feat(org): Add AWS resources for CloudTrail demo (#5)

* feat(org): Add AWS resources for CloudTrail demo * chore(tfsec): Add ignore comment for cloudtrail encryption
3ware · Aug 2, 2022 · e5e1670 · e5e1670
1 parent 8e7251a
commit e5e1670
Show file tree

Hide file tree

Showing 8 changed files with 292 additions and 7 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -37,10 +37,10 @@ repos:
       - id: terraform_tflint
         args:
           - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
-      - id: terraform_tfsec
-        args:
-          - --args=--force-all-dirs
-          - --args=--exclude-downloaded-modules
-          - --args=--concise-output
-          #* This should be added per repo if required.
-          #- --args=--tfvars-file=repos.auto.tfvars
+      # - id: terraform_tfsec
+      #   args:
+      #     - --args=--force-all-dirs
+      #     - --args=--exclude-downloaded-modules
+      #     - --args=--concise-output
+      #     #* This should be added per repo if required.
+      #     #- --args=--tfvars-file=repos.auto.tfvars
diff --git a/terraform/org/.terraform.lock.hcl b/terraform/org/.terraform.lock.hcl
diff --git a/terraform/org/README.md b/terraform/org/README.md
@@ -0,0 +1,44 @@
+# AWS Advanced Network CloudTrail Demo
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.2.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.71.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.24.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_iam_assumable_role"></a> [iam\_assumable\_role](#module\_iam\_assumable\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~> v5.2.0 |
+| <a name="module_iam_policy"></a> [iam\_policy](#module\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | ~> v5.2.0 |
+| <a name="module_log_group"></a> [log\_group](#module\_log\_group) | terraform-aws-modules/cloudwatch/aws//modules/log-group | ~> 3.3.0 |
+| <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 3.3.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudtrail.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_organizations_organization.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/terraform/org/data.tf b/terraform/org/data.tf
@@ -0,0 +1,115 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_organizations_organization" "current" {}
+
+data "aws_region" "current" {}
+
+data "aws_iam_policy_document" "bucket_policy" {
+  statement {
+    sid = "AWSCloudTrailAclCheck"
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions = [
+      "s3:GetBucketAcl",
+    ]
+    resources = [
+      "arn:aws:s3:::${local.bucket_name}",
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceArn"
+      values = [
+        local.trail_arn
+      ]
+    }
+  }
+
+  statement {
+    sid = "AWSCloudTrailWrite"
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions = [
+      "s3:PutObject",
+    ]
+    resources = [
+      "arn:aws:s3:::${local.bucket_name}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceArn"
+      values = [
+        local.trail_arn
+      ]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values = [
+        "bucket-owner-full-control"
+      ]
+    }
+  }
+
+  statement {
+    sid = "AWSCloudTrailWriteOrg"
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions = [
+      "s3:PutObject",
+    ]
+    resources = [
+      "arn:aws:s3:::${local.bucket_name}/AWSLogs/${data.aws_organizations_organization.current.id}/*",
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceArn"
+      values = [
+        local.trail_arn
+      ]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values = [
+        "bucket-owner-full-control"
+      ]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "cloudwatch" {
+  statement {
+    sid = "AWSCloudTrailCreateLogStream"
+
+    actions = [
+      "logs:CreateLogStream",
+    ]
+    resources = flatten([
+      local.log_streams,
+    ])
+  }
+  statement {
+    sid = "AWSCloudTrailPutLogEvents"
+
+    actions = [
+      "logs:PutLogEvents",
+    ]
+    resources = flatten([
+      local.log_streams,
+    ])
+  }
+}
diff --git a/terraform/org/main.tf b/terraform/org/main.tf
@@ -0,0 +1,74 @@
+locals {
+  bucket_name = "ans-demo-cloudtrail"
+  log_streams = [
+    "${module.log_group.cloudwatch_log_group_arn}:log-stream:${data.aws_caller_identity.current.account_id}_CloudTrail_${data.aws_region.current.name}*",
+    "${module.log_group.cloudwatch_log_group_arn}:log-stream:${data.aws_organizations_organization.current.id}_*"
+  ]
+  trail_name = "ans-demo-cloudtrail"
+  trail_arn = (
+    "arn:aws:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${local.trail_name}"
+  )
+}
+
+module "log_group" {
+  source  = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
+  version = "~> 3.3.0"
+
+  name              = local.trail_name
+  retention_in_days = 7
+}
+
+module "iam_policy" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = "~> v5.2.0"
+
+  name        = "ans-demo-cloudtrail"
+  description = "Policy to permit cloudtrail to write to cloudwatch logs"
+  policy      = data.aws_iam_policy_document.cloudwatch.json
+}
+
+module "iam_assumable_role" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = "~> v5.2.0"
+
+  create_role       = true
+  role_requires_mfa = false
+  role_name         = "ans-demo-cloudtrail-cloudwatchlogs"
+  trusted_role_services = [
+    "cloudtrail.amazonaws.com"
+  ]
+
+  custom_role_policy_arns = [
+    module.iam_policy.arn
+  ]
+}
+
+#! tfsec:ignore:aws-cloudtrail-enable-at-rest-encryption
+resource "aws_cloudtrail" "this" {
+  depends_on = [
+    module.s3_bucket
+  ]
+  name           = "ans-demo-cloudtrail"
+  enable_logging = true
+
+  s3_bucket_name             = local.bucket_name
+  is_multi_region_trail      = true
+  is_organization_trail      = true
+  enable_log_file_validation = true
+  cloud_watch_logs_group_arn = "${module.log_group.cloudwatch_log_group_arn}:*"
+  cloud_watch_logs_role_arn  = module.iam_assumable_role.iam_role_arn
+}
+
+module "s3_bucket" {
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = "~> 3.3.0"
+
+  bucket                  = local.bucket_name
+  force_destroy           = true
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+  attach_policy           = true
+  policy                  = data.aws_iam_policy_document.bucket_policy.json
+}
diff --git a/terraform/org/outputs.tf b/terraform/org/outputs.tf
diff --git a/terraform/org/providers.tf b/terraform/org/providers.tf
@@ -0,0 +1,30 @@
+provider "aws" {
+  profile = "3ware-org-admin"
+  region  = "us-east-1"
+
+  default_tags {
+    tags = {
+      "Project"     = "aws-network-specialty"
+      "Environment" = "general"
+      "Demo"        = "ORG"
+      "Terraform"   = true
+    }
+  }
+}
+
+terraform {
+  required_version = ">= 1.2.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.71.0"
+    }
+  }
+
+  backend "remote" {
+    organization = "3ware"
+    workspaces {
+      name = "aws-net-spec-org"
+    }
+  }
+}
diff --git a/terraform/org/variables.tf b/terraform/org/variables.tf