feat: update code and tflint issue (#28)

* feat: update code and tflint issue * feat: update code and tflint issue * feat: update code and tflint issue --------- Co-authored-by: anmolnagpal <anmol@clouddrove.com>
clouddrove · Mar 11, 2024 · fb87d99 · fb87d99
1 parent d81bbe1
commit fb87d99
Show file tree

Hide file tree

Showing 8 changed files with 79 additions and 64 deletions.
diff --git a/_example/individual/example.tf b/_example/individual/example.tf
@@ -9,10 +9,9 @@ module "cloudtrail" {
 
   name        = "trails"
   environment = "test"
-  label_order = ["environment", "application", "name"]
+  label_order = ["environment", "name"]
 
   enabled                           = true
-  secure_s3_enabled                 = false
   iam_role_name                     = "CloudTrail-CloudWatch-Delivery-Role"
   iam_role_policy_name              = "CloudTrail-CloudWatch-Delivery-Policy"
   account_type                      = "individual"

diff --git a/_example/individual/outputs.tf b/_example/individual/outputs.tf
@@ -3,10 +3,10 @@ output "cloudtrail_arn" {
   description = "The Amazon Resource Name of the trail"
 }
 
-output "kms_arn" {
-  value       = module.cloudtrail[*].kms_arn
-  description = "The Amazon Resource Name of the kms"
-}
+#output "kms_arn" {
+#  value       = module.cloudtrail[*].kms_arn
+#  description = "The Amazon Resource Name of the kms"
+#}
 
 output "tags" {
   value       = module.cloudtrail.tags

diff --git a/_example/master/example.tf b/_example/master/example.tf
@@ -18,7 +18,6 @@ module "cloudtrail" {
   USER_IGNORE_LIST                  = jsonencode(["^awslambda_*", "^aws-batch$", "^bamboo*", "^i-*", "^[0-9]*$", "^ecs-service-scheduler$", "^AutoScaling$", "^AWSCloudFormation$", "^CloudTrailBot$", "^SLRManagement$"])
   SOURCE_LIST                       = jsonencode(["aws-sdk-go"])
   s3_bucket_name                    = "test-cloudtrail-bucket"
-  secure_s3_enabled                 = false
   s3_log_bucket_name                = "test-clouddtrail-logs"
   sse_algorithm                     = "aws:kms"
   additional_member_root_arn        = ["arn:aws:iam::xxxxxxxxxxxx:root"]

diff --git a/_example/master/outputs.tf b/_example/master/outputs.tf
@@ -3,11 +3,6 @@ output "cloudtrail_arn" {
   description = "The Amazon Resource Name of the trail"
 }
 
-output "kms_arn" {
-  value       = module.cloudtrail[*].kms_arn
-  description = "The Amazon Resource Name of the kms"
-}
-
 output "tags" {
   value       = module.cloudtrail.tags
   description = "A mapping of tags to assign to the Cloudtrail."

diff --git a/_example/member/example.tf b/_example/member/example.tf
@@ -2,6 +2,7 @@ provider "aws" {
   region = "eu-west-1"
 }
 
+data "aws_caller_identity" "current" {}
 
 module "cloudtrail" {
   source = "./../../"
@@ -20,4 +21,50 @@ module "cloudtrail" {
 
   s3_bucket_name     = "logs-bucket-cd"
   s3_log_bucket_name = "logs-bucket-cd-logs"
+  s3_policy          = data.aws_iam_policy_document.default.json
+}
+
+data "aws_iam_policy_document" "default" {
+  statement {
+    sid = "AWSCloudTrailAclCheck"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions = [
+      "s3:GetBucketAcl",
+    ]
+
+    resources = ["arn:aws:s3:::logs-bucket-clouddrove"]
+  }
+
+  statement {
+    sid = "AWSCloudTrailWrite"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions = [
+      "s3:PutObject",
+    ]
+
+    resources = compact(
+      concat(
+        [format("arn:aws:s3:::logs-bucket-clouddrove/AWSLogs/%s/*", data.aws_caller_identity.current.account_id)]
+      )
+    )
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+
+      values = [
+        "bucket-owner-full-control",
+      ]
+    }
+  }
 }
diff --git a/main.tf b/main.tf
@@ -5,36 +5,31 @@
 data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
 
