diff --git a/_example/individual/example.tf b/_example/individual/example.tf
index 7f65cb8..31a7a4d 100644
--- a/_example/individual/example.tf
+++ b/_example/individual/example.tf
@@ -9,10 +9,9 @@ module "cloudtrail" {
   name = "trails"
   environment = "test"
-  label_order = ["environment", "application", "name"]
+  label_order = ["environment", "name"]
   enabled = true
-  secure_s3_enabled = false
   iam_role_name = "CloudTrail-CloudWatch-Delivery-Role"
   iam_role_policy_name = "CloudTrail-CloudWatch-Delivery-Policy"
   account_type = "individual"
diff --git a/_example/individual/outputs.tf b/_example/individual/outputs.tf
index 16b1a0a..4517e20 100644
--- a/_example/individual/outputs.tf
+++ b/_example/individual/outputs.tf
@@ -3,10 +3,10 @@ output "cloudtrail_arn" {
   description = "The Amazon Resource Name of the trail"
 }
-output "kms_arn" {
-  value = module.cloudtrail[*].kms_arn
-  description = "The Amazon Resource Name of the kms"
-}
+#output "kms_arn" {
+#  value = module.cloudtrail[*].kms_arn
+#  description = "The Amazon Resource Name of the kms"
+#}
 output "tags" {
   value = module.cloudtrail.tags
diff --git a/_example/master/example.tf b/_example/master/example.tf
index 10b2e3a..54c008e 100644
--- a/_example/master/example.tf
+++ b/_example/master/example.tf
@@ -18,7 +18,6 @@ module "cloudtrail" {
   USER_IGNORE_LIST = jsonencode(["^awslambda_*", "^aws-batch$", "^bamboo*", "^i-*", "^[0-9]*$", "^ecs-service-scheduler$", "^AutoScaling$", "^AWSCloudFormation$", "^CloudTrailBot$", "^SLRManagement$"])
   SOURCE_LIST = jsonencode(["aws-sdk-go"])
   s3_bucket_name = "test-cloudtrail-bucket"
-  secure_s3_enabled = false
   s3_log_bucket_name = "test-clouddtrail-logs"
   sse_algorithm = "aws:kms"
   additional_member_root_arn = ["arn:aws:iam::xxxxxxxxxxxx:root"]
diff --git a/_example/master/outputs.tf b/_example/master/outputs.tf
index 16b1a0a..a9ca449 100644
--- a/_example/master/outputs.tf
+++ b/_example/master/outputs.tf
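Review bot: The `kms_arn` output in `_example/individual/outputs.tf` is only commented out, while the same output is deleted outright in the `_example/master/outputs.tf` hunk and the root `outputs.tf` hunk in this commit; the four `#output "kms_arn"` lines should be removed rather than kept as dead code. With the root module no longer exporting `kms_arn`, uncommenting them later would fail at plan time with an unsupported attribute error, so the commented block cannot serve as a working reference.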
@@ -3,11 +3,6 @@ output "cloudtrail_arn" {
   description = "The Amazon Resource Name of the trail"
 }
-output "kms_arn" {
-  value = module.cloudtrail[*].kms_arn
-  description = "The Amazon Resource Name of the kms"
-}
-
 output "tags" {
   value = module.cloudtrail.tags
   description = "A mapping of tags to assign to the Cloudtrail."
diff --git a/_example/member/example.tf b/_example/member/example.tf
index 0268ec8..143858b 100644
--- a/_example/member/example.tf
+++ b/_example/member/example.tf
@@ -2,6 +2,7 @@ provider "aws" {
   region = "eu-west-1"
 }
+data "aws_caller_identity" "current" {}
 module "cloudtrail" {
   source = "./../../"
@@ -20,4 +21,50 @@ module "cloudtrail" {
   s3_bucket_name = "logs-bucket-cd"
   s3_log_bucket_name = "logs-bucket-cd-logs"
+  s3_policy = data.aws_iam_policy_document.default.json
+}
+
+data "aws_iam_policy_document" "default" {
+  statement {
+    sid = "AWSCloudTrailAclCheck"
+
+    principals {
+      type = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions = [
+      "s3:GetBucketAcl",
+    ]
+
+    resources = ["arn:aws:s3:::logs-bucket-clouddrove"]
+  }
+
+  statement {
+    sid = "AWSCloudTrailWrite"
+
+    principals {
+      type = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions = [
+      "s3:PutObject",
+    ]
+
+    resources = compact(
+      concat(
+        [format("arn:aws:s3:::logs-bucket-clouddrove/AWSLogs/%s/*", data.aws_caller_identity.current.account_id)]
+      )
+    )
+
+    condition {
+      test = "StringEquals"
+      variable = "s3:x-amz-acl"
+
+      values = [
+        "bucket-owner-full-control",
+      ]
+    }
+  }
 }
diff --git a/main.tf b/main.tf
index cfca0d4..3df6c89 100644
--- a/main.tf
+++ b/main.tf
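Review bot: Both `resources` entries in the new `aws_iam_policy_document` point at `arn:aws:s3:::logs-bucket-clouddrove`, but the module call this document is attached to (via `s3_policy`) sets `s3_bucket_name = "logs-bucket-cd"`, so the ACL-check and write statements name a bucket other than the one the policy is applied to; S3 rejects a bucket policy whose resources do not match the bucket, and the trail would not be able to deliver. Derive both ARNs from the same value as `s3_bucket_name` — for example a `locals` entry reused in `s3_bucket_name` and in `resources = ["arn:aws:s3:::${local.bucket_name}"]` — rather than a second hard-coded name; how the root module's labels transform the name is outside this hunk, so confirm the final bucket name first. Separately, neither statement carries an `aws:SourceArn` condition, which is the control that stops other accounts' trails from writing into this bucket; adding `condition { test = "StringEquals" variable = "aws:SourceArn" values = [<trail ARN placeholder>] }` to both statements is worth doing once the trail ARN can be referenced without creating a cycle through the module input. The `compact(concat([...]))` wrapper around a single-element list adds nothing and can be reduced to `resources = [format(...)]`.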
@@ -5,21 +5,18 @@ data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
-#Module : Label
-#Description : This terraform module is designed to generate consistent label names and
-# tags for resources. You can use terraform-labels to implement a strict
-# naming convention
+##-----------------------------------------------------------------------------
+## Labels module callled that will be used for naming and tags.
+##-----------------------------------------------------------------------------
 module "labels" {
-  source = "git::https://github.com/clouddrove/terraform-labels.git?ref=tags/0.15.0"
-
+  source = "clouddrove/labels/aws"
+  version = "1.3.0"
   name = var.name
   environment = var.environment
-  label_order = var.label_order
   managedby = var.managedby
-  enabled = var.enabled
+  label_order = var.label_order
 }
-
 # Module : S3 BUCKET
 # Description : Terraform module to create default S3 bucket with logging and encryption
 # type specific features.
@@ -27,14 +24,12 @@ module "labels" {
 module "s3_log_bucket" {
   source = "git::https://github.com/clouddrove/terraform-aws-s3.git?ref=tags/2.0.0"
-  name = var.s3_log_bucket_name
-  environment = var.environment
-  label_order = ["name"]
-  managedby = var.managedby
-  create_bucket = local.is_cloudtrail_enabled
-  bucket_enabled = var.enabled
-  versioning = true
-  acl = "private"
+  name = var.s3_log_bucket_name
+  environment = var.environment
+  label_order = ["name"]
+  managedby = var.managedby
+  versioning = true
+  acl = "private"
 }
 module "s3_bucket" {
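Review bot: The replacement header comment `## Labels module callled that will be used for naming and tags.` misspells "called", and the hunk silently drops `enabled = var.enabled` from the `labels` module call; since the `variables.tf` hunk in this commit does not remove `var.enabled` and the examples still pass `enabled = true`, a reader will assume labels are still gated by it. Suggested line: `## Labels module (clouddrove/labels/aws); its outputs feed naming and tags for every resource below.`, plus a one-line note that the module is no longer conditioned on `var.enabled` if that is intended.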
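Review bot: Removing `create_bucket = local.is_cloudtrail_enabled` and `bucket_enabled = var.enabled` from `s3_log_bucket` makes the log bucket unconditional: the s3 module source stays at `ref=tags/2.0.0` in the context line, so these inputs were presumably still accepted and the change is behavioural, not a compatibility fix. A caller that sets `enabled = false` (the input the examples still pass) will now get a versioned, private bucket created anyway, and the same gating is dropped from `secure_s3_bucket` in the following `main.tf` hunk. If the intent is to always create the buckets, say so in the description and the variable docs; otherwise restore `create_bucket = local.is_cloudtrail_enabled` on both module calls. The `locals` block that defines `is_cloudtrail_enabled` is outside these hunks, so confirm it still exists.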
@@ -51,28 +46,24 @@ module "s3_bucket" {
   force_destroy = true
   target_bucket = module.s3_log_bucket.id
   target_prefix = "logs"
-  mfa_delete = var.mfa_delete
 }
 module "secure_s3_bucket" {
   source = "git::https://github.com/clouddrove/terraform-aws-s3.git?ref=tags/2.0.0"
-  name = var.s3_bucket_name
-  environment = var.environment
-  label_order = ["name"]
-  managedby = var.managedby
-  create_bucket = local.is_cloudtrail_enabled && var.secure_s3_enabled
-  bucket_logging_encryption_enabled = var.enabled && var.secure_s3_enabled
-  versioning = true
-  acl = "private"
-  bucket_policy = true
-  aws_iam_policy_document = var.s3_policy
-  force_destroy = true
-  sse_algorithm = var.sse_algorithm
-  kms_master_key_id = var.key_arn == "" ? module.kms_key.key_arn : var.key_arn
-  target_bucket = module.s3_log_bucket.id
-  target_prefix = "logs"
-  mfa_delete = var.mfa_delete
+  name = var.s3_bucket_name
+  environment = var.environment
+  label_order = ["name"]
+  managedby = var.managedby
+  versioning = true
+  acl = "private"
+  bucket_policy = true
+  aws_iam_policy_document = var.s3_policy
+  force_destroy = true
+  sse_algorithm = var.sse_algorithm
+  kms_master_key_id = var.key_arn == "" ? module.kms_key.key_arn : var.key_arn
+  target_bucket = module.s3_log_bucket.id
+  target_prefix = "logs"
 }
 #Module : AWS_CLOUDWATCH_LOG_GROUP
@@ -340,7 +331,8 @@ locals {
 #Description : Terraform module to provision an AWS CloudTrail with encrypted S3 bucket.
 # This bucket is used to store CloudTrail logs.
 module "cloudtrail" {
-  source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail.git?ref=tags/1.4.0"
+  source = "clouddrove/cloudtrail/aws"
+  version = "1.4.0"
   name = var.name
   environment = var.environment
diff --git a/outputs.tf b/outputs.tf
index 2d9dd7c..f1c196f 100644
--- a/outputs.tf
+++ b/outputs.tf
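Review bot: Dropping `mfa_delete = var.mfa_delete` from both `s3_bucket` and `secure_s3_bucket` (and the variable in the `variables.tf` hunk) removes the only control this module offered against deletion of CloudTrail log object versions; `versioning = true` is kept, but on its own it does not stop a principal with version-delete rights from purging audit history, which is exactly what these buckets exist to preserve. The s3 module source is still `ref=tags/2.0.0` in the context line, so `mfa_delete` was presumably still accepted; keep the input with its previous `false` default (`mfa_delete = var.mfa_delete`) rather than removing it, or state in the changelog that callers must rely on Object Lock or an explicit bucket-policy deny instead. This hunk also removes `create_bucket = local.is_cloudtrail_enabled && var.secure_s3_enabled` and `bucket_logging_encryption_enabled = var.enabled && var.secure_s3_enabled`, so `secure_s3_bucket` is now always created; the `s3_bucket` block's `name` line is above the hunk, so confirm the two buckets do not both resolve to the same name from `var.s3_bucket_name` with `label_order = ["name"]`.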
@@ -29,11 +29,6 @@ output "s3_arn" {
   description = "The ARN of S3 bucket."
 }
-output "kms_arn" {
-  value = module.kms_key.key_arn
-  description = "The ARN of KMS key."
-}
-
 output "tags" {
   value = module.labels.tags
   description = "A mapping of tags to assign to the resource."
diff --git a/variables.tf b/variables.tf
index fb6b968..83b980c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -30,18 +30,6 @@ variable "lambda_enabled" {
   description = "Whether to create lambda for cloudtrail logs."
 }
-variable "secure_s3_enabled" {
-  type = bool
-  default = true
-  description = "Whether to create secure s3 for cloudtrail logs."
-}
-
-variable "mfa_delete" {
-  type = bool
-  default = false
-  description = "Whether to enable mfa_delete or not."
-}
-
 variable "slack_webhook" {
   type = string
   default = ""