Merge pull request #15 from clouddrove/CD-307

fix module for multi AWS account

Author: anmolnagpal

README.md

@@ -14,7 +14,7 @@
 <p align="center">
 
 <a href="https://www.terraform.io">
-  <img src="https://img.shields.io/badge/Terraform-v0.12-green" alt="Terraform">
+  <img src="https://img.shields.io/badge/Terraform-v0.14-green" alt="Terraform">
 </a>
 <a href="LICENSE.md">
   <img src="https://img.shields.io/badge/License-MIT-blue.svg" alt="Licence">
@@ -51,7 +51,7 @@ We have [*fifty plus terraform modules*][terraform_modules]. A few of them are c
 
 This module has a few dependencies:
 
-- [Terraform 0.13](https://learn.hashicorp.com/terraform/getting-started/install.html)
+- [Terraform 0.14](https://learn.hashicorp.com/terraform/getting-started/install.html)
 - [Go](https://golang.org/doc/install)
 - [github.com/stretchr/testify/assert](https://github.com/stretchr/testify)
 - [github.com/gruntwork-io/terratest/modules/terraform](https://github.com/gruntwork-io/terratest)
@@ -73,7 +73,7 @@ Here are some examples of how you can use this module in your inventory structur
 ### Individual Account
 ```hcl
   module "cloudtrail" {
-    source                            = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.12.12"
+    source                            = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.14.0"
     name                              = "trails"
     application                       = "clouddrove"
     environment                       = "test"
@@ -100,49 +100,52 @@ Here are some examples of how you can use this module in your inventory structur
 #### Master Account
 ```hcl
   module "cloudtrail" {
-    source                            = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.12.12"
+    source                            = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.14.0"
     name                              = "trails"
-    application                       = "clouddrove"
     environment                       = "test"
-    label_order                       = ["environment", "application", "name"]
+    label_order                       = ["environment", "name"]
     enabled                           = true
     iam_role_name                     = "CloudTrail-CloudWatch-Delivery-Role"
     iam_role_policy_name              = "CloudTrail-CloudWatch-Delivery-Policy"
     account_type                      = "master"
     key_deletion_window_in_days       = 10
     cloudwatch_logs_retention_in_days = 365
     cloudwatch_logs_group_name        = "cloudtrail-log-group"
-    s3_bucket_name                    = "logs-bucket-clouddrove"
-    slack_webhook                     = "https://hooks.slack.com/services/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Jr46llqX"
-    slack_channel                     = "testing"
     EVENT_IGNORE_LIST                 = jsonencode(["^Describe*", "^Assume*", "^List*", "^Get*", "^Decrypt*", "^Lookup*", "^BatchGet*", "^CreateLogStream$", "^RenewRole$", "^REST.GET.OBJECT_LOCK_CONFIGURATION$", "TestEventPattern", "TestScheduleExpression", "CreateNetworkInterface", "ValidateTemplate"])
     EVENT_ALERT_LIST                  = jsonencode(["DetachRolePolicy", "ConsoleLogin"])
     USER_IGNORE_LIST                  = jsonencode(["^awslambda_*", "^aws-batch$", "^bamboo*", "^i-*", "^[0-9]*$", "^ecs-service-scheduler$", "^AutoScaling$", "^AWSCloudFormation$", "^CloudTrailBot$", "^SLRManagement$"])
     SOURCE_LIST                       = jsonencode(["aws-sdk-go"])
-    additional_member_root_arn        = ["arn:aws:iam::xxxxxxxxxxx:root"]
-    additional_member_trail           = ["arn:aws:cloudtrail:*:xxxxxxxxxxx:trail/*"]
-    additional_member_account_id      = ["xxxxxxxxxxx"]
-    additional_s3_account_path_arn    = ["arn:aws:s3:::logs-bucket-clouddrove/AWSLogs/xxxxxxxxxxx/*"]
+    s3_bucket_name                    = "logs-bucket-cd"
+    secure_s3_enabled                 = false
+    s3_log_bucket_name                = "logs-bucket-cd-logs"
+    sse_algorithm                     = "aws:kms"
+    slack_webhook                     = "https://hooks.slack.com/services/TEE0GHDK0F0QZ/B015frHRDBEUFHEVEG/dfdrfrefrwewqe"
+    slack_channel                     = "testing"
+    additional_member_root_arn        = ["arn:aws:iam::xxxxxxxxxxxx:root"]
+    additional_member_trail           = ["arn:aws:cloudtrail:*:xxxxxxxxxxxx:trail/*"]
+    additional_member_account_id      = ["xxxxxxxxxxxx"]
+    additional_s3_account_path_arn    = ["arn:aws:s3:::logs-bucket-clouddrove/AWSLogs/xxxxxxxxxxxx/*"]
+    s3_policy                         = data.aws_iam_policy_document.default.json
   }
 ```
 
 #### Member Account
 ```hcl
   module "cloudtrail" {
-    source                            = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.12.12"
+    source                            = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.14.0"
     name                              = "trails"
-    application                       = "clouddrove"
     environment                       = "test"
-    label_order                       = ["environment", "application", "name"]
+    label_order                       = ["environment", "name"]
