diff --git a/CHANGELOG.md b/CHANGELOG.md index 507b9a6..0566b2a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,3 +10,7 @@ * v1.2 -- 20210223 - module: access-logging + +* v1.3 -- 20210223 + - module: rename access-logging to s3-access-logs + - module: add s3-flow-logs diff --git a/README.md b/README.md index 196ce92..3fb89e0 100644 --- a/README.md +++ b/README.md @@ -13,11 +13,13 @@ structure so they are not really needed. The bucket is `inf-tfstate-{account_id} This has no other dependencies, since it has to be created first. Only one is needed per account. -### [access-logging](access-logging) +### [s3-access-logs](s3-access-logs) This sets up the S3 bucket used for access logs. One is needed per region, and the region and account are included in the bucket names: `inf-logs-{account_id}-{region}`. +### [s3-flow-logs](s3-flow-logs) + ### splunk-user ### object-logging ### cloudtrail diff --git a/common/version.tf b/common/version.tf index 2f4174c..6459949 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "1.2" + _module_version = "1.3" } diff --git a/access-logging/README.md b/s3-access-logs/README.md similarity index 97% rename from access-logging/README.md rename to s3-access-logs/README.md index 11f4239..9093aba 100644 --- a/access-logging/README.md +++ b/s3-access-logs/README.md @@ -1,4 +1,4 @@ -# aws-inf-setup :: access-logging +# aws-inf-setup :: s3-access-logs This set up the needed components for S3 access log bucket. An access log must exist in each region where there are components wishing to use access logs (S3, ALB, etc.). @@ -12,7 +12,7 @@ Here is a simple example, the one most commonly expected to be used. ```hcl module "logs" { - source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//access-logging" + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-access-logs" } ``` 
@@ -22,7 +22,7 @@ variable file generation. ```hcl module "logs_full" { - source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//terraform-state" + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-access-logs" # optional account_alias = "do2-govcloud" diff --git a/access-logging/data.tf b/s3-access-logs/data.tf similarity index 100% rename from access-logging/data.tf rename to s3-access-logs/data.tf diff --git a/access-logging/defaults.tf b/s3-access-logs/defaults.tf similarity index 100% rename from access-logging/defaults.tf rename to s3-access-logs/defaults.tf diff --git a/access-logging/main.tf b/s3-access-logs/main.tf similarity index 97% rename from access-logging/main.tf rename to s3-access-logs/main.tf index 81f8584..f8e0a47 100644 --- a/access-logging/main.tf +++ b/s3-access-logs/main.tf @@ -1,5 +1,5 @@ /* -* # aws-inf-setup :: access-logging +* # aws-inf-setup :: s3-access-logs * * This set up the needed components for S3 access log bucket. An access log must exist in each region * where there are components wishing to use access logs (S3, ALB, etc.). @@ -13,7 +13,7 @@ * * ```hcl * module "logs" { -* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//access-logging" +* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-access-logs" * } * ``` * @@ -23,7 +23,7 @@ * * ```hcl * module "logs_full" { -* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//terraform-state" +* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-access-logs" * * # optional * account_alias = "do2-govcloud" diff --git a/access-logging/outputs.tf b/s3-access-logs/outputs.tf similarity index 100% rename from access-logging/outputs.tf rename to s3-access-logs/outputs.tf diff --git a/access-logging/policy_data.tf b/s3-access-logs/policy_data.tf similarity index 100% rename from access-logging/policy_data.tf rename to s3-access-logs/policy_data.tf 
diff --git a/access-logging/prefixes.tf b/s3-access-logs/prefixes.tf
similarity index 100%
rename from access-logging/prefixes.tf
rename to s3-access-logs/prefixes.tf
diff --git a/access-logging/variables.common.tf b/s3-access-logs/variables.common.tf
similarity index 100%
rename from access-logging/variables.common.tf
rename to s3-access-logs/variables.common.tf
diff --git a/access-logging/variables.tf b/s3-access-logs/variables.tf
similarity index 100%
rename from access-logging/variables.tf
rename to s3-access-logs/variables.tf
diff --git a/access-logging/version.tf b/s3-access-logs/version.tf
similarity index 100%
rename from access-logging/version.tf
rename to s3-access-logs/version.tf
diff --git a/s3-flow-logs/README.md b/s3-flow-logs/README.md
new file mode 100644
index 0000000..a5ebd76
--- /dev/null
+++ b/s3-flow-logs/README.md
@@ -0,0 +1,83 @@ +# aws-inf-setup :: s3-flow-logs + +This set up the needed components for S3 VPC flow log bucket. Only one flow log bucket is +needed + +* S3 bucket +* S3 bucket objects (key prefixes, aka "directories") +* S3 bucket policy + +# Usage +Here is a simple example, the one most commonly expected to be used. + +```hcl +module "flowlogs" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-flow-flowlogs" +} +``` + +This one can be used if you need to customize stuff, though really, the defaults are all built +for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in +variable file generation. + +```hcl +module "flowlogs_full" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-flow-flowlogs" + + # optional + account_alias = "do2-govcloud" + bucket_name = "inf-flowlogs-123456789012" + + # flowlogs is generally not needed and not recommended + component_tags = { + "s3" = { + "SpecialTag1" = "something" + "SpecialTag2" = "somethingElse" + } + } +} +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| aws | n/a | + +## Modules + +No Modules. 
+ +## Resources + +| Name | +|------| +| [aws_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | +| [aws_caller_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | +| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | +| [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | +| [aws_s3_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | +| [aws_s3_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | +| [aws_s3_bucket_public_access_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| account\_alias | AWS Account Alias (required) | `string` | `""` | no | +| account\_id | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| bucket\_name | VPC Flow Logs S3 bucket name | `string` | `""` | no | +| bucket\_name\_prefix | VPC Flow Logs S3 bucket prefix, prepended to the AWS account ID to make the bucket name. | `string` | `"inf-flowlogs"` | no | +| component\_tags | Additional tags for Components (s3, kms, ddb) | `map(map(string))` |
{
"ddb": {},
"kms": {},
"s3": {}
} | no |
+| override\_prefixes | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| tags | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| flowlogs\_bucket\_arn | VPC Flow Logs S3 bucket ARN |
diff --git a/s3-flow-logs/data.tf b/s3-flow-logs/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/s3-flow-logs/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/s3-flow-logs/defaults.tf b/s3-flow-logs/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/s3-flow-logs/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/s3-flow-logs/main.tf b/s3-flow-logs/main.tf
new file mode 100644
index 0000000..ab40cff
--- /dev/null
+++ b/s3-flow-logs/main.tf
@@ -0,0 +1,110 @@
+/*
+* # aws-inf-setup :: s3-flow-logs
+*
+* This set up the needed components for S3 VPC flow log bucket. Only one flow log bucket is
+* needed
+*
+* * S3 bucket
+* * S3 bucket objects (key prefixes, aka "directories")
+* * S3 bucket policy
+*
+* # Usage
+* Here is a simple example, the one most commonly expected to be used.
+*
+* ```hcl
+* module "flowlogs" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-flow-flowlogs"
+* }
+* ```
+*
+* This one can be used if you need to customize stuff, though really, the defaults are all built
+* for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in
+* variable file generation.
+*
+* ```hcl
+* module "flowlogs_full" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-flow-flowlogs"
+*
+* # optional
+* account_alias = "do2-govcloud"
+* bucket_name = "inf-flowlogs-123456789012"
+*
+* # flowlogs is generally not needed and not recommended
+* component_tags = {
+* "s3" = {
+* "SpecialTag1" = "something"
+* "SpecialTag2" = "somethingElse"
+* }
+* }
+* }
+* ```
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ flowlogs_region = data.aws_region.current.name
+ account_environment = data.aws_arn.current.partiion == "aws-us-gov" ? "gov" : "ew"
+
+ bucket_name = var.bucket_name != "" ? var.bucket_name : format("%v-%v-%v", var.bucket_name_prefix, local.account_id, local.flowlogs_region)
+
+ base_tags = {
+ "Organization" = "census:aditcio:csvd"
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+#---
+# s3
+#---
+resource "aws_s3_bucket" "flowlogs" {
+ bucket = local.bucket_name
+ acl = "log-delivery-write"
+
+ # need to create the inf_ key used for infrastucture things like
+ # vpc flow, cloudtrail, config, sns, sqs
+
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ # kms_master_key_id = local.inf_key_arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
+
+ versioning {
+ enabled = false
+ }
+
+ lifecycle {
+ prevent_destroy = true
+ }
+
+ # probably want some migration of old data to some other location
+ # like glacier
+
+ tags = merge(
+ var.tags,
+ local.base_tags,
+ lookup(var.component_tags, "s3", {}),
+ map("Name", local.bucket_name),
+ )
+
+ provisioner "local-exec" {
+ command = "sleep 30"
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "flowlogs" {
+ bucket = aws_s3_bucket.flowlogs.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_policy" "flowlogs" {
+ bucket = aws_s3_bucket.flowlogs.id
+ policy = data.aws_iam_policy_document.flowlogs_s3.json
+}
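Review bot: `data.aws_iam_policy_document.flowlogs_s3` referenced by the `aws_s3_bucket_policy` resource does not exist — policy_data.tf in this same commit declares the document as `flowlog_s3`, and that document in turn references `aws_s3_bucket.flowlog` rather than the `flowlogs` resource declared here, so `terraform validate` will fail until the names agree. `data.aws_arn.current.partiion` in the locals block is also misspelled (`partition`), which is an unsupported-attribute error on the first plan even though `account_environment` is not used anywhere visible in this file. The `bucket_name` local appends the region, while the header comment says only one flow-log bucket is needed and variables.tf/README describe the name as prefix plus account ID; pick one (presumably `format("%v-%v", var.bucket_name_prefix, local.account_id)`) so the Ansible variable generation the docs mention gets a predictable name. With `kms_master_key_id` commented out, `sse_algorithm = "aws:kms"` falls back to the AWS-managed aws/s3 key, which the log-delivery service principal generally cannot be granted use of — confirm a test flow log actually lands in the bucket, or supply a customer-managed key whose key policy allows `delivery.logs.amazonaws.com`. The usage examples in the header comment point at `//s3-flow-flowlogs`, which is not the directory this commit adds (`//s3-flow-logs`).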
diff --git a/s3-flow-logs/outputs.tf b/s3-flow-logs/outputs.tf
new file mode 100644
index 0000000..cc57cc2
--- /dev/null
+++ b/s3-flow-logs/outputs.tf
@@ -0,0 +1,9 @@
+output "flowlogs_bucket_id" {
+ description = "VPC Flow Logs S3 bucket ID"
+ value = aws_s3_bucket.flowlogs.id
+}
+
+output "flowlogs_bucket_arn" {
+ description = "VPC Flow Logs S3 bucket ARN"
+ value = aws_s3_bucket.flowlogs.arn
+}
diff --git a/s3-flow-logs/policy_data.tf b/s3-flow-logs/policy_data.tf
new file mode 100644
index 0000000..d2caf36
--- /dev/null
+++ b/s3-flow-logs/policy_data.tf
@@ -0,0 +1,27 @@
+data "aws_iam_policy_document" "flowlog_s3" {
+ statement {
+ sid = "AWSLogDeliveryWrite"
+ effect = "Allow"
+ actions = ["s3:PutObject"]
+ principals {
+ type = "Service"
+ identifiers = ["delivery.logs.amazonaws.com"]
+ }
+ resources = ["${aws_s3_bucket.flowlog.arn}/*"]
+ condition {
+ test = "StringEquals"
+ variable = "s3:x-amz-acl"
+ values = ["bucket-owner-full-control"]
+ }
+ }
+ statement {
+ sid = "AWSLogDeliveryAclCheck"
+ effect = "Allow"
+ actions = ["s3:GetBucketAcl"]
+ principals {
+ type = "Service"
+ identifiers = ["delivery.logs.amazonaws.com"]
+ }
+ resources = [aws_s3_bucket.flowlog.arn]
+ }
+}
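Review bot: Both statements grant `delivery.logs.amazonaws.com` with no `aws:SourceAccount` (or `aws:SourceArn`) condition, so any AWS account that learns this bucket name can point its own VPC flow logs at it and write objects into the bucket — the usual confused-deputy gap for service-principal bucket policies, and the condition AWS's flow-log bucket-policy guidance adds. The document is also named `flowlog_s3` and references `aws_s3_bucket.flowlog`, whereas main.tf in this commit declares `aws_s3_bucket.flowlogs` and reads `data.aws_iam_policy_document.flowlogs_s3`, so the module will not validate as written. `local.account_id` is already defined in main.tf and can feed the condition; an additional `aws:SourceArn` of `arn:<partition>:logs:*:<account>:*` would pin the source further to this account's log-delivery service, if wanted.
```hcl
data "aws_iam_policy_document" "flowlogs_s3" {
  statement {
    sid     = "AWSLogDeliveryWrite"
    effect  = "Allow"
    actions = ["s3:PutObject"]
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
    resources = ["${aws_s3_bucket.flowlogs.arn}/*"]
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    # Confused-deputy guard: only flow logs owned by this account may be delivered here.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account_id]
    }
  }
  statement {
    sid     = "AWSLogDeliveryAclCheck"
    effect  = "Allow"
    actions = ["s3:GetBucketAcl"]
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
    resources = [aws_s3_bucket.flowlogs.arn]
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account_id]
    }
  }
}
```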
diff --git a/s3-flow-logs/prefixes.tf b/s3-flow-logs/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/s3-flow-logs/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/s3-flow-logs/variables.common.tf b/s3-flow-logs/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/s3-flow-logs/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/s3-flow-logs/variables.tf b/s3-flow-logs/variables.tf
new file mode 100644
index 0000000..e27308d
--- /dev/null
+++ b/s3-flow-logs/variables.tf
@@ -0,0 +1,20 @@
+variable "bucket_name" {
+ description = "VPC Flow Logs S3 bucket name"
+ type = string
+ # default = "inf-flowlogs-{{ tf_account }}-{{ region }}"
+ # default = "inf-flowlogs-{{ tf_account }}"
+ default = ""
+}
+
+variable "bucket_name_prefix" {
+ # description = "VPC Flow Logs S3 bucket prefix, prepended to the AWS account ID and region to make the bucket name."
+ description = "VPC Flow Logs S3 bucket prefix, prepended to the AWS account ID to make the bucket name."
+ type = string
+ default = "inf-flowlogs"
+}
+
+variable "component_tags" {
+ description = "Additional tags for Components (s3, kms, ddb)"
+ type = map(map(string))
+ default = { "s3" = {}, "kms" = {}, "ddb" = {} }
+}
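Review bot: The `bucket_name_prefix` description says the prefix is prepended to the account ID only, but main.tf in this commit builds the name as `format("%v-%v-%v", var.bucket_name_prefix, local.account_id, local.flowlogs_region)`, so the documented `inf-flowlogs-123456789012` style name is not what gets created; update one or the other (the commented-out "AWS account ID and region" wording and the commented-out defaults suggest the region suffix was meant to be dropped). `component_tags` also advertises `kms` and `ddb` keys, yet the only lookup visible in this module is `lookup(var.component_tags, "s3", {})`, so tags under the other keys appear to be ignored; a description such as `"Additional tags for Components (only the \"s3\" key is used by this module)"` would stop callers supplying tags that never land on anything.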
diff --git a/s3-flow-logs/version.tf b/s3-flow-logs/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/s3-flow-logs/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file