From dc00db4e281c7987edcca29b0d676b28dde720ab Mon Sep 17 00:00:00 2001
From: Piotr Banasik
Date: Mon, 10 Jul 2023 16:39:43 -0700
Subject: [PATCH 1/4] Support for scenario where module is installed into a different account than the cloudtrail itself. SNS option.
This is a tiny tweak which allows passing in the arn of the cloudtrail in a different account, and it will allow that cloudtrail to publish into the sns topic.
---
 main.tf | 7 ++++---
 variables.tf | 6 ++++++
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/main.tf b/main.tf
index 482c4f5..86acb79 100644
--- a/main.tf
+++ b/main.tf
@@ -36,6 +36,7 @@ locals {
 version_file = "${abspath(path.module)}/VERSION"
 module_name = "terraform-aws-cloudtrail"
 module_version = fileexists(local.version_file) ? file(local.version_file) : ""
+ cloudtrail_arn = var.consolidated_trail && var.use_existing_cloudtrail && var.cross_account_cloudtrail_arn != null ? var.cross_account_cloudtrail_arn : "arn:aws:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"
 }
 resource "random_id" "uniq" {
@@ -475,11 +476,11 @@ data "aws_iam_policy_document" "sns_topic_policy" {
 effect = "Allow"
 dynamic "condition" {
- for_each = !var.consolidated_trail ? [1] : []
+ for_each = (!var.consolidated_trail || var.cross_account_cloudtrail_arn != null) ? [1] : []
 content {
 test = "StringEquals"
 variable = "AWS:SourceArn"
- values = ["arn:aws:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"]
+ values = [local.cloudtrail_arn]
 }
 }
@@ -699,4 +700,4 @@ resource "lacework_integration_aws_ct" "default" {
 data "lacework_metric_module" "lwmetrics" {
 name = local.module_name
 version = local.module_version
-}
\ No newline at end of file
+}
diff --git a/variables.tf b/variables.tf
index 1b6ecb0..e343f2e 100644
--- a/variables.tf
+++ b/variables.tf
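Review bot: The two conditions added in this file disagree: `local.cloudtrail_arn` substitutes `var.cross_account_cloudtrail_arn` only when `var.consolidated_trail` and `var.use_existing_cloudtrail` are both true, while the `AWS:SourceArn` condition in `sns_topic_policy` is switched on whenever the variable is non-null, so a cross-account ARN supplied with `use_existing_cloudtrail = false` is silently replaced by this account's trail ARN and the remote trail can never publish. Aligning the two, `cloudtrail_arn = var.cross_account_cloudtrail_arn != null ? var.cross_account_cloudtrail_arn : "arn:aws:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"`, or rejecting the variable when the flags are unset, would close that gap; both the `locals` hunk and the `sns_topic_policy` hunk are affected. Worth a comment on the new `for_each` line as well: with `consolidated_trail = true` and no cross-account ARN the statement (whose principal lies outside this hunk) carries no `AWS:SourceArn` restriction at all, which predates this change but is now the branch a reader will look at first.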
@@ -301,3 +301,9 @@ variable "enable_cloudtrail_s3_management_events" {
 default = false
 description = "Enable CloudTrail Object-level logging"
 }
+
+variable "cross_account_cloudtrail_arn" {
+ type = string
+ default = null
+ description = "If using an existing CloudTrail in another account, provide the ARN here"
+}
From dd6135d24971c1ec887ef805edc6cbc47dbe8e5b Mon Sep 17 00:00:00 2001
From: Piotr Banasik
Date: Wed, 23 Aug 2023 09:37:35 -0700
Subject: [PATCH 2/4] Added examples
---
 .../README.md | 58 +++++++++++++++++++
 .../org-management-account.tf | 13 +++++
 .../security-account.tf | 43 ++++++++++++++
 3 files changed, 114 insertions(+)
 create mode 100644 examples/consolidated-existing-cloudtrail-in-another-account-datadog-co-existance/README.md
 create mode 100644 examples/consolidated-existing-cloudtrail-in-another-account-datadog-co-existance/org-management-account.tf
 create mode 100644 examples/consolidated-existing-cloudtrail-in-another-account-datadog-co-existance/security-account.tf
diff --git a/examples/consolidated-existing-cloudtrail-in-another-account-datadog-co-existance/README.md b/examples/consolidated-existing-cloudtrail-in-another-account-datadog-co-existance/README.md
new file mode 100644
index 0000000..2b720f5
--- /dev/null
+++ b/examples/consolidated-existing-cloudtrail-in-another-account-datadog-co-existance/README.md
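Review bot: `cross_account_cloudtrail_arn` accepts any string and is interpolated directly into the SNS topic policy's `AWS:SourceArn` condition in main.tf, so a mistyped value yields a policy that matches nothing (or, if another valid trail ARN is pasted, the wrong trail) with no error at plan time. A `validation` block would catch that early, for example `condition = var.cross_account_cloudtrail_arn == null || can(regex("^arn:aws[a-z-]*:cloudtrail:[a-z0-9-]+:[0-9]{12}:trail/", var.cross_account_cloudtrail_arn))` with a matching `error_message`. The `description` should also say the value is only honoured together with `consolidated_trail = true` and `use_existing_cloudtrail = true`, since that is how the accompanying `locals` change in main.tf gates it.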
@@ -0,0 +1,58 @@
+# Consolidated Existing CloudTrail in Another Account + Co-Existing with Datadog
+
+This example handles a bit of a specific case.
+
+1. You're following the AWS best practice to consolidate all CloudTrail logs into a single "security" account.
+* The CloudTrail config itself exists on the org's management account
+* The Bucket / KMS key exist on the security account
+
+2. You're setting up LW when either transitioning from Datadog cloudtrail integration, or you're using both LW and Datadog.
+* The coveat here is that DD's integration expects to attach a lambda hook to the CloudTrail bucket, only one such hook can be defined on the bucket, and the DD interation can be a bit aggressive about re-claiming this hook.
+* This necessitates that the LW integration is done via the SNS topic the LW module sets up instead.
+
+# Important bits of code
+
+## Org Management Account
+
+```hcl
+resource "aws_cloudtrail" "org-trail" {
+ ...
+
+ # Hook the lw cloudtrail sns topic
+ sns_topic_name = "arn:aws:sns:us-west-2:200000000000:lw-cloudtrail"
+}
+```
+
+## Security Account
+
+```hcl
+module "aws_cloudtrail" {
+ source = "lacework/cloudtrail/aws"
+ version = "~> 2.8"
+
+ consolidated_trail = true
+
+ # Use an existing CloudTrail
+ use_existing_cloudtrail = true
+
+ # this is arn to the existung bucket in the security account
+ bucket_arn = "arn:aws:s3:::org-ct-bucket"
+
+ # this is the arn to the trail in the org management account
+ cross_account_cloudtrail_arn = "arn:aws:cloudtrail:us-west-2:100000000000:trail/org-trail"
+
+ bucket_encryption_enabled = true
+ bucket_sse_algorithm = "aws:kms"
+
+ # this is the arn to the kms key in the security account
+ bucket_sse_key_arn = "arn:aws:kms:us-west-2:200000000000:key/6e2010aa-27e4-49c6-8887-956abc1caeb9"
+
+ # Create new SNS Topic and SQS Queue
+ # the SNS topic is referenced in the org management account
+ sns_topic_name = "lw-cloudtrail"
+ sqs_queue_name = "lw-cloudtrail"
+
+ # Name the integration inside LW
UI
+ lacework_integration_name = "AWS Consolidated CloudTrail"
+}
+```
diff --git a/examples/consolidated-existing-cloudtrail-in-another-account-datadog-co-existance/org-management-account.tf b/examples/consolidated-existing-cloudtrail-in-another-account-datadog-co-existance/org-management-account.tf
new file mode 100644
index 0000000..d304b22
--- /dev/null
+++ b/examples/consolidated-existing-cloudtrail-in-another-account-datadog-co-existance/org-management-account.tf
@@ -0,0 +1,13 @@
+# in org management account - ID: 100000000000
+
+resource "aws_cloudtrail" "org-trail" {
+ name = "org-trail"
+ s3_bucket_name = "org-ct-bucket"
+ kms_key_id = "arn:aws:kms:us-west-2:200000000000:key/6e2010aa-27e4-49c6-8887-956abc1caeb9"
+ is_multi_region_trail = true
+ is_organization_trail = true
+ enable_log_file_validation = true
+
+ # Hook the lw cloudtrail sns topic
+ sns_topic_name = "arn:aws:sns:us-west-2:200000000000:lw-cloudtrail"
+}
diff --git a/examples/consolidated-existing-cloudtrail-in-another-account-datadog-co-existance/security-account.tf b/examples/consolidated-existing-cloudtrail-in-another-account-datadog-co-existance/security-account.tf
new file mode 100644
index 0000000..5ecf46c
--- /dev/null
+++ b/examples/consolidated-existing-cloudtrail-in-another-account-datadog-co-existance/security-account.tf
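Review bot: `sns_topic_name` here is the ARN of the topic the module creates in the security account (`sns_topic_name = "lw-cloudtrail"` in security-account.tf), so that side has to be applied first, and this trail's ARN must be exactly what the security account passes as `cross_account_cloudtrail_arn`, or the topic policy's `AWS:SourceArn` condition rejects its publishes. The comment `# Hook the lw cloudtrail sns topic` could carry that: `# Topic is created by the lacework module in account 200000000000: apply that account first, and keep this trail's ARN in sync with its cross_account_cloudtrail_arn`. A similar note next to `s3_bucket_name` and `kms_key_id` that the bucket and key policies in the security account must grant this trail access (not shown in the example) would save readers a failed apply.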
@@ -0,0 +1,43 @@
+# in a "security" account - ID: 200000000000
+
+provider "lacework" {}
+
+provider "aws" {
+ region = "us-west-2"
+}
+
+# the CT logs live in this account
+# Note: in order to make this co-exist with Datadog (useful for the transitional period)
+# datadog has to be allowed to maintain the lambda hook on the bucket, so we can't have
+# LW hook that (it'd be the easiest option)
+resource "aws_s3_bucket" "ct_bucket" {
+ bucket = "org-ct-bucket"
+}
+
+# and so does their KMS Key
+# let's assume its ARN is: arn:aws:kms:us-west-2:200000000000:key/6e2010aa-27e4-49c6-8887-956abc1caeb9
+resource "aws_kms_key" "ct_key" {
+}
+
+module "aws_cloudtrail" {
+ source = "lacework/cloudtrail/aws"
+ version = "~> 2.8"
+
+ consolidated_trail = true
+
+ # Use an existing CloudTrail
+ use_existing_cloudtrail = true
+ bucket_arn = "arn:aws:s3:::org-ct-bucket"
+ cross_account_cloudtrail_arn = "arn:aws:cloudtrail:us-west-2:100000000000:trail/org-trail"
+
+ bucket_encryption_enabled = true
+ bucket_sse_algorithm = "aws:kms"
+ bucket_sse_key_arn = "arn:aws:kms:us-west-2:200000000000:key/6e2010aa-27e4-49c6-8887-956abc1caeb9"
+
+ # Create new SNS Topic and SQS Queue
+ sns_topic_name = "lw-cloudtrail"
+ sqs_queue_name = "lw-cloudtrail"
+
+ # Name the integration inside LW UI
+ lacework_integration_name = "AWS Consolidated CloudTrail"
+}
From 8e88283928d1e528bb3fd41a39e3dfc9d73bf295 Mon Sep 17 00:00:00 2001
From: Piotr Banasik
Date: Wed, 23 Aug 2023 09:41:26 -0700
Subject: [PATCH 3/4] Adding the new doc for the one new input
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 6c41b19..312f005 100644
--- a/README.md
+++ b/README.md
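Review bot: `aws_s3_bucket.ct_bucket` and `aws_kms_key.ct_key` are declared with no bucket policy and no key policy, yet the organization trail in account 100000000000 must write to this bucket and encrypt with this key; CloudTrail checks the bucket policy when the trail is created, so the example as written is unlikely to apply cleanly, and whoever adds those policies should scope the grant to that trail's ARN via `aws:SourceArn` rather than to `cloudtrail.amazonaws.com` at large. The literal ARNs are also fragile: `aws_kms_key` assigns its own key id, so the value in `bucket_sse_key_arn` will not match the key this file creates; `bucket_arn = aws_s3_bucket.ct_bucket.arn` and `bucket_sse_key_arn = aws_kms_key.ct_key.arn` keep the example self-consistent. The comment `# let's assume its ARN is: ...` can then be dropped.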
@@ -91,6 +91,7 @@ Terraform module for configuring an integration with Lacework and AWS for CloudT
 | [cloudtrail\_name](#input\_cloudtrail\_name) | The name of the CloudTrail. Required when setting use\_existing\_cloudtrail to true | `string` | `"lacework-cloudtrail"` | no |
 | [consolidated\_trail](#input\_consolidated\_trail) | Set this to true to configure a consolidated cloudtrail | `bool` | `false` | no |
 | [create\_lacework\_integration](#input\_create\_lacework\_integration) | Set this to `false` if you don't want the module to automatically create a corresponding Lacework integration. | `bool` | `true` | no |
+| [cross\_account\_cloudtrail\_arn](#input\_cross\_account\_cloudtrail\_arn) | If using an existing CloudTrail in another account, provide the ARN here | `string` | `null` | no |
 | [cross\_account\_policy\_name](#input\_cross\_account\_policy\_name) | n/a | `string` | `""` | no |
 | [enable\_cloudtrail\_s3\_management\_events](#input\_enable\_cloudtrail\_s3\_management\_events) | Enable CloudTrail Object-level logging | `bool` | `false` | no |
 | [enable\_log\_file\_validation](#input\_enable\_log\_file\_validation) | Specifies whether cloudtrail log file integrity validation is enabled | `bool` | `true` | no |
From 18231017316f2c1794132606fa208335a0bf5e8e Mon Sep 17 00:00:00 2001
From: Piotr Banasik
Date: Fri, 3 May 2024 13:57:43 -0700
Subject: [PATCH 4/4] Fix example to use local relative path
---
 .../security-account.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/examples/consolidated-existing-cloudtrail-in-another-account-datadog-co-existance/security-account.tf b/examples/consolidated-existing-cloudtrail-in-another-account-datadog-co-existance/security-account.tf
index 5ecf46c..c757d13 100644
--- a/examples/consolidated-existing-cloudtrail-in-another-account-datadog-co-existance/security-account.tf
+++ b/examples/consolidated-existing-cloudtrail-in-another-account-datadog-co-existance/security-account.tf
@@ -20,8 +20,7 @@ resource "aws_kms_key" "ct_key" {
 }
 module "aws_cloudtrail" {
- source = "lacework/cloudtrail/aws"
- version = "~> 2.8"
+ source = "../../"
 consolidated_trail = true