initial setup

terraform-modules · Feb 2, 2023 · 6977f16 · 6977f16
1 parent 544b4d9
commit 6977f16
Show file tree

Hide file tree

Showing 7 changed files with 36 additions and 119 deletions.
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.2.7"
+  _module_version = "2.3.0"
 }
diff --git a/org-logging/README.md b/org-logging/README.md
@@ -128,9 +128,7 @@ module "org_logging" {
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
-| <a name="provider_local"></a> [local](#provider\_local) | n/a |
 | <a name="provider_null"></a> [null](#provider\_null) | n/a |
-| <a name="provider_template"></a> [template](#provider\_template) | n/a |
 
 ## Modules
 
@@ -149,6 +147,7 @@ No modules.
 | [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_sns_topic.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_sns_topic_policy.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
 | [aws_sns_topic_subscription.additional_logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
@@ -161,9 +160,7 @@ No modules.
 | [aws_sqs_queue_policy.additional_logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [aws_sqs_queue_policy.logging_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
 | [aws_sqs_queue_policy.logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
-| [local_file.splunk_logging](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
-| [null_resource.splunk_logging](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.additional_logging_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -176,9 +173,9 @@ No modules.
 | [aws_iam_policy_document.logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.logging_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
+| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
-| [template_file.splunk_logging](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 
 ## Inputs
 

diff --git a/org-logging/generate_splunk.cloudtrail.tf b/org-logging/generate_splunk.cloudtrail.tf
diff --git a/org-logging/main.tf b/org-logging/main.tf
@@ -133,6 +133,7 @@ locals {
   account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
   partition           = data.aws_arn.current.partition
   account_alias       = var.account_alias == "" ? "MISSING" : var.account_alias
+  organization_id     = data.aws_organizations_organization.org.id
 
   _name          = var.name == null ? format("%v-%v", lookup(local._defaults["logging"], "name"), local.region) : var.name
   name           = var.enable_organization ? lookup(local._defaults["org_logging"], "name") : local._name
@@ -154,7 +155,4 @@ data "aws_kms_key" "incoming_key" {
   key_id = var.kms_key_arn
 }
 
-# data "aws_organizations_organization" "org" {}
-
-
-
+data "aws_organizations_organization" "org" {}
diff --git a/org-logging/cloudtrail.tf → org-logging/role.tf b/org-logging/cloudtrail.tf → org-logging/role.tf
diff --git a/org-logging/s3.tf b/org-logging/s3.tf
@@ -1,7 +1,10 @@
 resource "aws_s3_bucket" "this" {
-  bucket = local.bucket_name
-  #  acl           = "private"
-  force_destroy = false
+  bucket        = local.bucket_name
+  force_destroy = var.force_destroy
+
+  lifecycle {
+    prevent_destroy = false
+  }
 
   tags = merge(
     local.base_tags,
@@ -17,9 +20,11 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
       kms_master_key_id = var.kms_key_arn
       sse_algorithm     = "aws:kms"
     }
+    bucket_key_enabled = true
   }
 }
 
+
 resource "aws_s3_bucket_logging" "this" {
   bucket        = aws_s3_bucket.this.id
   target_bucket = var.access_log_bucket
@@ -29,7 +34,8 @@ resource "aws_s3_bucket_logging" "this" {
 resource "aws_s3_bucket_acl" "this" {
   count  = 0
   bucket = aws_s3_bucket.this.id
-  acl    = "private"
+  #  acl    = "private"
+  acl = "log-delivery-write"
 }
 
 resource "aws_s3_bucket_ownership_controls" "this" {
@@ -40,6 +46,14 @@ resource "aws_s3_bucket_ownership_controls" "this" {
   }
 }
 
+# no versioning on logs
+resource "aws_s3_bucket_versioning" "this" {
+  bucket = aws_s3_bucket.this.id
+  versioning_configuration {
+    status = "Suspended"
+  }
+}
+
 #---
 # bucket policy (apply also encryption key usage here?)
 # deny unencrypted uploads policy statement removed for default encryption
@@ -48,12 +62,17 @@ data "aws_iam_policy_document" "bucket_policy" {
   statement {
     sid     = "AWSLoggingAclCheck"
     effect  = "Allow"
-    actions = ["s3:GetBucketAcl"]
+    actions = ["s3:GetBucketAcl", "s3:ListBucket"]
     principals {
       type        = "Service"
       identifiers = ["logging.amazonaws.com"]
     }
     resources = [aws_s3_bucket.this.arn]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:PrincipalOrgId"
+      values   = [local.organization_id]
+    }
   }
   statement {
     sid     = "AWSLoggingWrite"
@@ -63,13 +82,19 @@ data "aws_iam_policy_document" "bucket_policy" {
       type        = "Service"
       identifiers = ["logging.amazonaws.com"]
     }
-    resources = [format("%v/%v/*", aws_s3_bucket.this.arn, var.logging_bucket_prefix)]
+    resources = [format("%v/*", aws_s3_bucket.this.arn)]
     condition {
       test     = "StringEquals"
       variable = "s3:x-amz-acl"
       values   = ["bucket-owner-full-control"]
     }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:PrincipalOrgId"
+      values   = [data.organization_id]
+    }
   }
+  # key access
 }
 
 #---
@@ -102,4 +127,3 @@ resource "null_resource" "policy_delay" {
     command = "sleep 180"
   }
 }
-
diff --git a/org-logging/s3.tf2 b/org-logging/s3.tf2