SumoLogic
diff --git a/‎aws/cloudtrail/README.md‎
Lines changed: 41 additions & 44 deletions b/‎aws/cloudtrail/README.md‎
Lines changed: 41 additions & 44 deletions
diff --git a/‎aws/cloudtrail/cloudtrail.tf‎
Lines changed: 137 additions & 0 deletions b/‎aws/cloudtrail/cloudtrail.tf‎
Lines changed: 137 additions & 0 deletions
diff --git a/‎aws/cloudtrail/data.tf‎
Lines changed: 5 additions & 0 deletions b/‎aws/cloudtrail/data.tf‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎aws/cloudtrail/inputs.tf‎
Lines changed: 0 additions & 52 deletions b/‎aws/cloudtrail/inputs.tf‎
Lines changed: 0 additions & 52 deletions
diff --git a/‎aws/cloudtrail/locals.tf‎
Lines changed: 24 additions & 0 deletions b/‎aws/cloudtrail/locals.tf‎
Lines changed: 24 additions & 0 deletions
@@ -1,53 +1,50 @@
-# AWS CloudTrail
+# SumoLogic-AWS-CloudTrail
 
-## Purpose
+This module is used to create AWS and Sumo Logic resource to collect CloudTrail logs from an AWS S3 bucket. Features include
+- Create AWS CloudTrail (when creating a new AWS S3 bucket) or use an existing AWS CloudTrail (Provide existing AWS S3 bucket name) which send data to S3.
+- Create AWS S3 bucket or use an existing AWS S3 bucket.
+- Create AWS IAM role or use an existing IAM role.
+- Create AWS SNS Topic or use an existing AWS SNS topic.
+- Create Sumo Logic hosted collector or use an existing Sumo Logic hosted collector.
+- Create Sumo Logic CloudTrail source.
 
-This module installs [Sumo Logic CloudTrail applications](https://help.sumologic.com/07Sumo-Logic-Apps/01Amazon_and_AWS/AWS_CloudTrail) in Sumo Logic.
+## Requirements
 
-Apps installed are:
-- AWS CloudTrail
-- PCI Compliance for AWS CloudTrail
-- CIS AWS Foundations Benchmark
+| Name | Version |
+|------|---------|
+| terraform | >= 0.13.0 |
+| aws | ~> 3.29.1 |
+| sumologic | ~> 2.6.0 |
+| time | 0.7.1 |
 
-## Requirements
+## Providers
 
-* [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0
-* Null >= 2.1
-* SumoLogic >= 2.1.0
-
-## Module Declaration
-
-This module requires Sumo Logic External Id and Folder id as explained [here](https://github.com/SumoLogic/terraform-sumologic-sumo-logic-integrations#prerequisites-for-using-modules).
-
-```shell
-module "sumologic-cloudtrail-apps" {
-  source = "SumoLogic/sumo-logic-integrations/sumologic//aws/cloudtrail"
-  sumo_access_id                       = "<SUMO_ACCESS_ID>"
-  sumo_access_key                      = "<SUMO_ACCESS_KEY>"
-  sumo_external_id                     = "<SUMO_EXTERNAL_ID>"
-  aws_resource_name                    = "sumo-logic-terraform-cloudtrail"
-  sumo_api_endpoint                    = "https://api.sumologic.com/api/v1/"
-  sumo_collector_name                  = "sumo-logic-terraform-cloudtrail"
-  sumo_source_name                     = "sumo-logic-terraform-cloudtrail"
-  sumo_source_category                 = "AWS/CloudTrail"
-  sumo_aws_account_id                  = "926226587429"
-  folder_id                            = sumologic_folder.folder.id
-  app_version                          = "1.0"
-}
-```
+| Name | Version |
+|------|---------|
+| aws | ~> 3.29.1 |
+| sumologic | ~> 2.6.0 |
+| time | 0.7.1 |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:-----:|
-|sumo_access_id|[Sumo Logic Access ID](https://help.sumologic.com/Manage/Security/Access-Keys)|string||yes
-|sumo_access_key|[Sumo Logic Access Key](https://help.sumologic.com/Manage/Security/Access-Keys)|string||yes
-|sumo_external_id|[Sumo Logic External ID](https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Amazon-Web-Services/Grant-Access-to-an-AWS-Product#iam-role)|string||yes
-|aws_resource_name|AWS S3 Bucket, AWS SNS Topic, AWS CloudTrail, AWS IAM Role and IAM Policy will be created with the provided name|string|sumo-logic-terraform-cloudtrail|no
-|sumo_api_endpoint|[Sumo Logic API Endpoint](https://help.sumologic.com/APIs/General-API-Information/Sumo-Logic-Endpoints-and-Firewall-Security)|string|https://api.sumologic.com/api/v1/|yes
-|folder_id|Sumo Logic Folder ID|string||yes
-|sumo_collector_name|Provide a Collector Name|string|sumo-logic-terraform-cloudtrail|no
-|sumo_source_name|Provide a CloudTrail Source Name|string|sumo-logic-terraform-cloudtrail|no
-|sumo_source_category|Provide a CloudTrail Source Category|string|AWS/CloudTrail|no
