feat: add cloudtrail storage module (#1)

* feat: very opinionated storage for cloudtrail

* chore: more work

* ci: install checkov

* ci: disable checkov until we can get it installed in ci

* ci: fix auto lockfile cleanups

Author: nathanhruby

.github/workflows/pre-commit.yml

@@ -34,6 +34,13 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install checkov
+        run: pip install checkov
+
       - name: Terraform min/max versions
         id: minMax
         uses: clowdhaus/terraform-min-max@v1.2.7

.pre-commit-config.yaml

@@ -42,3 +42,13 @@ repos:
       - id: terraform_fmt
       - id: terraform_docs
       - id: terraform_validate
+        args:
+          - --hook-config=--retry-once-with-cleanup=true
+      # - id: terraform_checkov
+      - id: terraform_providers_lock
+        args:
+          - --hook-config=--mode=only-check-is-current-lockfile-cross-platform
+          - --args=-platform=darwin_amd64
+          - --args=-platform=darwin_arm64
+          - --args=-platform=linux_arm64
+          - --args=-platform=linux_arm64

.terraform.lock.hcl

@@ -1,25 +1,32 @@
-# AWS {{THING}} Terraform module
+# AWS S3 Bucket for Multi-Account Cloudtrail Storage Terraform module
 
-Terraform module which creates AWS {{THING}} resources.
+Terraform module which creates an AWS S3 Bucket for Multi-Account Cloudtrail logs.  
 
-## Usage
+This is an opinionated tool for setting up a central bucket in an audit account to house multiple cloudtrail logs streams.  Not recommended for trails with data events due to cost.
 
-See [`examples`](examples) directory for working examples to reference:
+Features:
+- AWS S3 default encryption for data at rest
+- 365 day object lock in GOVERNANCE mode to prevent source file issues
+- 366 day auto expiration
 
-```hcl
-module "<THING>" {
-  source = "platformod/<THING>"
+## Usage
 
-  tags = {
-    Terraform   = "true"
-    Environment = "dev"
-  }
+```hcl
+module "cloudtrail_s3" {
+  source = "platformod/cloudtrail-s3"
+  version = 0.CHANGE_ME
+
+  # will get '-cloudtrail' appended
+  name = "my-org-all-accounts"
+
+  # Needs a list of maps with the accounts and trail arn that will write to this bucket.
+  account_trails = [
+    {account = 111111111111, arn = "arn:aws:cloudtrail:us-east-99:111111111111:trail/trail-name"},
+    {account = 222222222222, arn = "arn:aws:cloudtrail:us-westish-42:222222222222:trail/trailier-name"},
+  ]
 }
-```
 
-## Examples
-
-Examples codified under the [`examples`](examples) are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!
+```
 
 - [Complete](complete)
 
@@ -33,32 +40,47 @@ Examples codified under the [`examples`](examples) are intended to give users re
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.34.0 |
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_bucket"></a> [bucket](#module\_bucket) | terraform-aws-modules/s3-bucket/aws | 4.1.0 |
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_iam_policy_document.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ## Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_trails"></a> [account\_trails](#input\_account\_trails) | Mapping of AWS account id's to trail arns to allow write access for | <pre>list(<br>    object(<br>      {<br>        account = number<br>        arn     = string<br>      }<br>    )<br>  )</pre> | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | A name prefix for the bucket, will have '-cloudtrail' appended | `string` | n/a | yes |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_s3_bucket_arn"></a> [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | The AWS ARN of the bucket |
+| <a name="output_s3_bucket_id"></a> [s3\_bucket\_id](#output\_s3\_bucket\_id) | The name of the bucket |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
+## Tests
+
+The tests in this repo will create and destroy real resources at AWS and incur cost.  Please be careful when running them.
 
