add files (initial)

cloudtrail/README.md

@@ -0,0 +1,97 @@
+# aws-inf-setup :: cloudtrail
+
+This set up the needed components for cloudtrail in a region: S3, KMS key, SNS, SQS, cloudtrail,
+cloudwatch log groups, and associated permissions.  It also generates a splunk configuration to be used
+for pulling cloudtrail events.
+
+* S3 bucket
+* S3 bucket policy
+
+# Usage
+Here is a simple example, the one most commonly expected to be used.
+
+```hcl
+module "cloudtrail" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail"
+
+  # account_alias         = "do2-govcloud"
+  name = "mycloudtrail"
+  access_log_bucket = "myaccesslogbucket"
+  kms_key_management_identifiers = [ "arn:aws:iam::079788916859:role/r-inf-cloud-admin" ]
+}
+```
+
+This one can be used if you need to customize stuff, though really, the defaults are all built
+for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in
+variable file generation.
+
+```hcl
+module "cloudtrail_full" {
+
+  # logs is generally not needed and not recommended
+  component_tags        = {
+    "s3" = {
+      "SpecialTag1" = "something"
+      "SpecialTag2" = "somethingElse"
+    }
+  }
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_null"></a> [null](#provider\_null) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudtrail.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource |
+| [aws_cloudtrail.trail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource |
+| [aws_cloudwatch_log_group.inf-cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_iam_policy.cloudtrail_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_kms_key.cloudtrail_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_s3_bucket.trail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.cloudtrail_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_access_log_bucket"></a> [access\_log\_bucket](#input\_access\_log\_bucket) | Server Access Logging Bucket ID | `string` | n/a | yes |
+| <a name="input_access_log_bucket_prefix"></a> [access\_log\_bucket\_prefix](#input\_access\_log\_bucket\_prefix) | Server Access Log bucket prefix, to which the Object Logging bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no |
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_cloudtrail_bucket_prefix"></a> [cloudtrail\_bucket\_prefix](#input\_cloudtrail\_bucket\_prefix) | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"cloudtrail"` | no |
+| <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | <pre>{<br>  "ddb": {},<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
+| <a name="input_enable_sns"></a> [enable\_sns](#input\_enable\_sns) | Flag to enable or disable the creation of SNS for Cloudtrail (TBD) | `bool` | `false` | no |
+| <a name="input_enable_sqs"></a> [enable\_sqs](#input\_enable\_sqs) | Flag to enable or disable the creation of SQS attached to SNS for Cloudtrail, used for Splunk ingestion (TBD) | `bool` | `false` | no |
+| <a name="input_kms_key_management_identifiers"></a> [kms\_key\_management\_identifiers](#input\_kms\_key\_management\_identifiers) | AWS IAM ARNs (roles, groups, users) for full access to the created KMS Key for this bucket | `list(string)` | `[]` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name to apply to Cloudtrail, S3, SNS and SQS | `string` | `null` | no |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+No outputs.

cloudtrail/TODO

@@ -0,0 +1,10 @@
+- cloudtrail
+- cloudtrail key
+- cloudwatch log stream
+- s3 bucket
+- s3 bucket policy
+- iam role
+- sqs
+- sns
+
+

cloudtrail/base_tags.tf

@@ -0,0 +1 @@
+../common/base_tags.tf

cloudtrail/cloudtrail.tf.off

@@ -0,0 +1,20 @@
+
+#---
+# cloudtrail, with encryption
+#---
+resource "aws_cloudtrail" "this" {
+  name                          = local.name
+  s3_bucket_name                = aws_s3_bucket.this.id
+  s3_key_prefix                 = var.cloudtrail_bucket_prefix
+  include_global_service_events = false
+  is_multi_region_trail         = false
+  kms_key_id                    = aws_kms_key.key.arn
+  enable_log_file_validation    = true
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    { "Name" = local.name },
+  )
+  depends_on = [aws_s3_bucket_policy.policy]
+}

cloudtrail/data.policies.tf

@@ -0,0 +1,31 @@
+data "aws_iam_policy_document" "cloudtrail_s3" {
+  statement {
+    sid       = "AWSCloudTrailWrite"
+    effect    = "Allow"
+    resources = ["${aws_s3_bucket.cloudtrail.arn}/*"]
+    actions   = ["s3:PutObject"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+  }
+
+  statement {
+    sid       = "AWSCloudTrailAclCheck"
+    effect    = "Allow"
+    resources = [aws_s3_bucket.cloudtrail.arn]
+    actions   = ["s3:GetBucketAcl"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+  }
+}

