oozou/terraform-aws-cloudtrail

terraform-aws-cloudtrail

Usage

HUB Account

module "hub_cloudtrail" {
  source  = "oozou/cloudtrail/aws"
  version = "<version>"

  prefix       = "<customer_name>"
  environment  = "devops"
  account_mode = "hub"

  spoke_account_ids = [
    "<spoke_account_id_1>",
    "<spoke_account_id_2>",
    "<spoke_account_id_3>"
  ]

  event_selector = [{
    data_resource = [
      {
        type   = "AWS::S3::Object"
        values = ["arn:aws:s3:::"]
      },
      {
        type   = "AWS::Lambda::Function"
        values = ["arn:aws:lambda"]
      }
    ]
    include_management_events = true
    read_write_type           = "All"
  }]

  centralize_trail_bucket_lifecycle_rule = [
    {
      id = "TrailLogLifecyclePolicy"
      transition = [
        {
          days          = 31
          storage_class = "STANDARD_IA"
        },
        {
          days          = 366
          storage_class = "GLACIER"
        }
      ]
      expiration_days = 3660
    }
  ]

  enable_cloudwatch_log_metric_filters = ["authorization_failures"] # SELECT THE DEFAULT SETTING
  additional_cloudwatch_log_metric_filters = {
    authorization_failures = { # SAME KEY WILL OVERRIDE THE DEFAULT ONE
      comparison_operator = ">="
      threshold           = "50"
      evaluation_periods  = "1"
      period              = "300"
      pattern             = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
      alarm_actions       = []
    }
    custom_metric_filter = {
      comparison_operator = ">="
      threshold           = "10"
      evaluation_periods  = "1"
      period              = "60"
      pattern             = "<pattern>"
      alarm_actions       = ["arn:aws:sns:ap-southeast-1:557291035693:alarm"]
    }
  }

  tags = var.generics_info["custom_tags"]
}
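The authorization_failures filter above raises an alarm when the count of CloudTrail records whose errorCode ends in UnauthorizedOperation or starts with AccessDenied reaches the threshold (50) inside one 300-second period. The Python below is an added illustration, not part of the module: it emulates that metric-filter-plus-alarm evaluation over a few constructed CloudTrail records so the pattern and thresholds can be sanity-checked before they are deployed. The sample events and the simplified pattern parser (only equality terms joined by ||, which is all this pattern uses) are assumptions of the example.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Pattern copied from the module's default "authorization_failures" filter.
AUTH_FAILURE_PATTERN = (
    '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
)

# One comparison term of the form ($.field = "value"). Only this equality-with-
# wildcard subset of the CloudWatch Logs filter syntax is handled here.
_TERM_RE = re.compile(r'\(\s*\$\.(\w+)\s*=\s*"([^"]*)"\s*\)')

# Constructed CloudTrail records (not real data); all fall in the same 5-minute window.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:05Z", "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2024-05-01T10:01:10Z", "eventName": "GetObject", "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T10:02:30Z", "eventName": "AssumeRole", "errorCode": "AccessDeniedException"},
    {"eventTime": "2024-05-01T10:03:00Z", "eventName": "ListBuckets"},  # success: no errorCode
    {"eventTime": "2024-05-01T10:03:45Z", "eventName": "GetObject", "errorCode": "NoSuchKey"},
    {"eventTime": "2024-05-01T10:04:59Z", "eventName": "PutObject", "errorCode": "Unauthorized"},  # no suffix match
]


def parse_or_pattern(pattern):
    """Return the (field, glob) terms joined by || in a { ... } JSON filter pattern."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("expected a JSON filter pattern wrapped in { }")
    terms = _TERM_RE.findall(body)
    if not terms:
        raise ValueError('no ($.field = "value") terms found')
    return terms


def event_matches(event, terms):
    """True if any term matches; '*' in the value is a wildcard, as in CloudWatch Logs."""
    for field, glob in terms:
        value = event.get(field)
        if isinstance(value, str) and fnmatchcase(value, glob):
            return True
    return False


def count_per_period(events, terms, period_seconds):
    """Bucket matching events into fixed windows; returns {window_start_epoch: count}."""
    counts = Counter()
    for event in events:
        if event_matches(event, terms):
            ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            epoch = int(ts.replace(tzinfo=timezone.utc).timestamp())
            counts[epoch - epoch % period_seconds] += 1
    return dict(counts)


def alarm_state(events, pattern, period_seconds, threshold, evaluation_periods):
    """Emulate a >= alarm: ALARM when the most recent evaluation_periods windows all reach threshold."""
    counts = count_per_period(events, parse_or_pattern(pattern), period_seconds)
    if not counts:
        return "OK"
    latest = max(counts)
    windows = [latest - i * period_seconds for i in range(evaluation_periods)]
    breached = all(counts.get(w, 0) >= threshold for w in windows)
    return "ALARM" if breached else "OK"


if __name__ == "__main__":
    # Threshold 50 from the usage block vs. a threshold tuned for a quiet account.
    print("threshold 50:", alarm_state(SAMPLE_EVENTS, AUTH_FAILURE_PATTERN, 300, 50, 1))
    print("threshold 3: ", alarm_state(SAMPLE_EVENTS, AUTH_FAILURE_PATTERN, 300, 3, 1))
```

Three of the six records match (the two AccessDenied variants and the Client.UnauthorizedOperation code); "Unauthorized" on its own does not, which is why the leading and trailing wildcards in the pattern matter. With the default threshold of 50 the window stays OK, so the threshold should be sized against the account's normal denial rate rather than copied blindly.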

SPOKE Account

module "spoke_cloudtrail" {
  source  = "oozou/cloudtrail/aws"
  version = "<version>"

  prefix       = "<customer_name>"
  environment  = "dev"
  tags = {
    "Workspace" = "<workspace_name>"
  }
  account_mode = "spoke"

  centralize_trail_bucket_name = "<hub_centralize_trail_logs_bucket_name>"
  kms_key_id                   = "<hub_centralize_trail_kms_arn>"

  event_selector = [{
    data_resource = [
      {
        type   = "AWS::S3::Object"
        values = ["arn:aws:s3:::"]
      },
      {
        type   = "AWS::Lambda::Function"
        values = ["arn:aws:lambda"]
      }
    ]
    include_management_events = true
    read_write_type           = "All"
  }]
}
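In spoke mode the trail writes into the hub's bucket, so the hub bucket policy has to allow the CloudTrail service principal to put objects under each listed spoke account's AWSLogs/<account-id>/ prefix (and nothing broader). The module builds the real policy from its aws_iam_policy_document.s3_cloudtrail and force_ssl_s3_communication data sources listed under Resources; the Python below is an added illustration, not the module's code, showing the shape of such a policy and a check that the write grants cover exactly the intended accounts. Bucket name and account IDs are constructed placeholders.

```python
import json

# Constructed sample values; the module derives the real ones from prefix,
# environment and the spoke_account_ids input.
HUB_ACCOUNT_ID = "111111111111"
SPOKE_ACCOUNT_IDS = ["222222222222", "333333333333"]
BUCKET_NAME = "example-hub-centralize-trail-logs"

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"


def cloudtrail_bucket_policy(bucket, hub_account_id, spoke_account_ids):
    """Build a bucket policy for a centralized CloudTrail log bucket.

    CloudTrail writes objects under AWSLogs/<account-id>/, so granting
    s3:PutObject per account prefix keeps one spoke from writing into another
    account's path. The Deny statement plays the role of the module's
    force_ssl_s3_communication document: no plaintext S3 access.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    writers = [hub_account_id, *spoke_account_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:PutObject",
                "Resource": [f"{bucket_arn}/AWSLogs/{acct}/*" for acct in writers],
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
            {
                "Sid": "ForceSSLOnlyAccess",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def writer_accounts(policy):
    """Return the account IDs (or '*' for a wildcard grant) allowed to PutObject."""
    accounts = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a in ("s3:PutObject", "s3:*") for a in actions):
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for arn in resources:
            marker = "/AWSLogs/"
            if marker in arn:
                # The path segment right after AWSLogs/ is the account (or "*").
                accounts.add(arn.split(marker, 1)[1].split("/", 1)[0])
            elif arn.endswith("/*"):
                accounts.add("*")  # whole-bucket write grant
    return accounts


def unexpected_writers(policy, allowed_accounts):
    """Accounts (or '*') the policy lets write that are not in the allow-list."""
    return writer_accounts(policy) - set(allowed_accounts)


if __name__ == "__main__":
    policy = cloudtrail_bucket_policy(BUCKET_NAME, HUB_ACCOUNT_ID, SPOKE_ACCOUNT_IDS)
    print(json.dumps(policy, indent=2))
    print("unexpected writers:", unexpected_writers(policy, [HUB_ACCOUNT_ID, *SPOKE_ACCOUNT_IDS]))
```

The check is most useful run against the policy Terraform actually produced (for example from the plan output): a prefix of AWSLogs/* or a bare bucket/* grant shows up as "*" in the result, which means any account that can get CloudTrail to target the bucket could write into it.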

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.0 |
| aws | >= 4.0.0 |

Providers

| Name | Version |
|------|---------|
| aws | 4.23.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| alarm | oozou/cloudwatch-alarm/aws | 1.0.0 |
| centralize_log_bucket | oozou/s3/aws | 1.1.3 |
| cloudtrail_kms | oozou/kms-key/aws | 1.0.0 |

Resources

| Name | Type |
|------|------|
| aws_cloudtrail.this | resource |
| aws_cloudwatch_log_group.trail_log | resource |
| aws_cloudwatch_log_metric_filter.this | resource |
| aws_iam_policy.cloudtrail_put_log_cw | resource |
| aws_iam_role.cloudtrail_put_log_cw | resource |
| aws_caller_identity.this | data source |
| aws_iam_policy_document.force_ssl_s3_communication | data source |
| aws_iam_policy_document.kms_cloudtrail | data source |
| aws_iam_policy_document.s3_cloudtrail | data source |
| aws_region.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account_mode | Account mode for provisioning CloudTrail. If account_mode is hub, the module provisions S3, KMS and CloudTrail; if account_mode is spoke, it provisions only CloudTrail. | string | n/a | yes |
| additional_cloudwatch_log_metric_filters | (optional) Additional CloudWatch log metric filters | any | {} | no |
| centralize_trail_bucket_lifecycle_rule | List of lifecycle rules to transition the data. Leave empty to disable this feature. storage_class can be STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, or DEEP_ARCHIVE | list(object({ id = string, transition = list(object({ days = number, storage_class = string })), expiration_days = number })) | [] | no |
| centralize_trail_bucket_name | S3 bucket for long-term storage of CloudTrail logs. Leave the default if account_mode is hub; if account_mode is spoke, provide the hub's centralized S3 bucket name. | string | "" | no |
| cloudwatch_log_retention_in_days | (optional) Retention period, in days, of the trail's CloudWatch log group | number | 365 | no |
| default_alarm_actions | The list of actions to execute when an alarm transitions into an ALARM state from any other state. Each action is specified as an Amazon Resource Name (ARN). | list(string) | [] | no |
| enable_cloudwatch_log_metric_filters | (optional) List of metric filters to enable | list(string) | [] | no |
| enable_log_file_validation | Specifies whether log file integrity validation is enabled. Creates signed digests for validated contents of logs | bool | true | no |
| enable_logging | Enable logging for the trail | bool | true | no |
| environment | Environment name, used in resource names | string | n/a | yes |
| event_selector | Specifies an event selector for enabling data event logging. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#event_selector for details on this variable | list(object({ include_management_events = bool, read_write_type = string, data_resource = list(object({ type = string, values = list(string) })) })) | [] | no |
| include_global_service_events | Specifies whether the trail publishes events from global services such as IAM to the log files | bool | true | no |
| is_cloudtrail_encrypted | Whether CloudTrail encryption is enabled | bool | true | no |
| is_create_monitor_trail | Whether to create monitor trails | bool | true | no |
| is_multi_region_trail | Specifies whether the trail is created in the current region only or in all regions | bool | true | no |
| kms_key_id | The ARN of the KMS encryption key. Leave the default if account_mode is hub; if account_mode is spoke, provide the hub's centralized KMS key ARN. | string | "" | no |
| prefix | The customer prefix displayed in the AWS console and used in resource names | string | n/a | yes |
| spoke_account_ids | Spoke account IDs, used when account_mode is hub | list(string) | [] | no |
| tags | Additional tags; default tags contain {terraform=true, environment=var.environment} | map(string) | {} | no |
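S3 only accepts a lifecycle rule whose transitions are ordered by increasing days, whose Infrequent Access transitions happen no earlier than 30 days after object creation, and whose expiration comes after the last transition; Terraform forwards the centralize_trail_bucket_lifecycle_rule input as given and the error surfaces at apply time. The Python below is an added pre-apply check, not part of the module, that validates a rule list against those constraints and the storage classes the input description allows. The rule values are copied from the HUB Account usage block; the deliberately broken rule is constructed.

```python
# Storage classes accepted by the centralize_trail_bucket_lifecycle_rule input.
VALID_STORAGE_CLASSES = {"STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING", "GLACIER", "DEEP_ARCHIVE"}
# S3 rejects transitions into the Infrequent Access classes earlier than 30 days after creation.
MIN_DAYS_BEFORE_IA = 30

# The rule from the HUB Account usage block.
README_RULE = {
    "id": "TrailLogLifecyclePolicy",
    "transition": [
        {"days": 31, "storage_class": "STANDARD_IA"},
        {"days": 366, "storage_class": "GLACIER"},
    ],
    "expiration_days": 3660,
}

# Constructed counter-example that S3 would reject for three separate reasons.
BROKEN_RULE = {
    "id": "TooEager",
    "transition": [
        {"days": 7, "storage_class": "STANDARD_IA"},
        {"days": 5, "storage_class": "GLACIER"},
    ],
    "expiration_days": 3,
}


def validate_lifecycle_rule(rule):
    """Return the problems S3 would reject the rule for; an empty list means it is well-formed."""
    problems = []
    previous_days = None
    for step in rule.get("transition", []):
        days, cls = step["days"], step["storage_class"]
        if cls not in VALID_STORAGE_CLASSES:
            problems.append(f"unknown storage_class {cls!r}")
        if cls in ("STANDARD_IA", "ONEZONE_IA") and days < MIN_DAYS_BEFORE_IA:
            problems.append(f"{cls} transition at day {days} is before the {MIN_DAYS_BEFORE_IA}-day minimum")
        if previous_days is not None and days <= previous_days:
            problems.append(f"transition days must increase (day {days} follows day {previous_days})")
        previous_days = days
    expiration = rule.get("expiration_days")
    if expiration is not None and previous_days is not None and expiration <= previous_days:
        problems.append(f"expiration_days {expiration} must exceed the last transition (day {previous_days})")
    return problems


def validate_lifecycle_rules(rules):
    """Validate a whole rule list; duplicate ids are reported because S3 requires unique rule ids."""
    problems = {}
    seen = set()
    for rule in rules:
        issues = validate_lifecycle_rule(rule)
        if rule["id"] in seen:
            issues.append("duplicate rule id")
        seen.add(rule["id"])
        if issues:
            problems[rule["id"]] = issues
    return problems


if __name__ == "__main__":
    for rule_id, issues in validate_lifecycle_rules([README_RULE, BROKEN_RULE]).items():
        for issue in issues:
            print(f"{rule_id}: {issue}")
```

Feed it the same list you pass to centralize_trail_bucket_lifecycle_rule (for example exported from a tfvars file as JSON) and fix anything it reports before running terraform apply.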

Outputs

| Name | Description |
|------|-------------|
| centralize_bucket_arn | S3 bucket ARN |
| centralize_bucket_name | S3 bucket name |
| centralize_key_arn | KMS key ARN |
| centralize_key_id | KMS key ID |
| cloudtrail_arn | CloudTrail trail ARN |
| cloudtrail_id | CloudTrail trail ID |