diff --git a/main.tf b/main.tf
index cc38a13..310c352 100644
--- a/main.tf
+++ b/main.tf
@@ -9,6 +9,64 @@ locals {
 bucketname = "${var.namespace}-${var.bucketname}"
 }
+## Data
+
+data "aws_iam_policy_document" "bucket" {
+ statement {
+ effect = "Allow"
+
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com"]
+ }
+
+ actions = ["s3:GetBucketAcl"]
+ resources = ["arn:aws:s3:::${local.bucketname}"]
+ }
+
+ statement {
+ effect = "Allow"
+
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com"]
+ }
+
+ actions = ["s3:PutObject"]
+ resources = ["arn:aws:s3:::${local.bucketname}/*"]
+
+ condition {
+ test = "StringEquals"
+ variable = "s3:x-amz-acl"
+ values = ["bucket-owner-full-control"]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "assume_role" {
+ statement {
+ effect = "Allow"
+ sid = ""
+
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com"]
+ }
+
+ actions = ["sts:AssumeRole"]
+ }
+}
+
+data "aws_iam_policy_document" "logs" {
+ statement {
+ effect = "Allow"
+ actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
+ resources = [
+ "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
+ ]
+ }
+}
+
 ## Resources
 ### Implementation
@@ -35,12 +93,7 @@ resource "aws_s3_bucket" "cloudtrail" {
 resource "aws_s3_bucket_policy" "cloudtrail_s3_policy" {
 bucket = aws_s3_bucket.cloudtrail.id
- policy = templatefile(
- "${path.module}/policies/cloudtrail_s3_policy.tpl",
- {
- bucket_name = local.bucketname
- }
- )
+ policy = data.aws_iam_policy_document.bucket.json
 }
 resource "aws_s3_bucket_acl" "cloudtrail_acl" {
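Review bot: The `bucket` policy document's two statements grant `cloudtrail.amazonaws.com` `s3:GetBucketAcl` and `s3:PutObject` with no `aws:SourceArn` or `aws:SourceAccount` condition, so the only thing scoping the grant is the bucket name, and a trail in another AWS account that is pointed at this bucket could deliver objects into it (the confused-deputy case AWS's reference CloudTrail bucket policy guards against); the deleted `cloudtrail_s3_policy.tpl` had the same shape, so this is carried over rather than introduced. Adding a `StringEquals` condition on `aws:SourceAccount` to both statements closes it without referencing the trail ARN, which, if the trail resource depends on this policy, could otherwise form a dependency cycle; narrowing the `PutObject` resource to the `AWSLogs/<account-id>/` prefix is a further tightening if the trail uses no custom prefix. The `logs` document also changes the resource from the bare log-group ARN the deleted template used to `"${aws_cloudwatch_log_group.cloudtrail.arn}:*"`; a comment such as `# log streams have ARN <group-arn>:log-stream:<name>, hence the :* suffix` would record why that suffix is needed.
```hcl
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "bucket" {
  statement {
    # … unchanged: GetBucketAcl principal, actions and resources …

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }

  statement {
    # … unchanged: PutObject principal, actions, resources and the s3:x-amz-acl condition …

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
```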
@@ -51,18 +104,13 @@ resource "aws_s3_bucket_acl" "cloudtrail_acl" {
 resource "aws_iam_role" "cloudtrail_cloudwatch_logs_role" {
 name = "${var.namespace}-cloudtrail-cloudwatch-logs"
 path = "/"
- assume_role_policy = file("${path.module}/policies/cloudtrail_assume_policy.json")
+ assume_role_policy = data.aws_iam_policy_document.assume_role.json
 }
 resource "aws_iam_policy" "cloudtrail_cloudwatch_logs_policy" {
- name = "${var.namespace}-cloudtrail-cloudwatch-logs"
- path = "/"
- policy = templatefile(
- "${path.module}/policies/cloudtrail_cloudwatch_logs_policy.tpl",
- {
- cloudwatch_log_group_arn = aws_cloudwatch_log_group.cloudtrail.arn
- }
- )
+ name = "${var.namespace}-cloudtrail-cloudwatch-logs"
+ path = "/"
+ policy = data.aws_iam_policy_document.logs.json
 }
 resource "aws_iam_role_policy_attachment" "cloudtrail_cloudwatch_logs_policy_attachment" {
diff --git a/policies/cloudtrail_assume_policy.json b/policies/cloudtrail_assume_policy.json
deleted file mode 100644
index 8906d65..0000000
--- a/policies/cloudtrail_assume_policy.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "",
- "Effect": "Allow",
- "Principal": {
- "Service": "cloudtrail.amazonaws.com"
- },
- "Action": "sts:AssumeRole"
- }
- ]
-}
diff --git a/policies/cloudtrail_cloudwatch_logs_policy.tpl b/policies/cloudtrail_cloudwatch_logs_policy.tpl
deleted file mode 100644
index 0ac76f5..0000000
--- a/policies/cloudtrail_cloudwatch_logs_policy.tpl
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "logs:CreateLogStream"
- ],
- "Resource": [
- "${cloudwatch_log_group_arn}"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "logs:PutLogEvents"
- ],
- "Resource": [
- "${cloudwatch_log_group_arn}"
- ]
- }
- ]
-}
diff --git a/policies/cloudtrail_s3_policy.tpl b/policies/cloudtrail_s3_policy.tpl
deleted file mode 100644
index 4ac30ae..0000000
--- a/policies/cloudtrail_s3_policy.tpl
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "Service": "cloudtrail.amazonaws.com"
- },
- "Action": "s3:GetBucketAcl",
- "Resource": "arn:aws:s3:::${bucket_name}"
- },
- {
- "Effect": "Allow",
- "Principal": {
- "Service": "cloudtrail.amazonaws.com"
- },
- "Action": "s3:PutObject",
- "Resource": "arn:aws:s3:::${bucket_name}/*",
- "Condition": {
- "StringEquals": {
- "s3:x-amz-acl": "bucket-owner-full-control"
- }
- }
- }
- ]
-}