diff --git a/examples/aws-cloudtrail/main.tf b/examples/aws-cloudtrail/main.tf
index 0812bd7..278c113 100644
--- a/examples/aws-cloudtrail/main.tf
+++ b/examples/aws-cloudtrail/main.tf
@@ -29,6 +29,42 @@ locals {
 module = "quantum-sec/package-aws-security/examples/aws-cloudtrail"
 }
 tags = merge(local.default_tags, var.tags)
+
+ aws_region = var.aws_region
+ aws_account_id = var.aws_account_id
+}
+
+module "aws_kms_master_key" {
+ source = "../../modules/aws-kms-master-key"
+
+ name = "${var.name}_kms_master_key"
+ deletion_window_in_days = var.deletion_window_in_days
+ enable_key_rotation = var.enable_key_rotation
+ customer_master_key_spec = var.customer_master_key_spec
+ key_usage = var.key_usage
+ tags = var.tags
+ service_principal_policy_statements = {
+
+ "EncryptCloudwatchSnsTopic" : {
+ actions : [
+ "kms:Encrypt*",
+ "kms:Decrypt*",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Describe*"
+ ]
+
+ service : "logs.${var.aws_region}.amazonaws.com"
+
+ conditions : []
+ }
+ }
+}
+
+module "aws_cloudtrail_monitoring" {
+ source = "../../modules/aws-cloudtrail-monitoring"
+ cloudwatch_log_group_name = "${var.name}_cloudwatch_log_group"
+ kms_master_key_id = module.aws_kms_master_key.key_arn
 }
 module "aws_cloudtrail" {
@@ -45,7 +81,14 @@ module "aws_cloudtrail" {
 worm_mode = local.worm_mode
 worm_retention_days = local.worm_retention_days
 tags = local.tags
+
+ aws_region = local.aws_region
+ aws_account_id = local.aws_account_id
+
+ cloudwatch_log_group_arn = module.aws_cloudtrail_monitoring.cloudwatch_log_group_arn
+ cloudwatch_logs_role_arn = module.aws_cloudtrail_monitoring.cloudwatch_role_arn
 }
+
 data "aws_caller_identity" "current" { }
diff --git a/examples/aws-cloudtrail/vars.tf b/examples/aws-cloudtrail/vars.tf
index c77406a..292a909 100644
--- a/examples/aws-cloudtrail/vars.tf
+++ b/examples/aws-cloudtrail/vars.tf
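Review bot: The key-policy statement for `logs.${var.aws_region}.amazonaws.com` in the new `aws_kms_master_key` block carries `conditions : []`, so once the CloudWatch Logs service principal holds `kms:Encrypt*`/`kms:Decrypt*`/`kms:GenerateDataKey*` on this CMK, any log group in that region can be associated with it, not just the one `aws_cloudtrail_monitoring` creates; if the underlying module's `conditions` shape allows it, restrict the statement with a `kms:EncryptionContext:aws:logs:arn` condition (ArnLike) on the log group ARN, e.g. `arn:aws:logs:<REGION>:<ACCOUNT_ID>:log-group:<NAME>` with placeholders filled from `var.aws_region`, `var.aws_account_id` and `"${var.name}_cloudwatch_log_group"`. The statement key `"EncryptCloudwatchSnsTopic"` names SNS although the principal is CloudWatch Logs, so `"EncryptCloudwatchLogGroup"` would describe it; that also applies to the "CMK for Cloudwatch SNS encryption" header in the vars.tf hunk. The module is given `tags = var.tags` while every other resource in this file uses the merged `local.tags`, which silently drops `local.default_tags` from the key. `var.aws_region` is read here but no such variable is added in the vars.tf hunks, so it presumably already exists above line 7 of that file; worth confirming.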
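Review bot: `aws_account_id = local.aws_account_id` feeds the `aws_cloudtrail` module an operator-supplied account number even though `data "aws_caller_identity" "current"` directly below already resolves the real one; if the two disagree, whatever the module derives from it (ARNs, policy principals) points at the wrong account and the mistake only surfaces at apply time, possibly as a policy that names a foreign account. Unless the module needs the value before the data source can be read, `aws_account_id = data.aws_caller_identity.current.account_id` in the locals block of the first hunk removes the variable and the mismatch. The `aws_cloudtrail` module block starts above this hunk, so I cannot see whether the module already reads the data source itself.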
@@ -7,6 +7,11 @@ variable "name" {
 type = string
 }
+variable "aws_account_id" {
+ description = "The AWS account number in which these resources are provisioned."
+ type = string
+}
+
 # ---------------------------------------------------------------------------------------------------------------------
 # OPTIONAL MODULE PARAMETERS
 # ---------------------------------------------------------------------------------------------------------------------
@@ -88,3 +93,37 @@ variable "tags" {
 application = "sentinel"
 }
 }
+
+# ---------------------------------------------------------------------------------------------------------------------
+# CMK for Cloudwatch SNS encryption
+# ---------------------------------------------------------------------------------------------------------------------
+
+variable "deletion_window_in_days" {
+ description = "The number of days to retain this CMK after it has been marked for deletion."
+ type = number
+ default = 30
+}
+
+variable "enable_key_rotation" {
+ description = "Whether or not to automatic annual rotation of the CMK is enabled."
+ type = bool
+ default = true
+}
+
+variable "customer_master_key_spec" {
+ description = "Whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Any of `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`."
+ type = string
+ default = "SYMMETRIC_DEFAULT"
+}
+
+variable "key_usage" {
+ description = "Specifies the intended use of the key."
+ type = string
+ default = "ENCRYPT_DECRYPT"
+}
+
+variable "key_tags" {
+ description = "A key-value map of tags to apply to the KMS key."
+ type = map(string)
+ default = {}
+}
diff --git a/modules/aws-cloudtrail-monitoring/main.tf b/modules/aws-cloudtrail-monitoring/main.tf
index 86d3d24..b67baab 100644
--- a/modules/aws-cloudtrail-monitoring/main.tf
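Review bot: The new `aws_account_id` variable is a required string with no shape check, yet it ends up in the CloudTrail module's policies (second hunk of main.tf), where a typo or a pasted value with dashes produces a policy referencing a non-existent or wrong account rather than a plan-time error. Since the valid shape is fixed (twelve digits), a `validation` block catches that before anything is created; this needs Terraform 0.13 or later, which I cannot confirm from the diff. The same treatment would suit `customer_master_key_spec` in the second vars.tf hunk, whose description already enumerates the accepted values.

```terraform
variable "aws_account_id" {
  description = "The AWS account number in which these resources are provisioned."
  type        = string

  validation {
    condition     = can(regex("^[0-9]{12}$", var.aws_account_id))
    error_message = "aws_account_id must be a 12-digit AWS account number."
  }
}
```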
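Review bot: `key_tags` is declared in this hunk but never read — the `aws_kms_master_key` block in main.tf passes `tags = var.tags` — so either wire it through as `tags = merge(local.tags, var.key_tags)` or drop the variable, otherwise callers setting it will see no effect. The `enable_key_rotation` description has a stray word; `"Whether automatic annual rotation of the CMK is enabled."` reads correctly. `key_usage` accepts only a fixed set but its description does not say so, unlike `customer_master_key_spec`; `"Specifies the intended use of the key: ENCRYPT_DECRYPT or SIGN_VERIFY."` would match the sibling's style, and note that a `SIGN_VERIFY` key cannot serve the `kms:Encrypt*` grant the example builds. The section header says "CMK for Cloudwatch SNS encryption" while the key is granted to the CloudWatch Logs principal; "CMK for CloudWatch Logs encryption" describes what the example does.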
+++ b/modules/aws-cloudtrail-monitoring/main.tf
@@ -100,7 +100,7 @@ data "aws_iam_policy_document" "cloudwatch_logs_policy" {
 "logs:PutLogEvents",
 ]
- resources = [aws_cloudwatch_log_group.events.arn]
+ resources = ["${aws_cloudwatch_log_group.events.arn}:*"]
 }
 }
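Review bot: Replacing the bare log-group ARN with `"${aws_cloudwatch_log_group.events.arn}:*"` makes `logs:PutLogEvents` match its log-stream resources, but the new pattern no longer matches the log group itself (the `*` does not cover the absent `:...` suffix), so any action in the list that is evaluated against the group — the action list starts above this hunk, so I cannot see whether `logs:CreateLogStream` is there — would stop being allowed. Listing both forms keeps group-level actions working: `resources = [aws_cloudwatch_log_group.events.arn, "${aws_cloudwatch_log_group.events.arn}:*"]`. Two things to confirm: on AWS provider versions whose `arn` attribute already ends in `:*`, the interpolation yields `:*:*`; and the CloudTrail documentation's sample role policy narrows the stream wildcard to `log-stream:<ACCOUNT_ID>_CloudTrail_<REGION>*`, which is a tighter grant than every stream in the group if least privilege matters here.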