add role

cloudtrail/README.md

@@ -58,7 +58,10 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_cloudtrail.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource |
+| [aws_cloudwatch_log_group.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_iam_policy.cloudtrail_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
@@ -73,6 +76,8 @@ No modules.
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

cloudtrail/cloudtrail.tf

@@ -7,14 +7,77 @@ resource "aws_cloudtrail" "this" {
   enable_log_file_validation    = true
   enable_logging                = true
   kms_key_id                    = var.kms_key_arn
-  #  sns_topic_name             = aws_sns_topic.cloudtrail.arn
-  #  cloud_watch_logs_group_arn = aws_cloudwatch_log_group.inf-cloudtrail.arn
-  #  cloud_watch_logs_role_arn  = aws_iam_role.inf-cloudtrail.arn
+  sns_topic_name                = var.enable_sns ? aws_sns_topic.cloudtrail[0].arn : null
+  cloud_watch_logs_group_arn    = aws_cloudwatch_log_group.cloudtrail.arn
+  cloud_watch_logs_role_arn     = aws_iam_role.cloudtrail.arn
 
   tags = merge(
     local.base_tags,
     var.tags,
-    { "Name" = local.name },
+    map("Name", local.name),
   )
   depends_on = [aws_s3_bucket_policy.policy]
 }
+
+resource "aws_iam_role" "cloudtrail" {
+  name                  = local.role_name
+  assume_role_policy    = data.aws_iam_policy_document.cloudtrail_assume.json
+  description           = "AWS CloudTrail Role for ${local.name}"
+  force_detach_policies = false
+  max_session_duration  = 3600
+  # add deny billing
+  attached_policies = [aws_iam_policy.cloudtrail_policy.arn]
+  path              = "/"
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    map("Name", local.role_name),
+  )
+}
+
+data "aws_iam_policy_document" "cloudtrail_assume" {
+  statement {
+    sid     = "AWSCloudTrailServiceAssumeRole"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "cloudtrail_policy" {
+  name   = local.policy_name
+  policy = data.aws_iam_policy_document.cloudtrail_cloudwatch.json
+}
+
+
+data "aws_iam_policy_document" "cloudtrail_cloudwatch" {
+  statement {
+    sid       = "AWSCloudTrailCreateLogStream"
+    effect    = "Allow"
+    actions   = ["logs:CreateLogStream"]
+    resources = [local.cloudwatch_resources]
+  }
+  statement {
+    sid       = "AWSCloudTrailPutLogEvents"
+    effect    = "Allow"
+    actions   = ["logs:PutLogEvents"]
+    resources = [local.cloudwatch_resources]
+  }
+}
+
+resource "aws_cloudwatch_log_group" "cloudtrail" {
+  name = local.name
+
+  kms_key_id        = var.kms_key_arn
+  retention_in_days = 7
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    map("Name", format("%v-log", local.name)),
+  )
+}

cloudtrail/main.tf

@@ -61,6 +61,9 @@ locals {
   #  kms_policy_document = var.kms_policy_document != null ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
 
   bucket_name = var.name == null ? format("%v-%v-%v", lookup(local._defaults["cloudtrail"], "name"), local.account_id, local.region) : var.name
+
+  role_name   = format("%v%v", local._prefixes["role"], local.name)
+  policy_name = format("%v%v", local._prefixes["policy"], local.name)
 }
 
 data "aws_kms_key" "incoming_key" {