xpk/terraform.aws-baseline-infra
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

NEW: cloudtrail and cwl

Browse Source
This commit is contained in:
xpk 2021-01-26 21:40:02 +08:00
commit d8b9390928
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
16 changed files with 671 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.gitignore vendored Normal file
View File

@ -0,0 +1,5 @@
*.tfstate.backup
*.tfstate.lock
.terraform/
.DS_Store
*.iml

3
.idea/.gitignore vendored Normal file
View File

@ -0,0 +1,3 @@
# Default ignored files
/shelf/
/workspace.xml

11
layers/security_identity_compliance/cloudtrail_cloudwatchlogs/main.tf Normal file
View File

@ -0,0 +1,11 @@
data aws_caller_identity this {}
module cloudtrail-cwl {
source = "../../../modules/security_identity_compliance/cloudtrail_cwlogs"
application = var.application
environment = var.environment
customer-name = var.customer-name
project = var.project
aws-region-short = var.aws-region-short
default-tags = local.default-tags
}

12
layers/security_identity_compliance/cloudtrail_cloudwatchlogs/provider.tf Normal file
View File

@ -0,0 +1,12 @@
provider "aws" {
region = var.aws-region
}
terraform {
required_version = "> 0.12, < 0.13"
required_providers {
aws = "~> 3.6.0"
}
}
data "aws_availability_zones" "current" {}

298
layers/security_identity_compliance/cloudtrail_cloudwatchlogs/terraform.tfstate Normal file
View File

