added cloudtrailEnable option to fix #173 (#243)

deven96 · web-flow · commit b1101fd507fd · 2021-10-28T09:39:36.000-07:00
diff --git a/templates/terraform/environments/prod/user_access.tf b/templates/terraform/environments/prod/user_access.tf
@@ -87,12 +87,12 @@ data "aws_iam_policy_document" "operator_access" {
   statement {
     effect    = "Allow"
     actions   = ["s3:ListBucket"]
-    resources = ["arn:aws:s3:::${data.terraform_remote_state.shared.outputs.cloudtrail_bucket_id}"]
+    resources = ["arn:aws:s3:::*-cloudtrail"]
   }
   statement {
     effect    = "Allow"
     actions   = ["s3:GetObject", "s3:PutObject"]
-    resources = ["arn:aws:s3:::${data.terraform_remote_state.shared.outputs.cloudtrail_bucket_id}/*"]
+    resources = ["arn:aws:s3:::*-cloudtrail/*"]
   }
 
   # Application secret management - this role can view and edit application secrets in the production environment
diff --git a/templates/terraform/environments/shared/main.tf b/templates/terraform/environments/shared/main.tf
@@ -15,6 +15,7 @@ locals {
   account_id             = "<% index .Params `accountId` %>"
   random_seed            = "<% index .Params `randomSeed` %>"
   shared_resource_prefix = "<% if ne (index .Params `sharedResourcePrefix`) "none" %><% index .Params `sharedResourcePrefix` %><% end %>"
+  enable_cloudtrail       = <%if eq (index .Params `cloudtrailEnable`) "yes" %>1<% else %>0<% end %>
 }
 
 provider "aws" {
@@ -144,6 +145,7 @@ module "secret_keys" {
 
 # Enable AWS CloudTrail to help you audit governance, compliance, and operational risk of your AWS account, with logs stored in S3 bucket.
 module "cloudtrail" {
+  count   = local.enable_cloudtrail
   source  = "commitdev/zero/aws//modules/cloudtrail"
   version = "0.1.10"
 
diff --git a/tests/fixtures/test-project/zero-project.yml b/tests/fixtures/test-project/zero-project.yml
@@ -10,6 +10,7 @@ modules:
       accountId: "123456781234"
       database: mysql
       fileUploads: "no"
+      cloudtrailEnable: "yes"
       loggingType: kibana
       metricsType: prometheus
       productionBackendSubdomain: api.
diff --git a/zero-module.yml b/zero-module.yml
@@ -209,3 +209,10 @@ parameters:
   - field: sharedResourcePrefix
     label: "Mostly for development - Allow shared resources to have a unique prefix. This is only necessary if many zero projects will be run in the same AWS account."
     value: "none"
+  - field: cloudtrailEnable
+    label: Enable cloudtrail?
+    info: "CloudTrail monitors and records account activity across your AWS infrastructure, giving you control over storage, analysis, and remediation actions. It can add $5-10 per month and may not provide much value to a smaller company"
+    default: no
+    options:
+      "yes": "Yes"
+      "no": "No"

Original file line number	Diff line number	Diff line change
`@@ -87,12 +87,12 @@ data "aws_iam_policy_document" "operator_access" {`
`87`	`87`	`statement {`
`88`	`88`	`effect = "Allow"`
`89`	`89`	`actions = ["s3:ListBucket"]`
`90`		`- resources = ["arn:aws:s3:::${data.terraform_remote_state.shared.outputs.cloudtrail_bucket_id}"]`
	`90`	`+ resources = ["arn:aws:s3:::*-cloudtrail"]`
`91`	`91`	`}`
`92`	`92`	`statement {`
`93`	`93`	`effect = "Allow"`
`94`	`94`	`actions = ["s3:GetObject", "s3:PutObject"]`
`95`		`- resources = ["arn:aws:s3:::${data.terraform_remote_state.shared.outputs.cloudtrail_bucket_id}/*"]`
	`95`	`+ resources = ["arn:aws:s3:::-cloudtrail/"]`
`96`	`96`	`}`
`97`	`97`
`98`	`98`	`# Application secret management - this role can view and edit application secrets in the production environment`