resource "aws_s3_bucket" "bucket_athena_results" {
bucket = "${local.compliance_bucket_name}-athena-results"
lifecycle_rule {
enabled = true
expiration {
days = 90
}
}
}
resource "aws_athena_database" "compliance_db" {
name = "${var.shared_prefix}_compliance_db"
bucket = aws_s3_bucket.compliance_bucket.id
}
output "s3_bucket_athena_results" {
value = aws_s3_bucket.bucket_athena_results.id
}
# S3 URI under which the workgroup and the ad-hoc CLI queries write their
# result sets; the trailing "cw/" prefix keeps them apart from anything else
# that may land in the results bucket.
locals {
  athena_query_results_location = "s3://${aws_s3_bucket.bucket_athena_results.id}/cw/"
}
resource "aws_athena_workgroup" "compliance" {
name = "${var.shared_prefix}_compliance"
configuration {
result_configuration {
output_location = local.athena_query_results_location
}
}
}
# Hive DDL for the external table over the account's default CloudTrail trail.
# The column list follows the CloudTrail record layout read by CloudTrailSerde;
# free-form JSON fields (requestparameters, responseelements,
# additionaleventdata, serviceeventdetails) are kept as STRING.
# NOTE(review): the table is not partitioned, so every query scans the entire
# prefix under LOCATION; partitioning by region/date is worth considering once
# the trail grows.
# The rendered text is interpolated verbatim into a shell command in
# local.athena_table_creation_cmd and hashed for the null_resource triggers, so
# any change here (including whitespace) causes a DROP followed by a CREATE.
locals {
athena_table_creation_script = <<EOF
CREATE EXTERNAL TABLE IF NOT EXISTS cloudtrail_logs (
eventversion STRING,
useridentity STRUCT<
type:STRING,
principalid:STRING,
arn:STRING,
accountid:STRING,
invokedby:STRING,
accesskeyid:STRING,
userName:STRING,
sessioncontext:STRUCT<
attributes:STRUCT<
mfaauthenticated:STRING,
creationdate:STRING>,
sessionissuer:STRUCT<
type:STRING,
principalId:STRING,
arn:STRING,
accountId:STRING,
userName:STRING>>>,
eventtime STRING,
eventsource STRING,
eventname STRING,
awsregion STRING,
sourceipaddress STRING,
useragent STRING,
errorcode STRING,
errormessage STRING,
requestparameters STRING,
responseelements STRING,
additionaleventdata STRING,
requestid STRING,
eventid STRING,
resources ARRAY<STRUCT<
ARN:STRING,
accountId:STRING,
type:STRING>>,
eventtype STRING,
apiversion STRING,
readonly STRING,
recipientaccountid STRING,
serviceeventdetails STRING,
sharedeventid STRING,
vpcendpointid STRING
)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://${aws_s3_bucket.compliance_bucket.id}/default-trail/AWSLogs/${data.aws_caller_identity.current.account_id}/CloudTrail';
EOF
}
# Shell commands run by the null_resources below through the AWS CLI. Both use
# the compliance database and workgroup and write results to the dedicated
# results location. Everything interpolated here comes from resources managed
# in this configuration (bucket ids, workgroup/database names, the DDL above),
# not from end-user input.
# The DDL is embedded inside double quotes, so it must not contain unescaped
# double quotes, `$` or backticks, or the shell would interpret them.
# NOTE(review): `aws athena start-query-execution` returns as soon as the query
# is queued and does not wait for it to finish. The DROP and the CREATE are
# issued back to back by two separate resources, so Athena may not execute
# them in that order; if a stale or missing table is ever observed after an
# apply, poll `aws athena get-query-execution` on the returned QueryExecutionId
# before issuing the CREATE — TODO confirm.
locals {
athena_table_destruction_cmd = "aws athena start-query-execution --query-string \"DROP TABLE IF EXISTS cloudtrail_logs;\" --query-execution-context \"Database=${aws_athena_database.compliance_db.name}\" --work-group \"${aws_athena_workgroup.compliance.name}\" --result-configuration \"OutputLocation=${local.athena_query_results_location}\""
athena_table_creation_cmd = "aws athena start-query-execution --query-string \"${local.athena_table_creation_script}\" --query-execution-context \"Database=${aws_athena_database.compliance_db.name}\" --work-group \"${aws_athena_workgroup.compliance.name}\" --result-configuration \"OutputLocation=${local.athena_query_results_location}\""
}
resource "null_resource" "athena_table_destruction" {
triggers = {
command_hash = md5(local.athena_table_creation_cmd)
}
provisioner "local-exec" {
command = local.athena_table_destruction_cmd
}
depends_on = [aws_athena_workgroup.compliance]
}
resource "null_resource" "athena_table_creation" {
triggers = {
command_hash = md5(local.athena_table_creation_cmd)
}
provisioner "local-exec" {
command = local.athena_table_creation_cmd
}
depends_on = [
aws_athena_workgroup.compliance,
null_resource.athena_table_destruction
]
}
resource "aws_athena_named_query" "cloudtrail_iam_modifications" {
name = "${var.shared_prefix}_iam_modifications"
workgroup = aws_athena_workgroup.compliance.id
database = aws_athena_database.compliance_db.name
query = <<EOF
SELECT *
FROM cloudtrail_logs
WHERE
eventtime >= date_format(current_date - interval '1' day, '%Y-%m-%d') AND
eventtime < date_format(current_date, '%Y-%m-%d') AND
eventsource = 'iam.amazonaws.com' AND
(
eventname NOT LIKE 'Get%' AND
eventname NOT LIKE 'List%' AND
eventname NOT LIKE 'Describe%'
)
EOF
depends_on = [null_resource.athena_table_creation]
}
output "athena_query_iam_modifications" {
value = aws_athena_named_query.cloudtrail_iam_modifications.id
}