@ -0,0 +1,298 @@
{
"version": 4,
"terraform_version": "0.12.29",
"serial": 85,
"lineage": "26e4bec8-8ad6-a262-52c6-fbcad6b7a499",
"outputs": {},
"resources": [
{
"module": "module.cloudtrail-cwl",
"mode": "data",
"type": "aws_caller_identity",
"name": "this",
"provider": "provider.aws",
"instances": [
{
"schema_version": 0,
"attributes": {
"account_id": "573340405480",
"arn": "arn:aws:sts::573340405480:assumed-role/Rackspace/racker-ken2-eade1d93",
"id": "2021-01-26 13:37:52.170204471 +0000 UTC",
"user_id": "AROAYK7OAJ3UH36WGNMWD:racker-ken2-eade1d93"
}
}
]
},
{
"module": "module.cloudtrail-cwl",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "cloudtrail_bucket_policy",
"provider": "provider.aws",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "995859125",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"AWSCloudTrailAclCheck\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"AWSCloudTrailWrite\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480/*\",\n \"Principal\": {\n \"Service\": [\n \"config.amazonaws.com\",\n \"cloudtrail.amazonaws.com\"\n ]\n }\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [
{
"actions": [
"s3:GetBucketAcl"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [
{
"identifiers": [
"cloudtrail.amazonaws.com"
],
"type": "Service"
}
],
"resources": [
"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480"
],
"sid": "AWSCloudTrailAclCheck"
},
{
"actions": [
"s3:PutObject"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [
{
"identifiers": [
"cloudtrail.amazonaws.com",
"config.amazonaws.com"
],
"type": "Service"
}
],
"resources": [
"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480/*"
],
"sid": "AWSCloudTrailWrite"
}
],
"version": "2012-10-17"
}
}
]
},
{
"module": "module.cloudtrail-cwl",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "key-policy",
"provider": "provider.aws",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "3662241047",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"Key usage by aws services\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"*\",\n \"Principal\": {\n \"Service\": [\n \"sqs.amazonaws.com\",\n \"sns.amazonaws.com\",\n \"s3.amazonaws.com\",\n \"logs.amazonaws.com\",\n \"lambda.amazonaws.com\",\n \"guardduty.amazonaws.com\",\n \"events.amazonaws.com\",\n \"eks.amazonaws.com\",\n \"eks-nodegroup.amazonaws.com\",\n \"delivery.logs.amazonaws.com\",\n \"cloudwatch.amazonaws.com\",\n \"cloudtrail.amazonaws.com\",\n \"backup.amazonaws.com\",\n \"autoscaling.amazonaws.com\"\n ]\n }\n },\n {\n \"Sid\": \"Key administrator\",\n \"Effect\": \"Allow\",\n \"Action\": \"kms:*\",\n \"Resource\": \"*\",\n \"Principal\": {\n \"AWS\": \"573340405480\"\n }\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [
{
"actions": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [
{
"identifiers": [
"autoscaling.amazonaws.com",
"backup.amazonaws.com",
"cloudtrail.amazonaws.com",
"cloudwatch.amazonaws.com",
"delivery.logs.amazonaws.com",
"eks-nodegroup.amazonaws.com",
"eks.amazonaws.com",
"events.amazonaws.com",
"guardduty.amazonaws.com",
"lambda.amazonaws.com",
"logs.amazonaws.com",
"s3.amazonaws.com",
"sns.amazonaws.com",
"sqs.amazonaws.com"
],
"type": "Service"
}
],
"resources": [
"*"
],
"sid": "Key usage by aws services"
},
{
"actions": [
"kms:*"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [
{
"identifiers": [
"573340405480"
],
"type": "AWS"
}
],
"resources": [
"*"
],
"sid": "Key administrator"
}
],
"version": "2012-10-17"
}
}
]
},
{
"module": "module.cloudtrail-cwl",
"mode": "managed",
"type": "aws_kms_key",
"name": "ctbucket-key",
"provider": "provider.aws",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:kms:ap-northeast-1:573340405480:key/ba826c02-4153-4056-ad75-2614912c6274",
"customer_master_key_spec": "SYMMETRIC_DEFAULT",
"deletion_window_in_days": 7,
"description": "",
"enable_key_rotation": false,
"id": "ba826c02-4153-4056-ad75-2614912c6274",
"is_enabled": true,
"key_id": "ba826c02-4153-4056-ad75-2614912c6274",
"key_usage": "ENCRYPT_DECRYPT",
"policy": "{\"Statement\":[{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"eks-nodegroup.amazonaws.com\",\"delivery.logs.amazonaws.com\",\"eks.amazonaws.com\",\"events.amazonaws.com\",\"autoscaling.amazonaws.com\",\"logs.amazonaws.com\",\"sqs.amazonaws.com\",\"backup.amazonaws.com\",\"guardduty.amazonaws.com\",\"cloudtrail.amazonaws.com\",\"lambda.amazonaws.com\",\"cloudwatch.amazonaws.com\",\"sns.amazonaws.com\",\"s3.amazonaws.com\"]},\"Resource\":\"*\",\"Sid\":\"Key usage by aws services\"},{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::573340405480:root\"},\"Resource\":\"*\",\"Sid\":\"Key administrator\"}],\"Version\":\"2012-10-17\"}",
"tags": {
"Application": "infra",
"BuildDate": "20210126",
"Environment": "lab",
"Project": "lime",
"ServiceProvider": "Rackspace",
"TerraformMode": "managed"
}
},
"private": "bnVsbA=="
}
]
},
{
"module": "module.cloudtrail-cwl",
"mode": "managed",
"type": "aws_s3_bucket",
"name": "ct-bucket",
"provider": "provider.aws",
"instances": [
{
"schema_version": 0,
"attributes": {
"acceleration_status": "",
"acl": "private",
"arn": "arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480",
"bucket": "lab-apne1-kf-lime-ctbucket-573340405480",
"bucket_domain_name": "lab-apne1-kf-lime-ctbucket-573340405480.s3.amazonaws.com",
"bucket_prefix": null,
"bucket_regional_domain_name": "lab-apne1-kf-lime-ctbucket-573340405480.s3.ap-northeast-1.amazonaws.com",
"cors_rule": [],
"force_destroy": false,
"grant": [],
"hosted_zone_id": "Z2M4EHUR26P7ZW",
"id": "lab-apne1-kf-lime-ctbucket-573340405480",
"lifecycle_rule": [
{
"abort_incomplete_multipart_upload_days": 0,
"enabled": false,
"expiration": [
{
"date": "",
"days": 90,
"expired_object_delete_marker": false
}
],
"id": "tf-s3-lifecycle-20210126114512193400000001",
"noncurrent_version_expiration": [],
"noncurrent_version_transition": [],
"prefix": "",
"tags": {},
"transition": [
{
"date": "",
"days": 30,
"storage_class": "INTELLIGENT_TIERING"
}
]
}
],
"logging": [],
"object_lock_configuration": [],
"policy": "{\"Statement\":[{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480\",\"Sid\":\"AWSCloudTrailAclCheck\"},{\"Action\":\"s3:PutObject\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"config.amazonaws.com\",\"cloudtrail.amazonaws.com\"]},\"Resource\":\"arn:aws:s3:::lab-apne1-kf-lime-ctbucket-573340405480/*\",\"Sid\":\"AWSCloudTrailWrite\"}],\"Version\":\"2012-10-17\"}",
"region": "ap-northeast-1",
"replication_configuration": [],
"request_payer": "BucketOwner",
"server_side_encryption_configuration": [
{
"rule": [
{
"apply_server_side_encryption_by_default": [
{
"kms_master_key_id": "arn:aws:kms:ap-northeast-1:573340405480:key/ba826c02-4153-4056-ad75-2614912c6274",
"sse_algorithm": "aws:kms"
}
]
}
]
}
],
"tags": {
"Application": "infra",
"BuildDate": "20210126",
"Environment": "lab",
"Project": "lime",
"ServiceProvider": "Rackspace",
"TerraformMode": "managed"
},
"versioning": [
{
"enabled": false,
"mfa_delete": false
}
],
"website": [],
"website_domain": null,
"website_endpoint": null
}
}
]
}
]
}

