From 896de044f4140efd62277dc7b27512998c1d6167 Mon Sep 17 00:00:00 2001 From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com> Date: Wed, 14 Dec 2022 15:38:15 +0000 Subject: [PATCH 1/3] converted json files into hcl syntax --- main.tf | 72 +++++++++++++++---- policies/cloudtrail_assume_policy.json | 13 ---- .../cloudtrail_cloudwatch_logs_policy.tpl | 23 ------ policies/cloudtrail_s3_policy.tpl | 26 ------- 4 files changed, 59 insertions(+), 75 deletions(-) delete mode 100644 policies/cloudtrail_assume_policy.json delete mode 100644 policies/cloudtrail_cloudwatch_logs_policy.tpl delete mode 100644 policies/cloudtrail_s3_policy.tpl diff --git a/main.tf b/main.tf index cc38a13..3b542a2 100644 --- a/main.tf +++ b/main.tf @@ -9,6 +9,62 @@ locals { bucketname = "${var.namespace}-${var.bucketname}" } +## Data + +data "aws_iam_policy_document" "bucket" { + statement { + effect = "Allow" + + principals { + type = "Service" + identifiers = ["cloudtrail.amazonaws.com"] + } + + actions = ["s3:GetBucketAcl"] + resources = ["arn:aws:s3:::${local.bucketname}"] + } + + statement { + effect = "Allow" + + principals { + type = "Service" + identifiers = ["cloudtrail.amazonaws.com"] + } + + actions = ["s3:PutObject"] + resources = ["arn:aws:s3:::${local.bucketname}/*"] + + condition { + test = "StringEquals" + variable = "s3:x-amz-acl" + values = ["bucket-owner-full-control"] + } + } +} + +data "aws_iam_policy_document" "assume_role" { + statement { + effect = "Allow" + sid = "" + + principals { + type = "Service" + identifiers = ["cloudtrail.amazonaws.com"] + } + + actions = ["sts:AssumeRole"] + } +} + +data "aws_iam_policy_document" "logs" { + statement { + effect = "Allow" + actions = ["logs:CreateLogStream", "logs:PutLogEvents"] + resources = [aws_cloudwatch_log_group.cloudtrail.arn] + } +} + ## Resources ### Implementation 
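Review bot: Both statements in `data.aws_iam_policy_document.bucket` grant the `cloudtrail.amazonaws.com` service principal access with no `aws:SourceAccount` or `aws:SourceArn` condition, so a trail in another AWS account that is pointed at this bucket name would be accepted by the policy (confused-deputy pattern); the `sts:AssumeRole` statement in `assume_role` has the same gap. A `StringEquals` condition on `aws:SourceAccount` fed from `data.aws_caller_identity` keeps the grant inside this account without creating a dependency cycle on the trail resource, which lies outside this hunk; `aws:SourceArn` with the trail ARN is tighter if it can be composed from the account and region data sources rather than referenced from the trail. The `s3:GetBucketAcl` statement needs the same block, shown below only for the `s3:PutObject` statement. This patch also drops the `"Version": "2012-10-17"` key from the generated documents; the data source emits it by default, so that is fine, but worth a one-line comment for readers comparing against the deleted JSON.
```hcl
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "bucket" {
  # … unchanged: s3:GetBucketAcl statement (needs the same condition) …

  statement {
    # … unchanged: effect, principals, actions, resources, s3:x-amz-acl condition …

    # Confused-deputy guard: only trails owned by this account may use this grant.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
```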
@@ -35,12 +91,7 @@ resource "aws_s3_bucket" "cloudtrail" { resource "aws_s3_bucket_policy" "cloudtrail_s3_policy" { bucket = aws_s3_bucket.cloudtrail.id - policy = templatefile( - "${path.module}/policies/cloudtrail_s3_policy.tpl", - { - bucket_name = local.bucketname - } - ) + policy = data.aws_iam_policy_document.bucket.json } resource "aws_s3_bucket_acl" "cloudtrail_acl" { @@ -51,18 +102,13 @@ resource "aws_s3_bucket_acl" "cloudtrail_acl" { resource "aws_iam_role" "cloudtrail_cloudwatch_logs_role" { name = "${var.namespace}-cloudtrail-cloudwatch-logs" path = "/" - assume_role_policy = file("${path.module}/policies/cloudtrail_assume_policy.json") + assume_role_policy = data.aws_iam_policy_document.assume_role.json } resource "aws_iam_policy" "cloudtrail_cloudwatch_logs_policy" { name = "${var.namespace}-cloudtrail-cloudwatch-logs" path = "/" - policy = templatefile( - "${path.module}/policies/cloudtrail_cloudwatch_logs_policy.tpl", - { - cloudwatch_log_group_arn = aws_cloudwatch_log_group.cloudtrail.arn - } - ) + policy = data.aws_iam_policy_document.logs.json } resource "aws_iam_role_policy_attachment" "cloudtrail_cloudwatch_logs_policy_attachment" { diff --git a/policies/cloudtrail_assume_policy.json b/policies/cloudtrail_assume_policy.json deleted file mode 100644 index 8906d65..0000000 --- a/policies/cloudtrail_assume_policy.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "", - "Effect": "Allow", - "Principal": { - "Service": "cloudtrail.amazonaws.com" - }, - "Action": "sts:AssumeRole" - } - ] -} diff --git a/policies/cloudtrail_cloudwatch_logs_policy.tpl b/policies/cloudtrail_cloudwatch_logs_policy.tpl deleted file mode 100644 index 0ac76f5..0000000 --- a/policies/cloudtrail_cloudwatch_logs_policy.tpl +++ /dev/null 
@@ -1,23 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "logs:CreateLogStream"
- ],
- "Resource": [
- "${cloudwatch_log_group_arn}"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "logs:PutLogEvents"
- ],
- "Resource": [
- "${cloudwatch_log_group_arn}"
- ]
- }
- ]
-}
diff --git a/policies/cloudtrail_s3_policy.tpl b/policies/cloudtrail_s3_policy.tpl
deleted file mode 100644
index 4ac30ae..0000000
--- a/policies/cloudtrail_s3_policy.tpl
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "Service": "cloudtrail.amazonaws.com"
- },
- "Action": "s3:GetBucketAcl",
- "Resource": "arn:aws:s3:::${bucket_name}"
- },
- {
- "Effect": "Allow",
- "Principal": {
- "Service": "cloudtrail.amazonaws.com"
- },
- "Action": "s3:PutObject",
- "Resource": "arn:aws:s3:::${bucket_name}/*",
- "Condition": {
- "StringEquals": {
- "s3:x-amz-acl": "bucket-owner-full-control"
- }
- }
- }
- ]
-}
From 71317ee4bfa4b9225f9627c4421c2befcb11070c Mon Sep 17 00:00:00 2001
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com>
Date: Wed, 14 Dec 2022 16:32:34 +0000
Subject: [PATCH 2/3] split policy into 2 rules to bring closer to original json
---
 main.tf | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 3b542a2..1f07a42 100644
--- a/main.tf
+++ b/main.tf
@@ -60,7 +60,13 @@ data "aws_iam_policy_document" "assume_role" {
 data "aws_iam_policy_document" "logs" {
 statement {
 effect = "Allow"
- actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
+ actions = ["logs:CreateLogStream"]
+ resources = [aws_cloudwatch_log_group.cloudtrail.arn]
+ }
+
+ statement {
+ effect = "Allow"
+ actions = ["logs:PutLogEvents"]
 resources = [aws_cloudwatch_log_group.cloudtrail.arn]
 }
 }
From 9b99f7cfa5bc832636855e136b2bb2ee240eface Mon Sep 17 00:00:00 2001
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com> Date: Wed, 14 Dec 2022 17:22:11 +0000 Subject: [PATCH 3/3] added wildcard to arn target --- main.tf | 34 +++++++++++++++------------------- 1 file changed, 15 insertions(+), 19 deletions(-) diff --git a/main.tf b/main.tf index 1f07a42..310c352 100644 --- a/main.tf +++ b/main.tf @@ -16,11 +16,11 @@ data "aws_iam_policy_document" "bucket" { effect = "Allow" principals { - type = "Service" + type = "Service" identifiers = ["cloudtrail.amazonaws.com"] } - actions = ["s3:GetBucketAcl"] + actions = ["s3:GetBucketAcl"] resources = ["arn:aws:s3:::${local.bucketname}"] } @@ -28,17 +28,17 @@ data "aws_iam_policy_document" "bucket" { effect = "Allow" principals { - type = "Service" + type = "Service" identifiers = ["cloudtrail.amazonaws.com"] } - actions = ["s3:PutObject"] + actions = ["s3:PutObject"] resources = ["arn:aws:s3:::${local.bucketname}/*"] condition { - test = "StringEquals" + test = "StringEquals" variable = "s3:x-amz-acl" - values = ["bucket-owner-full-control"] + values = ["bucket-owner-full-control"] } } } @@ -46,10 +46,10 @@ data "aws_iam_policy_document" "bucket" { data "aws_iam_policy_document" "assume_role" { statement { effect = "Allow" - sid = "" + sid = "" principals { - type = "Service" + type = "Service" identifiers = ["cloudtrail.amazonaws.com"] } @@ -59,15 +59,11 @@ data "aws_iam_policy_document" "assume_role" { data "aws_iam_policy_document" "logs" { statement { - effect = "Allow" - actions = ["logs:CreateLogStream"] - resources = [aws_cloudwatch_log_group.cloudtrail.arn] - } - - statement { - effect = "Allow" - actions = ["logs:PutLogEvents"] - resources = [aws_cloudwatch_log_group.cloudtrail.arn] + effect = "Allow" + actions = ["logs:CreateLogStream", "logs:PutLogEvents"] + resources = [ + "${aws_cloudwatch_log_group.cloudtrail.arn}:*" + ] } } 
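Review bot: The new `"${aws_cloudwatch_log_group.cloudtrail.arn}:*"` resource in `data.aws_iam_policy_document.logs` carries no explanation of why the suffix is needed, and the commit message only says a wildcard was added. Without it the next reader is likely to "tidy" it back to the bare group ARN that patch 2 used, which does not match the log-stream ARNs (`<group arn>:log-stream:<name>`) that `logs:PutLogEvents` is evaluated against; a comment above `resources` such as `# CloudTrail writes to log streams under this group; their ARNs are "<group arn>:log-stream:<name>", so the bare group ARN does not match.` pins the intent. The functional change is also interleaved with the alignment-only edits in the earlier hunks of this patch; keeping formatting separate from behaviour changes would let the policy change be reviewed on its own.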
@@ -112,8 +108,8 @@ resource "aws_iam_role" "cloudtrail_cloudwatch_logs_role" { } resource "aws_iam_policy" "cloudtrail_cloudwatch_logs_policy" { - name = "${var.namespace}-cloudtrail-cloudwatch-logs" - path = "/" + name = "${var.namespace}-cloudtrail-cloudwatch-logs" + path = "/" policy = data.aws_iam_policy_document.logs.json }