-|sumo_aws_account_id|Provide the Sumo Logic AWS Account ID. Get the Account ID - [Visit](https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Amazon-Web-Services/Grant-Access-to-an-AWS-Product#iam-role)|string|926226587429|no
-|app_version|The app_version input parameter can be used to install a new copy of the app. When the app_version field is changed, it will force Terraform to install a new app folder with the current timestamp.|String|1.0|no
+|------|-------------|------|---------|:--------:|
+| cloudtrail\_details | Provide details for the AWS CloudTrail. If not provided, then defaults will be used. | <pre>object({<br>    name                          = string<br>    is_multi_region_trail         = bool<br>    is_organization_trail         = bool<br>    include_global_service_events = bool<br>  })</pre> | <pre>{<br>  "include_global_service_events": false,<br>  "is_multi_region_trail": false,<br>  "is_organization_trail": false,<br>  "name": "SumoLogic-Terraform-CloudTrail"<br>}</pre> | no |
+| collector\_details | Provide details for the Sumo Logic collector. If not provided, then defaults will be used. | <pre>object({<br>    collector_name = string<br>    description    = string<br>    fields         = map(string)<br>  })</pre> | <pre>{<br>  "collector_name": "SumoLogic CloudTrail Collector <AWS Account Id>",<br>  "description": "This collector is created using Sumo Logic terraform AWS cloudtrail module to collect AWS cloudtrail logs.",<br>  "fields": {}<br>}</pre> | no |
+| create\_collector | Provide "true" if you would like to create the Sumo Logic Collector. | `bool` | n/a | yes |
+| create\_trail | Provide "true" if you would like to create the AWS CloudTrail. If the bucket is created by the module, module by default creates the AWS cloudtrail. | `bool` | n/a | yes |
+| source\_details | Provide details for the Sumo Logic CloudTrail source. If not provided, then defaults will be used. | <pre>object({<br>    source_name     = string<br>    source_category = string<br>    collector_id    = string<br>    description     = string<br>    bucket_details = object({<br>      create_bucket        = bool<br>      bucket_name          = string<br>      path_expression      = string<br>      force_destroy_bucket = bool<br>    })<br>    paused               = bool<br>    scan_interval        = string<br>    sumo_account_id      = number<br>    cutoff_relative_time = string<br>    fields               = map(string)<br>    iam_role_arn         = string<br>    sns_topic_arn        = string<br>  })</pre> | <pre>{<br>  "bucket_details": {<br>    "bucket_name": "cloudtrail-logs-accountid-region",<br>    "create_bucket": true,<br>    "force_destroy_bucket": true,<br>    "path_expression": "AWSLogs/<ACCOUNT-ID>/CloudTrail/<REGION-NAME>/*"<br>  },<br>  "collector_id": "",<br>  "cutoff_relative_time": "-1d",<br>  "description": "This source is created using Sumo Logic terraform AWS cloudtrail module to collect AWS cloudtrail logs.",<br>  "fields": {},<br>  "iam_role_arn": "",<br>  "paused": false,<br>  "scan_interval": 300000,<br>  "sns_topic_arn": "",<br>  "source_category": "Labs/aws/cloudtrail",<br>  "source_name": "CloudTrail Source",<br>  "sumo_account_id": 926226587429<br>}</pre> | no |
+| sumologic\_organization\_id | Appears on the Account Overview page that displays information about your Sumo Logic organization. Used for IAM Role in Sumo Logic AWS Sources. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| aws\_cloudtrail | AWS Trail created to send CloudTrail logs to AWS S3 bucket. |
+| aws\_iam\_role | AWS IAM role with permission to allow Sumo Logic to read logs from S3 Bucket. |
+| aws\_s3\_bucket | AWS S3 Bucket name created to Store the CloudTrail logs. |
+| aws\_s3\_bucket\_notification | AWS S3 Bucket Notification attached to the AWS S3 Bucket |
+| aws\_sns\_subscription | AWS SNS subscription to Sumo Logic AWS CloudTrail source. |
+| aws\_sns\_topic | AWS SNS topic attached to the AWS S3 bucket. |
+| sumologic\_collector | Sumo Logic hosted collector. |
+| sumologic\_source | Sumo Logic AWS CloudTrail source. |
@@ -0,0 +1,137 @@
+# *************** Steps are as Below to create Sumo Logic CloudTrail source *************** #
+# 1. Create AWS S3 Bucket. If the Bucket is created, create SNS Topic and SNS policy to attach to Bucket.