     enabled                           = true
     iam_role_name                     = "CloudTrail-cd-Delivery-Role"
     iam_role_policy_name              = "CloudTrail-cd-Delivery-Policy"
     account_type                      = "member"
     key_deletion_window_in_days       = 10
     cloudwatch_logs_retention_in_days = 365
     cloudwatch_logs_group_name        = "cloudtrail-log-group"
-    key_arn                           = "arn:aws:kms:eu-west-1:xxxxxxxxxxx:key/66cc5610-3b90-460b-a177-af89e119fdaa"
-    s3_bucket_name                    = "logs-bucket-clouddrove"
+    key_arn                           = "arn:aws:kms:eu-west-1:xxxxxxxxxxx:key/9f3b66a0-3a38-4ed3-ab34-5e47c7e3604b"
+    s3_bucket_name                    = "logs-bucket-cd"
+    s3_log_bucket_name                = "logs-bucket-cd-logs"
   }
 ```
 

README.yaml

@@ -16,15 +16,15 @@ github_repo: clouddrove/terraform-aws-cloudtrail-baseline
 # Badges to display
 badges:
   - name: "Terraform"
-    image: "https://img.shields.io/badge/Terraform-v0.12-green"
+    image: "https://img.shields.io/badge/Terraform-v0.14-green"
     url: "https://www.terraform.io"
   - name: "Licence"
     image: "https://img.shields.io/badge/License-MIT-blue.svg"
     url: "LICENSE.md"
 
 #  description of this project
 description: |-
-  Terraform module to create an cloudtrail resource on AWS with S3 encryption with KMS key.
+  Terraform module to create an cloudtrail resource on AWS with S3 and KMS key.
 
 # extra content
 include:
@@ -37,9 +37,8 @@ usage : |-
   ### Individual Account
   ```hcl
     module "cloudtrail" {
-      source                            = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.12.12"
+      source                            = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.14.0"
       name                              = "trails"
-      application                       = "clouddrove"
       environment                       = "test"
       label_order                       = ["environment", "application", "name"]
       enabled                           = true
@@ -64,48 +63,51 @@ usage : |-
   #### Master Account
   ```hcl
     module "cloudtrail" {
-      source                            = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.12.12"
+      source                            = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.14.0"
       name                              = "trails"
-      application                       = "clouddrove"
       environment                       = "test"
-      label_order                       = ["environment", "application", "name"]
+      label_order                       = ["environment", "name"]
       enabled                           = true
       iam_role_name                     = "CloudTrail-CloudWatch-Delivery-Role"
       iam_role_policy_name              = "CloudTrail-CloudWatch-Delivery-Policy"
       account_type                      = "master"
       key_deletion_window_in_days       = 10
       cloudwatch_logs_retention_in_days = 365
       cloudwatch_logs_group_name        = "cloudtrail-log-group"
-      s3_bucket_name                    = "logs-bucket-clouddrove"
-      slack_webhook                     = "https://hooks.slack.com/services/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Jr46llqX"
-      slack_channel                     = "testing"
       EVENT_IGNORE_LIST                 = jsonencode(["^Describe*", "^Assume*", "^List*", "^Get*", "^Decrypt*", "^Lookup*", "^BatchGet*", "^CreateLogStream$", "^RenewRole$", "^REST.GET.OBJECT_LOCK_CONFIGURATION$", "TestEventPattern", "TestScheduleExpression", "CreateNetworkInterface", "ValidateTemplate"])
       EVENT_ALERT_LIST                  = jsonencode(["DetachRolePolicy", "ConsoleLogin"])
       USER_IGNORE_LIST                  = jsonencode(["^awslambda_*", "^aws-batch$", "^bamboo*", "^i-*", "^[0-9]*$", "^ecs-service-scheduler$", "^AutoScaling$", "^AWSCloudFormation$", "^CloudTrailBot$", "^SLRManagement$"])
       SOURCE_LIST                       = jsonencode(["aws-sdk-go"])
-      additional_member_root_arn        = ["arn:aws:iam::xxxxxxxxxxx:root"]
-      additional_member_trail           = ["arn:aws:cloudtrail:*:xxxxxxxxxxx:trail/*"]
-      additional_member_account_id      = ["xxxxxxxxxxx"]
-      additional_s3_account_path_arn    = ["arn:aws:s3:::logs-bucket-clouddrove/AWSLogs/xxxxxxxxxxx/*"]
+      s3_bucket_name                    = "logs-bucket-cd"
+      secure_s3_enabled                 = false
+      s3_log_bucket_name                = "logs-bucket-cd-logs"
+      sse_algorithm                     = "aws:kms"
+      slack_webhook                     = "https://hooks.slack.com/services/TEE0GHDK0F0QZ/B015frHRDBEUFHEVEG/dfdrfrefrwewqe"
+      slack_channel                     = "testing"
+      additional_member_root_arn        = ["arn:aws:iam::xxxxxxxxxxxx:root"]
+      additional_member_trail           = ["arn:aws:cloudtrail:*:xxxxxxxxxxxx:trail/*"]
+      additional_member_account_id      = ["xxxxxxxxxxxx"]
+      additional_s3_account_path_arn    = ["arn:aws:s3:::logs-bucket-clouddrove/AWSLogs/xxxxxxxxxxxx/*"]
+      s3_policy                         = data.aws_iam_policy_document.default.json
     }
   ```
 
