feat: add cloudtrail module

This commit adds a simple module that can be used to configure cloudtrail.
observeinc · Jul 25, 2024 · 8628a82 · 8628a82
1 parent 3ed5b49
commit 8628a82
Show file tree

Hide file tree

Showing 7 changed files with 146 additions and 0 deletions.
diff --git a/modules/cloudtrail/cloudtrail.tf b/modules/cloudtrail/cloudtrail.tf
@@ -0,0 +1,12 @@
+resource "aws_cloudtrail" "this" {
+  name                  = var.name
+  s3_bucket_name        = aws_s3_bucket.this.id
+  s3_key_prefix         = var.s3_key_prefix
+  is_multi_region_trail = var.is_multi_region_trail
+  event_selector {
+    exclude_management_event_sources = var.exclude_management_event_sources
+  }
+
+  depends_on = [aws_s3_bucket_policy.this]
+}
+
diff --git a/modules/cloudtrail/main.tf b/modules/cloudtrail/main.tf
@@ -0,0 +1,9 @@
+locals {
+  name_prefix = "${var.name}-"
+}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_partition" "current" {}
+
+data "aws_region" "current" {}
diff --git a/modules/cloudtrail/outputs.tf b/modules/cloudtrail/outputs.tf
@@ -0,0 +1,9 @@
+output "bucket" {
+  description = "S3 Bucket containing CloudTrail records"
+  value       = aws_s3_bucket.this
+}
+
+output "topic" {
+  description = "SNS Topic containing bucket notifications"
+  value       = aws_sns_topic.this
+}
diff --git a/modules/cloudtrail/s3.tf b/modules/cloudtrail/s3.tf
@@ -0,0 +1,52 @@
+resource "aws_s3_bucket" "this" {
+  bucket_prefix = local.name_prefix
+}
+
+data "aws_iam_policy_document" "s3" {
+  statement {
+    sid    = "AWSCloudTrailAclCheck"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions   = ["s3:GetBucketAcl"]
+    resources = [aws_s3_bucket.this.arn]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceArn"
+      values   = ["arn:${data.aws_partition.current.partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.name}"]
+    }
+  }
+
+  statement {
+    sid    = "AWSCloudTrailWrite"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions   = ["s3:PutObject"]
+    resources = ["${aws_s3_bucket.this.arn}/${var.s3_key_prefix}AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceArn"
+      values   = ["arn:${data.aws_partition.current.partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.name}"]
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "this" {
+  bucket = aws_s3_bucket.this.id
+  policy = data.aws_iam_policy_document.s3.json
+}
diff --git a/modules/cloudtrail/sns.tf b/modules/cloudtrail/sns.tf
@@ -0,0 +1,29 @@
+resource "aws_sns_topic" "this" {
+  name_prefix = local.name_prefix
+}
+
+data "aws_iam_policy_document" "s3_to_sns" {
+  statement {
+    actions   = ["SNS:Publish"]
+    resources = [aws_sns_topic.this.arn]
+    principals {
+      type        = "Service"
+      identifiers = ["s3.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_sns_topic_policy" "s3_to_sns" {
+  arn    = aws_sns_topic.this.arn
+  policy = data.aws_iam_policy_document.s3_to_sns.json
+}
+
+resource "aws_s3_bucket_notification" "this" {
+  bucket = aws_s3_bucket.this.id
+  topic {
+    topic_arn = aws_sns_topic.this.arn
+    events    = ["s3:ObjectCreated:*"]
+  }
+
+  depends_on = [aws_sns_topic_policy.s3_to_sns]
+}
diff --git a/modules/cloudtrail/variables.tf b/modules/cloudtrail/variables.tf
@@ -0,0 +1,26 @@
+variable "name" {
+  description = "Trail name. Also used as bucket prefix"
+  type        = string
+  nullable    = false
+}
+
+variable "s3_key_prefix" {
+  description = "Optional prefix to write CloudTrail records to."
+  type        = string
+  nullable    = false
+  default     = ""
+}
+
+variable "is_multi_region_trail" {
+  description = "Whether the trail is created in the current region or in all regions"
+  type        = bool
+  default     = false
+  nullable    = false
+}
+
+variable "exclude_management_event_sources" {
+  description = "A set of event sources to exclude."
+  type        = list(string)
+  default     = ["kms.amazonaws.com", "rdsdata.amazonaws.com"]
+  nullable    = true
+}
diff --git a/modules/cloudtrail/versions.tf b/modules/cloudtrail/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.3"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0"
+    }
+  }
+}