Refactor CloudTrail Bucket Management (#2345)

Author: Tian-2017

terraform/compliance/s3.feature

@@ -8,8 +8,9 @@ Feature: S3
   @exclude_aws_s3_bucket.mwaa_etl_scripts_bucket
   @exclude_module.housing_nec_migration_storage.aws_s3_bucket.bucket
   @exclude_module.admin_bucket.aws_s3_bucket.bucket
+  @exclude_module.cloudtrail_storage.aws_s3_bucket.bucket
 
-  # This rule is in place for legacy buckets created with the deprecated block within the aws_s3_bucket resource 
+  # This rule is in place for legacy buckets created with the deprecated block within the aws_s3_bucket resource
   Scenario: Data must be encrypted at rest for buckets created using server_side_encryption_configuration property within bucket resource
     Given I have aws_s3_bucket defined
     Then it must have server_side_encryption_configuration
@@ -30,7 +31,6 @@ Feature: S3
   @exclude_module.trusted_zone.aws_s3_bucket.bucket
   @exclude_module.kafka_event_streaming\[0\].module.kafka_dependency_storage.aws_s3_bucket.bucket
   @exclude_module.db_snapshot_to_s3\[0\].module.rds_export_storage.aws_s3_bucket.bucket
-  @exclude_module.liberator_dump_to_rds_snapshot\[0\].aws_s3_bucket.cloudtrail
   @exclude_module.liberator_db_snapshot_to_s3\[0\].module.rds_export_storage.aws_s3_bucket.bucket
   # This rule checks for a separate sse block as supported by the s3 bucket module
   Scenario: Data must be encrypted at rest for buckets created using separate server side configuration resource

terraform/core/10-aws-s3-bucket-policies.tf

@@ -394,7 +394,7 @@ locals {
     sid    = "Allow S3 Batch Copy to access raw zone KMS key"
     effect = "Allow"
     principals = {
-      type        = "AWS"
+      type = "AWS"
       identifiers = [
         aws_iam_role.batch_s3_copy_role.arn
       ]
@@ -410,7 +410,7 @@ locals {
     sid    = "Allow S3 Batch Copy to access refined zone KMS key"
     effect = "Allow"
     principals = {
-      type        = "AWS"
+      type = "AWS"
       identifiers = [
         aws_iam_role.batch_s3_copy_role.arn
       ]
@@ -421,12 +421,12 @@ locals {
     ]
     resources = ["*"]
   }
-  
+
   allow_s3_batch_copy_kms_access_trusted_zone = {
     sid    = "Allow S3 Batch Copy to access trusted zone KMS key"
     effect = "Allow"
     principals = {
-      type        = "AWS"
+      type = "AWS"
       identifiers = [
         aws_iam_role.batch_s3_copy_role.arn
       ]
@@ -437,4 +437,33 @@ locals {
     ]
     resources = ["*"]
   }
-}
+
+  #-----------------------------------------------------------------------------
+  # CloudTrail Policies
+  #-----------------------------------------------------------------------------
+
+  cloudtrail_get_bucket_acl_statement = {
+    sid       = "AllowCloudTrailGetBucketAcl"
+    effect    = "Allow"
+    actions   = ["s3:GetBucketAcl"]
+    resources = ["arn:aws:s3:::${local.identifier_prefix}-cloudtrail"]
+    principals = {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+  }
+
+  cloudtrail_put_object_statement = {
+    sid       = "AllowCloudTrailPutObject"
+    effect    = "Allow"
+    actions   = ["s3:PutObject"]
+    resources = ["arn:aws:s3:::${local.identifier_prefix}-cloudtrail/*/AWSLogs/*"]
+    # First wildcard (*) matches any custom prefix (e.g., liberator-data-processing)
+    # AWSLogs path is automatically added by AWS CloudTrail service
+    # Second wildcard (*) matches AWS-generated path: account-id/CloudTrail/region/date/
+    principals = {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+  }
+}

terraform/core/10-aws-s3-utility-buckets.tf

@@ -51,9 +51,38 @@ module "spark_ui_output_storage" {
 }
 
 #===============================================================================
-# Application and Storage Buckets
+# CloudTrail Storage Bucket
 #===============================================================================
 
+module "cloudtrail_storage" {
+  source                         = "../modules/s3-bucket"
+  tags                           = module.tags.values
+  project                        = var.project
+  environment                    = var.environment
+  identifier_prefix              = local.identifier_prefix
+  bucket_name                    = "CloudTrail"
+  bucket_identifier              = "cloudtrail"
+  versioning_enabled             = true
+  expire_objects_days            = 365
+  expire_noncurrent_objects_days = 30
+  abort_multipart_days           = 30
+  include_backup_policy_tags     = false
+
+  bucket_policy_statements = local.is_live_environment ? [
+    local.cloudtrail_get_bucket_acl_statement,
+    local.cloudtrail_put_object_statement
+  ] : []
+}
+
+# Move CloudTrail bucket from sql-to-rds-snapshot module to centralized location, keeping the same name
+moved {
+  from = module.liberator_dump_to_rds_snapshot[0].aws_s3_bucket.cloudtrail
+  to   = module.cloudtrail_storage.aws_s3_bucket.bucket
+}
+
+#===============================================================================
+# Application and Storage Buckets
+#===============================================================================
 module "lambda_artefact_storage" {
   source                     = "../modules/s3-bucket"
   tags                       = module.tags.values