+# 2. Create CloudTrail in AWS. Create CloudTrail only when the bucket is created.
+# 3. Create IAM role in AWS with access to the bucket name provided.
+# 4. Create a Collector. If the Collector ID is provided, do not create a Collector.
+# 5. Create the source either in the collector created or in the collector id provided.
+# 6. Create SNS Subscription to be attached to the source and SNS Topic.
+
+resource "aws_s3_bucket" "s3_bucket" {
+  for_each = toset(var.source_details.bucket_details.create_bucket ? ["s3_bucket"] : [])
+
+  bucket        = local.bucket_name
+  force_destroy = var.source_details.bucket_details.force_destroy_bucket
+
+  policy = templatefile("${path.module}/templates/cloudtrail_bucket_policy.tmpl", {
+    BUCKET_NAME = local.bucket_name
+  })
+}
+
+resource "aws_sns_topic" "sns_topic" {
+  for_each = toset(local.create_sns_topic ? ["sns_topic"] : [])
+
+  name = "SumoLogic-Terraform-CloudTrail-Module-${local.aws_account_id}"
+  policy = templatefile("${path.module}/templates/sns_topic_policy.tmpl", {
+    BUCKET_NAME    = local.bucket_name,
+    AWS_REGION     = local.aws_region,
+    SNS_TOPIC_NAME = "SumoLogic-Terraform-CloudTrail-Module-${local.aws_account_id}",
+    AWS_ACCOUNT    = local.aws_account_id
+  })
+}
+
+resource "aws_s3_bucket_notification" "bucket_notification" {
+  for_each = toset(local.create_sns_topic && var.source_details.bucket_details.create_bucket ? ["bucket_notification"] : [])
+
+  bucket = aws_s3_bucket.s3_bucket["s3_bucket"].id
+
+  topic {
+    topic_arn = aws_sns_topic.sns_topic["sns_topic"].arn
+    events    = ["s3:ObjectCreated:Put"]
+  }
+}
+
+resource "aws_cloudtrail" "cloudtrail" {
+  for_each = toset(local.create_trail ? ["cloudtrail"] : [])
+
+  name                          = var.cloudtrail_details.name
+  include_global_service_events = var.cloudtrail_details.include_global_service_events
+  s3_bucket_name                = var.source_details.bucket_details.create_bucket ? aws_s3_bucket.s3_bucket["s3_bucket"].id : local.bucket_name
+  is_multi_region_trail         = var.cloudtrail_details.is_multi_region_trail
+  is_organization_trail         = var.cloudtrail_details.is_organization_trail
+}
+
+resource "aws_iam_role" "source_iam_role" {
+  for_each = toset(local.create_iam_role ? ["source_iam_role"] : [])
+
+  name = "SumoLogic-Terraform-CloudTrail-Module-${local.aws_account_id}-${local.aws_region}"
+  path = "/"
+
+  assume_role_policy = templatefile("${path.module}/templates/sumologic_assume_role.tmpl", {
+    SUMO_LOGIC_ACCOUNT_ID = var.source_details.sumo_account_id,
+    ENVIRONMENT           = data.sumologic_caller_identity.current.environment,
+    SUMO_LOGIC_ORG_ID     = var.sumologic_organization_id
+  })
+
+  managed_policy_arns = [aws_iam_policy.iam_policy["iam_policy"].arn]
+}
+
+resource "aws_iam_policy" "iam_policy" {
+  for_each = toset(local.create_iam_role ? ["iam_policy"] : [])
+
+  name = "SumoLogicCloudTrailSource-${local.aws_account_id}-${local.aws_region}"
+  policy = templatefile("${path.module}/templates/sumologic_source_policy.tmpl", {
+    BUCKET_NAME = local.bucket_name
+  })
+}
+
+resource "sumologic_collector" "collector" {
+  for_each    = toset(var.create_collector ? ["collector"] : [])
+  name        = local.collector_name
+  description = var.collector_details.description
+  fields      = var.collector_details.fields
+  timezone    = "UTC"
+}
+
+resource "time_sleep" "wait_3_minutes" {
+  create_duration = "180s"
+}
+
+resource "sumologic_cloudtrail_source" "source" {
+  depends_on = [
+    time_sleep.wait_3_minutes