6
layers/security_identity_compliance/cloudtrail_cloudwatchlogs/terraform.tfvars Normal file
View File

@ -0,0 +1,6 @@
aws-region = "ap-northeast-1"
aws-region-short = "apne1"
customer-name = "kf"
environment = "lab"
project = "lime"
application = "infra"

20
layers/security_identity_compliance/cloudtrail_cloudwatchlogs/variables.tf Normal file
View File

@ -0,0 +1,20 @@
variable "aws-region" {}
variable "aws-region-short" {}
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}
locals {
default-tags = {
ServiceProvider = "Rackspace"
Environment = var.environment
Project = var.project
Application = var.application
TerraformMode = "managed"
BuildDate = formatdate("YYYYMMDD", timestamp())
}
ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
}

27
modules/global-variables/README.md Normal file
View File

@ -0,0 +1,27 @@
# global-variables module
This module provides global variables that can be used in all layers
## Basic Usage
Variables are stored in a map in outputs.tf
```hcl
module "global-variables" {
source = "../../../../../../../../../terraform_modules_shared/global-variables"
}
// then retrieve global variable from the module. for example:
sys-sec-account = module.global-variables.vars.prod.sys-sec-acc
```
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:|
## Outputs
| Name | Description |
|------|-------------|
| vars | map of variables |

18
modules/global-variables/outputs.tf Normal file
View File

@ -0,0 +1,18 @@
output vars {
value = {
"prod" = {
sys-log-acc = "174677273835"
sys-ss-acc = "827262612707"
stm-acc = "205233139210"
sys-sec-acc = "033205333431"
mp-acc = "616302076454"
}
"plike" = {
sys-log-acc = "870377016556"
sys-ss-acc = "022321612404"
stm-acc = "313794563353"
sys-sec-acc = "240016403383"
mp-acc = "684740086263"
}
}
}

80
modules/security_identity_compliance/cloudtrail_cwlogs/cloudtrail.tf Normal file
View File

@ -0,0 +1,80 @@
resource "aws_iam_role" "iam_cloudtrial_cloudwatch_role" {
name = "${local.resource-prefix}-cwl-role"
assume_role_policy = data.aws_iam_policy_document.ct-role-assumerole-policy.json
description = "Enables AWS CloudTrail to deliver log to CloudWatch log"
tags = var.default-tags
}
resource "aws_iam_role_policy" "iam_cloudtrial_cloudwatach_role_policy" {
name = "${local.resource-prefix}-cwl-role-policy"
role = aws_iam_role.iam_cloudtrial_cloudwatch_role.id
policy = data.aws_iam_policy_document.ct-role-pdoc.json
}
data "aws_iam_policy_document" "ct-role-assumerole-policy" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["cloudtrail.amazonaws.com"]
}
}
}
data "aws_iam_policy_document" "ct-role-pdoc" {
statement {
effect = "Allow"
actions = ["logs:CreateLogStream"]
resources = [
"${aws_cloudwatch_log_group.ct-cwl.arn}:log-stream:*",
]
}
statement {
effect = "Allow"
actions = ["logs:PutLogEvents"]
resources = [
"${aws_cloudwatch_log_group.ct-cwl.arn}:log-stream:*",
]
}
}
resource "aws_cloudtrail" "default" {
name = "${local.resource-prefix}-trail-001"
enable_logging = true
s3_bucket_name = local.ct-bucket-name
enable_log_file_validation = true
is_multi_region_trail = true
include_global_service_events = true
cloud_watch_logs_role_arn = aws_iam_role.iam_cloudtrial_cloudwatch_role.arn
cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.ct-cwl.arn}:*"
tags = var.default-tags
kms_key_id = aws_kms_key.ctbucket-key.arn
is_organization_trail = false
event_selector {
read_write_type = "All"
include_management_events = true
data_resource {
type = "AWS::S3::Object"
values = ["arn:aws:s3:::"]
}
data_resource {
type = "AWS::Lambda::Function"
values = ["arn:aws:lambda"]
}
}
#insight_selector {
# insight_type = "ApiCallRateInsight"
#}
}

