resource "aws_cloudwatch_log_group" "ct-cwl" {
  name_prefix       = "cloudtrail/"
  retention_in_days = var.cloudtrail-retain-days
  kms_key_id        = aws_kms_key.ctbucket-key.arn
  tags              = var.default-tags
}

resource "aws_cloudwatch_log_metric_filter" "cwl-metric-filter-cis11" {
  name           = "cis11-rootaccess-filter"
  pattern        = <<EOT
  {$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}
EOT
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name

  metric_transformation {
    name      = "cis11-rootaccess-metric"
    namespace = "LogMetrics"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "cis11-rootaccess-alarm" {
  alarm_name          = "cis11-rootaccess-alarm"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = "1"
  metric_name         = "cis11-rootaccess-metric"
  namespace           = "LogMetrics"
  period              = "300"
  statistic           = "Average"
  threshold           = "1"
  alarm_description   = "Root access is detected from cloudtrail"
  treat_missing_data  = "notBreaching"

  // alarm_actions     = []
}

// CIS 3.x benchmark from asecure.cloud https://asecure.cloud/p/monitoring_cis_benchmark/

resource "aws_cloudwatch_metric_alarm" "CwAlarm2" {
  alarm_name          = "cis-unauthorized_api_calls"
  alarm_description   = "A CloudWatch Alarm that triggers if Multiple unauthorized actions or logins attempted."
  metric_name         = "UnauthorizedAttemptCount"
  namespace           = "CloudTrailMetrics"
  statistic           = "Sum"
  period              = "60"
  threshold           = "1"
  evaluation_periods  = "1"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  // alarm_actions = [""]
  treat_missing_data = "notBreaching"
}

resource "aws_cloudwatch_log_metric_filter" "MetricFilter2" {
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
  name           = "UnauthorizedAttemptCount"

  metric_transformation {
    name      = "UnauthorizedAttemptCount"
    value     = "1"
    namespace = "CloudTrailMetrics"
  }
}

resource "aws_cloudwatch_metric_alarm" "CwAlarm3" {
  alarm_name          = "cis-no_mfa_console_logins"
  alarm_description   = "A CloudWatch Alarm that triggers if there is a Management Console sign-in without MFA."
  metric_name         = "ConsoleSigninWithoutMFA"
  namespace           = "CloudTrailMetrics"
  statistic           = "Sum"
  period              = "60"
  threshold           = "1"
  evaluation_periods  = "1"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  // alarm_actions = [""]
  treat_missing_data = "notBreaching"
}

resource "aws_cloudwatch_log_metric_filter" "MetricFilter3" {
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.responseElements.ConsoleLogin != \"Failure\") && ($.additionalEventData.SamlProviderArn NOT EXISTS) }"
  name           = "ConsoleSigninWithoutMFA"

  metric_transformation {
    name      = "ConsoleSigninWithoutMFA"
    value     = "1"
    namespace = "CloudTrailMetrics"
  }

}

resource "aws_cloudwatch_metric_alarm" "CwAlarm4" {
  alarm_name          = "cis-iam_policy_changes"
  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to IAM policies. Events include IAM policy creation/deletion/update operations as well as attaching/detaching policies from IAM users, roles or groups."
  metric_name         = "IAMPolicyEventCount"
  namespace           = "CloudTrailMetrics"
  statistic           = "Sum"
  period              = "300"
  threshold           = "1"
  evaluation_periods  = "1"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  // alarm_actions = [""]
  treat_missing_data = "notBreaching"
}

resource "aws_cloudwatch_log_metric_filter" "MetricFilter4" {
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
  name           = "IAMPolicyEventCount"

  metric_transformation {
    name      = "IAMPolicyEventCount"
    value     = "1"
    namespace = "CloudTrailMetrics"
  }
}

