diff --git a/CHANGELOG.md b/CHANGELOG.md
index a5b2f4e..ec89428 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -122,3 +122,7 @@
 * v1.13.2 -- 20210713
 - general
 - change ip_restriction to be a dynamic condition block to also include VpcSourceIp
+
+* v1.14.0 -- 20211115
+ - cloudtrail-key
+ - create module to setup a KMS ke per region for cloudtrail
diff --git a/cloudtrail-key/README.md b/cloudtrail-key/README.md
new file mode 100644
index 0000000..ad1aabe
--- /dev/null
+++ b/cloudtrail-key/README.md
@@ -0,0 +1,95 @@
+# aws-inf-setup :: cloudtrail-keys
+
+This set up the KMS key used by Cloudtrail for the ts S3 bucket, CloudTrail, and SQS (if possible).
+
+* Cloudtrail
+* S3 bucket
+* SQS
+
+## Usage, Simple Example
+Here is a simple example, the one most commonly expected to be used.
+
+```hcl
+module "cloudtrail_key_simple" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key"
+
+ tags = {
+ Environment = "csvd:infrastructure"
+ }
+}
+```
+
+## Usage, Longer Example
+This one can be used if you need to customize stuff, though really, the defaults are all built
+for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in
+variable file generation.
+
+```hcl
+module "cloudtrail_key_full" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key"
+
+ name = "mycloudtrail"
+ kms_admin_roles = ["arn:aws:iam::079788916859:role/r-inf-cloud-admin"]
+ kms_policy_document = data.aws_iam_policy_document.myct_policy.json
+
+ tags = {
+ Environment = "csvd:infrastructure"
+ }
+
+ component_tags = {
+ "kms" = {
+ "SpecialTag1" = "something"
+ "SpecialTag2" = "somethingElse"
+ }
+ }
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kms_alias.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` |
{
"ddb": {},
"kms": {},
"s3": {}
}
| no |
+| [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no |
+| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `null` | no |
+| [name](#input\_name) | Name to apply to Cloudtrail KMS Key (default: k-inf-cloudtrail) | `string` | `null` | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [kms\_aliase\_nam](#output\_kms\_aliase\_nam) | Cloudtrail Key Alias name |
+| [kms\_key\_arn](#output\_kms\_key\_arn) | Cloudtrail Key ARN |
+| [kms\_key\_id](#output\_kms\_key\_id) | Cloudtrail Key ID |
diff --git a/cloudtrail-key/base_tags.tf b/cloudtrail-key/base_tags.tf
new file mode 100644
index 0000000..602b87a
--- /dev/null
+++ b/cloudtrail-key/base_tags.tf
@@ -0,0 +1,6 @@
+locals {
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
diff --git a/cloudtrail-key/data.tf b/cloudtrail-key/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/cloudtrail-key/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/cloudtrail-key/defaults.tf b/cloudtrail-key/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/cloudtrail-key/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/cloudtrail-key/main.tf b/cloudtrail-key/main.tf
new file mode 100644
index 0000000..088adbf
--- /dev/null
+++ b/cloudtrail-key/main.tf
@@ -0,0 +1,218 @@
+/*
+* # aws-inf-setup :: cloudtrail-keys
+*
+* This set up the KMS key used by Cloudtrail for the ts S3 bucket, CloudTrail, and SQS (if possible).
+*
+* * Cloudtrail
+* * S3 bucket
+* * SQS
+*
+* ## Usage, Simple Example
+* Here is a simple example, the one most commonly expected to be used.
+*
+* ```hcl
+* module "cloudtrail_key_simple" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key"
+*
+* tags = {
+* Environment = "csvd:infrastructure"
+* }
+* }
+* ```
+*
+* ## Usage, Longer Example
+* This one can be used if you need to customize stuff, though really, the defaults are all built
+* for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in
+* variable file generation.
+*
+* ```hcl
+* module "cloudtrail_key_full" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key"
+*
+* name = "mycloudtrail"
+* kms_admin_roles = ["arn:aws:iam::079788916859:role/r-inf-cloud-admin"]
+* kms_policy_document = data.aws_iam_policy_document.myct_policy.json
+*
+* tags = {
+* Environment = "csvd:infrastructure"
+* }
+*
+* component_tags = {
+* "kms" = {
+* "SpecialTag1" = "something"
+* "SpecialTag2" = "somethingElse"
+* }
+* }
+* }
+* ```
+*/
+
+locals {
+ # basic details about the env
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ region = data.aws_region.current.name
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ partition = data.aws_arn.current.partition
+
+ name = var.name == null ? format("%v-%v", lookup(local._defaults["cloudtrail"], "name"), local.region) : var.name
+ kms_key_name = format("k-%v", local.name)
+ kms_admin_root = [format("arn:%v:iam::%v:root", local.partition, local.account_id)]
+ kms_admin_roles = compact(concat(local.kms_admin_root, var.kms_admin_roles))
+ kms_policy_document = length(var.kms_policy_document) > 0 ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
+
+}
+
+resource "aws_kms_key" "key" {
+ description = "KMS CMK for cloudtrail"
+ enable_key_rotation = true
+ policy = data.aws_iam_policy_document.key_policy_combined.json
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ map("boc:aws:region", local.region),
+ map("Name", local.kms_key_name),
+ )
+}
+
+resource "aws_kms_alias" "key" {
+ name = "alias/${local.kms_key_name}"
+ target_key_id = aws_kms_key.key.key_id
+}
+
+data "aws_iam_policy_document" "key_policy_combined" {
+ source_policy_documents = [
+ data.aws_iam_policy_document.key.json,
+ data.aws_iam_policy_document.key_admin.json,
+ local.kms_policy_document
+ ]
+}
+
+data "aws_iam_policy_document" "key" {
+ policy_id = "Cloudtrail KMS Access"
+ statement {
+ sid = "EnableIAMUserPermissions"
+ effect = "Allow"
+ actions = ["kms:*"]
+ resources = ["*"]
+ principals {
+ type = "AWS"
+ identifiers = [local.kms_admin_root]
+ }
+ }
+ statement {
+ sid = "AllowCloudTrailEncryptLogs"
+ effect = "Allow"
+ actions = ["kms:GenerateDataKey*"]
+ resources = ["*"]
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com", "logs.amazonaws.com", "logs.${local.region}.amazonaws.com"]
+ }
+ condition {
+ test = "StringLike"
+ variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+ # values = [format("arn:%v:cloudtrail:%v:%v:trail/*",local.partition,local.region,local.account_id]
+ values = [format("arn:%v:cloudtrail:*:%v:trail/*", local.partition, local.account_id)]
+ }
+ }
+ statement {
+ sid = "AllowCloudTrailKeyActivities"
+ effect = "Allow"
+ actions = [
+ "kms:Describe*",
+ "log:AssociateKmsKey",
+ "log:DisassociateKmsKey"
+ ]
+ resources = ["*"]
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com", "logs.amazonaws.com", "logs.${local.region}.amazonaws.com"]
+ }
+ }
+ statement {
+ sid = "AllowPrincipalsDecryptLogFiles"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncryptFrom"
+ ]
+ resources = ["*"]
+ condition {
+ test = "StringEquals"
+ variable = "kms:CallerAccount"
+ values = [var.account_id]
+ }
+ condition {
+ test = "StringLike"
+ variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+ # values = [format("arn:%v:cloudtrail:%v:%v:trail/*",local.partition,local.region,local.account_id]
+ values = [format("arn:%v:cloudtrail:*:%v:trail/*", local.partition, local.account_id)]
+ }
+ }
+ statement {
+ sid = "EnableCrossAccountDecryptLogFiles"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncryptFrom"
+ ]
+ resources = ["*"]
+ condition {
+ test = "StringEquals"
+ variable = "kms:CallerAccount"
+ values = [var.account_id]
+ }
+ condition {
+ test = "StringLike"
+ variable = "kms:EncryptionContext:aws:cloudtrail:arn"
+ # values = [format("arn:%v:cloudtrail:%v:%v:trail/*",local.partition,local.region,local.account_id]
+ values = [format("arn:%v:cloudtrail:*:%v:trail/*", local.partition, local.account_id)]
+ }
+ }
+ statement {
+ sid = "AllowAliasCreationDuringSetup"
+ effect = "Allow"
+ actions = ["kms:CreateAlias"]
+ resources = ["*"]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ condition {
+ test = "StringEquals"
+ variable = "kms:CallerAccount"
+ values = [var.account_id]
+ }
+ condition {
+ test = "StringEquals"
+ variable = "kms:ViaService"
+ values = [format("ec2.%v.amazonaws.com", local.region)]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "key_admin" {
+ statement {
+ sid = "BuiltinKMSAdminRoles"
+ effect = "Allow"
+ actions = ["kms:*"]
+ resources = ["*"]
+ principals {
+ type = "AWS"
+ identifiers = local.kms_admin_roles
+ }
+ }
+}
+
+data "aws_iam_policy_document" "empty" {}
diff --git a/cloudtrail-key/outputs.tf b/cloudtrail-key/outputs.tf
new file mode 100644
index 0000000..bb73d2e
--- /dev/null
+++ b/cloudtrail-key/outputs.tf
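Review bot: `kms_policy_document = length(var.kms_policy_document) > 0 ? …` in the `locals` block is evaluated against a variable whose declared default is `null` (variables.tf in this same commit), and `length()` rejects a null argument, so the module fails to plan unless every caller sets the variable; guard it as `kms_policy_document = var.kms_policy_document != null && var.kms_policy_document != "" ? var.kms_policy_document : data.aws_iam_policy_document.empty.json`. In the `EnableIAMUserPermissions` statement `identifiers = [local.kms_admin_root]` wraps a value that is already a list, giving a list of lists where `list(string)` is expected; the `key_admin` document below uses the list directly, so this should be `identifiers = local.kms_admin_root`. `AllowPrincipalsDecryptLogFiles`, `EnableCrossAccountDecryptLogFiles` (otherwise identical to the previous statement, so it currently adds nothing) and `AllowAliasCreationDuringSetup` all condition `kms:CallerAccount` on `var.account_id`, whose default the README gives as `""`, rather than on the resolved `local.account_id` that the locals block builds for exactly this purpose; with the default the condition never matches, so in-account principals silently get no decrypt path through this key policy — `values = [local.account_id]` in all three. The `AllowCloudTrailKeyActivities` statement lists `log:AssociateKmsKey` / `log:DisassociateKmsKey`: the service prefix is `logs:`, and these are CloudWatch Logs API actions rather than KMS actions, so I would expect KMS to reject the key policy as malformed — keep only `kms:Describe*` there. `map("boc:aws:region", local.region)` in the `tags = merge(...)` call uses a function deprecated since Terraform 0.12 in favour of a literal `{ "boc:aws:region" = local.region }`; whether it still parses depends on the `required_version` pinned in `common/version.tf`, which this diff does not show.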
@@ -0,0 +1,14 @@
+output "kms_key_id" {
+ description = "Cloudtrail Key ID"
+ value = aws_kms_key.key.id
+}
+
+output "kms_key_arn" {
+ description = "Cloudtrail Key ARN"
+ value = aws_kms_key.key.arn
+}
+
+output "kms_aliase_nam" {
+ description = "Cloudtrail Key Alias name"
+ value = aws_kms_alias.key.arn
+}
diff --git a/cloudtrail-key/prefixes.tf b/cloudtrail-key/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/cloudtrail-key/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/cloudtrail-key/variables.common.tf b/cloudtrail-key/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/cloudtrail-key/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/cloudtrail-key/variables.tf b/cloudtrail-key/variables.tf
new file mode 100644
index 0000000..9f58d60
--- /dev/null
+++ b/cloudtrail-key/variables.tf
@@ -0,0 +1,23 @@
+variable "name" {
+ description = "Name to apply to Cloudtrail KMS Key (default: k-inf-cloudtrail)"
+ type = string
+ default = null
+}
+
+variable "kms_policy_document" {
+ description = "AWS KMS Key Policy Document JSON, merged with admin policy document"
+ type = string
+ default = null
+}
+
+variable "kms_admin_roles" {
+ description = "AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default."
+ type = list(string)
+ default = []
+}
+
+variable "component_tags" {
+ description = "Additional tags for Components (s3, kms, ddb)"
+ type = map(map(string))
+ default = { "s3" = {}, "kms" = {}, "ddb" = {} }
+}
diff --git a/cloudtrail-key/version.tf b/cloudtrail-key/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/cloudtrail-key/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
diff --git a/common/version.tf b/common/version.tf
index 0d97837..cf6531c 100644
--- a/common/version.tf
+++ b/common/version.tf
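Review bot: `output "kms_aliase_nam"` is described as "Cloudtrail Key Alias name" but its value is `aws_kms_alias.key.arn`, so callers reading the description get an ARN where they expect `alias/k-…`; the output name also carries two typos that the generated README then propagates. Since the module is new in this commit the name can still be fixed without breaking anyone: `output "kms_alias_name" {` with `value = aws_kms_alias.key.name`, and a separate `kms_alias_arn` output if the ARN is what the deployment code actually consumes. Regenerate the README tables after renaming.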
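Review bot: `variable "component_tags"` is declared, documented, and exercised by the `SpecialTag1` example in this commit, but nothing in `cloudtrail-key/main.tf` reads it — the `tags = merge(...)` on `aws_kms_key.key` combines only `local.base_tags`, `var.tags` and the two computed entries — so per-component tags are accepted and silently discarded. Either add `lookup(var.component_tags, "kms", {})` to that `merge(...)` in main.tf or drop the variable so the module's interface does not promise something it does not do. The README also lists `override_prefixes` as an input (it looks like it comes from the shared `variables.common.tf` symlink), yet `local.kms_key_name = format("k-%v", local.name)` hard-codes the `k-` prefix, which is the same kind of accepted-but-ignored input.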
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.13.2"
+ _module_version = "1.14.0"
 }
diff --git a/examples/cloudtrail-key/cloudtrail_key_full.tf b/examples/cloudtrail-key/cloudtrail_key_full.tf
new file mode 100644
index 0000000..a1fdd69
--- /dev/null
+++ b/examples/cloudtrail-key/cloudtrail_key_full.tf
@@ -0,0 +1,18 @@
+module "cloudtrail_key_full" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key"
+
+ name = "mycloudtrail"
+ kms_admin_roles = ["arn:aws:iam::079788916859:role/r-inf-cloud-admin"]
+ kms_policy_document = data.aws_iam_policy_document.myct_policy.json
+
+ tags = {
+ Environment = "csvd:infrastructure"
+ }
+
+ component_tags = {
+ "kms" = {
+ "SpecialTag1" = "something"
+ "SpecialTag2" = "somethingElse"
+ }
+ }
+}
diff --git a/examples/cloudtrail-key/cloudtrail_key_simple.tf b/examples/cloudtrail-key/cloudtrail_key_simple.tf
new file mode 100644
index 0000000..c5124d2
--- /dev/null
+++ b/examples/cloudtrail-key/cloudtrail_key_simple.tf
@@ -0,0 +1,7 @@
+module "cloudtrail_key_simple" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key"
+
+ tags = {
+ Environment = "csvd:infrastructure"
+ }
+}
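Review bot: `cloudtrail_key_full.tf` references `data.aws_iam_policy_document.myct_policy.json`, but no `data "aws_iam_policy_document" "myct_policy"` block exists in `examples/cloudtrail-key/` in this commit, so validating the examples directory fails on an undeclared data source. Add a minimal policy-document data source next to the module block, or drop the `kms_policy_document = …` line from the example. The same snippet is repeated in the README and in the header comment of `cloudtrail-key/main.tf`, so whichever is chosen should be mirrored there.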