Merge pull request #16 from clouddrove/feature/updated_cloudtrail

[feature/updated_cloudtrail]Fix : cloudtrail IAM policy and s3 bucket policy, update the variables.
clouddrove · May 11, 2023 · a8dc58b · a8dc58b
2 parents 22f99af + c7bfa87
commit a8dc58b
Show file tree

Hide file tree

Showing 5 changed files with 166 additions and 95 deletions.
diff --git a/README.yaml b/README.yaml
@@ -71,6 +71,7 @@ usage : |-
       iam_role_name                     = "CloudTrail-CloudWatch-Delivery-Role"
       iam_role_policy_name              = "CloudTrail-CloudWatch-Delivery-Policy"
       account_type                      = "master"
+      is_organization_trail             = true      
       key_deletion_window_in_days       = 10
       cloudwatch_logs_retention_in_days = 365
       cloudwatch_logs_group_name        = "cloudtrail-log-group"

diff --git a/_example/master/example.tf b/_example/master/example.tf
@@ -1,83 +1,122 @@
 provider "aws" {
-  region = "eu-west-1"
+  region = "us-east-1"
 }
 
 data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
 
-module "cloudtrail" {
-  source = "./../../"
-
-  name        = "trails"
-  environment = "test"
-  label_order = ["environment", "name"]
-
-  enabled                           = true
-  iam_role_name                     = "CloudTrail-CloudWatch-Delivery-Role"
-  iam_role_policy_name              = "CloudTrail-CloudWatch-Delivery-Policy"
-  account_type                      = "master"
-  key_deletion_window_in_days       = 10
-  cloudwatch_logs_retention_in_days = 365
-  cloudwatch_logs_group_name        = "cloudtrail-log-group"
-  EVENT_IGNORE_LIST                 = jsonencode(["^Describe*", "^Assume*", "^List*", "^Get*", "^Decrypt*", "^Lookup*", "^BatchGet*", "^CreateLogStream$", "^RenewRole$", "^REST.GET.OBJECT_LOCK_CONFIGURATION$", "TestEventPattern", "TestScheduleExpression", "CreateNetworkInterface", "ValidateTemplate"])
-  EVENT_ALERT_LIST                  = jsonencode(["DetachRolePolicy", "ConsoleLogin"])
-  USER_IGNORE_LIST                  = jsonencode(["^awslambda_*", "^aws-batch$", "^bamboo*", "^i-*", "^[0-9]*$", "^ecs-service-scheduler$", "^AutoScaling$", "^AWSCloudFormation$", "^CloudTrailBot$", "^SLRManagement$"])
-  SOURCE_LIST                       = jsonencode(["aws-sdk-go"])
-
-  s3_bucket_name                 = "logs-bucket-cd"
-  secure_s3_enabled              = false
-  s3_log_bucket_name             = "logs-bucket-cd-logs"
-  sse_algorithm                  = "aws:kms"
-  slack_webhook                  = "https://hooks.slack.com/services/TEE0GHDK0F0QZ/B015frHRDBEUFHEVEG/dfdrfrefrwewqe"
-  slack_channel                  = "testing"
-  additional_member_root_arn     = ["arn:aws:iam::xxxxxxxxxxxx:root"]
-  additional_member_trail        = ["arn:aws:cloudtrail:*:xxxxxxxxxxxx:trail/*"]
-  additional_member_account_id   = ["xxxxxxxxxxxx"]
-  additional_s3_account_path_arn = ["arn:aws:s3:::logs-bucket-clouddrove/AWSLogs/xxxxxxxxxxxx/*"]
-  s3_policy                      = data.aws_iam_policy_document.default.json
-}
+  module "cloudtrail" {
+    source = "./../../"
+    name                              = "test-cloudtrail"
+    environment                       = "main"
+    label_order                       = ["environment", "name"]
+    enabled                           = true
+    iam_role_name                     = "CloudTrail-CloudWatch-Delivery-Role"
+    iam_role_policy_name              = "CloudTrail-CloudWatch-Delivery-Policy"
+    account_type                      = "master"
+    key_deletion_window_in_days       = 10
+    cloudwatch_logs_retention_in_days = 365
+    cloudwatch_logs_group_name        = "cloudtrail-log-group"
+    EVENT_IGNORE_LIST                 = jsonencode(["^Describe*", "^Assume*", "^List*", "^Get*", "^Decrypt*", "^Lookup*", "^BatchGet*", "^CreateLogStream$", "^RenewRole$", "^REST.GET.OBJECT_LOCK_CONFIGURATION$", "TestEventPattern", "TestScheduleExpression", "CreateNetworkInterface", "ValidateTemplate"])
+    EVENT_ALERT_LIST                  = jsonencode(["DetachRolePolicy", "ConsoleLogin"])
+    USER_IGNORE_LIST                  = jsonencode(["^awslambda_*", "^aws-batch$", "^bamboo*", "^i-*", "^[0-9]*$", "^ecs-service-scheduler$", "^AutoScaling$", "^AWSCloudFormation$", "^CloudTrailBot$", "^SLRManagement$"])
+    SOURCE_LIST                       = jsonencode(["aws-sdk-go"])
+    s3_bucket_name                    = "test-cloudtrail-bucket"
+    secure_s3_enabled                 = false
+    s3_log_bucket_name                = "test-clouddtrail-logs"
+    sse_algorithm                     = "aws:kms"
+    additional_member_root_arn        = ["arn:aws:iam::xxxxxxxxxxxx:root"]
+    additional_member_trail           = ["arn:aws:cloudtrail:*:xxxxxxxxxxxx:trail/*"]
+    additional_member_account_id      = ["xxxxxxxxxxxx"]
+    additional_s3_account_path_arn    = ["arn:aws:s3:::test-cloudtrail-bucket/AWSLogs/xxxxxxxxxxxx/*"]
+    s3_policy                         = data.aws_iam_policy_document.default.json
+  }
 