resource "aws_cloudwatch_metric_alarm" "CwAlarm5" {
  alarm_name          = "cis-cloudtrail_changes"
  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to CloudTrail."
  metric_name         = "CloudTrailEventCount"
  namespace           = "CloudTrailMetrics"
  statistic           = "Sum"
  period              = "300"
  threshold           = "1"
  evaluation_periods  = "1"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  // alarm_actions = [""]
  treat_missing_data = "notBreaching"
}

resource "aws_cloudwatch_log_metric_filter" "MetricFilter5" {
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
  name           = "CloudTrailEventCount"

  metric_transformation {
    name      = "CloudTrailEventCount"
    value     = "1"
    namespace = "CloudTrailMetrics"
  }
}

resource "aws_cloudwatch_metric_alarm" "CwAlarm6" {
  alarm_name          = "cis-failed_console_logins"
  alarm_description   = "A CloudWatch Alarm that triggers if there are AWS Management Console authentication failures."
  metric_name         = "ConsoleLoginFailures"
  namespace           = "CloudTrailMetrics"
  statistic           = "Sum"
  period              = "300"
  threshold           = "1"
  evaluation_periods  = "1"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  // alarm_actions = [""]
  treat_missing_data = "notBreaching"
}

resource "aws_cloudwatch_log_metric_filter" "MetricFilter6" {
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
  name           = "ConsoleLoginFailures"

  metric_transformation {
    name      = "ConsoleLoginFailures"
    value     = "1"
    namespace = "CloudTrailMetrics"
  }
}

resource "aws_cloudwatch_metric_alarm" "CwAlarm7" {
  alarm_name          = "cis-disabled_deleted_cmks"
  alarm_description   = "A CloudWatch Alarm that triggers if customer created CMKs get disabled or scheduled for deletion."
  metric_name         = "KMSCustomerKeyDeletion"
  namespace           = "CloudTrailMetrics"
  statistic           = "Sum"
  period              = "60"
  threshold           = "1"
  evaluation_periods  = "1"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  //  alarm_actions = [""]
  treat_missing_data = "notBreaching"
}

resource "aws_cloudwatch_log_metric_filter" "MetricFilter7" {
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventSource = kms.amazonaws.com) &&  (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion)) }"
  name           = "KMSCustomerKeyDeletion"

  metric_transformation {
    name      = "KMSCustomerKeyDeletion"
    value     = "1"
    namespace = "CloudTrailMetrics"
  }

}

resource "aws_cloudwatch_metric_alarm" "CwAlarm8" {
  alarm_name          = "cis-s3_changes"
  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to an S3 Bucket."
  metric_name         = "S3BucketActivityEventCount"
  namespace           = "CloudTrailMetrics"
  statistic           = "Sum"
  period              = "300"
  threshold           = "1"
  evaluation_periods  = "1"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  // alarm_actions = [""]
  treat_missing_data = "notBreaching"
}

resource "aws_cloudwatch_log_metric_filter" "MetricFilter8" {
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
  name           = "S3BucketActivityEventCount"

  metric_transformation {
    name      = "S3BucketActivityEventCount"
    value     = "1"
    namespace = "CloudTrailMetrics"
  }
}

resource "aws_cloudwatch_metric_alarm" "CwAlarm9" {
  alarm_name          = "cis-config_changes"
  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to AWS Config."
  metric_name         = "CloudTrailEventCount"
  namespace           = "CloudTrailMetrics"
  statistic           = "Sum"
  period              = "300"
  threshold           = "1"
  evaluation_periods  = "1"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  // alarm_actions = [""]
  treat_missing_data = "notBreaching"
}

resource "aws_cloudwatch_log_metric_filter" "MetricFilter9" {
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventName = PutConfigurationRecorder) || ($.eventName = StopConfigurationRecorder) || ($.eventName = DeleteDeliveryChannel) || ($.eventName = PutDeliveryChannel) }"
  name           = "CloudTrailEventCount"

