- s3-flow-logs

- change encryption to AES256 from aws:kms (no default for log delivery) - update policy according to docs: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html
terraform-modules · Oct 28, 2022 · fc4c53d · fc4c53d
1 parent a2b188d
commit fc4c53d
Show file tree

Hide file tree

Showing 7 changed files with 59 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -230,3 +230,8 @@
 * 2.2.3 -- 2022-08-02
   - ldap-ou-create
     - remove bocApplicationData from attributes
+
+* 2.2.4 -- 2022-10-28
+  - s3-flow-logs
+    - change encryption to AES256 from aws:kms (no default for log delivery)
+    - update policy according to docs: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html  
diff --git a/common/data.tf b/common/data.tf
@@ -6,6 +6,10 @@ data "aws_arn" "current" {
 
 data "aws_region" "current" {}
 
+data "aws_regions" "current" {
+  all_regions = true
+}
+
 # output "caller_account_id" {
 #   value = data.aws_caller_identity.current.account_id
 # }

diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.2.3"
+  _module_version = "2.2.4"
 }
diff --git a/s3-flow-logs/README.md b/s3-flow-logs/README.md
@@ -69,6 +69,7 @@ No modules.
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.flowlogs_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
 
 ## Inputs
 

diff --git a/s3-flow-logs/kms.tf.off b/s3-flow-logs/kms.tf.off
@@ -0,0 +1,19 @@
+resource "aws_kms_key" "key" {
+  description         = "KMS CMK for flowlogs"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.key_policy_combined.json
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    {
+      "boc:aws:region" = local.region
+      Name             = local.name
+    },
+  )
+}
+
+resource "aws_kms_alias" "key" {
+  name          = "alias/${local.kms_key_name}"
+  target_key_id = aws_kms_key.key.key_id
+}
diff --git a/s3-flow-logs/main.tf b/s3-flow-logs/main.tf
@@ -42,10 +42,11 @@
 
 locals {
   account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
-  flowlogs_region     = data.aws_region.current.name
+  regions             = [for r in data.aws_regions.current : r if startswith(r, "us-")]
+  region              = data.aws_region.current.name
   account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
 
-  bucket_name = var.bucket_name != "" ? var.bucket_name : format("%v-%v-%v", var.bucket_name_prefix, local.account_id, local.flowlogs_region)
+  bucket_name = var.bucket_name != "" ? var.bucket_name : format("%v-%v-%v", var.bucket_name_prefix, local.account_id, local.region)
 
   base_tags = {
     "Organization"          = "census:aditcio:csvd"
@@ -132,8 +133,10 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "flowlogs" {
   bucket = aws_s3_bucket.flowlogs.id
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "aws:kms"
+      #      sse_algorithm = "aws:kms"
+      sse_algorithm = "AES256"
     }
+    bucket_key_enabled = true
   }
 }
 

diff --git a/s3-flow-logs/policy_data.tf b/s3-flow-logs/policy_data.tf
@@ -7,12 +7,23 @@ data "aws_iam_policy_document" "flowlogs_s3" {
       type        = "Service"
       identifiers = ["delivery.logs.amazonaws.com"]
     }
-    resources = ["${aws_s3_bucket.flowlogs.arn}/*"]
+    resources = [format("%v/*", aws_s3_bucket.flowlogs.arn)]
     condition {
       test     = "StringEquals"
       variable = "s3:x-amz-acl"
       values   = ["bucket-owner-full-control"]
     }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [local.account_id]
+    }
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      #      values   = [for r in local.regions : format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, r, local.account_id)]
+      values = [format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, local.region, local.account_id)]
+    }
   }
   statement {
     sid     = "AWSLogDeliveryAclCheck"
@@ -23,5 +34,16 @@ data "aws_iam_policy_document" "flowlogs_s3" {
       identifiers = ["delivery.logs.amazonaws.com"]
     }
     resources = [aws_s3_bucket.flowlogs.arn]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [local.account_id]
+    }
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      #      values   = [for r in local.regions : format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, r, local.account_id)]
+      values = [format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, local.region, local.account_id)]
+    }
   }
 }