diff --git a/common/version.tf b/common/version.tf
index 34728db..03d330b 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "2.2.7"
+ _module_version = "2.3.0"
}
diff --git a/org-logging/README.md b/org-logging/README.md
index 1d09f36..e67fe9a 100644
--- a/org-logging/README.md
+++ b/org-logging/README.md
@@ -128,9 +128,7 @@ module "org_logging" {
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 3.66.0 |
-| [local](#provider\_local) | n/a |
| [null](#provider\_null) | n/a |
-| [template](#provider\_template) | n/a |
## Modules
@@ -149,6 +147,7 @@ No modules.
| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
| [aws_sns_topic.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
| [aws_sns_topic_policy.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
| [aws_sns_topic_subscription.additional_logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
@@ -161,9 +160,7 @@ No modules.
| [aws_sqs_queue_policy.additional_logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
| [aws_sqs_queue_policy.logging_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
| [aws_sqs_queue_policy.logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
-| [local_file.splunk_logging](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
| [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
-| [null_resource.splunk_logging](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.additional_logging_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -176,9 +173,9 @@ No modules.
| [aws_iam_policy_document.logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.logging_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
+| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
-| [template_file.splunk_logging](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
## Inputs
diff --git a/org-logging/generate_splunk.cloudtrail.tf b/org-logging/generate_splunk.cloudtrail.tf
deleted file mode 100644
index d626d62..0000000
--- a/org-logging/generate_splunk.cloudtrail.tf
+++ /dev/null
@@ -1,45 +0,0 @@
-#---
-# generate splunk inputs file
-#---
-data "template_file" "splunk_logging" {
- template = file("${path.module}/templates/inputs.logging.conf.tpl")
- vars = {
- account_id = local.account_id
- account_alias = local.account_alias
- # entry_uuid = random_uuid.splunk_logging.result
- region = local.region
- logging_name = local.splunk_name
- queue_url = var.enable_sqs ? aws_sqs_queue.logging[0].id : null
- }
-}
-
-# resource "random_uuid" "splunk_logging" {
-# keepers = {
-# queue_url = var.enable_sqs ? aws_sqs_queue.logging[0].id : null
-# }
-# }
-
-resource "null_resource" "splunk_logging" {
- count = var.enable_sqs ? 1 : 0
- triggers = {
- filename = format("inputs.%v.%v-%v.%v.conf", local.splunk_name, local.account_id, local.account_alias, local.region)
- directory = format("%v/setup", path.root)
- }
-
- provisioner "local-exec" {
- command = "test -d ${self.triggers.directory} || mkdir ${self.triggers.directory}"
- }
-
- # provisioner "local-exec" {
- # working_dir = "setup"
- # command = "echo '${data.template_file.splunk_logging.rendered}' > inputs.${local.splunk_name}.${local.account_id}.${local.region}.conf"
- # }
-}
-
-resource "local_file" "splunk_logging" {
- count = var.enable_sqs ? 1 : 0
-
- content = data.template_file.splunk_logging.rendered
- file_permission = "0644"
- filename = var.enable_sqs ? format("%v/%v", null_resource.splunk_logging[0].triggers.directory, null_resource.splunk_logging[0].triggers.filename) : null
-}
diff --git a/org-logging/main.tf b/org-logging/main.tf
index be2c776..170b6cf 100644
--- a/org-logging/main.tf
+++ b/org-logging/main.tf
@@ -133,6 +133,7 @@ locals {
account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
partition = data.aws_arn.current.partition
account_alias = var.account_alias == "" ? "MISSING" : var.account_alias
+ organization_id = data.aws_organizations_organization.org.id
_name = var.name == null ? format("%v-%v", lookup(local._defaults["logging"], "name"), local.region) : var.name
name = var.enable_organization ? lookup(local._defaults["org_logging"], "name") : local._name
@@ -154,7 +155,4 @@ data "aws_kms_key" "incoming_key" {
key_id = var.kms_key_arn
}
-# data "aws_organizations_organization" "org" {}
-
-
-
+data "aws_organizations_organization" "org" {}
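Review bot: The `aws_organizations_organization` data source is read unconditionally, and the `organization_id` local added in this file's earlier hunk consumes it, so the module now fails at plan time in any account that is not an Organizations member — including the `enable_organization = false` path that the `name` local still supports. If standalone deployments are still intended (not visible here), gate the lookup: `count = var.enable_organization ? 1 : 0` on the data source and `organization_id = var.enable_organization ? data.aws_organizations_organization.org[0].id : null` for the local. Either way a comment on the data source, `# requires the deploying account to be an AWS Organizations member; feeds the aws:PrincipalOrgId conditions in s3.tf`, would record the new requirement.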
diff --git a/org-logging/cloudtrail.tf b/org-logging/role.tf
similarity index 100%
rename from org-logging/cloudtrail.tf
rename to org-logging/role.tf
diff --git a/org-logging/s3.tf b/org-logging/s3.tf
index efb42dc..63a86cd 100644
--- a/org-logging/s3.tf
+++ b/org-logging/s3.tf
@@ -1,7 +1,10 @@
resource "aws_s3_bucket" "this" {
- bucket = local.bucket_name
- # acl = "private"
- force_destroy = false
+ bucket = local.bucket_name
+ force_destroy = var.force_destroy
+
+ lifecycle {
+ prevent_destroy = false
+ }
tags = merge(
local.base_tags,
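Review bot: `force_destroy = var.force_destroy` replaces the hard-coded `false`, so a `terraform destroy` or a bucket replacement can now purge a populated log bucket; whether that is safe depends on the default of `var.force_destroy`, which is not in this diff. The explicit `prevent_destroy = false` is the provider default and was not set before, so it changes nothing but reads as a deliberate decision to drop a safeguard — either document the reason or leave it out. Suggested comment on the resource: `# force_destroy empties the bucket on destroy; keep var.force_destroy false wherever logs must be retained`.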
@@ -17,9 +20,11 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
kms_master_key_id = var.kms_key_arn
sse_algorithm = "aws:kms"
}
+ bucket_key_enabled = true
}
}
+
resource "aws_s3_bucket_logging" "this" {
bucket = aws_s3_bucket.this.id
target_bucket = var.access_log_bucket
@@ -29,7 +34,8 @@ resource "aws_s3_bucket_logging" "this" {
resource "aws_s3_bucket_acl" "this" {
count = 0
bucket = aws_s3_bucket.this.id
- acl = "private"
+ # acl = "private"
+ acl = "log-delivery-write"
}
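Review bot: The ACL change has no effect because the resource keeps `count = 0`, so switching to `log-delivery-write` and leaving `# acl = "private"` commented above it only adds dead configuration. `log-delivery-write` is the grant for a bucket that receives S3 access logs, while `aws_s3_bucket_logging.this` in the hunk above sends this bucket's access logs elsewhere, so the value looks misplaced as well — hedged, since the ownership-controls setting that decides whether ACLs apply is outside this hunk. Either remove the resource and the commented line, or replace the stale value with a comment stating why it is disabled, e.g. `# disabled: ACLs are not used on this bucket, see aws_s3_bucket_ownership_controls.this`.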
resource "aws_s3_bucket_ownership_controls" "this" {
@@ -40,6 +46,14 @@ resource "aws_s3_bucket_ownership_controls" "this" {
}
}
+# no versioning on logs
+resource "aws_s3_bucket_versioning" "this" {
+ bucket = aws_s3_bucket.this.id
+ versioning_configuration {
+ status = "Suspended"
+ }
+}
+
#---
# bucket policy (apply also encryption key usage here?)
# deny unencrypted uploads policy statement removed for default encryption
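Review bot: `# no versioning on logs` states what the block does but not why; on an audit-log bucket versioning is a common integrity control against overwrite and deletion, so the rationale (cost, immutability enforced elsewhere, lifecycle policy) belongs in the comment. The provider's documentation reserves `Disabled` for buckets that were never versioned and `Suspended` for buckets that once were, so it is worth confirming that `Suspended` applies cleanly on a freshly created bucket before relying on it. Suggested comment: `# versioning intentionally off: <reason>; "Suspended" chosen because <never-versioned vs previously-versioned>`.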
@@ -48,12 +62,17 @@ data "aws_iam_policy_document" "bucket_policy" {
statement {
sid = "AWSLoggingAclCheck"
effect = "Allow"
- actions = ["s3:GetBucketAcl"]
+ actions = ["s3:GetBucketAcl", "s3:ListBucket"]
principals {
type = "Service"
identifiers = ["logging.amazonaws.com"]
}
resources = [aws_s3_bucket.this.arn]
+ condition {
+ test = "StringEquals"
+ variable = "aws:PrincipalOrgId"
+ values = [local.organization_id]
+ }
}
statement {
sid = "AWSLoggingWrite"
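Review bot: The new `aws:PrincipalOrgId` condition is attached to a statement whose principal is the `logging.amazonaws.com` service principal; as far as I know that key is only present in the request context when the caller is an IAM principal belonging to an organization, so for a service principal the key is absent, `StringEquals` evaluates false, and this Allow — and the matching one added to the `AWSLoggingWrite` statement in the next hunk — would never grant access, breaking log delivery. The confused-deputy controls AWS documents for service principals are `aws:SourceAccount`, `aws:SourceArn` and `aws:SourceOrgID`, which describe the resource on whose behalf the service acts. Suggested replacement for both conditions: `variable = "aws:SourceOrgID"` with `values = [local.organization_id]`, verified with an actual delivery before merging. The `bucket_policy` data block continues outside the hunk.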
@@ -63,13 +82,19 @@ data "aws_iam_policy_document" "bucket_policy" {
type = "Service"
identifiers = ["logging.amazonaws.com"]
}
- resources = [format("%v/%v/*", aws_s3_bucket.this.arn, var.logging_bucket_prefix)]
+ resources = [format("%v/*", aws_s3_bucket.this.arn)]
condition {
test = "StringEquals"
variable = "s3:x-amz-acl"
values = ["bucket-owner-full-control"]
}
+ condition {
+ test = "StringEquals"
+ variable = "aws:PrincipalOrgId"
+ values = [data.organization_id]
+ }
}
+ # key access
}
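Review bot: `values = [data.organization_id]` is not a valid reference — a `data.` reference needs a resource type and name (`data.aws_organizations_organization.org.id`), and the sibling statement in the previous hunk already uses `local.organization_id`, so `terraform validate` should reject this file as written; change it to `values = [local.organization_id]`. Separately, `resources = [format("%v/*", aws_s3_bucket.this.arn)]` drops the `var.logging_bucket_prefix` scoping, so the logging service may now write anywhere in the bucket instead of only under the intended prefix; if the prefix is genuinely no longer used that is fine, but the widened grant deserves a comment such as `# whole-bucket write: prefix scoping removed because <reason>`. The trailing `# key access` comment is a stub — add the intended statement or remove it.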
#---
@@ -102,4 +127,3 @@ resource "null_resource" "policy_delay" {
command = "sleep 180"
}
}
-
diff --git a/org-logging/s3.tf2 b/org-logging/s3.tf2
deleted file mode 100644
index b537e45..0000000
--- a/org-logging/s3.tf2
+++ /dev/null
@@ -1,57 +0,0 @@
-#---
-# s3
-#---
-resource "aws_s3_bucket" "logging" {
- bucket = local.bucket_name
- acl = "private"
-
- server_side_encryption_logginguration {
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = aws_kms_key.logging_key.arn
- sse_algorithm = "aws:kms"
- }
- }
- }
-
- versioning {
- enabled = false
- }
-
- logging {
- target_bucket = aws_s3_bucket.logs.id
- target_prefix = "s3/{local.logging_bucket}/"
- }
-
- lifecycle {
- prevent_destroy = true
- ignore_changes = [tags["boc:tf_module_version"]]
- }
-
- # probably want some migration of old data to some other location
- # like glacier
-
- tags = merge(
- var.tags,
- local.base_tags,
- lookup(var.component_tags, "s3", {}),
- map("Name", local.bucket_name),
- )
-
- provisioner "local-exec" {
- command = "sleep 30"
- }
-}
-
-resource "aws_s3_bucket_public_access_block" "logging" {
- bucket = aws_s3_bucket.logging.id
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_policy" "logging" {
- bucket = aws_s3_bucket.logging.id
- policy = data.aws_iam_policy_document.logging_s3.json
-}