   #### Member Account
   ```hcl
     module "cloudtrail" {
-      source                            = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.12.12"
+      source                            = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-baseline.git?ref=tags/0.14.0"
       name                              = "trails"
-      application                       = "clouddrove"
       environment                       = "test"
-      label_order                       = ["environment", "application", "name"]
+      label_order                       = ["environment", "name"]
       enabled                           = true
       iam_role_name                     = "CloudTrail-cd-Delivery-Role"
       iam_role_policy_name              = "CloudTrail-cd-Delivery-Policy"
       account_type                      = "member"
       key_deletion_window_in_days       = 10
       cloudwatch_logs_retention_in_days = 365
       cloudwatch_logs_group_name        = "cloudtrail-log-group"
-      key_arn                           = "arn:aws:kms:eu-west-1:xxxxxxxxxxx:key/66cc5610-3b90-460b-a177-af89e119fdaa"
-      s3_bucket_name                    = "logs-bucket-clouddrove"
+      key_arn                           = "arn:aws:kms:eu-west-1:xxxxxxxxxxx:key/9f3b66a0-3a38-4ed3-ab34-5e47c7e3604b"
+      s3_bucket_name                    = "logs-bucket-cd"
+      s3_log_bucket_name                = "logs-bucket-cd-logs"
     }
   ```

_example/master/example.tf

@@ -9,9 +9,8 @@ module "cloudtrail" {
   source = "./../../"
 
   name        = "trails"
-  application = "clouddrove"
   environment = "test"
-  label_order = ["environment", "application", "name"]
+  label_order = ["environment", "name"]
 
   enabled                           = true
   iam_role_name                     = "CloudTrail-CloudWatch-Delivery-Role"
@@ -25,13 +24,16 @@ module "cloudtrail" {
   USER_IGNORE_LIST                  = jsonencode(["^awslambda_*", "^aws-batch$", "^bamboo*", "^i-*", "^[0-9]*$", "^ecs-service-scheduler$", "^AutoScaling$", "^AWSCloudFormation$", "^CloudTrailBot$", "^SLRManagement$"])
   SOURCE_LIST                       = jsonencode(["aws-sdk-go"])
 