-#Module      : Label
-#Description : This terraform module is designed to generate consistent label names and
-#              tags for resources. You can use terraform-labels to implement a strict
-#              naming convention
+##-----------------------------------------------------------------------------
+## Labels module callled that will be used for naming and tags.
+##-----------------------------------------------------------------------------
 module "labels" {
-  source = "git::https://github.com/clouddrove/terraform-labels.git?ref=tags/0.15.0"
-
+  source      = "clouddrove/labels/aws"
+  version     = "1.3.0"
   name        = var.name
   environment = var.environment
-  label_order = var.label_order
   managedby   = var.managedby
-  enabled     = var.enabled
+  label_order = var.label_order
 }
 
-
 # Module      : S3 BUCKET
 # Description : Terraform module to create default S3 bucket with logging and encryption
 #               type specific features.
 
 module "s3_log_bucket" {
   source = "git::https://github.com/clouddrove/terraform-aws-s3.git?ref=tags/2.0.0"
 
-  name           = var.s3_log_bucket_name
-  environment    = var.environment
-  label_order    = ["name"]
-  managedby      = var.managedby
-  create_bucket  = local.is_cloudtrail_enabled
-  bucket_enabled = var.enabled
-  versioning     = true
-  acl            = "private"
+  name        = var.s3_log_bucket_name
+  environment = var.environment
+  label_order = ["name"]
+  managedby   = var.managedby
+  versioning  = true
+  acl         = "private"
 }
 
 module "s3_bucket" {
@@ -51,28 +46,24 @@ module "s3_bucket" {
   force_destroy           = true
   target_bucket           = module.s3_log_bucket.id
   target_prefix           = "logs"
-  mfa_delete              = var.mfa_delete
 }
 
 module "secure_s3_bucket" {
   source = "git::https://github.com/clouddrove/terraform-aws-s3.git?ref=tags/2.0.0"
 
-  name                              = var.s3_bucket_name
-  environment                       = var.environment
-  label_order                       = ["name"]
-  managedby                         = var.managedby
-  create_bucket                     = local.is_cloudtrail_enabled && var.secure_s3_enabled
-  bucket_logging_encryption_enabled = var.enabled && var.secure_s3_enabled
-  versioning                        = true
-  acl                               = "private"
-  bucket_policy                     = true
-  aws_iam_policy_document           = var.s3_policy
-  force_destroy                     = true
-  sse_algorithm                     = var.sse_algorithm
-  kms_master_key_id                 = var.key_arn == "" ? module.kms_key.key_arn : var.key_arn
-  target_bucket                     = module.s3_log_bucket.id
-  target_prefix                     = "logs"
-  mfa_delete                        = var.mfa_delete
+  name                    = var.s3_bucket_name
+  environment             = var.environment
+  label_order             = ["name"]
+  managedby               = var.managedby
+  versioning              = true
+  acl                     = "private"
+  bucket_policy           = true
+  aws_iam_policy_document = var.s3_policy
+  force_destroy           = true
+  sse_algorithm           = var.sse_algorithm
+  kms_master_key_id       = var.key_arn == "" ? module.kms_key.key_arn : var.key_arn
+  target_bucket           = module.s3_log_bucket.id
+  target_prefix           = "logs"
 }
 
 #Module      : AWS_CLOUDWATCH_LOG_GROUP
@@ -340,7 +331,8 @@ locals {
 #Description : Terraform module to provision an AWS CloudTrail with encrypted S3 bucket.
 #              This bucket is used to store CloudTrail logs.
 module "cloudtrail" {
-  source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail.git?ref=tags/1.4.0"
+  source  = "clouddrove/cloudtrail/aws"
+  version = "1.4.0"
 
   name                          = var.name
   environment                   = var.environment

diff --git a/outputs.tf b/outputs.tf
@@ -29,11 +29,6 @@ output "s3_arn" {
   description = "The ARN of S3 bucket."
 }
 
-output "kms_arn" {
-  value       = module.kms_key.key_arn
-  description = "The ARN of KMS key."
-}
-
 output "tags" {
   value       = module.labels.tags
   description = "A mapping of tags to assign to the resource."

diff --git a/variables.tf b/variables.tf
@@ -30,18 +30,6 @@ variable "lambda_enabled" {
   description = "Whether to create lambda for cloudtrail logs."
 }
 
-variable "secure_s3_enabled" {
-  type        = bool
-  default     = true
-  description = "Whether to create secure s3 for cloudtrail logs."
-}
-
-variable "mfa_delete" {
-  type        = bool
-  default     = false
-  description = "Whether to enable mfa_delete or not."
-}
-
 variable "slack_webhook" {
   type        = string
   default     = ""