
+ # s3_key_prefix =
+ include_global_service_events = true
+ is_multi_region_trail = true
+ enable_log_file_validation = true
+ enable_logging = true
+
+ kms_key_id = aws_kms_key.cloudtrail_key.arn
+ sns_topic_name = aws_sns_topic.cloudtrail.arn
+ cloud_watch_logs_group_arn = aws_cloudwatch_log_group.inf-cloudtrail.arn
+ cloud_watch_logs_role_arn = aws_iam_role.inf-cloudtrail.arn
+
+ tags = merge(
+ local.common_tags,
+ {
+ "Project Role" = local.project_role["inf"]
+ },
+ map("Name", "inf-cloudtrail-cloudwatch"),
+ )
+}
+
+resource "aws_cloudwatch_log_group" "inf-cloudtrail" {
+ name = "inf-cloudtrail"
+
+ # kms_key_id = aws_kms_key.cloudtrail_key.arn
+ retention_in_days = 7
+
+ tags = merge(
+ local.common_tags,
+ map("Name", "inf-cloudtrail-cloudwatch-log"),
+ )
+}
+
+## # add this later after creating additional buckets for applications
+## # or, create an app-specific bucket for the cloudtrail logs
+## resource "aws_cloudtrail" "inf-cloudtrail-s3" {
+## name = "inf-cloudtrail-s3"
+## s3_bucket_name = aws_s3_bucket.cloudtrail.id
+## s3_key_prefix = "inf-s3"
+##
+## include_global_service_events = true
+## is_multi_region_trail = true
+## enable_log_file_validation = true
+## enable_logging = true
+##
+## kms_key_id = aws_kms_key.cloudtrail_key.arn
+##
+## tags = merge(
+## local.common_tags,
+## map("Name", "inf-cloudtrail-s3"),
+## )
+##
+## event_selector {
+## read_write_type = "All"
+## include_management_events = true
+##
+## data_resource {
+## type = "AWS::S3::Object"
+## values = [ "${aws_s3_bucket.edl-poc-dl-versioned.arn}/" ]
+## }
+## }
+## }
+##
diff --git a/cloudtrail/main.tf b/cloudtrail/main.tf
index 31682eb..06211a0 100644
--- a/cloudtrail/main.tf
+++ b/cloudtrail/main.tf
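Review bot: The new `role.tf` cannot validate as written, and the visible consequence is that the deny-billing policy is never attached to the trail's delivery role despite the `# add deny billing` comment: `attached_policies` is not an argument of `aws_iam_role`, `local.cloudtrail_policies` names `aws_iam_policy.inf-cloudtrail` while the policy resource is `cloudtrail_policy`, `cloud_watch_logs_role_arn` names `aws_iam_role.inf-cloudtrail` while the role is `cloudtrail`, and `data.aws_iam_policy_document.cloudtrail_key` used for the KMS key policy is not defined in this file. `list()` and `map()` were removed in Terraform 0.15 and the rest of this module already uses `tomap()`, so the literals should follow suit. The attachment below, plus `cloud_watch_logs_role_arn = aws_iam_role.cloudtrail.arn`, makes the policy binding explicit and plan-able. Before this is switched back on, `retention_in_days = 7` and the commented-out `kms_key_id` on the log group deserve a deliberate decision, since this log group is what detections and investigations would read CloudTrail from. If `OFF/` is intentionally parked code, a one-line note saying so in the generated README would save the next reader a failed `terraform validate`.

```hcl
locals {
  # … unchanged: cloudwatch_* locals …
  # Static keys keep for_each plan-able while the policy ARN is still unknown.
  cloudtrail_policies = {
    deny_billing = data.terraform_remote_state.common.outputs.policy_deny_billing_arn
    cloudwatch   = aws_iam_policy.cloudtrail_policy.arn
  }
  # … unchanged: cloudtrail_bucket_arn, cloudtrail_role_name, cloudtrail_policy_name …
}

resource "aws_iam_role" "cloudtrail" {
  # … unchanged: name, assume_role_policy, description, force_detach_policies, max_session_duration, path, tags …
  # (attached_policies removed; attachments are explicit resources below)
}

resource "aws_iam_role_policy_attachment" "cloudtrail" {
  for_each   = local.cloudtrail_policies
  role       = aws_iam_role.cloudtrail.name
  policy_arn = each.value
}
```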
@@ -136,6 +136,7 @@ locals { _name = var.name == null ? format("%v-%v", lookup(local._defaults["cloudtrail"], "name"), local.region) : var.name name = var.enable_organization ? lookup(local._defaults["org_cloudtrail"], "name") : local._name + s3_name = format("%v-s3", local.name) kms_key_name = format("k-%v", local.name) kms_admin_root = format("arn:%v:iam::%v:root", local.partition, local.account_id) # kms_admin_roles = compact(concat([var.kms_admin_root], var.kms_admin_roles)) diff --git a/cloudtrail/s3.tf b/cloudtrail/s3.tf index 026f5cd..35bb3c9 100644 --- a/cloudtrail/s3.tf +++ b/cloudtrail/s3.tf @@ -110,7 +110,7 @@ resource "aws_s3_bucket_notification" "this" { bucket = aws_s3_bucket.this.id topic { - topic_arn = var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3.arn : null + topic_arn = try(aws_sns_topic.cloudtrail_s3[0].arn, null) events = ["s3:ObjectCreated:*"] # filter_suffix = ".log" } diff --git a/cloudtrail/sns.s3.tf b/cloudtrail/sns.s3.tf index e11f316..9369edb 100644 --- a/cloudtrail/sns.s3.tf +++ b/cloudtrail/sns.s3.tf @@ -1,12 +1,12 @@ resource "aws_sns_topic" "cloudtrail_s3" { count = var.enable_s3_sns ? 1 : 0 - name = local.name + name = local.s3_name kms_master_key_id = data.aws_kms_key.incoming_key.id tags = merge( local.base_tags, var.tags, - tomap({ Name = local.name }), + tomap({ Name = local.s3_name }), ) } @@ -17,7 +17,7 @@ resource "aws_sns_topic_policy" "cloudtrail_s3" { } data "aws_iam_policy_document" "cloudtrail_s3_topic" { - policy_id = format("%v_s3_topic", local.name) + policy_id = format("%v_s3_topic", local.s3_name) statement { sid = "CloudtrailS3SNSPermissions" effect = "Allow" diff --git a/cloudtrail/sqs.s3.tf b/cloudtrail/sqs.s3.tf index d7241d9..35fb8ec 100644 --- a/cloudtrail/sqs.s3.tf +++ b/cloudtrail/sqs.s3.tf 
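Review bot: `topic_arn = try(aws_sns_topic.cloudtrail_s3[0].arn, null)` still leaves a `topic {}` block with a null `topic_arn` when `enable_s3_sns` is false; `topic_arn` is a required argument of that block, so I would expect Terraform to reject the notification in the disabled case rather than skip it — worth confirming, as the conditional being replaced had the same shape. Wrapping the block in `dynamic "topic"` keyed on `var.enable_s3_sns` omits it entirely when disabled, and also stops `try()` from turning a genuine reference error into "disabled". The enclosing `aws_s3_bucket_notification.this` continues outside the hunk. Note too that the SNS topic's `name` changes in this same commit, which replaces the topic; this notification is re-pointed at the new ARN on apply, but any other subscriptions on the old topic ARN are not carried over.

```hcl
resource "aws_s3_bucket_notification" "this" {
  bucket = aws_s3_bucket.this.id

  # Emit the topic block only when the topic exists; topic_arn may not be null.
  dynamic "topic" {
    for_each = var.enable_s3_sns ? [aws_sns_topic.cloudtrail_s3[0].arn] : []
    content {
      topic_arn = topic.value
      events    = ["s3:ObjectCreated:*"]
      # filter_suffix = ".log"
    }
  }
  # … unchanged: remainder of the resource, outside this hunk …
```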
@@ -1,7 +1,7 @@ resource "aws_sqs_queue" "cloudtrail_s3_deadletter" { count = var.enable_s3_sqs ? 1 : 0 # delay=0 retention=4d max=256k visibility=1h - name = format("%v-deadletter", local.name) + name = format("%v-deadletter", local.s3_name) delay_seconds = 0 max_message_size = 262144 message_retention_seconds = lookup(local._defaults["sqs_deadletter"], "message_retention_seconds", 1 * 86400) @@ -15,7 +15,7 @@ resource "aws_sqs_queue" "cloudtrail_s3_deadletter" { tags = merge( local.base_tags, var.tags, - tomap({ Name = format("%v-deadletter", local.name) }), + tomap({ Name = format("%v-deadletter", local.s3_name) }), ) } @@ -47,7 +47,7 @@ data "aws_iam_policy_document" "cloudtrail_s3_deadletter" { resource "aws_sqs_queue" "cloudtrail_s3" { count = var.enable_s3_sqs ? 1 : 0 # delay=0 retention=7d max=256k visibity=2h - name = local.name + name = local.s3_name delay_seconds = 0 max_message_size = 262144 message_retention_seconds = lookup(local._defaults["sqs_deadletter"], "message_retention_seconds", 7 * 86400) @@ -66,7 +66,7 @@ resource "aws_sqs_queue" "cloudtrail_s3" { tags = merge( local.base_tags, var.tags, - tomap({ Name = local.name }), + tomap({ Name = local.s3_name }), ) }
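Review bot: Changing `name` on `aws_sqs_queue.cloudtrail_s3` and its deadletter queue forces replacement, so this apply destroys both queues, including any CloudTrail S3 notifications still sitting in them, and creates new ones with new URLs and ARNs; any consumer of this queue has to be re-pointed in the same change window or events in the gap are lost. If a consumer is attached, draining first or adding `lifecycle { create_before_destroy = true }` (workable here precisely because the new name differs) narrows that window. Separately, in the context lines the main queue looks up `message_retention_seconds` under `local._defaults["sqs_deadletter"]` although its comment says `retention=7d`; if that defaults map carries the deadletter value, the main queue silently inherits it — this reads like a copied key and is worth confirming. The `aws_sqs_queue.cloudtrail_s3` block continues outside the hunk.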