Revert root dependencies and infrastructure vars.

cisagov · Sep 22, 2023 · 9fd9178 · 9fd9178
1 parent 7152315
commit 9fd9178
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 1,415 deletions.
diff --git a/infrastructure/cloudtrail.tf b/infrastructure/cloudtrail.tf
@@ -25,7 +25,8 @@ resource "aws_cloudtrail" "all-events" {
 }
 
 resource "aws_s3_bucket" "cloudtrail_bucket" {
-  bucket = var.cloudtrail_bucket_name
+  bucket        = var.cloudtrail_bucket_name
+  force_destroy = true
   tags = {
     Project = var.project
     Stage   = var.stage
@@ -100,4 +101,42 @@ data "template_file" "cloudtrail_bucket_policy" {
     bucketName = var.cloudtrail_bucket_name
     accountId  = data.aws_caller_identity.current.account_id
   }
+}
+
+# Attach policies to the IAM role allowing access to the S3 bucket and Cloudwatch
+resource "aws_iam_role_policy" "cloudtrail_policy" {
+  name_prefix = "crossfeed-cloudtrail-s3-${var.stage}"
+  role        = aws_iam_role.cloudtrail_role.id
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Action = [
+        "s3:PutObject",
+        "s3:GetBucketAcl",
+        "s3:ListBucket"
+      ],
+      Effect = "Allow",
+      Resource = [
+        aws_s3_bucket.cloudtrail_bucket.arn,
+        "${aws_s3_bucket.cloudtrail_bucket.arn}/*"
+      ]
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "cloudtrail_cloudwatch_policy" {
+  name_prefix = "crossfeed-cloudtrail-cloudwatch-${var.stage}"
+  role        = aws_iam_role.cloudtrail_role.id
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Action = [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ],
+      Effect   = "Allow",
+      Resource = "arn:aws:logs:*"
+    }]
+  })
 }
diff --git a/infrastructure/prod.tfvars b/infrastructure/prod.tfvars
@@ -46,8 +46,6 @@ cloudtrail_bucket_name            = "cisa-crossfeed-prod-cloudtrail"
 cloudtrail_role_name              = "cisa-crossfeed-prod-cloudtrail"
 cloudtrail_log_group_name         = "cisa-crossfeed-prod-cloudtrail"
 export_bucket_name                = "cisa-crossfeed-prod-exports"
-infrastructure_bucket_name        = "cisa-crossfeed-prod-infrastructure"
-infrastructure_log_group_name     = "cisa-crossfeed-prod-infrastructure"
 reports_bucket_name               = "cisa-crossfeed-prod-reports"
 pe_db_backups_bucket_name         = "cisa-crossfeed-prod-pe-db-backups"
 user_pool_name                    = "crossfeed-prod"

diff --git a/infrastructure/stage.tfvars b/infrastructure/stage.tfvars
@@ -46,8 +46,6 @@ cloudtrail_bucket_name            = "cisa-crossfeed-staging-cloudtrail"
 cloudtrail_role_name              = "cisa-crossfeed-staging-cloudtrail"
 cloudtrail_log_group_name         = "cisa-crossfeed-staging-cloudtrail"
 export_bucket_name                = "cisa-crossfeed-staging-exports"
-infrastructure_bucket_name        = "cisa-crossfeed-staging-infrastructure"
-infrastructure_log_group_name     = "cisa-crossfeed-staging-infrastructure"
 reports_bucket_name               = "cisa-crossfeed-staging-reports"
 pe_db_backups_bucket_name         = "cisa-crossfeed-staging-pe-db-backups"
 user_pool_name                    = "crossfeed-staging"

diff --git a/infrastructure/vars.tf b/infrastructure/vars.tf
@@ -286,18 +286,6 @@ variable "export_bucket_name" {
   default     = "cisa-crossfeed-staging-exports"
 }
 
-variable "infrastructure_bucket_name" {
-  description = "infrastructure_bucket_name"
-  type        = string
-  default     = "cisa-crossfeed-staging-infrastructure"
-}
-
-variable "infrastructure_log_group_name" {
-  description = "infrastructure_log_group_name"
-  type        = string
-  default     = "crossfeed-staging-infrastructure-logs"
-}
-
 variable "reports_bucket_name" {
   description = "reports_bucket_name"
   type        = string