From 88657d0534cda921fe4653402293e1e21197464c Mon Sep 17 00:00:00 2001
From: Darren <75614232+dmurray-lacework@users.noreply.github.com>
Date: Thu, 2 Nov 2023 17:01:54 +0000
Subject: [PATCH] fix: org cloudtrail bucket policy (#151)
* fix: org cloudtrail bucket policy
Signed-off-by: Darren Murray
* docs: update Readme
Signed-off-by: Darren Murray
* docs: update Readme
Signed-off-by: Darren Murray
---------
Signed-off-by: Darren Murray
---
 README.md | 1 +
 main.tf | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+)
diff --git a/README.md b/README.md
index 05201eb..7252b37 100644
--- a/README.md
+++ b/README.md
@@ -70,6 +70,7 @@ Terraform module for configuring an integration with Lacework and AWS for CloudT
 | [aws_iam_policy_document.cross_account_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kms_key_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sns_topic_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_organizations_organization.organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 ## Inputs
diff --git a/main.tf b/main.tf
index 940db07..a8b5966 100644
--- a/main.tf
+++ b/main.tf
@@ -166,6 +166,9 @@ resource "aws_s3_bucket_versioning" "cloudtrail_bucket_versioning" {
 }
 }
+data "aws_organizations_organization" "organization" {
+ count = var.is_organization_trail ? 1 : 0
+}
 data "aws_iam_policy_document" "cloudtrail_log_policy" {
 version = "2012-10-17"
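Review bot: The new `data "aws_organizations_organization" "organization"` block in main.tf carries no comment explaining why it exists or why it is gated on `var.is_organization_trail`; its only consumer is the `AWSLogs/<org-id>/*` resource ARN in the organization write statement added later in this patch, which a reader of this hunk cannot see. I would add above it: `# Resolved only for organization trails: CloudTrail writes org-wide logs under AWSLogs/<organization-id>/, and that prefix is what the org write statement in cloudtrail_s3_policy grants s3:PutObject on.` It is also worth noting in the README or the same comment that this lookup calls organizations:DescribeOrganization, so the deploying principal needs that permission when `is_organization_trail` is true; this is inferred from the data source, not from anything visible in the hunk.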
@@ -387,6 +390,27 @@ data "aws_iam_policy_document" "cloudtrail_s3_policy" {
 }
 }
+
+ dynamic "statement" {
+ for_each = var.is_organization_trail ? [1] : []
+ content {
+ sid = "AWSCloudTrailOrganizationWrite20150319"
+ actions = ["s3:PutObject"]
+ resources = ["arn:aws:s3:::${local.bucket_name}/AWSLogs/${data.aws_organizations_organization.organization[0].id}/*"]
+
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "s3:x-amz-acl"
+ values = ["bucket-owner-full-control"]
+ }
+ }
+ }
+
 statement {
 sid = "AWSCloudTrailWrite20150319"
 actions = ["s3:PutObject"]
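Review bot: The new AWSCloudTrailOrganizationWrite20150319 statement grants cloudtrail.amazonaws.com `s3:PutObject` on `AWSLogs/<org-id>/*` with only the `s3:x-amz-acl` condition, so any CloudTrail trail in any AWS account that knows the bucket name and organization ID can deliver objects into that prefix — the confused-deputy case AWS warns about for shared log buckets. Add the source restriction AWS documents for organization trails: a second `condition` on `aws:SourceArn` whose value is the trail ARN (`arn:aws:cloudtrail:<region>:<management-account-id>:trail/<trail-name>`); the region is available from data.aws_region.current, while the account id and trail name come from wherever the module builds the trail, which is outside this hunk. If the existing AWSCloudTrailWrite20150319 statement that follows already carries such a condition, the new statement should mirror it exactly; that statement runs past the end of the hunk, so I cannot confirm from here. A lesser point: the partition is hard-coded as `arn:aws:` in the resource ARN and will not resolve in the GovCloud or China partitions, though if the neighbouring statements do the same this is a pre-existing limitation rather than a regression.
```hcl
      # … unchanged: s3:x-amz-acl condition …
      condition {
        test     = "StringEquals"
        variable = "aws:SourceArn"
        # ARN of the organization trail this bucket receives logs for; the
        # account is the management account and the name is the module's
        # trail name (neither is visible in this hunk).
        values   = ["arn:aws:cloudtrail:${data.aws_region.current.name}:<management-account-id>:trail/<trail-name>"]
      }
```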