diff --git a/cloudtrail/role.tf b/cloudtrail/role.tf
deleted file mode 100644
index c443d4e..0000000
--- a/cloudtrail/role.tf
+++ /dev/null
@@ -1,141 +0,0 @@
-locals {
- cloudwatch_prefix = replace(aws_cloudwatch_log_group.inf-cloudtrail.arn, "/:\\*$/", "")
- cloudwatch_suffix = "${var.account_id}_CloudTrail_${var.region}*"
- cloudwatch_resources = join(":", list(local.cloudwatch_prefix, "log-stream", local.cloudwatch_suffix))
- cloudtrail_policies = list(data.terraform_remote_state.common.outputs.policy_deny_billing_arn, aws_iam_policy.inf-cloudtrail.arn)
- cloudtrail_bucket_arn = aws_s3_bucket.cloudtrail.arn
-
- cloudtrail_role_name = format("%v%v", local._prefixes["role"], local.role_name)
- cloudtrail_policy_name = format("%v%v", local._prefixes["policy"], local.role_name)
-
-}
-
-resource "aws_iam_role" "cloudtrail" {
- name = local.cloudtrail_role_name
- assume_role_policy = data.aws_iam_policy_document.cloudtrail_assume.json
- description = "AWS CloudTrail Role for ${local.region}"
- force_detach_policies = false
- max_session_duration = 3600
- # add deny billing
- attached_policies = [aws_iam_policy.cloudtrail_policy.arn]
- path = "/"
-
- tags = merge(
- local.base_tags,
- var.tags,
- )
-}
-
-
-data "aws_iam_policy_document" "cloudtrail_assume" {
- statement {
- sid = "AWSCloudTrailServiceAssumeRole"
- effect = "Allow"
- actions = ["sts:AssumeRole"]
-
- principals {
- type = "Service"
- identifiers = ["cloudtrail.amazonaws.com"]
- }
- }
-}
-
-resource "aws_iam_policy" "cloudtrail_policy" {
- name = local.cloudtrail_policy_name
- policy = data.aws_iam_policy_document.cloudtrail_cloudwatch.json
-}
-
-
-resource "aws_kms_key" "cloudtrail_key" {
- description = "encrypt inf-cloudtrail objects and streams"
- enable_key_rotation = true
- policy = data.aws_iam_policy_document.cloudtrail_key.json
-
- tags = merge(
- local.common_tags,
- map("Name", var.kms_cloudtrail_key)
- )
-}
-
-data "aws_iam_policy_document" "cloudtrail_cloudwatch" {
- statement {
- sid = "AWSCloudTrailCreateLogStream"
- effect = "Allow"
- actions = ["logs:CreateLogStream"]
- resources = [local.cloudwatch_resources]
- }
-
- statement {
- sid = "AWSCloudTrailPutLogEvents"
- effect = "Allow"
- actions = ["logs:PutLogEvents"]
- resources = [local.cloudwatch_resources]
- }
-}
-
-resource "aws_cloudtrail" "cloudtrail" {
- name = "inf-cloudtrail"
- s3_bucket_name = aws_s3_bucket.cloudtrail.id
-
- # s3_key_prefix =
- include_global_service_events = true
- is_multi_region_trail = true
- enable_log_file_validation = true
- enable_logging = true
-
- kms_key_id = aws_kms_key.cloudtrail_key.arn
- sns_topic_name = aws_sns_topic.cloudtrail.arn
- cloud_watch_logs_group_arn = aws_cloudwatch_log_group.inf-cloudtrail.arn
- cloud_watch_logs_role_arn = aws_iam_role.inf-cloudtrail.arn
-
- tags = merge(
- local.common_tags,
- {
- "Project Role" = local.project_role["inf"]
- },
- map("Name", "inf-cloudtrail-cloudwatch"),
- )
-}
-
-resource "aws_cloudwatch_log_group" "inf-cloudtrail" {
- name = "inf-cloudtrail"
-
- # kms_key_id = aws_kms_key.cloudtrail_key.arn
- retention_in_days = 7
-
- tags = merge(
- local.common_tags,
- map("Name", "inf-cloudtrail-cloudwatch-log"),
- )
-}
-
-## # add this later after creating additional buckets for applications
-## # or, create an app-specific bucket for the cloudtrail logs
-## resource "aws_cloudtrail" "inf-cloudtrail-s3" {
-## name = "inf-cloudtrail-s3"
-## s3_bucket_name = aws_s3_bucket.cloudtrail.id
-## s3_key_prefix = "inf-s3"
-##
-## include_global_service_events = true
-## is_multi_region_trail = true
-## enable_log_file_validation = true
-## enable_logging = true
-##
-## kms_key_id = aws_kms_key.cloudtrail_key.arn
-##
-## tags = merge(
-## local.common_tags,
-## map("Name", "inf-cloudtrail-s3"),
-## )
-##
-## event_selector {
-## read_write_type = "All"
-## include_management_events = true
-##
-## data_resource {
-## type = "AWS::S3::Object"
-## values = [ "${aws_s3_bucket.edl-poc-dl-versioned.arn}/" ]
-## }
-## }
-## }
-##