Initial commit

.gitlab-ci.yml

+image: alpine:latest
+
+variables:
+  TERRAFORM_URL: "https://releases.hashicorp.com/terraform/0.7.13/terraform_0.7.13_linux_amd64.zip"
+
+before_script:
+  - apk update && apk add ca-certificates && update-ca-certificates && apk add openssl
+  - wget -O /tmp/terraform.zip $TERRAFORM_URL
+  - unzip /tmp/terraform.zip -d /usr/local/bin
+
+test:
+  script: terraform validate

README.md

+tf_mod_aws_cloudtrail_ops
+==============
+A Terraform module for creating the Cloudtrail server and associated logging bucket for an account.
+The role assumes that your environment will be known as "ops", as this module is designed to facilitate
+
+Input Variables
+---------------
+
+- `customer_name` - The name of the custmer/enduser that you're using within Terraform.
+- `environment` - The environment name that you're assigning. As this module is designed for "ops" accounts, "ops" is the default.
+
+Outputs
+-------
+
+- `bucket_name` - The name of the logging bucket.
+- `cloudtrail_name` - The name of the Cloudtrail service that has been created.
+
+Usage
+-----
+
+You can use these in your Terraform template with the following steps.
+
+1.) Adding a module resource to your template, e.g. `main.tf`
+
+```
+#############################################################################################################
+# CloudTrail (Ops Account)
+#############################################################################################################
+module "cloudtrail_ops" {
+  source = "git::https://git.steamhaus.co.uk/steamhaus/tf_mod_aws_cloudtrail_ops"
+
+  customer_name = "${var.name}"
+  environment   = "${var.environment}"
+}
+```

main.tf

+variable "customer_name" {
+  description = "Account canonical name"
+}
+
+variable "environment" {
+  description = "Account environment type"
+  default     = "ops"
+}
+
+data "template_file" "s3_policy" {
+  template = "${file("${path.module}/s3_policy.json.tpl")}"
+  vars {
+    customer_name = "${var.customer_name}"
+    environment   = "${var.environment}"
+  }
+}
+
+resource "aws_s3_bucket" "main" {
+  bucket        = "${var.customer_name}-${var.environment}-cloudtrail"
+  force_destroy = true
+  policy        = "${data.template_file.s3_policy.rendered}"
+}
+
+resource "aws_cloudtrail" "main" {
+  name                          = "${var.customer_name}-${var.environment}-cloudtrail"
+  s3_bucket_name                = "${aws_s3_bucket.main.id}"
+  include_global_service_events = true
+}
+
+output "bucket_name" {
+  value = "${aws_s3_bucket.main.id}"
+}
+
+output "cloudtrail_name" {
+  value = "${aws_cloudtrail.main.id}"
+}

s3_policy.json.tpl

+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AWSCloudTrailAclCheck",
+            "Effect": "Allow",
+            "Principal": {
+              "Service": "cloudtrail.amazonaws.com"
+            },
+            "Action": "s3:GetBucketAcl",
+            "Resource": "arn:aws:s3:::${customer_name}-${environment}-cloudtrail"
+        },
+        {
+            "Sid": "AWSCloudTrailWrite",
+            "Effect": "Allow",
+            "Principal": {
+              "Service": "cloudtrail.amazonaws.com"
+            },
+            "Action": "s3:PutObject",
+            "Resource": "arn:aws:s3:::${customer_name}-${environment}-cloudtrail/*",
+            "Condition": {
+                "StringEquals": {
+                    "s3:x-amz-acl": "bucket-owner-full-control"
+                }
+            }
+        }
+    ]
+}