add splunk generation

cloudtrail/README.md

@@ -48,6 +48,8 @@ No requirements.
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
 | <a name="provider_null"></a> [null](#provider\_null) | n/a |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+| <a name="provider_template"></a> [template](#provider\_template) | n/a |
 
 ## Modules
 
@@ -73,6 +75,8 @@ No modules.
 | [aws_sqs_queue_policy.cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [aws_sqs_queue_policy.cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [random_uuid.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -85,6 +89,7 @@ No modules.
 | [aws_iam_policy_document.cloudwatch_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [template_file.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 
 ## Inputs
 

cloudtrail/generate_splunk.cloudtrail.tf

@@ -0,0 +1,30 @@
+#---
+# generate splunk inputs file
+#---
+data "template_file" "splunk_cloudtrail" {
+  template = file("${path.module}/templates/inputs.cloudtrail.conf.tpl")
+  vars = {
+    account_id    = local.account_id
+    account_alias = local.account_alias
+    entry_uuid    = random_uuid.splunk_cloudtrail.result
+    region        = local.cloudtrail_region
+    queue_url     = var.enable_sqs ? aws_sqs_queue.cloudtrail[0].id : null
+  }
+}
+
+resource "random_uuid" "splunk_cloudtrail" {
+  keepers = {
+    queue_url = var.enable_sqs ? aws_sqs_queue.cloudtrail[0].id : null
+  }
+}
+
+resource "null_resource" "splunk_cloudtrail" {
+  count = var.enable_sqs ? 1 : 0
+  provisioner "local-exec" {
+    command = "test -d setup || mkdir setup"
+  }
+  provisioner "local-exec" {
+    working_dir = "setup"
+    command     = "echo '${data.template_file.splunk_cloudtrail.rendered}' > inputs.cloudtrail.${local.account_id}.${local.cloudtrail_region}.conf"
+  }
+}

cloudtrail/templates/inputs.cloudtrail.conf.tpl

@@ -0,0 +1,10 @@
+[aws_sqs_based_s3://${account_alias}-cloudtrail-${region}]
+account = ${account_alias}
+index = aws
+polling_interval = 300
+s3_file_decoder = CloudTrail
+sourcetype = aws:cloudtrail
+sqs_batch_size = 10
+sqs_queue_region = ${region}
+sqs_queue_url = ${queue_url}
+