terraform/core/36-liberator-import.tf

@@ -25,6 +25,9 @@ module "liberator_dump_to_rds_snapshot" {
   aws_subnet_ids             = data.aws_subnets.network.ids
   ecs_cluster_arn            = aws_ecs_cluster.workers.arn
   vpc_id                     = data.aws_vpc.network.id
+  cloudtrail_bucket_id       = module.cloudtrail_storage.bucket_id
+  cloudtrail_bucket_arn      = module.cloudtrail_storage.bucket_arn
+  cloudtrail_kms_key_arn     = module.cloudtrail_storage.kms_key_arn
 }
 
 resource "aws_glue_workflow" "parking_liberator_data" {

terraform/modules/sql-to-rds-snapshot/01-inputs-required.tf

@@ -57,3 +57,18 @@ variable "vpc_id" {
   description = "ID of the VPC for the current environment"
   type        = string
 }
+
+variable "cloudtrail_bucket_id" {
+  description = "ID of the S3 bucket for storing CloudTrail logs"
+  type        = string
+}
+
+variable "cloudtrail_bucket_arn" {
+  description = "ARN of the S3 bucket for storing CloudTrail logs"
+  type        = string
+}
+
+variable "cloudtrail_kms_key_arn" {
+  description = "KMS Key ARN for the CloudTrail bucket"
+  type        = string
+}

terraform/modules/sql-to-rds-snapshot/20-cloudtrail.tf

@@ -1,9 +1,9 @@
 resource "aws_cloudtrail" "events" {
-  count = var.is_production_environment ? 1 : 0
+  count = var.is_live_environment ? 1 : 0
 
   name                          = var.identifier_prefix
-  s3_bucket_name                = aws_s3_bucket.cloudtrail.id
-  s3_key_prefix                 = "prefix"
+  s3_bucket_name                = var.cloudtrail_bucket_id
+  s3_key_prefix                 = "liberator-data-processing"
   include_global_service_events = false
 
   cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloud_trail_events.arn}:*" # CloudTrail requires the Log Stream wildcard
@@ -67,110 +67,3 @@ data "aws_iam_policy_document" "assume_policy" {
     }
   }
 }
-
-resource "aws_kms_key" "key" {
-  tags = var.tags
-
-  description             = "${var.project} ${var.environment} - ${var.identifier_prefix}-cloudtrail Bucket Key"
-  deletion_window_in_days = 10
-  enable_key_rotation     = true
-}
-
-resource "aws_s3_bucket" "cloudtrail" {
-  bucket        = "${var.identifier_prefix}-cloudtrail"
-  force_destroy = true
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail" {
-  bucket = aws_s3_bucket.cloudtrail.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      kms_master_key_id = aws_kms_key.key.arn
-      sse_algorithm     = "aws:kms"
-    }
-    bucket_key_enabled = true
-  }
-}
-
-resource "aws_s3_bucket_versioning" "cloudtrail" {
-  bucket = aws_s3_bucket.cloudtrail.id
-
-  versioning_configuration {
-    status = "Enabled"
-  }
-}
-
-resource "aws_s3_bucket_public_access_block" "block_public_access" {
-  bucket     = aws_s3_bucket.cloudtrail.id
-  depends_on = [aws_s3_bucket.cloudtrail]
-
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_policy" "example" {
-  bucket = aws_s3_bucket.cloudtrail.id
-  policy = data.aws_iam_policy_document.cloudtrail_bucket_policy.json
-}
-
-resource "aws_s3_bucket_lifecycle_configuration" "cloudtrail" {
-  bucket = aws_s3_bucket.cloudtrail.id
-  rule {
-    id     = "Keep previous version 30 days"
-    status = "Enabled"
-    expiration {
-      days = 30
-    }
-  }
-}
-
-data "aws_iam_policy_document" "cloudtrail_bucket_policy" {
-  statement {
-    effect    = "Allow"
-    actions   = ["s3:GetBucketAcl"]
-    resources = ["arn:aws:s3:::${var.identifier_prefix}-cloudtrail"]
-    principals {
-      type        = "Service"
-      identifiers = ["cloudtrail.amazonaws.com"]
-    }
-  }
-
-  statement {
-    effect    = "Allow"
-    actions   = ["s3:PutObject"]
-    resources = ["arn:aws:s3:::${var.identifier_prefix}-cloudtrail/prefix/AWSLogs/*"]
-    principals {
-      type        = "Service"
-      identifiers = ["cloudtrail.amazonaws.com"]
-    }
-    condition {
-      test     = "StringEquals"
-      variable = "s3:x-amz-acl"
-      values   = ["bucket-owner-full-control"]
-    }
-  }
-
-  statement {
-    sid     = "AllowSSLRequestsOnly"
-    effect  = "Deny"
-    actions = ["s3:*"]
-    principals {
-      type        = "AWS"
-      identifiers = ["*"]
-    }
-    resources = [
-      aws_s3_bucket.cloudtrail.arn,
-      "${aws_s3_bucket.cloudtrail.arn}/*",
-    ]
-    condition {
-      test     = "Bool"
-      variable = "aws:SecureTransport"
-      values = [
-        "false"
-      ]
-    }
-  }
-}