cloudtrail/data.tf

@@ -0,0 +1 @@
+../common/data.tf

cloudtrail/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf

cloudtrail/edl.cloudtrail.sns.txt

@@ -0,0 +1,179 @@
+#---
+# sns: cloudtrail, one global one (us-gov-east-1)
+#---
+resource "aws_sns_topic" "cloudtrail" {
+  name         = "inf-cloudtrail"
+  display_name = "DO3MA3GC"
+}
+
+resource "aws_sns_topic_policy" "cloudtrail" {
+  arn    = aws_sns_topic.cloudtrail.arn
+  policy = data.aws_iam_policy_document.cloudtrail_topic.json
+}
+
+data "aws_iam_policy_document" "cloudtrail_topic" {
+  policy_id = "inf-cloudtrail_topic"
+
+  statement {
+    sid    = "CloudtrailSNSPermissions"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions = [
+      "sns:Subscribe",
+      "sns:SetTopicAttributes",
+      "sns:RemovePermission",
+      "sns:Receive",
+      "sns:Publish",
+      "sns:ListSubscriptionsByTopic",
+      "sns:GetTopicAttributes",
+      "sns:DeleteTopic",
+      "sns:AddPermission",
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "AWS:SourceOwner"
+      values   = [var.account_id]
+    }
+
+    resources = [aws_sns_topic.cloudtrail.arn]
+  }
+
+  statement {
+    sid    = "CloudTrailSNSPolicy"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions   = ["sns:Publish"]
+    resources = [aws_sns_topic.cloudtrail.arn]
+  }
+}
+
+
+#---
+# sqs (from splunk)
+#---
+# one per region we are using
+#---
+# cloudtrail
+#---
+resource "aws_sqs_queue" "cloudtrail_deadletter" {
+  # delay=0 retention=4d max=256k visibility=1h
+  count                      = length(var.regions)
+  name                       = "inf-cloudtrail-${var.regions[count.index]}-deadletter"
+  delay_seconds              = 0
+  max_message_size           = 262144
+  message_retention_seconds  = 345600
+  receive_wait_time_seconds  = 15
+  visibility_timeout_seconds = 3600
+
+  # disable kms, doesn't seem to work with splunk
+  #  kms_master_key_id = "alias/${var.kms_inf_key}"
+  #  kms_data_key_reuse_period_seconds = 300
+
+  tags = merge(
+    local.common_tags,
+    map("Name", "inf-cloudtrail-${var.regions[count.index]}-deadletter"),
+  )
+}
+
+resource "aws_sqs_queue_policy" "cloudtrail_deadletter" {
+  count     = length(var.regions)
+  queue_url = aws_sqs_queue.cloudtrail_deadletter[count.index].id
+  policy    = data.aws_iam_policy_document.cloudtrail_deadletter[count.index].json
+}
+
+data "aws_iam_policy_document" "cloudtrail_deadletter" {
+  count     = length(var.regions)
+  policy_id = "SQSDefaultPolicy"
+
+  statement {
+    sid       = "AllowSNSSendMessage"
+    effect    = "Allow"
+    actions   = ["SQS:SendMessage"]
+    resources = [aws_sqs_queue.cloudtrail_deadletter[count.index].arn]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [aws_sns_topic.cloudtrail.arn]
+    }
+  }
+}
+
+resource "aws_sqs_queue" "cloudtrail" {
+  # delay=0 retention=7d max=256k visibity=2h
+  count                      = length(var.regions)
+  name                       = "inf-cloudtrail-${var.regions[count.index]}"
+  delay_seconds              = 0
+  max_message_size           = 262144
+  message_retention_seconds  = 604800
+  receive_wait_time_seconds  = 15
+  visibility_timeout_seconds = 7200
+
+  redrive_policy = <<EOP
+{
+  "deadLetterTargetArn":"${aws_sqs_queue.cloudtrail_deadletter[count.index].arn}",
+  "maxReceiveCount":100
+}
+EOP
+
+  # disable kms, doesn't seem to work with splunk
+  #  kms_master_key_id = "alias/${var.kms_inf_key}"
+  #  kms_data_key_reuse_period_seconds = 300
+
+  tags = merge(
+    local.common_tags,
+    map("Name", "inf-cloudtrail-${var.regions[count.index]}"),
+  )
+}
+
+resource "aws_sqs_queue_policy" "cloudtrail_sqs" {
+  count     = length(var.regions)
+  queue_url = aws_sqs_queue.cloudtrail[count.index].id
+  policy    = data.aws_iam_policy_document.cloudtrail_sqs[count.index].json
+}
+
+data "aws_iam_policy_document" "cloudtrail_sqs" {
+  count     = length(var.regions)
+  policy_id = "SQSDefaultPolicy"
+
+  statement {
+    sid       = "AllowSNSSendMessage"
+    effect    = "Allow"
+    actions   = ["SQS:SendMessage"]
+    resources = [aws_sqs_queue.cloudtrail[count.index].arn]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [aws_sns_topic.cloudtrail.arn]
+    }
+  }
+}
+
+resource "aws_sns_topic_subscription" "cloudtrail_sqs" {
+  count     = length(var.regions)
+  protocol  = "sqs"
+  topic_arn = aws_sns_topic.cloudtrail.arn
+  endpoint  = aws_sqs_queue.cloudtrail[count.index].arn
+}