From b8e6d63ea21ad69c094d44c8771185db98c91727 Mon Sep 17 00:00:00 2001 From: anmolnagpal Date: Wed, 17 Jan 2024 15:45:51 +0530 Subject: [PATCH] feat: update code and tflint issue --- _example/individual/example.tf | 2 +- _example/individual/outputs.tf | 8 ++--- _example/individual/versions.tf | 2 +- _example/master/versions.tf | 2 +- _example/member/example.tf | 47 +++++++++++++++++++++++++ _example/member/versions.tf | 2 +- main.tf | 62 ++++++++++++++------------------- outputs.tf | 5 --- variables.tf | 12 ------- versions.tf | 2 +- 10 files changed, 83 insertions(+), 61 deletions(-) diff --git a/_example/individual/example.tf b/_example/individual/example.tf index 7f65cb8..7df099c 100644 --- a/_example/individual/example.tf +++ b/_example/individual/example.tf @@ -9,7 +9,7 @@ module "cloudtrail" { name = "trails" environment = "test" - label_order = ["environment", "application", "name"] + label_order = ["environment", "name"] enabled = true secure_s3_enabled = false diff --git a/_example/individual/outputs.tf b/_example/individual/outputs.tf index 16b1a0a..4517e20 100644 --- a/_example/individual/outputs.tf +++ b/_example/individual/outputs.tf @@ -3,10 +3,10 @@ output "cloudtrail_arn" { description = "The Amazon Resource Name of the trail" } -output "kms_arn" { - value = module.cloudtrail[*].kms_arn - description = "The Amazon Resource Name of the kms" -} +#output "kms_arn" { +# value = module.cloudtrail[*].kms_arn +# description = "The Amazon Resource Name of the kms" +#} output "tags" { value = module.cloudtrail.tags diff --git a/_example/individual/versions.tf b/_example/individual/versions.tf index 8a25625..005420a 100644 --- a/_example/individual/versions.tf +++ b/_example/individual/versions.tf @@ -1,6 +1,6 @@ # Terraform version terraform { - required_version = ">= 1.6.6" + required_version = ">= 1.6.5" required_providers { aws = { diff --git a/_example/master/versions.tf b/_example/master/versions.tf index 8a25625..005420a 100644 
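Review bot: The context line `secure_s3_enabled = false` is kept in this example while the same commit deletes `variable "secure_s3_enabled"` from variables.tf, so `terraform validate` on `_example/individual` should now fail with an unexpected-argument error for that line. Either drop the line here, leaving `enabled = true` as the only toggle, or keep the variable in the root module if something still decides whether `secure_s3_bucket` is built. The `module "cloudtrail"` block starts before this hunk and ends after it.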
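Review bot: The `kms_arn` output in `_example/individual/outputs.tf` is commented out rather than removed, and since this commit also deletes `output "kms_arn"` from the root outputs.tf, the commented `module.cloudtrail[*].kms_arn` would not resolve if someone later uncomments it. Delete the block outright; if the key ARN should stay reachable for callers (the root module still wires `module.kms_key.key_arn` into the bucket), restore the root output instead of keeping dead text in the example.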
--- a/_example/master/versions.tf +++ b/_example/master/versions.tf @@ -1,6 +1,6 @@ # Terraform version terraform { - required_version = ">= 1.6.6" + required_version = ">= 1.6.5" required_providers { aws = { diff --git a/_example/member/example.tf b/_example/member/example.tf index 0268ec8..143858b 100644 --- a/_example/member/example.tf +++ b/_example/member/example.tf @@ -2,6 +2,7 @@ provider "aws" { region = "eu-west-1" } +data "aws_caller_identity" "current" {} module "cloudtrail" { source = "./../../" @@ -20,4 +21,50 @@ module "cloudtrail" { s3_bucket_name = "logs-bucket-cd" s3_log_bucket_name = "logs-bucket-cd-logs" + s3_policy = data.aws_iam_policy_document.default.json +} + +data "aws_iam_policy_document" "default" { + statement { + sid = "AWSCloudTrailAclCheck" + + principals { + type = "Service" + identifiers = ["cloudtrail.amazonaws.com"] + } + + actions = [ + "s3:GetBucketAcl", + ] + + resources = ["arn:aws:s3:::logs-bucket-clouddrove"] + } + + statement { + sid = "AWSCloudTrailWrite" + + principals { + type = "Service" + identifiers = ["cloudtrail.amazonaws.com"] + } + + actions = [ + "s3:PutObject", + ] + + resources = compact( + concat( + [format("arn:aws:s3:::logs-bucket-clouddrove/AWSLogs/%s/*", data.aws_caller_identity.current.account_id)] + ) + ) + + condition { + test = "StringEquals" + variable = "s3:x-amz-acl" + + values = [ + "bucket-owner-full-control", + ] + } + } } diff --git a/_example/member/versions.tf b/_example/member/versions.tf index 8a25625..005420a 100644 --- a/_example/member/versions.tf +++ b/_example/member/versions.tf @@ -1,6 +1,6 @@ # Terraform version terraform { - required_version = ">= 1.6.6" + required_version = ">= 1.6.5" required_providers { aws = { diff --git a/main.tf b/main.tf index cfca0d4..3df6c89 100644 --- a/main.tf +++ b/main.tf 
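Review bot: The new policy document names `arn:aws:s3:::logs-bucket-clouddrove` in both statements, while the module a few lines above is given `s3_bucket_name = "logs-bucket-cd"`, which the root module presumably turns into the bucket name; S3 rejects a bucket policy whose resources refer to a different bucket, so the trail cannot come up as written — build both ARNs from the same name. Both statements also trust `cloudtrail.amazonaws.com` with no `aws:SourceArn` condition, which is the documented guard against a trail in another account writing into this bucket (confused deputy); one extra `condition` block per statement closes that, using the ARN of the trail being created (the module's `name` is outside this hunk, so the trail name below is left to be filled in). `compact(concat([format(...)]))` around a single element can be a plain one-element list. Sketch of the changed lines:
```hcl
# … unchanged: provider, data "aws_caller_identity", module "cloudtrail" …

locals {
  logs_bucket = "logs-bucket-cd" # must equal s3_bucket_name passed to the module
  # ARN of the trail this bucket serves; region/account from the provider and caller, name as given to the module
  trail_arn = format("arn:aws:cloudtrail:eu-west-1:%s:trail/%s", data.aws_caller_identity.current.account_id, "<trail name>")
}

data "aws_iam_policy_document" "default" {
  statement {
    sid = "AWSCloudTrailAclCheck"
    # … unchanged: principals / actions …
    resources = [format("arn:aws:s3:::%s", local.logs_bucket)]

    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [local.trail_arn]
    }
  }

  statement {
    sid = "AWSCloudTrailWrite"
    # … unchanged: principals / actions / s3:x-amz-acl condition …
    resources = [format("arn:aws:s3:::%s/AWSLogs/%s/*", local.logs_bucket, data.aws_caller_identity.current.account_id)]

    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [local.trail_arn]
    }
  }
}
```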
@@ -5,21 +5,18 @@ data "aws_caller_identity" "current" {} data "aws_region" "current" {} -#Module : Label -#Description : This terraform module is designed to generate consistent label names and -# tags for resources. You can use terraform-labels to implement a strict -# naming convention +##----------------------------------------------------------------------------- +## Labels module callled that will be used for naming and tags. +##----------------------------------------------------------------------------- module "labels" { - source = "git::https://github.com/clouddrove/terraform-labels.git?ref=tags/0.15.0" - + source = "clouddrove/labels/aws" + version = "1.3.0" name = var.name environment = var.environment - label_order = var.label_order managedby = var.managedby - enabled = var.enabled + label_order = var.label_order } - # Module : S3 BUCKET # Description : Terraform module to create default S3 bucket with logging and encryption # type specific features. @@ -27,14 +24,12 @@ module "labels" { module "s3_log_bucket" { source = "git::https://github.com/clouddrove/terraform-aws-s3.git?ref=tags/2.0.0" - name = var.s3_log_bucket_name - environment = var.environment - label_order = ["name"] - managedby = var.managedby - create_bucket = local.is_cloudtrail_enabled - bucket_enabled = var.enabled - versioning = true - acl = "private" + name = var.s3_log_bucket_name + environment = var.environment + label_order = ["name"] + managedby = var.managedby + versioning = true + acl = "private" } module "s3_bucket" { 
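Review bot: The added header comment has a typo, `callled`; suggest `## Labels module called for consistent naming and tags.`. The same hunk drops `enabled = var.enabled` from the labels call while `variable "enabled"` still exists in the root module (the example passes `enabled = true`); if the registry `clouddrove/labels/aws` 1.3.0 still accepts `enabled`, say in the commit message why the toggle no longer reaches it, otherwise this is fine.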
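Review bot: Removing both `create_bucket = local.is_cloudtrail_enabled` and `bucket_enabled = var.enabled` from `s3_log_bucket` means the access-log bucket is now created on every apply, so a caller that sets `enabled = false` still gets a bucket; nothing else in the hunk takes over that gating. If tflint flagged `create_bucket` as an argument the 2.0.0 pin of terraform-aws-s3 does not declare, drop only that line and keep `bucket_enabled = var.enabled`; if `enabled` is no longer meant to control buckets, document that in the variable description. If nothing else reads `local.is_cloudtrail_enabled` after this change, tflint will report it as unused, so check the `locals` block as well.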
@@ -51,28 +46,24 @@ module "s3_bucket" { force_destroy = true target_bucket = module.s3_log_bucket.id target_prefix = "logs" - mfa_delete = var.mfa_delete } module "secure_s3_bucket" { source = "git::https://github.com/clouddrove/terraform-aws-s3.git?ref=tags/2.0.0" - name = var.s3_bucket_name - environment = var.environment - label_order = ["name"] - managedby = var.managedby - create_bucket = local.is_cloudtrail_enabled && var.secure_s3_enabled - bucket_logging_encryption_enabled = var.enabled && var.secure_s3_enabled - versioning = true - acl = "private" - bucket_policy = true - aws_iam_policy_document = var.s3_policy - force_destroy = true - sse_algorithm = var.sse_algorithm - kms_master_key_id = var.key_arn == "" ? module.kms_key.key_arn : var.key_arn - target_bucket = module.s3_log_bucket.id - target_prefix = "logs" - mfa_delete = var.mfa_delete + name = var.s3_bucket_name + environment = var.environment + label_order = ["name"] + managedby = var.managedby + versioning = true + acl = "private" + bucket_policy = true + aws_iam_policy_document = var.s3_policy + force_destroy = true + sse_algorithm = var.sse_algorithm + kms_master_key_id = var.key_arn == "" ? module.kms_key.key_arn : var.key_arn + target_bucket = module.s3_log_bucket.id + target_prefix = "logs" } #Module : AWS_CLOUDWATCH_LOG_GROUP @@ -340,7 +331,8 @@ locals { #Description : Terraform module to provision an AWS CloudTrail with encrypted S3 bucket. # This bucket is used to store CloudTrail logs. module "cloudtrail" { - source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail.git?ref=tags/1.4.0" + source = "clouddrove/cloudtrail/aws" + version = "1.4.0" name = var.name environment = var.environment diff --git a/outputs.tf b/outputs.tf index 2d9dd7c..f1c196f 100644 --- a/outputs.tf +++ b/outputs.tf 
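Review bot: With `create_bucket = local.is_cloudtrail_enabled && var.secure_s3_enabled` gone, `secure_s3_bucket` is created unconditionally, and nothing left in this hunk gates `s3_bucket` either; if `s3_bucket` also takes its name from `var.s3_bucket_name` (its `name` line is above the hunk), both modules will try to create the same globally-unique bucket name and the second create fails. The commit also drops `mfa_delete` from both buckets and keeps `force_destroy = true` on the new side of `secure_s3_bucket`, which holds CloudTrail audit logs, so a `terraform destroy` removes the trail history with no MFA backstop; prefer `force_destroy = var.force_destroy` with a `false` default and keep `mfa_delete = var.mfa_delete`. `module "s3_bucket"` starts before this hunk.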
@@ -29,11 +29,6 @@ output "s3_arn" { description = "The ARN of S3 bucket." } -output "kms_arn" { - value = module.kms_key.key_arn - description = "The ARN of KMS key." -} - output "tags" { value = module.labels.tags description = "A mapping of tags to assign to the resource." diff --git a/variables.tf b/variables.tf index fb6b968..83b980c 100644 --- a/variables.tf +++ b/variables.tf @@ -30,18 +30,6 @@ variable "lambda_enabled" { description = "Whether to create lambda for cloudtrail logs." } -variable "secure_s3_enabled" { - type = bool - default = true - description = "Whether to create secure s3 for cloudtrail logs." -} - -variable "mfa_delete" { - type = bool - default = false - description = "Whether to enable mfa_delete or not." -} - variable "slack_webhook" { type = string default = "" diff --git a/versions.tf b/versions.tf index 8a25625..005420a 100644 --- a/versions.tf +++ b/versions.tf @@ -1,6 +1,6 @@ # Terraform version terraform { - required_version = ">= 1.6.6" + required_version = ">= 1.6.5" required_providers { aws = {