mirror of
https://github.com/inspec/inspec
synced 2025-01-25 19:35:37 +00:00
0af7105eba
Signed-off-by: Rony Xavier <rx294@nyu.edu>
230 lines
6.3 KiB
HCL
230 lines
6.3 KiB
HCL
resource "aws_s3_bucket" "trail_1_bucket" {
|
|
bucket = "${terraform.env}-trail-01-bucket"
|
|
force_destroy = true
|
|
|
|
policy = <<POLICY
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Sid": "AWSCloudTrailAclCheck",
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"Service": "cloudtrail.amazonaws.com"
|
|
},
|
|
"Action": "s3:GetBucketAcl",
|
|
"Resource": "arn:aws:s3:::${terraform.env}-trail-01-bucket"
|
|
},
|
|
{
|
|
"Sid": "AWSCloudTrailWrite",
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"Service": "cloudtrail.amazonaws.com"
|
|
},
|
|
"Action": "s3:PutObject",
|
|
"Resource": "arn:aws:s3:::${terraform.env}-trail-01-bucket/*",
|
|
"Condition": {
|
|
"StringEquals": {
|
|
"s3:x-amz-acl": "bucket-owner-full-control"
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
POLICY
|
|
}
|
|
|
|
resource "aws_iam_role" "cloud_watch_logs_role" {
|
|
name = "${terraform.env}-cloud-watch-logs-role"
|
|
|
|
assume_role_policy = <<POLICY
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Sid": "",
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"Service": "cloudtrail.amazonaws.com"
|
|
},
|
|
"Action": "sts:AssumeRole"
|
|
}
|
|
]
|
|
}
|
|
POLICY
|
|
}
|
|
|
|
resource "aws_iam_role_policy" "cloud_watch_logs_role_policy" {
|
|
depends_on = ["aws_iam_role.cloud_watch_logs_role"]
|
|
|
|
name = "${terraform.env}-cloud-watch-logs-role-policy"
|
|
role = "${terraform.env}-cloud-watch-logs-role"
|
|
|
|
policy = <<POLICY
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Sid": "AWSCloudTrailCreateLogStream",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"logs:CreateLogStream"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:logs:${data.aws_region.region.name}:${data.aws_caller_identity.creds.account_id}:log-group:${aws_cloudwatch_log_group.trail_1_log_group.name}:log-stream:${data.aws_caller_identity.creds.account_id}_CloudTrail_${data.aws_region.region.name}*"
|
|
]
|
|
},
|
|
{
|
|
"Sid": "AWSCloudTrailPutLogEvents",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"logs:PutLogEvents"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:logs:${data.aws_region.region.name}:${data.aws_caller_identity.creds.account_id}:log-group:${aws_cloudwatch_log_group.trail_1_log_group.name}:log-stream:${data.aws_caller_identity.creds.account_id}_CloudTrail_${data.aws_region.region.name}*"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
POLICY
|
|
}
|
|
|
|
resource "aws_cloudwatch_log_group" "trail_1_log_group" {
|
|
name = "${terraform.env}-trail-01-log-group"
|
|
}
|
|
|
|
resource "aws_kms_key" "trail_1_key" {
|
|
description = "${terraform.env}-trail-01-key"
|
|
deletion_window_in_days = 10
|
|
|
|
policy = <<POLICY
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Id": "Key policy created by CloudTrail",
|
|
"Statement": [
|
|
{
|
|
"Sid": "Enable IAM User Permissions",
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"AWS": "arn:aws:iam::${data.aws_caller_identity.creds.account_id}:root"
|
|
},
|
|
"Action": "kms:*",
|
|
"Resource": "*"
|
|
},
|
|
{
|
|