68
modules/security_identity_compliance/cloudtrail_cwlogs/ct-key.tf Normal file
View File

@ -0,0 +1,68 @@
resource "aws_kms_key" "ctbucket-key" {
deletion_window_in_days = 7
tags = var.default-tags
policy = data.aws_iam_policy_document.key-policy.json
}
resource "aws_kms_alias" ctbucket-key-aliaas {
name = "alias/${local.resource-prefix}-ctkey-alias"
target_key_id = aws_kms_key.ctbucket-key.key_id
}
# https://gist.github.com/shortjared/4c1e3fe52bdfa47522cfe5b41e5d6f22
data "aws_iam_policy_document" "key-policy" {
statement {
sid = "Key usage by aws services"
principals {
identifiers = [
"autoscaling.amazonaws.com",
"cloudtrail.amazonaws.com",
"eks.amazonaws.com",
"eks-nodegroup.amazonaws.com",
"guardduty.amazonaws.com",
"delivery.logs.amazonaws.com",
"sns.amazonaws.com",
"sqs.amazonaws.com",
"lambda.amazonaws.com",
"backup.amazonaws.com",
"events.amazonaws.com",
"cloudwatch.amazonaws.com",
"s3.amazonaws.com",
"logs.amazonaws.com"
]
type = "Service"
}
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
]
resources = [
"*"
]
effect = "Allow"
}
statement {
sid = "Key administrator"
actions = [
"kms:*"
]
resources = [
"*"
]
principals {
type = "AWS"
identifiers = [data.aws_caller_identity.this.account_id]
}
effect = "Allow"
}
}

76
modules/security_identity_compliance/cloudtrail_cwlogs/ct-s3-bucket.tf Normal file
View File

@ -0,0 +1,76 @@
data "aws_iam_policy_document" "cloudtrail_bucket_policy" {
statement {
sid = "AWSCloudTrailAclCheck"
principals {
type = "Service"
identifiers = ["cloudtrail.amazonaws.com"]
}
actions = [
"s3:GetBucketAcl",
]
resources = [
"arn:aws:s3:::${local.ct-bucket-name}",
]
}
statement {
sid = "AWSCloudTrailWrite"
principals {
type = "Service"
identifiers = ["config.amazonaws.com", "cloudtrail.amazonaws.com"]
}
actions = [
"s3:PutObject",
]
resources = [
"arn:aws:s3:::${local.ct-bucket-name}/*",
]
}
}
resource "aws_s3_bucket" "ct-bucket" {
bucket = local.ct-bucket-name
policy = join("", data.aws_iam_policy_document.cloudtrail_bucket_policy.*.json)
versioning {
enabled = false
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.ctbucket-key.arn
sse_algorithm = "aws:kms"
}
}
}
tags = var.default-tags
lifecycle_rule {
enabled = false
transition {
days = 30
storage_class = "INTELLIGENT_TIERING"
}
expiration {
days = 90
}
}
}
resource "aws_s3_bucket_public_access_block" "s3-public-access-settings" {
bucket = aws_s3_bucket.ct-bucket.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}

35
modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf Normal file
View File

@ -0,0 +1,35 @@
resource "aws_cloudwatch_log_group" "ct-cwl" {
name = "${local.resource-prefix}-cwl-001"
retention_in_days = 90
kms_key_id = aws_kms_key.ctbucket-key.arn
tags = var.default-tags
}
resource "aws_cloudwatch_log_metric_filter" "cwl-metric-filter-cis11" {
name = "cis11-rootaccess-filter"
pattern = <<EOT
{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}
EOT
log_group_name = aws_cloudwatch_log_group.ct-cwl.name
metric_transformation {
name = "cis11-rootaccess-metric"
namespace = "LogMetrics"
value = "1"
}
}
resource "aws_cloudwatch_metric_alarm" "cis11-rootaccess-alarm" {
alarm_name = "cis11-rootaccess-alarm"
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = "1"
metric_name = "cis11-rootaccess-metric"
namespace = "LogMetrics"
period = "300"
statistic = "Average"
threshold = "1"
alarm_description = "Root access is detected from cloudtrail"
treat_missing_data = "notBreaching"
// alarm_actions = []
}

1
modules/security_identity_compliance/cloudtrail_cwlogs/main.tf Normal file
View File

@ -0,0 +1 @@
data "aws_caller_identity" "this" {}

0
modules/security_identity_compliance/cloudtrail_cwlogs/outputs.tf Normal file
View File

11
modules/security_identity_compliance/cloudtrail_cwlogs/variables.tf Normal file
View File

@ -0,0 +1,11 @@
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}
variable "aws-region-short" {}
variable "default-tags" {}
locals {
ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
}