[#316] Add Cloudtrail modules

Author: tung-nimblehq

.github/wiki/Security.md

@@ -4,6 +4,20 @@ This document provides an overview of the security modules available in the infr
 
 ## Available Security Modules
 
+### CloudTrail
+
+The CloudTrail module provides comprehensive API activity logging and monitoring for your AWS infrastructure to enhance security auditing and compliance.
+
+#### Overview
+
+AWS CloudTrail records API calls and events across your AWS account. This module:
+
+- **Comprehensive event logging**: Captures management events, data events, and insight events based on configuration
+- **Multi-region support**: Can be configured to log events across all AWS regions for complete visibility
+- **CloudWatch integration**: Sends logs to CloudWatch for real-time monitoring and alerting
+- **SNS notifications**: Integrates with SNS topics for immediate alerting on critical events
+- **S3 storage**: Stores all CloudTrail logs securely in Amazon S3 with configurable key prefix organization
+
 ### VPC Flow Log
 
 The VPC Flow Log module captures network traffic information in your VPC to help with security monitoring and network analysis.

src/commands/install/index.test.ts

@@ -103,7 +103,7 @@ describe('Install add-on command', () => {
       it('throws an error', async () => {
         expect(stdoutSpy).toHaveBeenCalledWith(
           expect.stringContaining(
-            'Expected invalid to be one of: vpc, securityGroup, alb, bastion, ecr, ecs, cloudwatch, rds, s3, ssm'
+            'Expected invalid to be one of: vpc, securityGroup, alb, bastion, cloudtrail, ecr, ecs, cloudwatch, rds, s3, ssm, vpcFlowLog'
           )
         );
       });

src/generators/addons/aws/advanced.test.ts

@@ -1,10 +1,11 @@
 import { remove } from '@/helpers/file';
 
-import { AwsOptions } from '.';
+import { AwsAddonModules, AwsOptions } from '.';
 import { applyAdvancedTemplate } from './advanced';
 import {
   applyAwsAlb,
   applyAwsBastion,
+  applyAwsCloudtrail,
   applyAwsEcr,
   applyAwsEcs,
   applyAwsCloudwatch,
@@ -73,6 +74,10 @@ describe('AWS advanced template', () => {
       it('does NOT apply VPC Flow Log add-on', () => {
         expect(applyAwsVpcFlowLog).not.toHaveBeenCalled();
       });
+
+      it('does NOT apply CloudTrail add-on', () => {
+        expect(applyAwsCloudtrail).not.toHaveBeenCalled();
+      });
     });
 
     describe('given enabledSecurityFeatures is true', () => {
@@ -83,7 +88,7 @@ describe('AWS advanced template', () => {
           infrastructureType: 'advanced',
           awsRegion: 'ap-southeast-1',
           enabledSecurityFeatures: true,
-          addonModules: ['vpcFlowLog'],
+          addonModules: [AwsAddonModules.VPC_FLOW_LOG],
         };
 
         beforeAll(async () => {
@@ -102,6 +107,7 @@ describe('AWS advanced template', () => {
           );
         });
       });
+
       describe('given addonModules does NOT include vpcFlowLog', () => {
         const optionsEnabledSecurityFeaturesWithoutVpcFlowLog: AwsOptions = {
           projectName: projectDir,
@@ -124,6 +130,58 @@ describe('AWS advanced template', () => {
           expect(applyAwsVpcFlowLog).not.toHaveBeenCalled();
         });
       });
+
+      describe('given addonModules includes cloudtrail', () => {
+        const optionsEnabledSecurityFeaturesWithCloudTrail: AwsOptions = {
+          projectName: projectDir,
+          provider: 'aws',
+          infrastructureType: 'advanced',
+          awsRegion: 'ap-southeast-1',
+          enabledSecurityFeatures: true,
+          addonModules: [AwsAddonModules.CLOUDTRAIL],
+        };
+
+        beforeAll(async () => {
+          jest.clearAllMocks();
+          await applyAdvancedTemplate(
+            optionsEnabledSecurityFeaturesWithCloudTrail
+          );
+        });
+
+        afterAll(() => {
+          jest.clearAllMocks();
+          remove('/', projectDir);
+        });
+
+        it('applies CloudTrail add-on when flag is set', () => {
+          expect(applyAwsCloudtrail).toHaveBeenCalledWith(
+            optionsEnabledSecurityFeaturesWithCloudTrail
+          );
+        });
+      });
+
+      describe('given addonModules does NOT include cloudtrail', () => {
+        const optionsEnabledSecurityFeaturesWithoutCloudTrail: AwsOptions = {
+          projectName: projectDir,
+          provider: 'aws',
+          infrastructureType: 'advanced',
+          awsRegion: 'ap-southeast-1',
+          enabledSecurityFeatures: true,
+          addonModules: [], // No cloudtrail
+        };
+
+        afterAll(() => {
+          jest.clearAllMocks();
+          remove('/', projectDir);
+        });
+
+        it('does NOT apply CloudTrail add-on when flag is set but module is not included', async () => {
+          await applyAdvancedTemplate(
+            optionsEnabledSecurityFeaturesWithoutCloudTrail
+          );
+          expect(applyAwsCloudtrail).not.toHaveBeenCalled();
+        });
+      });
     });
   });
 });