"Sid": "Allow CloudTrail to encrypt logs",
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"Service": "cloudtrail.amazonaws.com"
|
|
},
|
|
"Action": "kms:GenerateDataKey*",
|
|
"Resource": "*",
|
|
"Condition": {
|
|
"StringLike": {
|
|
"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${data.aws_caller_identity.creds.account_id}:trail/*"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Sid": "Allow CloudTrail to describe key",
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"Service": "cloudtrail.amazonaws.com"
|
|
},
|
|
"Action": "kms:DescribeKey",
|
|
"Resource": "*"
|
|
},
|
|
{
|
|
"Sid": "Allow principals in the account to decrypt log files",
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"AWS": "*"
|
|
},
|
|
"Action": [
|
|
"kms:Decrypt",
|
|
"kms:ReEncryptFrom"
|
|
],
|
|
"Resource": "*",
|
|
"Condition": {
|
|
"StringEquals": {
|
|
"kms:CallerAccount": "${data.aws_caller_identity.creds.account_id}"
|
|
},
|
|
"StringLike": {
|
|
"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${data.aws_caller_identity.creds.account_id}:trail/*"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Sid": "Allow alias creation during setup",
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"AWS": "*"
|
|
},
|
|
"Action": "kms:CreateAlias",
|
|
"Resource": "*",
|
|
"Condition": {
|
|
"StringEquals": {
|
|
"kms:ViaService": "ec2.${data.aws_region.region.name}.amazonaws.com",
|
|
"kms:CallerAccount": "${data.aws_caller_identity.creds.account_id}"
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
POLICY
|
|
}
|
|
|
|
resource "aws_cloudtrail" "trail_1" {
|
|
depends_on = ["aws_iam_role_policy.cloud_watch_logs_role_policy"]
|
|
name = "${terraform.env}-trail-01"
|
|
s3_bucket_name = "${aws_s3_bucket.trail_1_bucket.id}"
|
|
include_global_service_events = false
|
|
enable_logging = true
|
|
is_multi_region_trail = true
|
|
enable_log_file_validation = true
|
|
|
|
cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.trail_1_log_group.arn}"
|
|
cloud_watch_logs_role_arn = "${aws_iam_role.cloud_watch_logs_role.arn}"
|
|
kms_key_id = "${aws_kms_key.trail_1_key.arn}"
|
|
}
|
|
|
|
resource "aws_cloudtrail" "trail_2" {
|
|
name = "${terraform.env}-trail-02"
|
|
s3_bucket_name = "${aws_s3_bucket.trail_1_bucket.id}"
|
|
}
|
|
|
|
output "cloudtrail_trail_1_name" {
|
|
value = "${aws_cloudtrail.trail_1.name}"
|
|
}
|
|
|
|
output "cloudtrail_trail_1_arn" {
|
|
value = "${aws_cloudtrail.trail_1.arn}"
|
|
}
|
|
|
|
output "cloudtrail_trail_1_s3_bucket_name" {
|
|
value = "${aws_s3_bucket.trail_1_bucket.id}"
|
|
}
|
|
|
|
output "cloudtrail_trail_1_key_arn" {
|
|
value = "${aws_kms_key.trail_1_key.arn}"
|
|
}
|
|
|
|
output "cloudtrail_trail_1_cloud_watch_logs_group_arn" {
|
|
value = "${aws_cloudwatch_log_group.trail_1_log_group.arn}"
|
|
}
|
|
|
|
output "cloudtrail_trail_1_cloud_watch_logs_role_arn" {
|
|
value = "${aws_iam_role.cloud_watch_logs_role.arn}"
|
|
}
|
|
|
|
output "cloudtrail_trail_2_s3_bucket_name" {
|
|
value = "${aws_s3_bucket.trail_1_bucket.id}"
|
|
}
|
|
|
|
output "cloudtrail_trail_2_name" {
|
|
value = "${aws_cloudtrail.trail_2.name}"
|
|
}
|
|
|
|
output "cloudtrail_trail_2_arn" {
|
|
value = "${aws_cloudtrail.trail_2.arn}"
|
|
}
|