v1.4.0: add cloudtrail-key, cloudtrail submodules

.pre-commit-config.yaml

@@ -8,8 +8,11 @@ repos:
       args: ['table']
       exclude: common/*.tf
       exclude: version.tf
+      exclude: examples
     - id: terraform_tflint 
       args:  [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]
+      exclude: cloudtrail_orig
+      exclude: examples
 - repo: https://github.com/pre-commit/pre-commit-hooks
   rev: v4.0.1
   hooks:

CHANGELOG.md

@@ -126,3 +126,9 @@
 * v1.13.3 -- 20211122
   - config
     - fix by commenting policy_id from sqs policies
+
+* v1.14.0 -- 20211115
+  - cloudtrail-key
+    - create module to setup a KMS key per region for cloudtrail
+  - cloudtrail
+    - create module to setup needed resources for cloudtrail, cloudwatch logs, sns, sqs, and splunk

README.md

@@ -29,8 +29,23 @@ This sets the SES domain of the form `{account_id}.aws.mail.census.gov`. At this
 so be sure run it in the west region for govcloud.
 
 ### object-logging
-### cloudtrail
-### config
+
+This is in its own module [aws-setup-s3-object-logging](https://github.e.it.census.gov/terraform-modules/aws-setup-s3-object-logging).
+
+### [cloudtrail-key](cloudtrail-key)
+
+This creates a KMS key (region specific) for use by CloudTrail and all its resources (Cloudwatch Log, SNS, SQS, S3).
+
+### [cloudtrail](cloudtrail)
+
+This creates a CloudTrail (region specific) and supporing resources Cloudwatch Log, SNS, SQS, S3. It requires a KMS
+key created specifically for this, from [cloudtrail-key](cloudtrail-key) above.  It also creates Splunk input
+configuration files.
+
+### [config](config)
+
+This creates the Config setup, a few Config Rules, SNS and SQS and Splunk input configurations files.
+
 ### gpg-key
 
 ## Submodules :: Common

cloudtrail-key/README.md

@@ -0,0 +1,99 @@
+# aws-inf-setup :: cloudtrail-keys
+
+This set up the KMS key used by Cloudtrail for the ts S3 bucket, CloudTrail, and SQS (if possible).
+
+* Cloudtrail
+* S3 bucket
+* SQS
+
+## Usage, Simple Example
+Here is a simple example, the one most commonly expected to be used.
+
+```hcl
+module "cloudtrail_key_simple" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key"
+
+  tags = {
+    Environment = "csvd:infrastructure"
+  }
+}
+```
+
+## Usage, Longer Example
+This one can be used if you need to customize stuff, though really, the defaults are all built
+for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in
+variable file generation.
+
+```hcl
+module "cloudtrail_key_full" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key"
+
+  name                = "mycloudtrail"
+  kms_admin_roles     = ["arn:aws:iam::079788916859:role/r-inf-cloud-admin"]
+  kms_policy_document = data.aws_iam_policy_document.myct_policy.json
+
+  tags = {
+    Environment = "csvd:infrastructure"
+  }
+
+  component_tags = {
+    "kms" = {
+      "SpecialTag1" = "something"
+      "SpecialTag2" = "somethingElse"
+    }
+  }
+}
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.66.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kms_alias.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_orig](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | <pre>{<br>  "ddb": {},<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
+| <a name="input_kms_admin_roles"></a> [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key.  The root user is included by default. | `list(string)` | `[]` | no |
+| <a name="input_kms_policy_document"></a> [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `null` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name to apply to Cloudtrail KMS Key (default: k-inf-cloudtrail) | `string` | `null` | no |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_kms_aliase_nam"></a> [kms\_aliase\_nam](#output\_kms\_aliase\_nam) | Cloudtrail Key Alias name |
+| <a name="output_kms_key_arn"></a> [kms\_key\_arn](#output\_kms\_key\_arn) | Cloudtrail Key ARN |
+| <a name="output_kms_key_id"></a> [kms\_key\_id](#output\_kms\_key\_id) | Cloudtrail Key ID |

cloudtrail-key/base_tags.tf

@@ -0,0 +1 @@
+../common/base_tags.tf

cloudtrail-key/data.tf

@@ -0,0 +1 @@
+../common/data.tf

cloudtrail-key/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf