rhythmictech / terraform-aws-cloudtrail-bucket


Create and manage a bucket suitable for encrypted CloudTrail logging. Supports inbound logging from multiple accounts

Home Page: https://registry.terraform.io/modules/rhythmictech/cloudtrail-bucket/aws

License: MIT License

Languages: HCL 84.83%, Shell 15.17%
Topics: terraform, terraform-modules, terraform-module, cloudtrail, aws

terraform-aws-cloudtrail-bucket


Create and manage a bucket suitable for encrypted CloudTrail logging. Supports inbound logging from multiple accounts through the allowed_account_ids variable.

Usage

To create a bucket in this account that can be logged to from acct 12345678 and the current account:

```hcl
# in acct 23456789
module "cloudtrail-bucket" {
  source = "git::https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket"

  # allowed_account_ids is list(string); quoting keeps any leading zeros intact
  allowed_account_ids = ["12345678"]
  logging_bucket      = module.s3logging-bucket.s3logging_bucket_name
  region              = var.region
}

# Trail in this account, writing to the bucket created above
module "cloudtrail-logging" {
  source            = "git::https://github.com/rhythmictech/terraform-aws-cloudtrail-logging"
  cloudtrail_bucket = module.cloudtrail-bucket.s3_bucket_name
  kms_key_id        = module.cloudtrail-bucket.kms_key_id
  region            = var.region
}
```

Then in acct 12345678 you can log back to the bucket like this:

```hcl
# in acct 12345678
module "cloudtrail-logging" {
  source            = "git::https://github.com/rhythmictech/terraform-aws-cloudtrail-logging"
  # default bucket name is {account_id}-{region}-cloudtrail, as created in acct 23456789
  cloudtrail_bucket = "23456789-us-east-1-cloudtrail"
  # the kms_key_id output of the cloudtrail-bucket module in acct 23456789
  kms_key_id        = "arn:aws:kms:us-east-1:23456789:key/a53f476a-e691-4d19-9003-202e6fb9c5b4"
  region            = var.region
}
```
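As an added check (not part of this module), the Python below verifies that a bucket policy grants the CloudTrail service principal what AWS documents it needs for every account in allowed_account_ids: s3:GetBucketAcl on the bucket and s3:PutObject on AWSLogs/<account>/* conditioned on the bucket-owner-full-control ACL, the conditions behind the InsufficientS3BucketPolicyException reported in the issues below. The policy JSON, bucket name and account IDs are constructed samples, not the policy this module renders.

```python
import json

# Constructed sample policy, shaped like the bucket policy AWS documents for
# CloudTrail: GetBucketAcl on the bucket, PutObject on AWSLogs/<account>/* with
# the bucket-owner-full-control ACL. It is NOT the policy this module renders.
BUCKET = "23456789-us-east-1-cloudtrail"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "Write", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": [f"arn:aws:s3:::{BUCKET}/AWSLogs/23456789/*",
                      f"arn:aws:s3:::{BUCKET}/AWSLogs/12345678/*"],
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _cloudtrail_allows(stmt, action, resource):
    """Allow statement for the CloudTrail service principal naming action and resource literally."""
    principal = stmt.get("Principal", {})
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    return (stmt.get("Effect") == "Allow"
            and "cloudtrail.amazonaws.com" in services
            and action in _as_list(stmt.get("Action", []))
            and resource in _as_list(stmt.get("Resource", [])))

def missing_grants(policy_json, bucket, account_ids):
    """Return (account_id, problem) pairs that would make CloudTrail reject the
    bucket; an empty list means every listed account can deliver logs."""
    stmts = json.loads(policy_json)["Statement"]
    problems = []
    if not any(_cloudtrail_allows(s, "s3:GetBucketAcl", f"arn:aws:s3:::{bucket}") for s in stmts):
        problems.append(("*", "no s3:GetBucketAcl grant on the bucket"))
    for acct in account_ids:
        prefix = f"arn:aws:s3:::{bucket}/AWSLogs/{acct}/*"
        writes = [s for s in stmts if _cloudtrail_allows(s, "s3:PutObject", prefix)]
        if not writes:
            problems.append((acct, "no s3:PutObject grant on its AWSLogs prefix"))
        elif not any(s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
                     == "bucket-owner-full-control" for s in writes):
            problems.append((acct, "PutObject not conditioned on bucket-owner-full-control"))
    return problems
```

Run it against the output of `aws s3api get-bucket-policy` for the bucket and the list you passed as allowed_account_ids plus the bucket's own account; any returned tuple points at the statement to fix.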

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3 |
| aws | >= 4 |

Providers

| Name | Version |
|------|---------|
| aws | 4.48.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_kms_alias.this | resource |
| aws_kms_key.this | resource |
| aws_s3_bucket.this | resource |
| aws_s3_bucket_acl.this | resource |
| aws_s3_bucket_lifecycle_configuration.this | resource |
| aws_s3_bucket_logging.this | resource |
| aws_s3_bucket_policy.this | resource |
| aws_s3_bucket_public_access_block.this | resource |
| aws_s3_bucket_server_side_encryption_configuration.this | resource |
| aws_s3_bucket_versioning.this | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.key | data source |
| aws_iam_policy_document.key_empty | data source |
| aws_iam_policy_document.key_merged_policy | data source |
| aws_iam_policy_document.key_roles | data source |
| aws_iam_policy_document.this | data source |
| aws_partition.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| allowed_account_ids | Optional list of AWS Account IDs that are permitted to write to the bucket | list(string) | [] | no |
| bucket_name | Name of the S3 bucket to create. Defaults to {account_id}-{region}-cloudtrail. | string | null | no |
| lifecycle_rules | Lifecycle rules to apply to the bucket | list(object({...})), see below | see below | no |
| logging_bucket | S3 bucket with suitable access for logging requests to the cloudtrail bucket | string | n/a | yes |
| region | Region to create KMS key in | string | n/a | yes |
| roles_allowed_kms_decrypt | Optional list of roles that have access to KMS decrypt and are permitted to decrypt logs | list(string) | [] | no |
| tags | Mapping of any extra tags you want added to resources | map(string) | {} | no |
| versioning_enabled | Whether or not to use versioning on the bucket. This can be useful for audit purposes since objects in a logging bucket should not be updated. | bool | true | no |

Type of lifecycle_rules:

```hcl
list(object({
  id                            = string
  enabled                       = optional(bool, true)
  expiration                    = optional(number)
  prefix                        = optional(number)
  noncurrent_version_expiration = optional(number)
  transition = optional(list(object({
    days          = number
    storage_class = string
  })))
}))
```

Default of lifecycle_rules:

```json
[
  {
    "id": "expire-noncurrent-objects-after-ninety-days",
    "noncurrent_version_expiration": 90
  },
  {
    "id": "transition-to-IA-after-30-days",
    "transition": [
      {
        "days": 30,
        "storage_class": "STANDARD_IA"
      }
    ]
  },
  {
    "expiration": 2557,
    "id": "delete-after-seven-years"
  }
]
```

Outputs

| Name | Description |
|------|-------------|
| kms_key_id | KMS key used by cloudtrail |
| s3_bucket_arn | The ARN of the bucket |
| s3_bucket_name | The name of the bucket |

Contributors

cdaniluk, pre-commit-ci[bot], sblack4

Issues

[BUG] Warning: Argument is deprecated. Use the attribute "source_policy_documents" instead.

Describe the bug

│ Warning: Argument is deprecated
│ 
│   with module.cloudtrail_bucket.data.aws_iam_policy_document.key_merged_policy,
│   on .terraform/modules/cloudtrail_bucket/kms.tf line 77, in data "aws_iam_policy_document" "key_merged_policy":
│   77:   source_json   = data.aws_iam_policy_document.key.json
│ 
│ Use the attribute "source_policy_documents" instead.

To Reproduce

```hcl
module "cloudtrail_bucket" {
  source  = "rhythmictech/cloudtrail-bucket/aws"
  version = "~> 1.3.1"

  logging_bucket      = module.s3logging_bucket.s3_bucket_name
  region              = var.region
  tags                = local.tags
}
```

[BUG]

#6 introduces a bug when no roles are specified.

Error: MalformedPolicyDocumentException: Policy contains a statement with no principal.

  on .terraform/modules/cloudtrail-bucket/terraform-aws-cloudtrail-bucket-1.3.0/kms.tf line 70, in resource "aws_kms_key" "this":
  70: resource "aws_kms_key" "this" {

AlreadyExistsException

name = "alias/cloudtrail_key"

I was trying to test this module against an environment where it'd already been applied separately and got this. It would be nice to be able to change this name and not get that error.

Error: AlreadyExistsException: An alias with the name arn:aws:kms:us-east-1::alias/cloudtrail_key already exists

  on .terraform/modules/cloudtrail_bucket/terraform-aws-cloudtrail-bucket-1.2.0/kms.tf line 72, in resource "aws_kms_alias" "this":
  72: resource "aws_kms_alias" "this" {

[BUG]

Describe the bug
Timing issue causing terraform apply to fail when creating this module from scratch.

Error: Error creating CloudTrail: InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket: 028266382041-us-east-1-cloudtrail

  on .terraform/modules/cloudtrail-logging/main.tf line 8, in resource "aws_cloudtrail" "trail":
   8: resource "aws_cloudtrail" "trail" {

To Reproduce
Create a new instance of this module. It will fail all or most of the time.

Running a second time resolves the issue.

Expected behavior
Should run on first run every time.
