
Merge branch 'master' into dependabot/npm_and_yarn/frontend/prettier-…
…3.0.3
Matthew-Grayson authored Sep 19, 2023
2 parents a13d1f5 + 21af5aa commit 6154531
Showing 6 changed files with 100 additions and 44 deletions.
54 changes: 34 additions & 20 deletions frontend/package-lock.json


2 changes: 1 addition & 1 deletion frontend/package.json
Expand Up @@ -46,7 +46,7 @@
"react-simple-maps": "^3.0.0",
"react-table": "^7.8.0",
"resolve-url-loader": "^5.0.0",
"universal-cookie": "^4.0.4",
"universal-cookie": "^6.1.1",
"uswds": "^2.13.3",
"web-vitals": "^2.1.4"
},
66 changes: 57 additions & 9 deletions infrastructure/cloudtrail.tf
Expand Up @@ -25,7 +25,8 @@ resource "aws_cloudtrail" "all-events" {
}

resource "aws_s3_bucket" "cloudtrail_bucket" {
bucket = var.cloudtrail_bucket_name
bucket = var.cloudtrail_bucket_name
force_destroy = true
tags = {
Project = var.project
Stage = var.stage
Expand All @@ -42,11 +43,6 @@ resource "aws_cloudwatch_log_group" "cloudtrail" {
}
}

resource "aws_s3_bucket_acl" "cloudtrail_bucket" {
bucket = aws_s3_bucket.cloudtrail_bucket.id
acl = "private"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail_bucket" {
bucket = aws_s3_bucket.cloudtrail_bucket.id
rule {
Expand Down Expand Up @@ -76,7 +72,23 @@ resource "aws_s3_bucket_policy" "cloudtrail_bucket" {

resource "aws_iam_role" "cloudtrail_role" {
name = var.cloudtrail_role_name
assume_role_policy = aws_s3_bucket_policy.cloudtrail_bucket.policy
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com"
]
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
tags = {
Project = var.project
Stage = var.stage
Expand All @@ -87,8 +99,44 @@ data "template_file" "cloudtrail_bucket_policy" {
template = file("cloudtrail_bucket_policy.tpl")
vars = {
bucketName = var.cloudtrail_bucket_name
region = var.aws_region
trailName = aws_cloudtrail.all-events.name
accountId = data.aws_caller_identity.current.account_id
}
}

# Attach policies to the IAM role allowing access to the S3 bucket and Cloudwatch
resource "aws_iam_role_policy" "cloudtrail_policy" {
name_prefix = "crossfeed-cloudtrail-s3-${var.stage}"
role = aws_iam_role.cloudtrail_role.id
policy = jsonencode({
Version = "2012-10-17",
Statement = [{
Action = [
"s3:PutObject",
"s3:GetBucketAcl",
"s3:ListBucket"
],
Effect = "Allow",
Resource = [
aws_s3_bucket.cloudtrail_bucket.arn,
"${aws_s3_bucket.cloudtrail_bucket.arn}/*"
]
}]
})
}

resource "aws_iam_role_policy" "cloudtrail_cloudwatch_policy" {
name_prefix = "crossfeed-cloudtrail-cloudwatch-${var.stage}"
role = aws_iam_role.cloudtrail_role.id
policy = jsonencode({
Version = "2012-10-17",
Statement = [{
Action = [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
Effect = "Allow",
Resource = "arn:aws:logs:*"
}]
})
}
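Review bot: `force_destroy = true` on `aws_s3_bucket.cloudtrail_bucket` in the first hunk lets a `terraform destroy` or a forced replacement delete the bucket together with every CloudTrail log object in it, which is the opposite of what an audit-log bucket should allow; drop it (or restrict it to non-production stages) and consider a `lifecycle { prevent_destroy = true }` block plus versioning on the bucket. In the last hunk, `cloudtrail_cloudwatch_policy` grants `logs:CreateLogGroup`, `logs:CreateLogStream` and `logs:PutLogEvents` on `Resource = "arn:aws:logs:*"`, i.e. every log group in every region of the account, while the trail only needs to write streams under the log group this file already declares as `aws_cloudwatch_log_group.cloudtrail`; scope it with `Resource = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"`, and `logs:CreateLogGroup` is likely unnecessary since Terraform creates the group. The `s3:ListBucket`/`s3:PutObject` grants in `cloudtrail_policy` also look wider than needed, because CloudTrail delivers objects to S3 through the bucket policy in `cloudtrail_bucket_policy.tpl` rather than through this role; if nothing else assumes the role, that statement can probably be reduced to `s3:GetBucketAcl` or removed.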
10 changes: 2 additions & 8 deletions infrastructure/cloudtrail_bucket_policy.tpl
Expand Up @@ -8,12 +8,7 @@
"Service": "cloudtrail.amazonaws.com"
},
"Action": ["s3:GetBucketAcl"],
"Resource": ["arn:aws:s3:::${bucketName}"],
"Condition": {
"StringEquals": {
"aws:SourceArn": "arn:aws:cloudtrail:${region}:${accountId}:trail/${trailName}"
}
}
"Resource": ["arn:aws:s3:::${bucketName}"]
},
{
"Sid": "AWSCloudTrailWrite20150319",
Expand All @@ -25,8 +20,7 @@
"Resource": ["arn:aws:s3:::${bucketName}/AWSLogs/${accountId}/*"],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"aws:SourceArn": "arn:aws:cloudtrail:${region}:${accountId}:trail/${trailName}"
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
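Review bot: Both hunks leave the `cloudtrail.amazonaws.com` statements without the `aws:SourceArn` condition, so on the new side any trail in any AWS account, not just this account's trail, can call `s3:GetBucketAcl` and `s3:PutObject` against `arn:aws:s3:::${bucketName}` — the confused-deputy protection AWS recommends for CloudTrail bucket policies is gone, and the bucket name is a fixed, predictable string. Re-add the condition to both statements, e.g. under `"StringEquals"` keep `"aws:SourceArn": "arn:aws:cloudtrail:${region}:${accountId}:trail/${trailName}"` and add `"aws:SourceAccount": "${accountId}"` so the write statement only accepts this account's trail. If the condition was removed to break a dependency cycle between the trail and the bucket policy (the template previously read the trail's name from the `aws_cloudtrail` resource), build the ARN from a plain variable holding the trail name instead of referencing the resource. Both statements start and end outside the hunks shown here.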
6 changes: 3 additions & 3 deletions infrastructure/stage.tfvars
Expand Up @@ -42,9 +42,9 @@ worker_ecs_task_definition_family = "crossfeed-staging-worker"
worker_ecs_log_group_name = "crossfeed-staging-worker"
worker_ecs_role_name = "crossfeed-staging-worker"
logging_bucket_name = "cisa-crossfeed-staging-logging"
cloudtrail_bucket_name = "cisa-crossfeed-staging-cloudtrails"
cloudtrail_role_name = "cisa-crossfeed-staging-cloudtrails"
cloudtrail_log_group_name = "cisa-crossfeed-staging-cloudtrails"
cloudtrail_bucket_name = "cisa-crossfeed-staging-cloudtrail"
cloudtrail_role_name = "cisa-crossfeed-staging-cloudtrail"
cloudtrail_log_group_name = "cisa-crossfeed-staging-cloudtrail"
export_bucket_name = "cisa-crossfeed-staging-exports"
reports_bucket_name = "cisa-crossfeed-staging-reports"
pe_db_backups_bucket_name = "cisa-crossfeed-staging-pe-db-backups"
6 changes: 3 additions & 3 deletions infrastructure/vars.tf
Expand Up @@ -265,19 +265,19 @@ variable "logging_bucket_name" {
variable "cloudtrail_bucket_name" {
description = "cloudtrail_bucket_name"
type = string
default = "cisa-crossfeed-staging-cloudtrails"
default = "cisa-crossfeed-staging-cloudtrail"
}

variable "cloudtrail_role_name" {
description = "cloudtrail_role_name"
type = string
default = "crossfeed-staging-cloudtrails-role"
default = "crossfeed-staging-cloudtrail-role"
}

variable "cloudtrail_log_group_name" {
description = "cloudtrail_log_group_name"
type = string
default = "crossfeed-staging-cloudtrails-logs"
default = "crossfeed-staging-cloudtrail-logs"
}

variable "export_bucket_name" {
