Implement Cloud Trails (#1)

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright {yyyy} {name of copyright owner}
+   Copyright 2017 Cloud Posse, LLC
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -1 +1,26 @@
-# tf_cloudtrail
+# tf_cloudtrail
+
+Setup and manage CloudTrail
+
+## Argument Reference
+
+* `name`: (Required) Name of CloudTrail trail.
+* `region`: (Required) AWS region. Used to find remote state.
+* `enable_logging`: Enable logging, set to `false` to Pause logging (`default = true`)
+* `enable_log_file_validation`: Create signed digest file to validated contents of logs (`default = true`)
+* `include_global_service_events`: Include evnets from global services such as IAM (`default = false`)
+* `is_multi_region_trail`: Whether the trail is created in all regions or just the current region (`default = false`)
+
+## Usage
+```
+module "cloudtrails" {
+  source                        = "git::https://github.com/cloudposse/tf_cloudtrail.git?ref=master"
+  name                          = "${var.name}"
+  stage                         = "${var.stage}"
+  namespace                     = "${var.namespace}"
+  enable_logging                = "true"
+  enable_log_file_validation    = "true"
+  include_global_service_events = "false"
+  is_multi_region_trail         = "false"
+}
+```

main.tf

@@ -0,0 +1,67 @@
+module "tf_label" {
+  source    = "git::https://github.com/cloudposse/tf_label.git?ref=0.1.0"
+  namespace = "${var.namespace}"
+  stage     = "${var.stage}"
+  name      = "${var.name}"
+}
+
+resource "aws_cloudtrail" "default" {
+  name                          = "${module.tf_label.id}"
+  s3_bucket_name                = "${aws_s3_bucket.default.id}"
+  enable_logging                = "${var.enable_logging}"
+  enable_log_file_validation    = "${var.enable_log_file_validation}"
+  is_multi_region_trail         = "${var.is_multi_region_trail}"
+  include_global_service_events = "${var.include_global_service_events}"
+}
+
+data "aws_iam_policy_document" "default" {
+  statement {
+    sid = "AWSCloudTrailAclCheck"
+
+    principals {
+      type = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions = [
+      "s3:GetBucketAcl",
+    ]
+
+    resources = [
+      "arn:aws:s3:::${module.tf_label.id}"
+    ]
+  }
+
+  statement {
+    sid = "AWSCloudTrailWrite"
+
+    principals {
+      type = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions = [
+      "s3:PutObject",
+    ]
+
+    resources = [
+      "arn:aws:s3:::${module.tf_label.id}/*"
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+
+      values = [
+        "bucket-owner-full-control"
+      ]
+    }
+  }
+}
+
+
+resource "aws_s3_bucket" "default" {
+  bucket = "${module.tf_label.id}"
+  force_destroy = false
+  policy = "${data.aws_iam_policy_document.default.json}"
+}

outputs.tf

@@ -0,0 +1,3 @@
+output "bucket_name" {
+  value = "${aws_s3_bucket.default.id}"
+}

variables.tf

@@ -0,0 +1,31 @@
+variable "region" {
+  default = ""
+}
+
+variable "name" {
+  default = "cloudtrails"
+}
+
+variable "namespace" {
+  default = ""
+}
+
+variable "stage" {
+  default = ""
+}
+
+variable "enable_logging" {
+  default = "true"
+}
+
+variable "enable_log_file_validation" {
+  default = "true"
+}
+
+variable "is_multi_region_trail" {
+  default = "false"
+}
+
+variable "include_global_service_events" {
+  default = "false"
+}