  metric_transformation {
    name      = "CloudTrailEventCount"
    value     = "1"
    namespace = "CloudTrailMetrics"
  }
}

resource "aws_cloudwatch_metric_alarm" "CwAlarm10" {
  alarm_name          = "cis-securitygroup_changes"
  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to Security Groups."
  metric_name         = "SecurityGroupEventCount"
  namespace           = "CloudTrailMetrics"
  statistic           = "Sum"
  period              = "300"
  threshold           = "1"
  evaluation_periods  = "1"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  // alarm_actions = [""]
  treat_missing_data = "notBreaching"
}

resource "aws_cloudwatch_log_metric_filter" "MetricFilter10" {
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
  name           = "SecurityGroupEventCount"

  metric_transformation {
    name      = "SecurityGroupEventCount"
    value     = "1"
    namespace = "CloudTrailMetrics"
  }
}

resource "aws_cloudwatch_metric_alarm" "CwAlarm11" {
  alarm_name          = "cis-nacl_changes"
  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to Network ACLs."
  metric_name         = "NetworkAclEventCount"
  namespace           = "CloudTrailMetrics"
  statistic           = "Sum"
  period              = "300"
  threshold           = "1"
  evaluation_periods  = "1"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  // alarm_actions = [""]
  treat_missing_data = "notBreaching"
}

resource "aws_cloudwatch_log_metric_filter" "MetricFilter11" {
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
  name           = "NetworkAclEventCount"

  metric_transformation {
    name      = "NetworkAclEventCount"
    value     = "1"
    namespace = "CloudTrailMetrics"
  }
}

resource "aws_cloudwatch_metric_alarm" "CwAlarm12" {
  alarm_name          = "cis-igw_changes"
  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to an Internet Gateway in a VPC."
  metric_name         = "GatewayEventCount"
  namespace           = "CloudTrailMetrics"
  statistic           = "Sum"
  period              = "300"
  threshold           = "1"
  evaluation_periods  = "1"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  // alarm_actions = [""]
  treat_missing_data = "notBreaching"
}

resource "aws_cloudwatch_log_metric_filter" "MetricFilter12" {
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
  name           = "GatewayEventCount"

  metric_transformation {
    name      = "GatewayEventCount"
    value     = "1"
    namespace = "CloudTrailMetrics"
  }
}

resource "aws_cloudwatch_metric_alarm" "CwAlarm13" {
  alarm_name          = "cis-vpc_routetable_changes"
  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to a VPC's Route Table."
  metric_name         = "VpcRouteTableEventCount"
  namespace           = "CloudTrailMetrics"
  statistic           = "Sum"
  period              = "300"
  threshold           = "1"
  evaluation_periods  = "1"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  // alarm_actions = [""]
  treat_missing_data = "notBreaching"
}

resource "aws_cloudwatch_log_metric_filter" "MetricFilter13" {
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventName = AssociateRouteTable) || ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DeleteRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DisassociateRouteTable) }"
  name           = "VpcRouteTableEventCount"

  metric_transformation {
    name      = "VpcRouteTableEventCount"
    value     = "1"
    namespace = "CloudTrailMetrics"
  }
}

resource "aws_cloudwatch_metric_alarm" "CwAlarm14" {
  alarm_name          = "cis-vpc_changes"
  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to a VPC."
  metric_name         = "VpcEventCount"
  namespace           = "CloudTrailMetrics"
  statistic           = "Sum"
  period              = "300"
  threshold           = "1"
  evaluation_periods  = "1"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  // alarm_actions = [""]
  treat_missing_data = "notBreaching"
}

resource "aws_cloudwatch_log_metric_filter" "MetricFilter14" {
  log_group_name = aws_cloudwatch_log_group.ct-cwl.name
  pattern        = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
  name           = "VpcEventCount"

  metric_transformation {
    name      = "VpcEventCount"
    value     = "1"
    namespace = "CloudTrailMetrics"
  }
}