-data "aws_iam_policy_document" "default" {
-  statement {
-    sid = "AWSCloudTrailAclCheck"
 
-    principals {
-      type        = "Service"
-      identifiers = ["cloudtrail.amazonaws.com"]
-    }
+  data "aws_iam_policy_document" "default" {
+    statement {
+      sid = "AWSCloudTrailAclCheck20150319"
 
-    actions = [
-      "s3:GetBucketAcl"
-    ]
+      principals {
+        type        = "Service"
+        identifiers = ["cloudtrail.amazonaws.com"]
+      }
 
-    resources = ["arn:aws:s3:::logs-bucket-cd"]
-  }
+      actions = [
+        "s3:GetBucketAcl"
+      ]
 
-  statement {
-    sid = "AWSCloudTrailWrite"
+      resources = ["arn:aws:s3:::test-cloudtrail-bucket"]
+      condition {
+        test     = "StringEquals"
+        variable = "AWS:SourceArn"
 
-    principals {
-      type        = "Service"
-      identifiers = ["cloudtrail.amazonaws.com"]
+        values = [
+          "arn:aws:cloudtrail:us-east-1:xxxxxxxxxxxx:trail/xcheck-trails"
+        ]
+      }  
     }
+    statement {
+      sid = "AWSCloudTrailWrite20150319"
 
-    actions = [
-      "s3:PutObject"
-    ]
+      principals {
+        type        = "Service"
+        identifiers = ["cloudtrail.amazonaws.com"]
+      }
 
-    resources = compact(
-      concat(
-        [format("arn:aws:s3:::logs-bucket-cd/AWSLogs/%s/*", data.aws_caller_identity.current.account_id), "arn:aws:s3:::logs-bucket-cd/AWSLogs/xxxxxxxxxxxx/*"]
-      )
-    )
+      actions = [
+        "s3:PutObject"
+      ]
 
-    condition {
-      test     = "StringEquals"
-      variable = "s3:x-amz-acl"
+      resources =  ["arn:aws:s3:::test-cloudtrail-bucket/AWSLogs/xxxxxxxxxxxx/*"]
 
