more change for s3 sns

terraform-modules · Sep 1, 2023 · 3ff3ec5 · 3ff3ec5
1 parent e02710b
commit 3ff3ec5
Show file tree

Hide file tree

Showing 7 changed files with 315 additions and 5 deletions.
diff --git a/cloudtrail/generate_splunk.cloudtrail.tf → cloudtrail/OFF/generate_splunk.cloudtrail.tf b/cloudtrail/generate_splunk.cloudtrail.tf → cloudtrail/OFF/generate_splunk.cloudtrail.tf
diff --git a/cloudtrail/README.md b/cloudtrail/README.md
@@ -128,9 +128,7 @@ module "org_cloudtrail" {
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
-| <a name="provider_local"></a> [local](#provider\_local) | n/a |
 | <a name="provider_null"></a> [null](#provider\_null) | n/a |
-| <a name="provider_template"></a> [template](#provider\_template) | n/a |
 
 ## Modules
 
@@ -147,39 +145,55 @@ No modules.
 | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_notification.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
 | [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_sns_topic.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
+| [aws_sns_topic.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_sns_topic_policy.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
+| [aws_sns_topic_policy.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
+| [aws_sns_topic_subscription.additional_cloudtrail_s3_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 | [aws_sns_topic_subscription.additional_cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+| [aws_sns_topic_subscription.cloudtrail_s3_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 | [aws_sns_topic_subscription.cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 | [aws_sqs_queue.additional_cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [aws_sqs_queue.additional_cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+| [aws_sqs_queue.additional_cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+| [aws_sqs_queue.additional_cloudtrail_s3_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [aws_sqs_queue.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [aws_sqs_queue.cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+| [aws_sqs_queue.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+| [aws_sqs_queue.cloudtrail_s3_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [aws_sqs_queue_policy.additional_cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
+| [aws_sqs_queue_policy.additional_cloudtrail_s3_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
+| [aws_sqs_queue_policy.additional_cloudtrail_s3_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [aws_sqs_queue_policy.additional_cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [aws_sqs_queue_policy.cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
+| [aws_sqs_queue_policy.cloudtrail_s3_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
+| [aws_sqs_queue_policy.cloudtrail_s3_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [aws_sqs_queue_policy.cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
-| [local_file.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
-| [null_resource.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.additional_cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.additional_cloudtrail_s3_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.additional_cloudtrail_s3_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.additional_cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_s3_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_s3_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_s3_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudtrail_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
-| [template_file.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
 
 ## Inputs
 
@@ -189,10 +203,13 @@ No modules.
 | <a name="input_access_log_bucket_prefix"></a> [access\_log\_bucket\_prefix](#input\_access\_log\_bucket\_prefix) | Server Access Log bucket prefix, to which the Object Logging bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no |
 | <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_additional_s3_sqs_names"></a> [additional\_s3\_sqs\_names](#input\_additional\_s3\_sqs\_names) | List of additional SQS queues to create and subscribe to the S3 SNS topic (if enabled) | `list(string)` | `[]` | no |
 | <a name="input_additional_sqs_names"></a> [additional\_sqs\_names](#input\_additional\_sqs\_names) | List of additional SQS queues to create and subscribe to the SNS topic (if enabled) | `list(string)` | `[]` | no |
 | <a name="input_cloudtrail_bucket_prefix"></a> [cloudtrail\_bucket\_prefix](#input\_cloudtrail\_bucket\_prefix) | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"cloudtrail"` | no |
 | <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | <pre>{<br>  "ddb": {},<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
 | <a name="input_enable_organization"></a> [enable\_organization](#input\_enable\_organization) | Enable CloudTrail as an organization trail. This will only work in the organization master account | `bool` | `false` | no |
+| <a name="input_enable_s3_sns"></a> [enable\_s3\_sns](#input\_enable\_s3\_sns) | Flag to enable or disable the creation of SNS for the Cloudtrail S3 bucket | `bool` | `false` | no |
+| <a name="input_enable_s3_sqs"></a> [enable\_s3\_sqs](#input\_enable\_s3\_sqs) | Flag to enable or disable the creation of SQS attached to SNS for Cloudtrail S3 bucket | `bool` | `false` | no |
 | <a name="input_enable_sns"></a> [enable\_sns](#input\_enable\_sns) | Flag to enable or disable the creation of SNS for Cloudtrail (TBD) | `bool` | `false` | no |
 | <a name="input_enable_sqs"></a> [enable\_sqs](#input\_enable\_sqs) | Flag to enable or disable the creation of SQS attached to SNS for Cloudtrail, used for Splunk ingestion (TBD) | `bool` | `false` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | AWS CloudTrail KMS ARN to be used for encrypting the ClouldTrail, S3 Bucket, and SQS | `string` | n/a | yes |