-  s3_bucket_name                 = "logs-bucket-clouddrove"
-  slack_webhook                  = "https://hooks.slack.com/services/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46llqX"
+  s3_bucket_name                 = "logs-bucket-cd"
+  secure_s3_enabled              = false
+  s3_log_bucket_name             = "logs-bucket-cd-logs"
+  sse_algorithm                  = "aws:kms"
+  slack_webhook                  = "https://hooks.slack.com/services/TEE0GHDK0F0QZ/B015frHRDBEUFHEVEG/dfdrfrefrwewqe"
   slack_channel                  = "testing"
-  additional_member_root_arn     = ["arn:aws:iam::xxxxxxxxxx:root"]
-  additional_member_trail        = ["arn:aws:cloudtrail:*:xxxxxxxxxx:trail/*"]
-  additional_member_account_id   = ["xxxxxxxxxx"]
-  additional_s3_account_path_arn = ["arn:aws:s3:::logs-bucket-clouddrove/AWSLogs/xxxxxxxxxx/*"]
+  additional_member_root_arn     = ["arn:aws:iam::xxxxxxxxxxxx:root"]
+  additional_member_trail        = ["arn:aws:cloudtrail:*:xxxxxxxxxxxx:trail/*"]
+  additional_member_account_id   = ["xxxxxxxxxxxx"]
+  additional_s3_account_path_arn = ["arn:aws:s3:::logs-bucket-clouddrove/AWSLogs/xxxxxxxxxxxx/*"]
   s3_policy                      = data.aws_iam_policy_document.default.json
 }
 
@@ -45,10 +47,10 @@ data "aws_iam_policy_document" "default" {
     }
 
     actions = [
-      "s3:GetBucketAcl",
+      "s3:GetBucketAcl"
     ]
 
-    resources = ["arn:aws:s3:::logs-bucket-clouddrove"]
+    resources = ["arn:aws:s3:::logs-bucket-cd"]
   }
 
   statement {
@@ -60,12 +62,12 @@ data "aws_iam_policy_document" "default" {
     }
 
     actions = [
-      "s3:PutObject",
+      "s3:PutObject"
     ]
 
     resources = compact(
       concat(
-        [format("arn:aws:s3:::logs-bucket-clouddrove/AWSLogs/%s/*", data.aws_caller_identity.current.account_id)]
+        [format("arn:aws:s3:::logs-bucket-cd/AWSLogs/%s/*", data.aws_caller_identity.current.account_id), "arn:aws:s3:::logs-bucket-cd/AWSLogs/xxxxxxxxxxxx/*"]
       )
     )
 
@@ -74,7 +76,7 @@ data "aws_iam_policy_document" "default" {
       variable = "s3:x-amz-acl"
 
       values = [
-        "bucket-owner-full-control",
+        "bucket-owner-full-control"
       ]
     }
   }

_example/member/example.tf

@@ -7,9 +7,8 @@ module "cloudtrail" {
   source = "./../../"
 
   name        = "trails"
-  application = "clouddrove"
   environment = "test"
-  label_order = ["environment", "application", "name"]
+  label_order = ["environment", "name"]
 
   enabled                           = true
   iam_role_name                     = "CloudTrail-cd-Delivery-Role"
@@ -18,7 +17,8 @@ module "cloudtrail" {
   key_deletion_window_in_days       = 10
   cloudwatch_logs_retention_in_days = 365
   cloudwatch_logs_group_name        = "cloudtrail-log-group"
-  key_arn                           = "arn:aws:kms:eu-west-1:xxxxxxxxxx:key/341af1b8-d181-4dd1-8d7b-638dec0d925e"
+  key_arn                           = "arn:aws:kms:eu-west-1:xxxxxxxxxxx:key/9f3b66a0-3a38-4ed3-ab34-5e47c7e3604b"
 
