Skip to content
/ cool-cdm-cloudtrail-tf-module Public

A Terraform module that creates resources necessary for CDM to access an account's CloudTrail data.

License

CC0-1.0 license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

cisagov/cool-cdm-cloudtrail-tf-module

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

905 Commits
.github
.github
 
 
examples/basic_usage
examples/basic_usage
 
 
.ansible-lint
.ansible-lint
 
 
.bandit.yml
.bandit.yml
 
 
.flake8
.flake8
 
 
.gitignore
.gitignore
 
 
.isort.cfg
.isort.cfg
 
 
.mdl_config.yaml
.mdl_config.yaml
 
 
.pre-commit-config.yaml
.pre-commit-config.yaml
 
 
.prettierignore
.prettierignore
 
 
.terraform-docs.yml
.terraform-docs.yml
 
 
.yamllint
.yamllint
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
assume_role_policy_doc.tf
assume_role_policy_doc.tf
 
 
bucket.tf
bucket.tf
 
 
cloudtrail.tf
cloudtrail.tf
 
 
locals.tf
locals.tf
 
 
outputs.tf
outputs.tf
 
 
policy.tf
policy.tf
 
 
providers.tf
providers.tf
 
 
provisioncdmcloudtrail_policy.tf
provisioncdmcloudtrail_policy.tf
 
 
provisioncdmcloudtrail_policy_attachment.tf
provisioncdmcloudtrail_policy_attachment.tf
 
 
queue.tf
queue.tf
 
 
requirements-dev.txt
requirements-dev.txt
 
 
requirements-test.txt
requirements-test.txt
 
 
requirements.txt
requirements.txt
 
 
role.tf
role.tf
 
 
setup-env
setup-env
 
 
topic.tf
topic.tf
 
 
user.tf
user.tf
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

Repository files navigation

cool-cdm-cloudtrail-tf-module

GitHub Build Status

This Terraform module creates the necessary resources to allow the CDM Splunk user to access and import the CloudTrail logs for an account. In order to ensure that the CDM Splunk user cannot cause any harm a separate CloudTrail trail, SNS topic, SQS queue, and S3 bucket are created for this purpose. The CDM Splunk user is expected to delete the CloudTrail logs from the S3 bucket as they are processed.

Usage

module "example" {
  source = "github.com/cisagov/cool-cdm-cloudtrail-tf-module"
  providers = {
    aws = aws.accountnameprovisionaccount
    aws.users = aws.usersprovisionaccount
  }

  assume_role_policy_description = "The IAM policy that allows the CDM user to assume the IAM role that allows access to the CDM CloudTrail data in the AccountName account."
  assume_role_policy_name        = "AccountName-AssumeCdmCloudTrail"
  cdm_user_name                  = "my-cdm-user"
}

Examples

Requirements

Name Version
terraform >= 1.1
aws >= 5.0

Providers

Name Version
aws >= 5.0
aws.users >= 5.0

Modules

No modules.

Resources

Name Type
aws_cloudtrail.trail resource
aws_iam_policy.cdm resource
aws_iam_policy.cloudtrail resource
aws_iam_policy.provisioncdmcloudtrail_policy resource
aws_iam_role.cloudtrail resource
aws_iam_role_policy_attachment.cloudtrail resource
aws_iam_role_policy_attachment.provisioncdmcloudtrail_policy_attachment resource
aws_iam_user_policy_attachment.cdm resource
aws_s3_bucket.cloudtrail resource
aws_s3_bucket_ownership_controls.cloudtrail resource
aws_s3_bucket_policy.cloudtrail resource
aws_s3_bucket_public_access_block.cloudtrail resource
aws_s3_bucket_server_side_encryption_configuration.cloudtrail resource
aws_sns_topic.cloudtrail resource
aws_sns_topic_policy.cloudtrail resource
aws_sns_topic_subscription.cloudtrail resource
aws_sqs_queue.cloudtrail resource
aws_sqs_queue.cloudtrail_dlq resource
aws_sqs_queue_policy.cloudtrail resource
aws_caller_identity.default data source
aws_caller_identity.users data source
aws_iam_policy_document.allow_access_to_queue_and_bucket data source
aws_iam_policy_document.allow_cloudtrail_to_publish_to_topic data source
aws_iam_policy_document.allow_cloudtrail_to_write_logs data source
aws_iam_policy_document.allow_cloudtrail_topic_to_send_messages data source
aws_iam_policy_document.allow_users_account_to_assume_role data source
aws_iam_policy_document.assume_role_doc data source
aws_iam_policy_document.provisioncdmcloudtrail_doc data source