-      values = [
-        "bucket-owner-full-control"
-      ]
+      condition {
+        test     = "StringEquals"
+        variable = "s3:x-amz-acl"
+
+        values = [
+          "bucket-owner-full-control"
+        ]
+      }
+      condition {
+        test     = "StringEquals"
+        variable = "AWS:SourceArn"
+
+        values = [
+          "arn:aws:cloudtrail:us-east-1:xxxxxxxxxxxx:trail/xcheck-trails"
+        ]
+      }    
     }
+
+    statement {
+      sid = "AWSCloudTrailWrite2015031"
+
+      principals {
+        type        = "Service"
+        identifiers = ["cloudtrail.amazonaws.com"]
+      }
+
+      actions = [
+        "s3:PutObject"
+      ]
+
+      resources =  ["arn:aws:s3:::logs-bucket-cd-test/AWSLogs/<AWS_ORGANIZATION_ID>/*"]
+
+      condition {
+        test     = "StringEquals"
+        variable = "s3:x-amz-acl"
+
+        values = [
+          "bucket-owner-full-control"
+        ]
+      }
+      condition {
+        test     = "StringEquals"
+        variable = "AWS:SourceArn"
+
+        values = [
+          "arn:aws:cloudtrail:us-east-1:xxxxxxxxxxxx:trail/xcheck-trails"
+        ]
+      }    
+    }  
   }
-}
diff --git a/main.tf b/main.tf
@@ -34,7 +34,7 @@ module "s3_log_bucket" {
   create_bucket  = local.is_cloudtrail_enabled
   bucket_enabled = var.enabled
   versioning     = true
-  acl            = "log-delivery-write"
+  acl            = "private"
 }
 
 module "s3_bucket" {
@@ -47,7 +47,7 @@ module "s3_bucket" {
   create_bucket           = local.is_cloudtrail_enabled && var.secure_s3_enabled == false
   bucket_logging_enabled  = var.enabled && var.secure_s3_enabled == false
   versioning              = true
-  acl                     = "log-delivery-write"
+  acl                     = "private"
   bucket_policy           = true
   aws_iam_policy_document = var.s3_policy
   force_destroy           = true
@@ -66,7 +66,7 @@ module "secure_s3_bucket" {
   create_bucket                     = local.is_cloudtrail_enabled && var.secure_s3_enabled
   bucket_logging_encryption_enabled = var.enabled && var.secure_s3_enabled
   versioning                        = true
-  acl                               = "log-delivery-write"
+  acl                               = "private"
   bucket_policy                     = true
   aws_iam_policy_document           = var.s3_policy
   force_destroy                     = true
@@ -141,7 +141,7 @@ module "kms_key" {
   description             = "KMS key for cloudtrail"
   deletion_window_in_days = 7
   enable_key_rotation     = true
-  alias                   = "alias/cloudtrail1"
+  alias                   = "alias/cloudtrail"
   policy                  = data.aws_iam_policy_document.cloudtrail_key_policy.json
 }
 
@@ -177,11 +177,17 @@ data "aws_iam_policy_document" "cloudtrail_key_policy" {
       variable = "kms:EncryptionContext:aws:cloudtrail:arn"
       values = compact(
         concat(
-          [format("arn:aws:cloudtrail:*:%s:trail/*", data.aws_caller_identity.current.account_id)],
-          var.additional_member_trail
+          [format("arn:aws:cloudtrail:*:%s:trail/*", data.aws_caller_identity.current.account_id)]
         )
       )
     }
+    condition {
+      test     = "StringEquals"
+      variable = "AWS:SourceArn"
+      values = [
+        "arn:aws:cloudtrail:us-east-1:156873913342:trail/<trail_Name>"
+      ]
+    }    
   }
 