-  s3_bucket_name = "logs-bucket-clouddrove"
+  s3_bucket_name     = "logs-bucket-cd"
+  s3_log_bucket_name = "logs-bucket-cd-logs"
 }

main.tf

@@ -10,10 +10,9 @@ data "aws_region" "current" {}
 #              tags for resources. You can use terraform-labels to implement a strict
 #              naming convention
 module "labels" {
-  source = "git::https://github.com/clouddrove/terraform-labels.git?ref=tags/0.12.0"
+  source = "git::https://github.com/clouddrove/terraform-labels.git?ref=tags/0.14.0"
 
   name        = var.name
-  application = var.application
   environment = var.environment
   label_order = var.label_order
   managedby   = var.managedby
@@ -26,10 +25,9 @@ module "labels" {
 #               type specific features.
 
 module "s3_log_bucket" {
-  source = "git::https://github.com/clouddrove/terraform-aws-s3.git?ref=tags/0.12.8"
+  source = "git::https://github.com/clouddrove/terraform-aws-s3.git?ref=tags/0.14.0"
 
   name           = var.s3_log_bucket_name
-  application    = var.application
   environment    = var.environment
   label_order    = ["name"]
   managedby      = var.managedby
@@ -40,10 +38,9 @@ module "s3_log_bucket" {
 }
 
 module "s3_bucket" {
-  source = "git::https://github.com/clouddrove/terraform-aws-s3.git?ref=tags/0.12.8"
+  source = "git::https://github.com/clouddrove/terraform-aws-s3.git?ref=tags/0.14.0"
 
   name                    = var.s3_bucket_name
-  application             = var.application
   environment             = var.environment
   label_order             = ["name"]
   managedby               = var.managedby
@@ -60,10 +57,9 @@ module "s3_bucket" {
 }
 
 module "secure_s3_bucket" {
-  source = "git::https://github.com/clouddrove/terraform-aws-s3.git?ref=tags/0.12.8"
+  source = "git::https://github.com/clouddrove/terraform-aws-s3.git?ref=tags/0.14.0"
 
   name                              = var.s3_bucket_name
-  application                       = var.application
   environment                       = var.environment
   label_order                       = ["name"]
   managedby                         = var.managedby
@@ -76,7 +72,7 @@ module "secure_s3_bucket" {
   force_destroy                     = true
   sse_algorithm                     = var.sse_algorithm
   kms_master_key_id                 = var.key_arn == "" ? module.kms_key.key_arn : var.key_arn
-  target_bucket                     = "aws:kms"
+  target_bucket                     = module.s3_log_bucket.id
   target_prefix                     = "logs"
   mfa_delete                        = var.mfa_delete
 }
@@ -134,10 +130,9 @@ data "aws_iam_policy_document" "cloudwatch_delivery_policy" {
 }
 
 module "kms_key" {
-  source = "git::https://github.com/clouddrove/terraform-aws-kms.git?ref=tags/0.12.4"
+  source = "git::https://github.com/clouddrove/terraform-aws-kms.git?ref=tags/0.14.0"
 
   name                    = var.name
-  application             = var.application
   environment             = var.environment
   label_order             = var.label_order
   managedby               = var.managedby
@@ -348,12 +343,11 @@ locals {
 #Description : Terraform module to provision an AWS CloudTrail with encrypted S3 bucket.
 #              This bucket is used to store CloudTrail logs.
 module "cloudtrail" {
-  source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail.git?ref=tags/0.12.5"
+  source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail.git?ref=tags/0.14.0"
 
   name                          = "cloudtrail"
-  application                   = var.application
   environment                   = var.environment
-  label_order                   = ["name", "application"]
+  label_order                   = ["name", "environment"]
   managedby                     = var.managedby
   enabled_cloudtrail            = var.enabled
   s3_bucket_name                = format("%s", var.s3_bucket_name)
@@ -368,10 +362,9 @@ module "cloudtrail" {
 }
 
 module "cloudtrail-slack-notification" {
-  source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-slack-notification.git?ref=tags/0.12.3"
+  source = "git::https://github.com/clouddrove/terraform-aws-cloudtrail-slack-notification.git?ref=tags/0.14.0"
 
   name        = "cloudtrail-slack-notification"
-  application = var.application
   environment = var.environment
   managedby   = var.managedby
   label_order = var.label_order