update readme

terraform-modules · Nov 26, 2021 · 6b398bd · 6b398bd
1 parent 98eb072
commit 6b398bd
Show file tree

Hide file tree

Showing 10 changed files with 329 additions and 40 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -129,4 +129,6 @@
 
 * v1.14.0 -- 20211115
   - cloudtrail-key
-    - create module to setup a KMS ke per region for cloudtrail
+    - create module to setup a KMS key per region for cloudtrail
+  - cloudtrail
+    - create module to setup needed resources for cloudtrail, cloudwatch logs, sns, sqs, and splunk
diff --git a/README.md b/README.md
@@ -29,8 +29,23 @@ This sets the SES domain of the form `{account_id}.aws.mail.census.gov`. At this
 so be sure run it in the west region for govcloud.
 
 ### object-logging
-### cloudtrail
-### config
+
+This is in its own module [aws-setup-s3-object-logging](https://github.e.it.census.gov/terraform-modules/aws-setup-s3-object-logging).
+
+### [cloudtrail-key](cloudtrail-key)
+
+This creates a KMS key (region specific) for use by CloudTrail and all its resources (Cloudwatch Log, SNS, SQS, S3).
+
+### [cloudtrail](cloudtrail)
+
+This creates a CloudTrail (region specific) and supporing resources Cloudwatch Log, SNS, SQS, S3. It requires a KMS
+key created specifically for this, from [cloudtrail-key](cloudtrail-key) above.  It also creates Splunk input
+configuration files.
+
+### [config](config)
+
+This creates the Config setup, a few Config Rules, SNS and SQS and Splunk input configurations files.
+
 ### gpg-key
 
 ## Submodules :: Common

diff --git a/cloudtrail-key/README.md b/cloudtrail-key/README.md
@@ -47,13 +47,16 @@ module "cloudtrail_key_full" {
 
 ## Requirements
 
-No requirements.
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.66.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
 
 ## Modules
 

diff --git a/cloudtrail-key/versions.tf b/cloudtrail-key/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.66.0"
+    }
+    #    ldap = {
+    #      source  = "trevex/ldap"
+    #      version = ">= 0.5.4"
+    #    }
+  }
+  required_version = ">= 0.12"
+  #  required_version = ">= 0.13"
+}
diff --git a/cloudtrail/README.md b/cloudtrail/README.md
@@ -5,48 +5,129 @@ cloudwatch log groups, and associated permissions.  It also generates a splunk c
 for pulling cloudtrail events.
 
 * S3 bucket
-* S3 bucket policy
+* SNS Topic
+* SQS Queue (and Deadletter queue)
+* Cloudwatch Log
+* setup/*.conf files for Splunk
+  * inputs.{name}.{account}.{region}.conf
 
-# Usage
-Here is a simple example, the one most commonly expected to be used.
+Once setup, the gnerated Splunk configuration files can be provided to the Splunk team for ingesting
+as CloudTrail.
+
+## Usage: Simple
+
+This siomple configuration is how it will typically be deployed.
 
 ```hcl
+module "cloudtrail_key" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key"
+
+  tags = local.common_tags
+}
+
 module "cloudtrail" {
   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail"
 
-  # account_alias         = "do2-govcloud"
-  name = "mycloudtrail"
-  access_log_bucket = "myaccesslogbucket"
-  kms_key_management_identifiers = [ "arn:aws:iam::079788916859:role/r-inf-cloud-admin" ]
+  account_alias     = var.account_alias
+  access_log_bucket = module.logs.bucket_id
+  kms_key_arn       = module.cloudtrail_key.kms_key_arn
+
+  enable_sns = true
+  enable_sqs = true
+
+  tags = local.common_tags
 }
 ```
 
-This one can be used if you need to customize stuff, though really, the defaults are all built
-for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in
-variable file generation.
+## Usage: Extended
+
+This shows the creation of a key with additional variables, along with a policy for key access (currently
+just a placholder), and the cloudtrail with more variables offered.
 
 ```hcl
-module "cloudtrail_full" {
+module "cloudtrail_key" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key"
+
+  name                = "mycloudtrail"
+  kms_admin_roles     = ["arn:aws:iam::079788916859:role/r-inf-cloud-admin"]
+  kms_policy_document = data.aws_iam_policy_document.myct_policy.json
 
-  # logs is generally not needed and not recommended
-  component_tags        = {
-    "s3" = {
+  tags = {
+    Environment = "csvd:infrastructure"
+  }
+
+  component_tags = {
+    "kms" = {
       "SpecialTag1" = "something"
       "SpecialTag2" = "somethingElse"
     }
   }
 }
+
+data "aws_iam_policy_document" "myct_policy" {}
+
+module "cloudtrail" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail"
+
+  name              = "mycloudtrail"
+  account_alias     = var.account_alias
+  access_log_bucket = module.logs.bucket_id
+  kms_key_arn       = module.cloudtrail_key.kms_key_arn
+
+  enable_organization = false
+  enable_sns          = true
+  enable_sqs          = true
+
+  tags = merge(
+    local.common_tags,
+    tomap({ Environment = "csvd:infrastructure" }),
+  )
+}
+```hcl
+
+## Usage: Organization Cloudtrail
+
+This can be used for creation of an organization cloud trail.  It is only applicable to the master
+account of the organization, so you won't see this one used very often.
+
+```hcl
+data "aws_organizations_organization" "org" {}
+
+module "org_cloudtrail_key" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key"
+
+  name = "org-cloudtrail"
+  tags = local.common_tags
+}
+
+module "org_cloudtrail" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail"
+
+  account_alias       = var.account_alias
+  enable_organization = true
+  access_log_bucket   = module.logs.bucket_id
+  kms_key_arn         = module.org_cloudtrail_key.kms_key_arn
+  organization_id     = data.aws_organizations_organization.org.id
+
+  enable_sns = true
+  enable_sqs = true
+
+  tags = local.common_tags
+}
 ```
 