   statement {
@@ -210,8 +216,7 @@ data "aws_iam_policy_document" "cloudtrail_key_policy" {
       variable = "kms:CallerAccount"
       values = compact(
         concat(
-          [data.aws_caller_identity.current.account_id],
-          var.additional_member_account_id
+          [data.aws_caller_identity.current.account_id]
         )
       )
     }
@@ -245,8 +250,7 @@ data "aws_iam_policy_document" "cloudtrail_key_policy" {
       values = compact(
         concat(
           [
-          data.aws_caller_identity.current.account_id],
-          var.additional_member_account_id
+          data.aws_caller_identity.current.account_id]
         )
       )
     }
@@ -267,8 +271,7 @@ data "aws_iam_policy_document" "cloudtrail_key_policy" {
       variable = "kms:CallerAccount"
       values = compact(
         concat(
-          [data.aws_caller_identity.current.account_id],
-          var.additional_member_account_id
+          [data.aws_caller_identity.current.account_id]
         )
       )
     }
@@ -277,8 +280,7 @@ data "aws_iam_policy_document" "cloudtrail_key_policy" {
       variable = "kms:EncryptionContext:aws:cloudtrail:arn"
       values = compact(
         concat(
-          [format("arn:aws:cloudtrail:*:%s:trail/*", data.aws_caller_identity.current.account_id)],
-          var.additional_member_trail
+          [format("arn:aws:cloudtrail:*:%s:trail/*", data.aws_caller_identity.current.account_id)]
         )
       )
     }
@@ -290,17 +292,16 @@ data "aws_iam_policy_document" "cloudtrail_key_policy" {
       type = "AWS"
       identifiers = compact(
         concat(
-          [format("arn:aws:iam::%s:root", data.aws_caller_identity.current.account_id)],
-          var.additional_member_root_arn
+          [format("arn:aws:iam::%s:root", data.aws_caller_identity.current.account_id)]
         )
       )
     }
     actions = [
-      "kms:Encrypt",
-      "kms:Decrypt",
-      "kms:ReEncrypt*",
-      "kms:GenerateDataKey*",
-      "kms:DescribeKey"
+    "kms:ReEncrypt*",
+    "kms:GenerateDataKey*",
+    "kms:Encrypt",
+    "kms:DescribeKey",
+    "kms:Decrypt"
     ]
     resources = ["*"]
   }
@@ -311,8 +312,7 @@ data "aws_iam_policy_document" "cloudtrail_key_policy" {
       type = "AWS"
       identifiers = compact(
         concat(
-          [format("arn:aws:iam::%s:root", data.aws_caller_identity.current.account_id)],
-          var.additional_member_root_arn
+          [format("arn:aws:iam::%s:root", data.aws_caller_identity.current.account_id)]
         )
       )
     }
@@ -345,17 +345,17 @@ locals {
 module "cloudtrail" {
   source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail.git?ref=tags/0.14.0"
 
-  name                          = "cloudtrail"
+  name                          = var.name
   environment                   = var.environment
   label_order                   = ["name", "environment"]
   managedby                     = var.managedby
   enabled_cloudtrail            = var.enabled
   s3_bucket_name                = format("%s", var.s3_bucket_name)
-  enable_logging                = true
-  enable_log_file_validation    = true
-  include_global_service_events = true
-  is_multi_region_trail         = true
-  is_organization_trail         = false
+  enable_logging                = var.enable_logging
+  enable_log_file_validation    = var.enable_log_file_validation
+  include_global_service_events = var.include_global_service_events
+  is_multi_region_trail         = var.is_multi_region_trail
+  is_organization_trail         = var.is_organization_trail
   kms_key_id                    = var.key_arn == "" ? module.kms_key.key_arn : var.key_arn
   cloud_watch_logs_group_arn    = join("", aws_cloudwatch_log_group.cloudtrail_events.*.arn)
   cloud_watch_logs_role_arn     = join("", aws_iam_role.cloudwatch_delivery.*.arn)

diff --git a/variables.tf b/variables.tf
@@ -173,6 +173,30 @@ variable "is_organization_trail" {
   description = "Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account."
 }
 
+variable "is_multi_region_trail" {
+  type        = bool
+  default     = true
+  description = "Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account."
+}
+
+variable "include_global_service_events" {
+  type        = bool
+  default     = true
+  description = "Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account."
+}
+
+variable "enable_log_file_validation" {
+  type        = bool
+  default     = true
+  description = "Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account."
+}
+
+variable "enable_logging" {
+  type        = bool
+  default     = true
+  description = "Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account."
+}
+
 variable "account_type" {
   type        = string
   default     = "individual"

diff --git a/versions.tf b/versions.tf
@@ -1,4 +1,11 @@
 # Terraform version
 terraform {
-  required_version = ">= 0.12"
-}
+  required_version = ">= 1.3.6"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.48.0"
+    }
+  }
+}