+  ]
+
+  lifecycle {
+    ignore_changes = [cutoff_timestamp, cutoff_relative_time]
+  }
+  category             = var.source_details.source_category
+  collector_id         = var.create_collector ? sumologic_collector.collector["collector"].id : var.source_details.collector_id
+  content_type         = "AwsCloudTrailBucket"
+  cutoff_relative_time = var.source_details.cutoff_relative_time
+  description          = var.source_details.description
+  fields               = var.source_details.fields
+  name                 = var.source_details.source_name
+  paused               = var.source_details.paused
+  scan_interval        = var.source_details.scan_interval
+  authentication {
+    type     = "AWSRoleBasedAuthentication"
+    role_arn = local.create_iam_role ? aws_iam_role.source_iam_role["source_iam_role"].arn : var.source_details.iam_role_arn
+  }
+
+  path {
+    type            = "S3BucketPathExpression"
+    bucket_name     = var.source_details.bucket_details.create_bucket ? aws_s3_bucket.s3_bucket["s3_bucket"].id : local.bucket_name
+    path_expression = local.logs_path_expression
+  }
+}
+
+resource "aws_sns_topic_subscription" "subscription" {
+  delivery_policy = jsonencode({
+    "guaranteed" = false,
+    "healthyRetryPolicy" = {
+      "numRetries"         = 40,
+      "minDelayTarget"     = 10,
+      "maxDelayTarget"     = 300,
+      "numMinDelayRetries" = 3,
+      "numMaxDelayRetries" = 5,
+      "numNoDelayRetries"  = 0,
+      "backoffFunction"    = "exponential"
+    },
+    "sicklyRetryPolicy" = null,
+    "throttlePolicy"    = null
+  })
+  endpoint               = sumologic_cloudtrail_source.source.url
+  endpoint_auto_confirms = true
+  protocol               = "https"
+  topic_arn              = local.create_sns_topic ? aws_sns_topic.sns_topic["sns_topic"].arn : var.source_details.sns_topic_arn
+}
@@ -0,0 +1,5 @@
+data "aws_region" "current" {}
+
+data "aws_caller_identity" "current" {}
+
+data "sumologic_caller_identity" "current" {}
@@ -0,0 +1,24 @@
+locals {
+
+  aws_account_id = data.aws_caller_identity.current.account_id
+
+  aws_region = data.aws_region.current.id
+
+  # Get the default collector name if no collector name is provided.
+  collector_name = var.collector_details.collector_name == "SumoLogic CloudTrail Collector <AWS Account Id>" ? "SumoLogic CloudTrail Collector ${local.aws_account_id}" : var.collector_details.collector_name
+
+  # Get the default bucket name when no bucket is provided and create_bucket is true.
+  bucket_name = var.source_details.bucket_details.create_bucket && var.source_details.bucket_details.bucket_name == "cloudtrail-logs-accountid-region" ? "cloudtrail-logs-${local.aws_account_id}-${local.aws_region}" : var.source_details.bucket_details.bucket_name
+
+  # Create IAM role condition if no IAM ROLE ARN is provided.
+  create_iam_role = var.source_details.iam_role_arn != "" ? false : true
+
+  # Create SNS topic condition if no SNS topic arn is provided.
+  create_sns_topic = var.source_details.sns_topic_arn != "" ? false : true
+
+  # Trail should be created when we create the bucket. If we do not create the bucket, user should have capability to create and not create trail.
+  create_trail = var.source_details.bucket_details.create_bucket ? true : var.create_trail
+
+  # If we create the bucket, then get the default PATH expression.
+  logs_path_expression = var.source_details.bucket_details.create_bucket ? "AWSLogs/${local.aws_account_id}/CloudTrail/${local.aws_region}/*" : var.source_details.bucket_details.path_expression
+}