 ## Requirements
 
-No requirements.
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.66.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
 | <a name="provider_null"></a> [null](#provider\_null) | n/a |
 | <a name="provider_random"></a> [random](#provider\_random) | n/a |
 | <a name="provider_template"></a> [template](#provider\_template) | n/a |

diff --git a/cloudtrail/main.tf b/cloudtrail/main.tf
@@ -4,39 +4,118 @@
 * This set up the needed components for cloudtrail in a region: S3, KMS key, SNS, SQS, cloudtrail, 
 * cloudwatch log groups, and associated permissions.  It also generates a splunk configuration to be used
 * for pulling cloudtrail events.
-* 
+*
 * * S3 bucket
-* * S3 bucket policy
+* * SNS Topic
+* * SQS Queue (and Deadletter queue)
+* * Cloudwatch Log
+* * setup/*.conf files for Splunk
+*   * inputs.{name}.{account}.{region}.conf
 * 
-* # Usage
-* Here is a simple example, the one most commonly expected to be used.
+* Once setup, the gnerated Splunk configuration files can be provided to the Splunk team for ingesting
+* as CloudTrail.
 *
+* ## Usage: Simple
+* 
+* This siomple configuration is how it will typically be deployed.
+* 
 * ```hcl
+* module "cloudtrail_key" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key"
+* 
+*   tags = local.common_tags
+* }
+* 
 * module "cloudtrail" {
 *   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail"
-*
-*   # account_alias         = "do2-govcloud"
-*   name = "mycloudtrail"
-*   access_log_bucket = "myaccesslogbucket"
-*   kms_key_management_identifiers = [ "arn:aws:iam::079788916859:role/r-inf-cloud-admin" ]
+* 
+*   account_alias     = var.account_alias
+*   access_log_bucket = module.logs.bucket_id
+*   kms_key_arn       = module.cloudtrail_key.kms_key_arn
+* 
+*   enable_sns = true
+*   enable_sqs = true
+* 
+*   tags = local.common_tags
 * }
 * ```
-*
-* This one can be used if you need to customize stuff, though really, the defaults are all built 
-* for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in
-* variable file generation.
-*
+* 
+* ## Usage: Extended
+* 
+* This shows the creation of a key with additional variables, along with a policy for key access (currently
+* just a placholder), and the cloudtrail with more variables offered.
+* 
 * ```hcl
-* module "cloudtrail_full" {
-*
-*   # logs is generally not needed and not recommended
-*   component_tags        = {
-*     "s3" = {
+* module "cloudtrail_key" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key"
+* 
+*   name                = "mycloudtrail"
+*   kms_admin_roles     = ["arn:aws:iam::079788916859:role/r-inf-cloud-admin"]
+*   kms_policy_document = data.aws_iam_policy_document.myct_policy.json
+* 
+*   tags = {
+*     Environment = "csvd:infrastructure"
+*   }
+* 
+*   component_tags = {
+*     "kms" = {
 *       "SpecialTag1" = "something"
 *       "SpecialTag2" = "somethingElse"
 *     }
 *   }
 * }
+* 
+* data "aws_iam_policy_document" "myct_policy" {}
+* 
+* module "cloudtrail" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail"
+* 
+*   name              = "mycloudtrail"
+*   account_alias     = var.account_alias
+*   access_log_bucket = module.logs.bucket_id
+*   kms_key_arn       = module.cloudtrail_key.kms_key_arn
+* 
+*   enable_organization = false
+*   enable_sns          = true
+*   enable_sqs          = true
+* 
+*   tags = merge(
+*     local.common_tags,
+*     tomap({ Environment = "csvd:infrastructure" }),
+*   )
+* }
+* ```hcl
+* 
+* 
+* ## Usage: Organization Cloudtrail
+* 
+* This can be used for creation of an organization cloud trail.  It is only applicable to the master
+* account of the organization, so you won't see this one used very often.
+* 
+* ```hcl
+* data "aws_organizations_organization" "org" {}
+* 
+* module "org_cloudtrail_key" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key"
+* 
+*   name = "org-cloudtrail"
+*   tags = local.common_tags
+* }
+* 
+* module "org_cloudtrail" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail"
+* 
+*   account_alias       = var.account_alias
+*   enable_organization = true
+*   access_log_bucket   = module.logs.bucket_id
+*   kms_key_arn         = module.org_cloudtrail_key.kms_key_arn
+*   organization_id     = data.aws_organizations_organization.org.id
+* 
+*   enable_sns = true
+*   enable_sqs = true
+* 
+*   tags = local.common_tags
+* }
 * ```
 */
 
@@ -77,3 +156,5 @@ data "aws_kms_key" "incoming_key" {
 
 # data "aws_organizations_organization" "org" {}
 
+
+
diff --git a/cloudtrail/versions.tf b/cloudtrail/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.66.0"
+    }
+    #    ldap = {
+    #      source  = "trevex/ldap"
+    #      version = ">= 0.5.4"
+    #    }
+  }
+  required_version = ">= 0.12"
+  #  required_version = ">= 0.13"
+}