Inputs

Name Description Type Default Required
assume_role_policy_description The description to associate with the IAM policy that allows the CDM user to assume the IAM role that allows access to the CDM CloudTrail data (e.g., "The IAM policy that allows the CDM user to assume the IAM role that allows access to the CDM CloudTrail data in the AccountName account."). string n/a yes
assume_role_policy_name The name to associate with the IAM policy that allows the CDM user to assume the IAM role that allows access to the CDM CloudTrail data (e.g., "ACCTNAME-AssumeCdmCloudTrail"). string n/a yes
aws_region The AWS region to deploy into (e.g. "us-east-1"). string "us-east-1" no
bucket_prefix A prefix to use when creating a unique name for the S3 bucket where CloudTrail logs will be collected for CDM. Terraform will create a unique bucket name beginning with the specified prefix. string "cdm-cloudtrail-" no
cdm_user_name The user name of the CDM user who will assume the role to access the CloudTrail data. string n/a yes
deadletter_queue_name The name of the deadletter queue associated with the SQS queue that collects the messages sent when CloudTrail logs are written to the CDM CloudTrail bucket. string "cdm-cloudtrail-deadletter" no
provisionaccount_role_name The name of the IAM role that allows sufficient permissions to provision all AWS resources in the account. string "ProvisionAccount" no
provisioncdmcloudtrail_policy_description The description of the IAM policy that allows sufficient permissions to provision all CDM CloudTrail AWS resources in the account. string "Allows provisioning of the CDM CloudTrail resources in the account." no
provisioncdmcloudtrail_policy_name The name of the IAM policy that allows sufficient permissions to provision all CDM CloudTrail AWS resources in the account. string "ProvisionCdmCloudTrail" no
queue_name The name of the SQS queue that collects the messages sent when CloudTrail logs are written to the CDM CloudTrail bucket. string "cdm-cloudtrail" no
role_description The description to assign the IAM role (as well as the corresponding policy) that allows access to the CDM CloudTrail data. string "Allows access to the CDM CloudTrail data." no
role_name The name to assign the IAM role (as well as the corresponding policy) that allows access to the CDM CloudTrail data. string "CdmCloudTrail" no
topic_name The name of the SNS topic that sends a message when CloudTrail logs are written to the CDM CloudTrail bucket. string "cdm-cloudtrail" no
trail_name The name of the CloudTrail trail that generates the information for import into CDM. string "cdm-cloudtrail" no

Outputs

Name Description
access_policy The IAM policy with the necessary permissions to access the CDM CloudTrail data.
access_role The IAM role that can be assumed to access the CDM CloudTrail data.
assume_access_role_policy The IAM policy that allows the CDM user to assume the IAM role that allows access the CDM CloudTrail data.
bucket The S3 bucket where CloudTrail logs are stored for CDM.
deadletter_queue The SQS deadletter queue of messages notifying of CloudTrail logs being written to the CDM S3 bucket for which processing has failed.
queue The SQS queue of messages notifying of CloudTrail logs being written to the CDM S3 bucket.
topic The SNS topic for notifications of CloudTrail logs being written to the CDM S3 bucket.
trail The CloudTrail trail for CDM.

Notes

Running pre-commit requires running terraform init in every directory that contains Terraform code. In this repository, these are the main directory and every directory under examples/.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

About

A Terraform module that creates resources necessary for CDM to access an account's CloudTrail data.

Resources

Readme

License

CC0-1.0 license

Security policy

Security policy
Activity
Custom properties

Stars

1 star

Watchers

5 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 11

Languages