From 1f30c36b60a87eda0617af46c8a98831a380ad3a Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 16 Nov 2021 12:50:41 -0500
Subject: [PATCH] add role

---
 cloudtrail/README.md | 5 +++
 cloudtrail/cloudtrail.tf | 71 +++++++++++++++++++++++++++++++++++++---
 cloudtrail/main.tf | 3 ++
 3 files changed, 75 insertions(+), 4 deletions(-)

diff --git a/cloudtrail/README.md b/cloudtrail/README.md
index b2daffb..ed9c045 100644
--- a/cloudtrail/README.md
+++ b/cloudtrail/README.md
@@ -58,7 +58,10 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_cloudtrail.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource |
+| [aws_cloudwatch_log_group.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_iam_policy.cloudtrail_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
@@ -73,6 +76,8 @@ No modules.
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
diff --git a/cloudtrail/cloudtrail.tf b/cloudtrail/cloudtrail.tf
index b231279..a0a051a 100644
--- a/cloudtrail/cloudtrail.tf
+++ b/cloudtrail/cloudtrail.tf
@@ -7,14 +7,77 @@ resource "aws_cloudtrail" "this" {
   enable_log_file_validation = true
   enable_logging = true
   kms_key_id = var.kms_key_arn
-  # sns_topic_name = aws_sns_topic.cloudtrail.arn
-  # cloud_watch_logs_group_arn = aws_cloudwatch_log_group.inf-cloudtrail.arn
-  # cloud_watch_logs_role_arn = aws_iam_role.inf-cloudtrail.arn
+  sns_topic_name = var.enable_sns ? aws_sns_topic.cloudtrail[0].arn : null
+  cloud_watch_logs_group_arn = aws_cloudwatch_log_group.cloudtrail.arn
+  cloud_watch_logs_role_arn = aws_iam_role.cloudtrail.arn
   tags = merge(
     local.base_tags,
     var.tags,
-    { "Name" = local.name },
+    map("Name", local.name),
   )
   depends_on = [aws_s3_bucket_policy.policy]
 }
+
+resource "aws_iam_role" "cloudtrail" {
+  name = local.role_name
+  assume_role_policy = data.aws_iam_policy_document.cloudtrail_assume.json
+  description = "AWS CloudTrail Role for ${local.name}"
+  force_detach_policies = false
+  max_session_duration = 3600
+  # add deny billing
+  attached_policies = [aws_iam_policy.cloudtrail_policy.arn]
+  path = "/"
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    map("Name", local.role_name),
+  )
+}
+
+data "aws_iam_policy_document" "cloudtrail_assume" {
+  statement {
+    sid = "AWSCloudTrailServiceAssumeRole"
+    effect = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "cloudtrail_policy" {
+  name = local.policy_name
+  policy = data.aws_iam_policy_document.cloudtrail_cloudwatch.json
+}
+
+
+data "aws_iam_policy_document" "cloudtrail_cloudwatch" {
+  statement {
+    sid = "AWSCloudTrailCreateLogStream"
+    effect = "Allow"
+    actions = ["logs:CreateLogStream"]
+    resources = [local.cloudwatch_resources]
+  }
+  statement {
+    sid = "AWSCloudTrailPutLogEvents"
+    effect = "Allow"
+    actions = ["logs:PutLogEvents"]
+    resources = [local.cloudwatch_resources]
+  }
+}
+
+resource "aws_cloudwatch_log_group" "cloudtrail" {
+  name = local.name
+
+  kms_key_id = var.kms_key_arn
+  retention_in_days = 7
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    map("Name", format("%v-log", local.name)),
+  )
+}
diff --git a/cloudtrail/main.tf b/cloudtrail/main.tf
index 5822348..9228d37 100644
--- a/cloudtrail/main.tf
+++ b/cloudtrail/main.tf
@@ -61,6 +61,9 @@ locals {
   # kms_policy_document = var.kms_policy_document != null ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
   bucket_name = var.name == null ? format("%v-%v-%v", lookup(local._defaults["cloudtrail"], "name"), local.account_id, local.region) : var.name
+
+  role_name = format("%v%v", local._prefixes["role"], local.name)
+  policy_name = format("%v%v", local._prefixes["policy"], local.name)
 }
 data "aws_kms_key" "incoming_key" {
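Review bot: `attached_policies = [aws_iam_policy.cloudtrail_policy.arn]` in the new `aws_iam_role.cloudtrail` is not an argument the AWS provider accepts on `aws_iam_role`, so the plan fails, and once the line is removed the role carries no permissions; attach the policy with an `aws_iam_role_policy_attachment` (`role = aws_iam_role.cloudtrail.name`, `policy_arn = aws_iam_policy.cloudtrail_policy.arn`) and either resolve or drop the stray `# add deny billing` comment. The tags change from `{ "Name" = local.name }` to `map("Name", local.name)` (repeated in the role and log group) moves to a function deprecated since Terraform 0.12 and removed in 0.15, so the object-literal form should stay. `local.cloudwatch_resources`, used twice in `cloudtrail_cloudwatch`, is not among the locals this patch adds in main.tf (only `role_name` and `policy_name`), so unless it is defined elsewhere in the module the policy document will not evaluate. Because `cloudtrail_assume` lets any trail in any account assume this role, consider adding a `condition` block on `aws:SourceArn` (the trail ARN) and `aws:SourceAccount` to the trust statement, which closes the confused-deputy path to the `logs:PutLogEvents` permission.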