Merge pull request #15 from clouddrove/CD-307
Fix module for multi-AWS-account use
anmolnagpal authored Apr 12, 2021
2 parents d7d86f7 + 6916353 commit 22f99af
Showing 6 changed files with 71 additions and 77 deletions.
39 changes: 21 additions & 18 deletions README.md
Expand Up @@ -14,7 +14,7 @@
<p align="center">

<a href="https://www.terraform.io">
<img src="https://img.shields.io/badge/Terraform-v0.12-green" alt="Terraform">
<img src="https://img.shields.io/badge/Terraform-v0.14-green" alt="Terraform">
</a>
<a href="LICENSE.md">
<img src="https://img.shields.io/badge/License-MIT-blue.svg" alt="Licence">
Expand Down Expand Up @@ -51,7 +51,7 @@ We have [*fifty plus terraform modules*][terraform_modules]. A few of them are c

This module has a few dependencies:

- [Terraform 0.13](https://learn.hashicorp.com/terraform/getting-started/install.html)
- [Terraform 0.14](https://learn.hashicorp.com/terraform/getting-started/install.html)
- [Go](https://golang.org/doc/install)
- [github.com/stretchr/testify/assert](https://github.com/stretchr/testify)
- [github.com/gruntwork-io/terratest/modules/terraform](https://github.com/gruntwork-io/terratest)
Expand All @@ -73,7 +73,7 @@ Here are some examples of how you can use this module in your inventory structur
### Individual Account
```hcl
module "cloudtrail" {
source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.12.12"
source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.14.0"
name = "trails"
application = "clouddrove"
environment = "test"
Expand All @@ -100,49 +100,52 @@ Here are some examples of how you can use this module in your inventory structur
#### Master Account
```hcl
module "cloudtrail" {
source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.12.12"
source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.14.0"
name = "trails"
application = "clouddrove"
environment = "test"
label_order = ["environment", "application", "name"]
label_order = ["environment", "name"]
enabled = true
iam_role_name = "CloudTrail-CloudWatch-Delivery-Role"
iam_role_policy_name = "CloudTrail-CloudWatch-Delivery-Policy"
account_type = "master"
key_deletion_window_in_days = 10
cloudwatch_logs_retention_in_days = 365
cloudwatch_logs_group_name = "cloudtrail-log-group"
s3_bucket_name = "logs-bucket-clouddrove"
slack_webhook = "https://hooks.slack.com/services/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Jr46llqX"
slack_channel = "testing"
EVENT_IGNORE_LIST = jsonencode(["^Describe*", "^Assume*", "^List*", "^Get*", "^Decrypt*", "^Lookup*", "^BatchGet*", "^CreateLogStream$", "^RenewRole$", "^REST.GET.OBJECT_LOCK_CONFIGURATION$", "TestEventPattern", "TestScheduleExpression", "CreateNetworkInterface", "ValidateTemplate"])
EVENT_ALERT_LIST = jsonencode(["DetachRolePolicy", "ConsoleLogin"])
USER_IGNORE_LIST = jsonencode(["^awslambda_*", "^aws-batch$", "^bamboo*", "^i-*", "^[0-9]*$", "^ecs-service-scheduler$", "^AutoScaling$", "^AWSCloudFormation$", "^CloudTrailBot$", "^SLRManagement$"])
SOURCE_LIST = jsonencode(["aws-sdk-go"])
additional_member_root_arn = ["arn:aws:iam::xxxxxxxxxxx:root"]
additional_member_trail = ["arn:aws:cloudtrail:*:xxxxxxxxxxx:trail/*"]
additional_member_account_id = ["xxxxxxxxxxx"]
additional_s3_account_path_arn = ["arn:aws:s3:::logs-bucket-clouddrove/AWSLogs/xxxxxxxxxxx/*"]
s3_bucket_name = "logs-bucket-cd"
secure_s3_enabled = false
s3_log_bucket_name = "logs-bucket-cd-logs"
sse_algorithm = "aws:kms"
slack_webhook = "https://hooks.slack.com/services/TEE0GHDK0F0QZ/B015frHRDBEUFHEVEG/dfdrfrefrwewqe"
slack_channel = "testing"
additional_member_root_arn = ["arn:aws:iam::xxxxxxxxxxxx:root"]
additional_member_trail = ["arn:aws:cloudtrail:*:xxxxxxxxxxxx:trail/*"]
additional_member_account_id = ["xxxxxxxxxxxx"]
additional_s3_account_path_arn = ["arn:aws:s3:::logs-bucket-clouddrove/AWSLogs/xxxxxxxxxxxx/*"]
s3_policy = data.aws_iam_policy_document.default.json
}
```

#### Member Account
```hcl
module "cloudtrail" {
source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.12.12"
source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.14.0"
name = "trails"
application = "clouddrove"
environment = "test"
label_order = ["environment", "application", "name"]
label_order = ["environment", "name"]
enabled = true
iam_role_name = "CloudTrail-cd-Delivery-Role"
iam_role_policy_name = "CloudTrail-cd-Delivery-Policy"
account_type = "member"
key_deletion_window_in_days = 10
cloudwatch_logs_retention_in_days = 365
cloudwatch_logs_group_name = "cloudtrail-log-group"
key_arn = "arn:aws:kms:eu-west-1:xxxxxxxxxxx:key/66cc5610-3b90-460b-a177-af89e119fdaa"
s3_bucket_name = "logs-bucket-clouddrove"
key_arn = "arn:aws:kms:eu-west-1:xxxxxxxxxxx:key/9f3b66a0-3a38-4ed3-ab34-5e47c7e3604b"
s3_bucket_name = "logs-bucket-cd"
s3_log_bucket_name = "logs-bucket-cd-logs"
}
```

40 changes: 21 additions & 19 deletions README.yaml
Expand Up @@ -16,15 +16,15 @@ github_repo: clouddrove/terraform-aws-cloudtrail-baseline
# Badges to display
badges:
- name: "Terraform"
image: "https://img.shields.io/badge/Terraform-v0.12-green"
image: "https://img.shields.io/badge/Terraform-v0.14-green"
url: "https://www.terraform.io"
- name: "Licence"
image: "https://img.shields.io/badge/License-MIT-blue.svg"
url: "LICENSE.md"

# description of this project
description: |-
Terraform module to create an cloudtrail resource on AWS with S3 encryption with KMS key.
Terraform module to create an cloudtrail resource on AWS with S3 and KMS key.
# extra content
include:
Expand All @@ -37,9 +37,8 @@ usage : |-
### Individual Account
```hcl
module "cloudtrail" {
source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.12.12"
source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.14.0"
name = "trails"
application = "clouddrove"
environment = "test"
label_order = ["environment", "application", "name"]
enabled = true
Expand All @@ -64,48 +63,51 @@ usage : |-
#### Master Account
```hcl
module "cloudtrail" {
source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.12.12"
source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.14.0"
name = "trails"
application = "clouddrove"
environment = "test"
label_order = ["environment", "application", "name"]
label_order = ["environment", "name"]
enabled = true
iam_role_name = "CloudTrail-CloudWatch-Delivery-Role"
iam_role_policy_name = "CloudTrail-CloudWatch-Delivery-Policy"
account_type = "master"
key_deletion_window_in_days = 10
cloudwatch_logs_retention_in_days = 365
cloudwatch_logs_group_name = "cloudtrail-log-group"
s3_bucket_name = "logs-bucket-clouddrove"
slack_webhook = "https://hooks.slack.com/services/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Jr46llqX"
slack_channel = "testing"
EVENT_IGNORE_LIST = jsonencode(["^Describe*", "^Assume*", "^List*", "^Get*", "^Decrypt*", "^Lookup*", "^BatchGet*", "^CreateLogStream$", "^RenewRole$", "^REST.GET.OBJECT_LOCK_CONFIGURATION$", "TestEventPattern", "TestScheduleExpression", "CreateNetworkInterface", "ValidateTemplate"])
EVENT_ALERT_LIST = jsonencode(["DetachRolePolicy", "ConsoleLogin"])
USER_IGNORE_LIST = jsonencode(["^awslambda_*", "^aws-batch$", "^bamboo*", "^i-*", "^[0-9]*$", "^ecs-service-scheduler$", "^AutoScaling$", "^AWSCloudFormation$", "^CloudTrailBot$", "^SLRManagement$"])
SOURCE_LIST = jsonencode(["aws-sdk-go"])
additional_member_root_arn = ["arn:aws:iam::xxxxxxxxxxx:root"]
additional_member_trail = ["arn:aws:cloudtrail:*:xxxxxxxxxxx:trail/*"]
additional_member_account_id = ["xxxxxxxxxxx"]
additional_s3_account_path_arn = ["arn:aws:s3:::logs-bucket-clouddrove/AWSLogs/xxxxxxxxxxx/*"]
s3_bucket_name = "logs-bucket-cd"
secure_s3_enabled = false
s3_log_bucket_name = "logs-bucket-cd-logs"
sse_algorithm = "aws:kms"
slack_webhook = "https://hooks.slack.com/services/TEE0GHDK0F0QZ/B015frHRDBEUFHEVEG/dfdrfrefrwewqe"
slack_channel = "testing"
additional_member_root_arn = ["arn:aws:iam::xxxxxxxxxxxx:root"]
additional_member_trail = ["arn:aws:cloudtrail:*:xxxxxxxxxxxx:trail/*"]
additional_member_account_id = ["xxxxxxxxxxxx"]
additional_s3_account_path_arn = ["arn:aws:s3:::logs-bucket-clouddrove/AWSLogs/xxxxxxxxxxxx/*"]
s3_policy = data.aws_iam_policy_document.default.json
}
```
#### Member Account
```hcl
module "cloudtrail" {
source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.12.12"
source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.14.0"
name = "trails"
application = "clouddrove"
environment = "test"
label_order = ["environment", "application", "name"]
label_order = ["environment", "name"]
enabled = true
iam_role_name = "CloudTrail-cd-Delivery-Role"
iam_role_policy_name = "CloudTrail-cd-Delivery-Policy"
account_type = "member"
key_deletion_window_in_days = 10
cloudwatch_logs_retention_in_days = 365
cloudwatch_logs_group_name = "cloudtrail-log-group"
key_arn = "arn:aws:kms:eu-west-1:xxxxxxxxxxx:key/66cc5610-3b90-460b-a177-af89e119fdaa"
s3_bucket_name = "logs-bucket-clouddrove"
key_arn = "arn:aws:kms:eu-west-1:xxxxxxxxxxx:key/9f3b66a0-3a38-4ed3-ab34-5e47c7e3604b"
s3_bucket_name = "logs-bucket-cd"
s3_log_bucket_name = "logs-bucket-cd-logs"
}
```
28 changes: 15 additions & 13 deletions _example/master/example.tf
Expand Up @@ -9,9 +9,8 @@ module "cloudtrail" {
source = "./../../"

name = "trails"
application = "clouddrove"
environment = "test"
label_order = ["environment", "application", "name"]
label_order = ["environment", "name"]

enabled = true
iam_role_name = "CloudTrail-CloudWatch-Delivery-Role"
Expand All @@ -25,13 +24,16 @@ module "cloudtrail" {
USER_IGNORE_LIST = jsonencode(["^awslambda_*", "^aws-batch$", "^bamboo*", "^i-*", "^[0-9]*$", "^ecs-service-scheduler$", "^AutoScaling$", "^AWSCloudFormation$", "^CloudTrailBot$", "^SLRManagement$"])
SOURCE_LIST = jsonencode(["aws-sdk-go"])

s3_bucket_name = "logs-bucket-clouddrove"
slack_webhook = "https://hooks.slack.com/services/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46llqX"
s3_bucket_name = "logs-bucket-cd"
secure_s3_enabled = false
s3_log_bucket_name = "logs-bucket-cd-logs"
sse_algorithm = "aws:kms"
slack_webhook = "https://hooks.slack.com/services/TEE0GHDK0F0QZ/B015frHRDBEUFHEVEG/dfdrfrefrwewqe"
slack_channel = "testing"
additional_member_root_arn = ["arn:aws:iam::xxxxxxxxxx:root"]
additional_member_trail = ["arn:aws:cloudtrail:*:xxxxxxxxxx:trail/*"]
additional_member_account_id = ["xxxxxxxxxx"]
additional_s3_account_path_arn = ["arn:aws:s3:::logs-bucket-clouddrove/AWSLogs/xxxxxxxxxx/*"]
additional_member_root_arn = ["arn:aws:iam::xxxxxxxxxxxx:root"]
additional_member_trail = ["arn:aws:cloudtrail:*:xxxxxxxxxxxx:trail/*"]
additional_member_account_id = ["xxxxxxxxxxxx"]
additional_s3_account_path_arn = ["arn:aws:s3:::logs-bucket-clouddrove/AWSLogs/xxxxxxxxxxxx/*"]
s3_policy = data.aws_iam_policy_document.default.json
}

Expand All @@ -45,10 +47,10 @@ data "aws_iam_policy_document" "default" {
}

actions = [
"s3:GetBucketAcl",
"s3:GetBucketAcl"
]

resources = ["arn:aws:s3:::logs-bucket-clouddrove"]
resources = ["arn:aws:s3:::logs-bucket-cd"]
}

statement {
Expand All @@ -60,12 +62,12 @@ data "aws_iam_policy_document" "default" {
}

actions = [
"s3:PutObject",
"s3:PutObject"
]

resources = compact(
concat(
[format("arn:aws:s3:::logs-bucket-clouddrove/AWSLogs/%s/*", data.aws_caller_identity.current.account_id)]
[format("arn:aws:s3:::logs-bucket-cd/AWSLogs/%s/*", data.aws_caller_identity.current.account_id), "arn:aws:s3:::logs-bucket-cd/AWSLogs/xxxxxxxxxxxx/*"]
)
)

Expand All @@ -74,7 +76,7 @@ data "aws_iam_policy_document" "default" {
variable = "s3:x-amz-acl"

values = [
"bucket-owner-full-control",
"bucket-owner-full-control"
]
}
}
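Review bot: The rewritten `resources = compact(concat(` list in the PutObject statement hard-codes a second member path (`"arn:aws:s3:::logs-bucket-cd/AWSLogs/xxxxxxxxxxxx/*"`) that duplicates the value already given as `additional_s3_account_path_arn` in the `module "cloudtrail"` block, and the bucket name `logs-bucket-cd` is now spelled out in three places, so the policy and the module inputs will drift apart the first time one of them is edited; hoist both into a `locals` block and reference them from the policy and the module. The `slack_webhook` literal added alongside `s3_bucket_name` is a bearer-style secret even in an example — Terraform 0.14 (the version this commit targets) supports `sensitive = true` on input variables, so the example should read it from `var.slack_webhook` rather than commit a URL. I also cannot see from this hunk whether `sse_algorithm = "aws:kms"` has any effect when `secure_s3_enabled = false`; if it only feeds the secure bucket, a one-line comment saying so would stop readers from assuming the plain bucket is KMS-encrypted. Both the `module "cloudtrail"` block and `data "aws_iam_policy_document" "default"` start outside this hunk.
```hcl
locals {
  # Single source of truth for the central log bucket and the member-account
  # paths allowed to write into it; reused by module "cloudtrail" and the policy.
  log_bucket       = "logs-bucket-cd"
  member_log_paths = ["arn:aws:s3:::logs-bucket-cd/AWSLogs/xxxxxxxxxxxx/*"]
}

# … unchanged: module "cloudtrail" block (s3_bucket_name = local.log_bucket,
#   additional_s3_account_path_arn = local.member_log_paths) …

# … unchanged: data "aws_iam_policy_document" "default", GetBucketAcl statement …
    resources = compact(
      concat(
        [format("arn:aws:s3:::%s/AWSLogs/%s/*", local.log_bucket, data.aws_caller_identity.current.account_id)],
        local.member_log_paths
      )
    )
```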
8 changes: 4 additions & 4 deletions _example/member/example.tf
Expand Up @@ -7,9 +7,8 @@ module "cloudtrail" {
source = "./../../"

name = "trails"
application = "clouddrove"
environment = "test"
label_order = ["environment", "application", "name"]
label_order = ["environment", "name"]

enabled = true
iam_role_name = "CloudTrail-cd-Delivery-Role"
Expand All @@ -18,7 +17,8 @@ module "cloudtrail" {
key_deletion_window_in_days = 10
cloudwatch_logs_retention_in_days = 365
cloudwatch_logs_group_name = "cloudtrail-log-group"
key_arn = "arn:aws:kms:eu-west-1:xxxxxxxxxx:key/341af1b8-d181-4dd1-8d7b-638dec0d925e"
key_arn = "arn:aws:kms:eu-west-1:xxxxxxxxxxx:key/9f3b66a0-3a38-4ed3-ab34-5e47c7e3604b"

s3_bucket_name = "logs-bucket-clouddrove"
s3_bucket_name = "logs-bucket-cd"
s3_log_bucket_name = "logs-bucket-cd-logs"
}
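Review bot: The new `key_arn` line still carries an 11-character account-ID placeholder (`xxxxxxxxxxx`) while every other placeholder this commit touches was normalised to 12 characters, which is what an AWS account ID has; the same 11-character form is repeated in the README.md and README.yaml member examples, so all three should read `key_arn = "arn:aws:kms:eu-west-1:xxxxxxxxxxxx:key/9f3b66a0-3a38-4ed3-ab34-5e47c7e3604b"`. A comment above it stating which account owns this key would also help, since a member trail presumably needs a key whose policy grants the member account encrypt access and that is not visible here — TODO confirm. Likewise the added `s3_log_bucket_name` suggests an access-log bucket is created in the member account; if the log bucket actually lives in the master account for `account_type = "member"`, say so next to the input. The `module "cloudtrail"` block starts outside this hunk.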
25 changes: 9 additions & 16 deletions main.tf
Expand Up @@ -10,10 +10,9 @@ data "aws_region" "current" {}
# tags for resources. You can use terraform-labels to implement a strict
# naming convention
module "labels" {
source = "git::https://github.com/clouddrove/terraform-labels.git?ref=tags/0.12.0"
source = "git::https://github.com/clouddrove/terraform-labels.git?ref=tags/0.14.0"

name = var.name
application = var.application
environment = var.environment
label_order = var.label_order
managedby = var.managedby
Expand All @@ -26,10 +25,9 @@ module "labels" {
# type specific features.

module "s3_log_bucket" {
source = "git::https://github.com/clouddrove/terraform-aws-s3.git?ref=tags/0.12.8"
source = "git::https://github.com/clouddrove/terraform-aws-s3.git?ref=tags/0.14.0"

name = var.s3_log_bucket_name
application = var.application
environment = var.environment
label_order = ["name"]
managedby = var.managedby
Expand All @@ -40,10 +38,9 @@ module "s3_log_bucket" {
}

module "s3_bucket" {
source = "git::https://github.com/clouddrove/terraform-aws-s3.git?ref=tags/0.12.8"
source = "git::https://github.com/clouddrove/terraform-aws-s3.git?ref=tags/0.14.0"

name = var.s3_bucket_name
application = var.application
environment = var.environment
label_order = ["name"]
managedby = var.managedby
Expand All @@ -60,10 +57,9 @@ module "s3_bucket" {
}

module "secure_s3_bucket" {
source = "git::https://github.com/clouddrove/terraform-aws-s3.git?ref=tags/0.12.8"
source = "git::https://github.com/clouddrove/terraform-aws-s3.git?ref=tags/0.14.0"

name = var.s3_bucket_name
application = var.application
environment = var.environment
label_order = ["name"]
managedby = var.managedby
Expand All @@ -76,7 +72,7 @@ module "secure_s3_bucket" {
force_destroy = true
sse_algorithm = var.sse_algorithm
kms_master_key_id = var.key_arn == "" ? module.kms_key.key_arn : var.key_arn
target_bucket = "aws:kms"
target_bucket = module.s3_log_bucket.id
target_prefix = "logs"
mfa_delete = var.mfa_delete
}
Expand Down Expand Up @@ -134,10 +130,9 @@ data "aws_iam_policy_document" "cloudwatch_delivery_policy" {
}

module "kms_key" {
source = "git::https://github.com/clouddrove/terraform-aws-kms.git?ref=tags/0.12.4"
source = "git::https://github.com/clouddrove/terraform-aws-kms.git?ref=tags/0.14.0"

name = var.name
application = var.application
environment = var.environment
label_order = var.label_order
managedby = var.managedby
Expand Down Expand Up @@ -348,12 +343,11 @@ locals {
#Description : Terraform module to provision an AWS CloudTrail with encrypted S3 bucket.
# This bucket is used to store CloudTrail logs.
module "cloudtrail" {
source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail.git?ref=tags/0.12.5"
source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail.git?ref=tags/0.14.0"

name = "cloudtrail"
application = var.application
environment = var.environment
label_order = ["name", "application"]
label_order = ["name", "environment"]
managedby = var.managedby
enabled_cloudtrail = var.enabled
s3_bucket_name = format("%s", var.s3_bucket_name)
Expand All @@ -368,10 +362,9 @@ module "cloudtrail" {
}

module "cloudtrail-slack-notification" {
source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-slack-notification.git?ref=tags/0.12.3"
source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-slack-notification.git?ref=tags/0.14.0"

name = "cloudtrail-slack-notification"
application = var.application
environment = var.environment
managedby = var.managedby
label_order = var.label_order
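Review bot: The corrected `target_bucket = module.s3_log_bucket.id` in `module "secure_s3_bucket"` assumes the `s3_log_bucket` module always produces a bucket, but the hunk that declares `s3_log_bucket` does not show an enable flag tied to the secure bucket; if the log bucket can be disabled independently, this expression resolves to an empty or null id and access logging for the audit bucket silently stops — worth a `# s3_log_bucket must be enabled whenever secure_s3_bucket is` comment or a shared condition, TODO confirm against the full file. The `label_order = ["name", "environment"]` on `module "cloudtrail"` is now the only module in the file that ignores `var.label_order` (`labels`, `kms_key` and `cloudtrail-slack-notification` all pass it through); if the fixed order is intentional because the trail name must be stable across accounts, a one-line comment saying so would prevent the next cleanup from "fixing" it. With `application` removed from every module call, `var.application` is presumably still declared in variables.tf and becomes a dead input; either drop it there or mark it deprecated so callers are not misled. All the module blocks in these hunks start or end outside the visible lines.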