diff --git a/cloudtrail/additional-sqs.s3.tf b/cloudtrail/additional-sqs.s3.tf
@@ -0,0 +1,103 @@
+locals {
+  additional_s3_sqs_names = var.enable_s3_sqs ? toset(var.additional_s3_sqs_names) : toset([])
+}
+
+resource "aws_sqs_queue" "additional_cloudtrail_s3_deadletter" {
+  for_each                   = local.additional_s3_sqs_names
+  name                       = format("%v-deadletter", each.key)
+  delay_seconds              = 0
+  max_message_size           = 262144
+  message_retention_seconds  = lookup(local._defaults["sqs_deadletter"], "message_retention_seconds", 1 * 86400)
+  receive_wait_time_seconds  = 15
+  visibility_timeout_seconds = 3600
+
+  kms_master_key_id                 = data.aws_kms_key.incoming_key.id
+  kms_data_key_reuse_period_seconds = 300
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    tomap({ Name = format("%v-deadletter", each.key) }),
+  )
+}
+
+resource "aws_sqs_queue_policy" "additional_cloudtrail_s3_deadletter" {
+  for_each  = local.additional_s3_sqs_names
+  queue_url = var.enable_s3_sqs ? aws_sqs_queue.additional_cloudtrail_s3_deadletter[each.key].id : null
+  policy    = data.aws_iam_policy_document.additional_cloudtrail_s3_deadletter[each.key].json
+}
+
+data "aws_iam_policy_document" "additional_cloudtrail_s3_deadletter" {
+  for_each = local.additional_s3_sqs_names
+  statement {
+    sid       = "AllowSNSSendMessage"
+    effect    = "Allow"
+    actions   = ["sqs:SendMessage"]
+    resources = [var.enable_s3_sqs ? aws_sqs_queue.additional_cloudtrail_s3_deadletter[each.key].arn : ""]
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
+    }
+  }
+}
+
+resource "aws_sqs_queue" "additional_cloudtrail_s3" {
+  for_each                   = local.additional_s3_sqs_names
+  name                       = each.key
+  delay_seconds              = 0
+  max_message_size           = 262144
+  message_retention_seconds  = lookup(local._defaults["sqs_deadletter"], "message_retention_seconds", 7 * 86400)
+  receive_wait_time_seconds  = 15
+  visibility_timeout_seconds = 7200
+
+  redrive_policy = jsonencode({
+    deadLetterTargetArn = var.enable_s3_sqs ? aws_sqs_queue.additional_cloudtrail_s3_deadletter[each.key].arn : null
+    maxReceiveCount     = 100
+  })
+
+  kms_master_key_id                 = data.aws_kms_key.incoming_key.id
+  kms_data_key_reuse_period_seconds = 300
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    tomap({ Name = each.key }),
+  )
+}
+
+resource "aws_sqs_queue_policy" "additional_cloudtrail_s3_sqs" {
+  for_each  = local.additional_s3_sqs_names
+  queue_url = var.enable_s3_sqs ? aws_sqs_queue.additional_cloudtrail_s3[each.key].id : null
+  policy    = data.aws_iam_policy_document.additional_cloudtrail_s3_sqs[each.key].json
+}
+
+data "aws_iam_policy_document" "additional_cloudtrail_s3_sqs" {
+  for_each = local.additional_s3_sqs_names
+  statement {
+    sid       = "AllowSNSSendMessage"
+    effect    = "Allow"
+    actions   = ["sqs:SendMessage"]
+    resources = [var.enable_s3_sqs ? aws_sqs_queue.additional_cloudtrail_s3[each.key].arn : ""]
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
+    }
+  }
+}
+
+resource "aws_sns_topic_subscription" "additional_cloudtrail_s3_sqs" {
+  for_each  = var.enable_s3_sns ? local.additional_s3_sqs_names : toset([])
+  protocol  = "sqs"
+  topic_arn = var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : null
+  endpoint  = var.enable_s3_sqs ? aws_sqs_queue.additional_cloudtrail_s3[each.key].arn : null
+}
diff --git a/cloudtrail/s3.tf b/cloudtrail/s3.tf
@@ -17,6 +17,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
       kms_master_key_id = var.kms_key_arn
       sse_algorithm     = "aws:kms"
     }
+    bucket_key_enabled = true
   }
 }
 
@@ -103,3 +104,15 @@ resource "null_resource" "policy_delay" {
   }
 }
 
+
+resource "aws_s3_bucket_notification" "this" {
+  count  = var.enable_s3_sns ? 1 : 0
+  bucket = aws_s3_bucket.this.id
+
+  topic {
+    topic_arn = var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3.arn : null
+    events    = ["s3:ObjectCreated:*"]
+    #    filter_suffix = ".log"
+  }
+}
+
diff --git a/cloudtrail/sns.s3.tf b/cloudtrail/sns.s3.tf
@@ -0,0 +1,56 @@
+resource "aws_sns_topic" "cloudtrail_s3" {
+  count             = var.enable_s3_sns ? 1 : 0
+  name              = local.name
+  kms_master_key_id = data.aws_kms_key.incoming_key.id
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    tomap({ Name = local.name }),
+  )
+}
+
+resource "aws_sns_topic_policy" "cloudtrail_s3" {
+  count  = var.enable_s3_sns ? 1 : 0
+  arn    = var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : null
+  policy = data.aws_iam_policy_document.cloudtrail_s3_topic.json
+}
+
+data "aws_iam_policy_document" "cloudtrail_s3_topic" {
+  policy_id = format("%v_s3_topic", local.name)
+  statement {
+    sid    = "CloudtrailS3SNSPermissions"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    actions = [
+      "sns:Subscribe",
+      "sns:SetTopicAttributes",
+      "sns:RemovePermission",
+      "sns:Receive",
+      "sns:Publish",
+      "sns:ListSubscriptionsByTopic",
+      "sns:GetTopicAttributes",
+      "sns:DeleteTopic",
+      "sns:AddPermission",
+    ]
+    condition {
+      test     = "StringEquals"
+      variable = "AWS:SourceOwner"
+      values   = [local.account_id]
+    }
+    resources = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
+  }
+  statement {
+    sid    = "CloudTrailSNSPolicy"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+    actions   = ["sns:Publish"]
+    resources = [var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : ""]
+  }
+}