Added support for delegated access to ops Cloudtrail bucket

2aef5c52 · Chris Merrett · eea43bff · 2aef5c52 · 2aef5c52
Commit 2aef5c52 authored Dec 15, 2016 by Chris Merrett
Hide whitespace changes
Inline Side-by-side

Showing with 64 additions and 8 deletions

README.md README.md +11 -2

main.tf main.tf +53 -6

No files found.
--- a/README.md
+++ b/README.md
@@ -8,6 +8,8 @@ Input Variables

 - `customer_name` - The name of the custmer/enduser that you're using within Terraform.
 - `environment` - The environment name that you're assigning. As this module is designed for "ops" accounts, "ops" is the default.
+- `child_accounts` - A list of AWS account ID's that will also be writing Cloudtrail information to the ops bucket.
+

 Outputs
 -------
@@ -23,13 +25,20 @@ You can use these in your Terraform template with the following steps.
 1.) Adding a module resource to your template, e.g. `main.tf`

 ```
+variable "name" {}
+variable "environment" {}
+variable "aws_child_accounts" {
+  type = "list"
+}
+
 #############################################################################################################
 # CloudTrail (Ops Account)
 #############################################################################################################
 module "cloudtrail_ops" {
  source = "git::https://git.steamhaus.co.uk/steamhaus/tf_mod_aws_cloudtrail_ops"

-  customer_name = "${var.name}"
-  environment   = "${var.environment}"
+  customer_name  = "${var.name}"
+  environment    = "${var.environment}"
+  child_accounts = "${var.aws_child_accounts}"
 }
 ```
--- a/main.tf
+++ b/main.tf
@@ -7,18 +7,65 @@ variable "environment" {
  default     = "ops"
 }

-data "template_file" "s3_policy" {
-  template = "${file("${path.module}/s3_policy.json.tpl")}"
-  vars {
-    customer_name = "${var.customer_name}"
-    environment   = "${var.environment}"
+variable "child_accounts" {
+  description = "List of child AWS account ID's"
+  type        = "list"
+}
+
+data "aws_iam_policy_document" "main" {
+  statement {
+    sid       = "AWSCloudTrailAclCheck"
+    effect    = "Allow"
+    actions   = ["s3:GetBucketAcl"]
+    resources = "arn:aws:s3:::${var.customer_name}-${var.environment}-cloudtrail"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+  }
+
+  statement {
+    sid       = "AWSCloudTrailWrite"
+    effect    = "Allow"
+    actions   = ["s3:PutObject"]
+    resources = "arn:aws:s3:::${var.customer_name}-${var.environment}-cloudtrail/*"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+  }
+
+  statement {
+    sid       = "AWSCloudTrailWrite"
+    effect    = "Allow"
+    actions   = ["s3:PutObject"]
+    resources = ["${formatlist("arn:aws:s3:::$${var.customer_name}-$${var.environment}-cloudtrail/AWSLogs/%s/*", var.child_accounts)}"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
  }
 }

 resource "aws_s3_bucket" "main" {
  bucket        = "${var.customer_name}-${var.environment}-cloudtrail"
  force_destroy = true
-  policy        = "${data.template_file.s3_policy.rendered}"
+  policy        = "${data.aws_iam_policy_document.main.json}"
 }

 resource "aws_cloudtrail" "main" {