 ## Thanks
 
-Heavily inspired from the following template repos
-* https://github.com/clowdhaus/terraform-aws-module-template
-* https://github.com/trussworks/terraform-module-template
-* https://github.com/thesis/terraform-module-template-repo
+Heavily inspired from the following repos
+* https://github.com/cloudposse/terraform-aws-s3-log-storage
+* https://github.com/terraform-aws-modules/terraform-aws-s3-bucket
 
 ## License
 

README.md

@@ -1,2 +1,116 @@
-# Implementation is left as an excercise for the reader ...
-locals {}
+module "bucket" {
+  #checkov:skip=CKV_TF_1:We want to use the registry, not git, for modules
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = "4.1.0"
+
+  bucket = local.bucket_name
+
+  control_object_ownership = true
+  object_ownership         = "BucketOwnerPreferred"
+
+  acl                 = "private"
+  block_public_acls   = true
+  block_public_policy = true
+
+  policy                                = data.aws_iam_policy_document.bucket.json
+  attach_policy                         = true
+  attach_deny_insecure_transport_policy = true
+
+  server_side_encryption_configuration = {
+    rule = {
+      apply_server_side_encryption_by_default = {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
+
+  object_lock_enabled = true
+  object_lock_configuration = {
+    rule = {
+      default_retention = {
+        mode = "GOVERNANCE"
+        days = 365
+      }
+    }
+  }
+
+  lifecycle_rule = [
+    {
+      id                                     = "expire_old"
+      enabled                                = true
+      abort_incomplete_multipart_upload_days = 7
+      expiration = {
+        days                         = 366
+        expired_object_delete_marker = true
+      }
+    }
+  ]
+
+  tags = {
+    Purpose = "cloudtrail"
+    Name    = local.bucket_name
+  }
+
+}
+
+# https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html
+# https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-set-bucket-policy-for-multiple-accounts.html
+data "aws_iam_policy_document" "bucket" {
+  statement {
+    sid = "AWSCloudTrailAclCheck"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions = [
+      "s3:GetBucketAcl",
+    ]
+
+    resources = [
+      module.bucket.s3_bucket_arn,
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceArn"
+      values   = [for o in var.account_trails : o.arn]
+    }
+  }
+
+  statement {
+    sid = "AWSCloudTrailWrite"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions = [
+      "s3:PutObject",
+    ]
+
+    resources = [for o in var.account_trails : "${local.bucket_arn}/AWSLogs/${o.account}"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceArn"
+      values   = [for o in var.account_trails : o.arn]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+
+  }
+}
+
+data "aws_partition" "current" {}
+
+locals {
+  bucket_name = "${var.name}-cloudtrail"
+  bucket_arn  = "arn:${data.aws_partition.current.partition}:s3:::${local.bucket_name}"
+}

main.tf

@@ -0,0 +1,9 @@
+output "s3_bucket_id" {
+  description = "The name of the bucket"
+  value       = module.bucket.s3_bucket_id
+}
+
+output "s3_bucket_arn" {
+  description = "The AWS ARN of the bucket"
+  value       = module.bucket.s3_bucket_arn
+}

outputs.tf

@@ -0,0 +1,27 @@
+provider "aws" {
+  region = "us-east-2"
+  default_tags {
+    tags = {
+      Environment = "Test"
+      Repo        = "platformod/terraform-aws-cloudtrail-s3"
+      CI          = true
+    }
+  }
+}
+
+variables {
+  name = "test-8388737"
+  account_trails = [
+    {account = 111111111111, arn = "arn:aws:cloudtrail:us-fake-1:111111111111:trail/trail-name"},
+    {account = 222222222222, arn = "arn:aws:cloudtrail:us-fake-1:222222222222:trail/trail-name"},
+  ]
+}
+
+run "apply" {
+  command = apply
+
+  assert {
+    condition     = module.bucket.s3_bucket_id == "test-8388737-cloudtrail"
+    error_message = "S3 bucket name did not match expected"
+  }
+}

tests/plan.tftest.hcl

@@ -0,0 +1,16 @@
+variable "account_trails" {
+  description = "Mapping of AWS account id's to trail arns to allow write access for "
+  type = list(
+    object(
+      {
+        account = number
+        arn     = string
+      }
+    )
+  )
+}
+
+variable "name" {
+  description = "A name prefix for the bucket, will have '-cloudtrail' appended"
+  type        = string
+}