Externalising cloudtrail s3 bucket name to tf runtime parameter, upda…

…ting readme.md
willh · Feb 18, 2018 · 6e9c643 · 6e9c643
1 parent 526c6f7
commit 6e9c643
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -12,10 +12,14 @@ This is intended to help ensure you are aware when an S3 bucket is created or mo
 
 ### Deployment
 
-Included is a terraform script that will create all of the AWS resources necessary to immediately use this in your Amazon account, from CloudTrail log to SNS topic. A variable is prompted at template apply for the target email address.
+Included is a terraform script that will create all of the AWS resources necessary to immediately use this in your Amazon account, from CloudTrail log to SNS topic.
 
 Before running the terraform script you'll need to package the lambda file: `zip lambda.zip index.js`
 
+Two variables are prompted at template apply:
+- `alert_email_address` for the target email address
+- `cloudtrail_s3_bucket_name` for the cloudtrail log bucket name (must be globally unique)
+
 ### Lambda Configuration
 
 If you are reusing the lambda by itself, the function depends on an environment variable called `snsTopicArn` which must be populated with the fully qualified ARN for your SNS topic.

diff --git a/henry.tf b/henry.tf
@@ -6,7 +6,7 @@ provider "aws" {
 # cloudwatch logging needs a role and policy to pick up cloudtrail trail
 
 resource "aws_cloudtrail" "cloudtrail_log" {
-  name                          = "zxcvbnm-cloudtrail-tf"
+  name                          = "cloudtrail-log-tf"
   s3_bucket_name                = "${aws_s3_bucket.logbucket.id}"
   s3_key_prefix                 = "ctlogs"
   include_global_service_events = false
@@ -15,9 +15,13 @@ resource "aws_cloudtrail" "cloudtrail_log" {
 }
 
 resource "aws_s3_bucket" "logbucket" {
-  bucket        = "zxcvbnm-cloudtrail-logs-tf"
+  bucket        = "${var.cloudtrail_s3_bucket_name}"
   force_destroy = true
-  policy        = <<POLICY
+}
+
+resource "aws_s3_bucket_policy" "logbucket_policy" {
+  bucket = "${aws_s3_bucket.logbucket.id}"
+  policy = <<POLICY
 {
     "Version": "2012-10-17",
     "Statement": [
@@ -28,7 +32,7 @@ resource "aws_s3_bucket" "logbucket" {
               "Service": "cloudtrail.amazonaws.com"
             },
             "Action": "s3:GetBucketAcl",
-            "Resource": "arn:aws:s3:::zxcvbnm-cloudtrail-logs-tf"
+            "Resource": "${aws_s3_bucket.logbucket.arn}"
         },
         {
             "Sid": "AWSCloudTrailWrite",
@@ -37,7 +41,7 @@ resource "aws_s3_bucket" "logbucket" {
               "Service": "cloudtrail.amazonaws.com"
             },
             "Action": "s3:PutObject",
-            "Resource": "arn:aws:s3:::zxcvbnm-cloudtrail-logs-tf/*",
+            "Resource": "${aws_s3_bucket.logbucket.arn}/*",
             "Condition": {
                 "StringEquals": {
                     "s3:x-amz-acl": "bucket-owner-full-control"

diff --git a/variables.tf b/variables.tf
@@ -1 +1,2 @@
-variable "alert_email_address" {}
+variable "alert_email_address" {}
+variable "cloudtrail_s3_bucket_name" {}