Add cloudtrail resources from commercial side
aloftus23 committed Sep 19, 2023
1 parent ae75292 commit ea24dbb
Showing 5 changed files with 196 additions and 2 deletions.
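--- a/infrastructure/cloudtrail.tf
+++ b/infrastructure/cloudtrail.tf
@@ -0,0 +1,142 @@
+
+resource "aws_cloudtrail" "all-events" {
+name = "all-events"
+s3_bucket_name = var.cloudtrail_bucket_name
+cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
+cloud_watch_logs_role_arn = "arn:aws-us-gov:iam::${data.aws_caller_identity.current.account_id}:role/${var.cloudtrail_role_name}"
+tags = {
+Project = var.project
+Stage = var.stage
+}
+event_selector {
+read_write_type = "All"
+include_management_events = true
+data_resource {
+type = "AWS::S3::Object"
+values = ["arn:aws-us-gov:s3"]
+}
+data_resource {
+type = "AWS::Lambda::Function"
+values = ["arn:aws-us-gov:lambda"]
+}
+}
+enable_log_file_validation = true
+is_multi_region_trail = true
+}
+
+resource "aws_s3_bucket" "cloudtrail_bucket" {
+bucket = var.cloudtrail_bucket_name
+force_destroy = true
+tags = {
+Project = var.project
+Stage = var.stage
+}
+}
+
+resource "aws_cloudwatch_log_group" "cloudtrail" {
+name = var.cloudtrail_log_group_name
+retention_in_days = 3653
+kms_key_id = aws_kms_key.key.arn
+tags = {
+Project = var.project
+Stage = var.stage
+}
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail_bucket" {
+bucket = aws_s3_bucket.cloudtrail_bucket.id
+rule {
+apply_server_side_encryption_by_default {
+sse_algorithm = "AES256"
+}
+}
+}
+
+resource "aws_s3_bucket_versioning" "cloudtrail_bucket" {
+bucket = aws_s3_bucket.cloudtrail_bucket.id
+versioning_configuration {
+status = "Enabled"
+}
+}
+
+resource "aws_s3_bucket_logging" "cloudtrail_bucket" {
+bucket = aws_s3_bucket.cloudtrail_bucket.id
+target_bucket = aws_s3_bucket.logging_bucket.id
+target_prefix = "cloudtrail_bucket/"
+}
+
+resource "aws_s3_bucket_policy" "cloudtrail_bucket" {
+bucket = aws_s3_bucket.cloudtrail_bucket.id
+policy = data.template_file.cloudtrail_bucket_policy.rendered
+}
+
+resource "aws_iam_role" "cloudtrail_role" {
+name = var.cloudtrail_role_name
+assume_role_policy = <<EOF
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Action": "sts:AssumeRole",
+"Principal": {
+"Service": [
+"cloudtrail.amazonaws.com"
+]
+},
+"Effect": "Allow",
+"Sid": ""
+}
+]
+}
+EOF
+tags = {
+Project = var.project
+Stage = var.stage
+}
+}
+
+data "template_file" "cloudtrail_bucket_policy" {
+template = file("cloudtrail_bucket_policy.tpl")
+vars = {
+bucketName = var.cloudtrail_bucket_name
+accountId = data.aws_caller_identity.current.account_id
+}
+}
+
+# Attach policies to the IAM role allowing access to the S3 bucket and Cloudwatch
+resource "aws_iam_role_policy" "cloudtrail_policy" {
+name_prefix = "crossfeed-cloudtrail-s3-${var.stage}"
+role = aws_iam_role.cloudtrail_role.id
+policy = jsonencode({
+Version = "2012-10-17",
+Statement = [{
+Action = [
+"s3:PutObject",
+"s3:GetBucketAcl",
+"s3:ListBucket"
+],
+Effect = "Allow",
+Resource = [
+aws_s3_bucket.cloudtrail_bucket.arn,
+"${aws_s3_bucket.cloudtrail_bucket.arn}/*"
+]
+}]
+})
+}
+
+resource "aws_iam_role_policy" "cloudtrail_cloudwatch_policy" {
+name_prefix = "crossfeed-cloudtrail-cloudwatch-${var.stage}"
+role = aws_iam_role.cloudtrail_role.id
+policy = jsonencode({
+Version = "2012-10-17",
+Statement = [{
+Action = [
+"logs:CreateLogGroup",
+"logs:CreateLogStream",
+"logs:PutLogEvents"
+],
+Effect = "Allow",
+Resource = "arn:aws-us-gov:logs:*"
+}]
+})
+}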
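Review bot: `force_destroy = true` on `aws_s3_bucket.cloudtrail_bucket` lets a `terraform destroy` or a forced replacement wipe every version of every audit-log object, which is the one thing a CloudTrail bucket should resist; set it to `false`, add `lifecycle { prevent_destroy = true }`, and give the bucket an `aws_s3_bucket_public_access_block`, which is missing from this file. In `aws_iam_role_policy.cloudtrail_cloudwatch_policy`, `logs:CreateLogGroup` on `arn:aws-us-gov:logs:*` is far wider than delivery needs; CloudTrail only requires `logs:CreateLogStream` and `logs:PutLogEvents` on the streams of the log group defined earlier in the same file. The trail points at the role and bucket by name (`var.cloudtrail_role_name`, `var.cloudtrail_bucket_name`) rather than by attribute, so Terraform records no dependency on the role, its inline policies, or `aws_s3_bucket_policy.cloudtrail_bucket` and may try to create the trail before any of them exist; `aws_iam_role.cloudtrail_role.arn`, `aws_s3_bucket.cloudtrail_bucket.id` and a `depends_on` on the bucket policy close that gap. The role's trust policy has no `aws:SourceArn`/`aws:SourceAccount` condition, the standard confused-deputy guard for a service principal. The trail itself sets no `kms_key_id`, so the S3 log files land under SSE-S3 while the CloudWatch copy uses `aws_kms_key.key`; that may be intentional but deserves a comment.
```hcl
# … unchanged: aws_cloudtrail, log group, encryption, versioning, logging, bucket policy, template …

resource "aws_s3_bucket" "cloudtrail_bucket" {
  bucket        = var.cloudtrail_bucket_name
  force_destroy = false
  # … unchanged: tags …
  lifecycle {
    prevent_destroy = true
  }
}

resource "aws_s3_bucket_public_access_block" "cloudtrail_bucket" {
  bucket                  = aws_s3_bucket.cloudtrail_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# … unchanged: aws_iam_role.cloudtrail_role, aws_iam_role_policy.cloudtrail_policy …

resource "aws_iam_role_policy" "cloudtrail_cloudwatch_policy" {
  # … unchanged: name_prefix, role …
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [{
      Action   = ["logs:CreateLogStream", "logs:PutLogEvents"],
      Effect   = "Allow",
      Resource = "${aws_cloudwatch_log_group.cloudtrail.arn}:log-stream:*"
    }]
  })
}
```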
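--- a/infrastructure/cloudtrail_bucket_policy.tpl
+++ b/infrastructure/cloudtrail_bucket_policy.tpl
@@ -0,0 +1,28 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "AWSCloudTrailAclCheck20131101",
+"Effect": "Allow",
+"Principal": {
+"Service": "cloudtrail.amazonaws.com"
+},
+"Action": ["s3:GetBucketAcl"],
+"Resource": ["arn:aws-us-gov:s3:::${bucketName}"]
+},
+{
+"Sid": "AWSCloudTrailWrite20131101",
+"Effect": "Allow",
+"Principal": {
+"Service": "cloudtrail.amazonaws.com"
+},
+"Action": ["s3:PutObject"],
+"Resource": ["arn:aws-us-gov:s3:::${bucketName}/AWSLogs/${accountId}/*"],
+"Condition": {
+"StringEquals": {
+"s3:x-amz-acl": "bucket-owner-full-control"
+}
+}
+}
+]
+}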
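Review bot: Neither statement carries an `aws:SourceArn` (or `aws:SourceAccount`) condition, so the `cloudtrail.amazonaws.com` service principal is trusted on behalf of any trail rather than the one this bucket is meant for; AWS's reference CloudTrail bucket policy adds `"aws:SourceArn": "arn:aws-us-gov:cloudtrail:<region>:${accountId}:trail/all-events"` to the `StringEquals` block of both the `GetBucketAcl` and the `PutObject` statements as the confused-deputy guard. The `AWSLogs/${accountId}/*` prefix already limits cross-account writes, but region and trail name are not available as template vars, so the condition needs two more entries in the `vars` map of `data.template_file.cloudtrail_bucket_policy`. An audit bucket also commonly gets a `Deny` on `s3:*` with `"Bool": {"aws:SecureTransport": "false"}` so log objects cannot be read or written over plain HTTP; that is a separate statement of roughly ten lines.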
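--- a/infrastructure/prod.tfvars
+++ b/infrastructure/prod.tfvars
@@ -64,4 +64,7 @@ create_db_accessor_instance = true
 db_accessor_instance_class = "t3.2xlarge"
 create_elk_instance = false
 elk_instance_class = "t3.2xlarge"
-ami_id = "ami-064cd328d8f9a9f00"
+ami_id = "ami-064cd328d8f9a9f00"
+cloudtrail_bucket_name = "cisa-crossfeed-prod-cloudtrail"
+cloudtrail_role_name = "cisa-crossfeed-prod-cloudtrail"
+cloudtrail_log_group_name = "cisa-crossfeed-prod-cloudtrail"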
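--- a/infrastructure/stage.tfvars
+++ b/infrastructure/stage.tfvars
@@ -65,4 +65,7 @@ create_db_accessor_instance = true
 db_accessor_instance_class = "t3.2xlarge"
 create_elk_instance = true
 elk_instance_class = "t3.2xlarge"
-ami_id = "ami-064cd328d8f9a9f00"
+ami_id = "ami-064cd328d8f9a9f00"
+cloudtrail_bucket_name = "cisa-crossfeed-staging-cloudtrail"
+cloudtrail_role_name = "cisa-crossfeed-staging-cloudtrail"
+cloudtrail_log_group_name = "cisa-crossfeed-staging-cloudtrail"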
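--- a/infrastructure/vars.tf
+++ b/infrastructure/vars.tf
@@ -406,3 +406,21 @@ variable "ami_id" {
 type = string
 default = "ami-064cd328d8f9a9f00"
 }
+
+variable "cloudtrail_bucket_name" {
+description = "cloudtrail_bucket_name"
+type = string
+default = "cisa-crossfeed-staging-cloudtrail"
+}
+
+variable "cloudtrail_role_name" {
+description = "cloudtrail_role_name"
+type = string
+default = "crossfeed-staging-cloudtrail-role"
+}
+
+variable "cloudtrail_log_group_name" {
+description = "cloudtrail_log_group_name"
+type = string
+default = "crossfeed-staging-cloudtrail-logs"
+}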
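Review bot: The `default` on `cloudtrail_bucket_name` (`cisa-crossfeed-staging-cloudtrail`) means any apply that omits a tfvars file silently targets the staging bucket name, and S3 bucket names are global, so a second environment would collide with staging on create or, if the name were already owned by this account, deliver its audit logs into staging's bucket. Drop the `default` from all three new variables so Terraform refuses to plan until an environment supplies its own names, which `prod.tfvars` and `stage.tfvars` already do. The descriptions merely repeat the variable name; `description = "Name of the S3 bucket that receives CloudTrail log files"` (and the equivalents for the role and log group) tells an operator what the value is for. The role and log-group defaults (`crossfeed-staging-cloudtrail-role`, `crossfeed-staging-cloudtrail-logs`) also differ from the values set in `stage.tfvars`, so they do not describe staging either.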
