feat: first pass (#2)

* feat: first pass

* chore: add pre-commit fixes, address checkov

* chore: cleanup more pre-commit

Author: nathanhruby

README.md

@@ -1,27 +1,57 @@
-# AWS {{THING}} Terraform module
+# AWS Cloudtrail Terraform module
 
-Terraform module which creates AWS {{THING}} resources.
+Terraform module which creates AWS Cloudtrail resources.
 
-## Usage
+This is an opinionated tool for creating a fairly boring Cloudtrail setup.
+
+Features:
+* Multi Region Trail
+* Includes Global Events
+* Includes Management Events
+* Include Insights events
+* No Data events
+  * If you need data events, you should write another trail with specific event selectors to manage scale and cost.
 
-See [`examples`](examples) directory for working examples to reference:
+## Usage
 
 ```hcl
-module "<THING>" {
-  source = "platformod/<THING>"
+# To prevent a dependency loop and pass AWS runtime validations, create
+# the storage first, providing the computed arn of the trail to the
+# cloudtrail_s3 module
+
+data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+data "aws_region" "current" {}
 
-  tags = {
-    Terraform   = "true"
-    Environment = "dev"
-  }
+locals {
+  name = "zombocom-main"
+  arn = "arn:${data.aws_partition.current}:cloudtrail:${data.aws_region.current}:${data.aws_caller_identity.account_id}:trail/${local.name}"
 }
-```
 
-## Examples
+module "storage" {
+  source = "platformod/cloudtrail-s3"
+  version = 0.CHANGE_ME
+
+  # Creates a "${local.name}-cloudtrail" bucket
+  name = local.name
+
+  account_trails = [
+    {
+      account = data.aws_caller_identity.current.account_id ,
+      arn = local.arn
+    },
+  ]
+}
+
+module "trail" {
+  source  = "platformod/cloudtrail"
+  version = 0.CHANGEME
 
-Examples codified under the [`examples`](examples) are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!
+  name      = local.name
+  s3_bucket = "${local.name}-cloudtrail"
+}
 
-- [Complete](complete)
+```
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
@@ -33,32 +63,38 @@ Examples codified under the [`examples`](examples) are intended to give users re
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.34.0 |
 
 ## Modules
 
 No modules.
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_cloudtrail.trail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource |
 
 ## Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_name"></a> [name](#input\_name) | A name for the trail, ideally the same value you used for the bucket name prefix | `string` | n/a | yes |
+| <a name="input_s3_bucket"></a> [s3\_bucket](#input\_s3\_bucket) | The name od the S3 bucket you created to store the logs | `string` | n/a | yes |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_arn"></a> [arn](#output\_arn) | ARN of the trail |
+| <a name="output_home_region"></a> [home\_region](#output\_home\_region) | Region in which the trail was created |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
+## Tests
 
-## Thanks
-
-Heavily inspired from the following template repos
-* https://github.com/clowdhaus/terraform-aws-module-template
-* https://github.com/trussworks/terraform-module-template
-* https://github.com/thesis/terraform-module-template-repo
+The tests in this repo will create and destroy real resources at AWS and incur cost. Please be careful when running them.
 
 ## License
 

main.tf

@@ -1,2 +1,32 @@
-# Implementation is left as an excercise for the reader ...
-locals {}
+# An opnionated cloudtrail.
+# Single trail, all management events, no data events
+
+resource "aws_cloudtrail" "trail" {
+  #checkov:skip=CKV_AWS_252:Prefer S3 notifications and EventBridge over SNS
+  #checkov:skip=CKV_AWS_35:These are encrypted at rest in S3
+  #checkov:skip=CKV2_AWS_10:We will offworld these to a seperte log provider, do not need CloudWatch here
+
+  name           = var.name
+  s3_bucket_name = var.s3_bucket
+
+  enable_log_file_validation = true
+
+  include_global_service_events = true
+  is_multi_region_trail         = true
+
+  insight_selector {
+    insight_type = "ApiCallRateInsight"
+  }
+
+  insight_selector {
+    insight_type = "ApiErrorRateInsight"
+  }
+
+  event_selector {
+    include_management_events = true
+  }
+
+  tags = {
+    Name = var.name
+  }
+}

outputs.tf

@@ -0,0 +1,9 @@
+output "arn" {
+  description = "ARN of the trail"
+  value       = aws_cloudtrail.trail.arn
+}
+
+output "home_region" {
+  description = "Region in which the trail was created"
+  value       = aws_cloudtrail.trail.home_region
+}

tests/apply.tftest.hcl

@@ -0,0 +1,53 @@
+provider "aws" {
+  region = "us-east-2"
+  default_tags {
+    tags = {
+      Environment = "Test"
+      Repo        = "platformod/terraform-aws-cloudtrail"
+      CI          = true
+    }
+  }
+}
+
+variables {
+  name = "test-8388737"
+}
+
+run "gets" {
+  module {
+    source = "./tests/gets"
+  }
+}
+
+run "bucket" {
+  variables {
+    account_trails = [
+      {
+        account = run.gets.account_id,
+        arn     = "arn:aws:cloudtrail:us-east-2:${run.gets.account_id}:trail/${var.name}"
+      }
+    ]
+  }
+  module {
+    source = "platformod/cloudtrail-s3/aws"
+    version = "1.0.1"
+  }
+}
+
+run "apply" {
+  command = apply
+
+  variables {
+    s3_bucket = "${var.name}-cloudtrail"
+  }
+
+  assert {
+    condition     = aws_cloudtrail.trail.home_region == "us-east-2"
+    error_message = "Trail not created in correct region"
+  }
+
+  assert {
+    condition     = aws_cloudtrail.trail.arn == "arn:aws:cloudtrail:us-east-2:${run.gets.account_id}:trail/${var.name}"
+    error_message = "Trail ARN.  It ain't right"
+  }
+}

tests/gets/.terraform.lock.hcl

@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}

tests/gets/main.tf

@@ -0,0 +1,3 @@
+output "account_id" {
+  value = data.aws_caller_identity.current.account_id
+}

tests/gets/outputs.tf

@@ -0,0 +1,9 @@
+variable "name" {
+  description = "A name for the trail, ideally the same value you used for the bucket name prefix"
+  type        = string
+}
+
+variable "s3_bucket" {
+  description = "The name od the S3 bucket you created to store the logs"
+  type        = string
+}