src/generators/addons/aws/advanced.ts

@@ -1,7 +1,8 @@
-import { AwsOptions } from '.';
+import { AwsAddonModules, AwsOptions } from '.';
 import {
   applyAwsAlb,
   applyAwsBastion,
+  applyAwsCloudtrail,
   applyAwsEcr,
   applyAwsEcs,
   applyAwsCloudwatch,
@@ -25,8 +26,10 @@ const applyAdvancedTemplate = async (options: AwsOptions) => {
     await Promise.all(
       options.addonModules.map((module) => {
         switch (module) {
-          case 'vpcFlowLog':
+          case AwsAddonModules.VPC_FLOW_LOG:
             return applyAwsVpcFlowLog(options);
+          case AwsAddonModules.CLOUDTRAIL:
+            return applyAwsCloudtrail(options);
           default:
             throw new Error(`Module ${module} has not been implemented!`);
         }

src/generators/addons/aws/dependencies.ts

@@ -5,6 +5,7 @@ import { AwsOptions } from '@/generators/addons/aws';
 import {
   applyAwsAlb,
   applyAwsBastion,
+  applyAwsCloudtrail,
   applyAwsEcr,
   applyAwsEcs,
   applyAwsCloudwatch,
@@ -50,6 +51,12 @@ const AWS_MODULES: Record<AwsModuleName | string, AwsModule> = {
     mainContent: 'module "bastion"',
     applyModuleFunction: (options: AwsOptions) => applyAwsBastion(options),
   },
+  cloudtrail: {
+    name: 'cloudtrail',
+    path: 'modules/cloudtrail',
+    mainContent: 'module "cloudtrail"',
+    applyModuleFunction: (options: AwsOptions) => applyAwsCloudtrail(options),
+  },
   ecr: {
     name: 'ecr',
     path: 'modules/ecr',

src/generators/addons/aws/index.ts

@@ -12,11 +12,16 @@ import {
   applyAwsVpc,
 } from './modules';
 
+enum AwsAddonModules {
+  VPC_FLOW_LOG = 'vpcFlowLog',
+  CLOUDTRAIL = 'cloudtrail',
+}
+
 type AwsOptions = GeneralOptions & {
   infrastructureType?: 'blank' | 'advanced';
   awsRegion?: string;
   enabledSecurityFeatures?: boolean;
-  addonModules?: string[];
+  addonModules?: AwsAddonModules[];
 };
 
 const awsChoices = [
@@ -50,13 +55,13 @@ const awsChoices = [
     message: 'Which security features do you want to add?',
     choices: [
       {
-        key: 'vpcFlowLog',
-        value: 'vpcFlowLog',
+        key: AwsAddonModules.VPC_FLOW_LOG,
+        value: AwsAddonModules.VPC_FLOW_LOG,
         name: 'VPC Flow Logs',
       },
       {
-        key: 'cloudTrail',
-        value: 'cloudTrail',
+        key: AwsAddonModules.CLOUDTRAIL,
+        value: AwsAddonModules.CLOUDTRAIL,
         name: 'CloudTrail',
       },
     ],
@@ -107,4 +112,4 @@ const generateAwsTemplate = async (
 };
 
 export type { AwsOptions };
-export { generateAwsTemplate };
+export { generateAwsTemplate, AwsAddonModules };

src/generators/addons/aws/modules/alb.ts

@@ -11,9 +11,8 @@ import {
   INFRA_CORE_MAIN_PATH,
   INFRA_CORE_OUTPUTS_PATH,
   INFRA_CORE_VARIABLES_PATH,
-  MODULES_LOCALS_INDICATOR,
 } from '@/generators/terraform/constants';
-import { appendToFile, copy, injectToFile } from '@/helpers/file';
+import { appendToFile, copy } from '@/helpers/file';
 
 import {
   AWS_SECURITY_GROUP_MAIN_PATH,

src/generators/addons/aws/modules/cloudtrail.test.ts

@@ -0,0 +1,74 @@
+import { AwsOptions } from '@/generators/addons/aws';
+import { applyTerraformCore } from '@/generators/terraform';
+import { remove } from '@/helpers/file';
+
+import applyAwsCloudtrail, {
+  cloudtrailModuleContent,
+  cloudtrailOutputsContent,
+  cloudtrailVariablesContent,
+} from './cloudtrail';
+import applyTerraformAwsProvider from './core/provider';
+
+jest.mock('inquirer', () => {
+  return {
+    prompt: jest.fn().mockResolvedValue({ apply: true }),
+  };
+});
+
+describe('CloudTrail add-on', () => {
+  describe('given valid AWS options', () => {
+    const projectDir = 'cloudtrail-addon-test';
+
+    beforeAll(async () => {
+      const awsOptions: AwsOptions = {
+        projectName: projectDir,
+        provider: 'aws',
+        infrastructureType: 'advanced',
+      };
+
+      await applyTerraformCore(awsOptions);
+      await applyTerraformAwsProvider(awsOptions);
+      await applyAwsCloudtrail(awsOptions);
+    });
+
+    afterAll(() => {
+      jest.clearAllMocks();
+      remove('/', projectDir);
+    });
+
+    it('creates expected files', () => {
+      const expectedFiles = [
+        'core/main.tf',
+        'core/providers.tf',
+        'core/outputs.tf',
+        'core/variables.tf',
+        'modules/cloudtrail/main.tf',
+        'modules/cloudtrail/variables.tf',
+        'modules/cloudtrail/outputs.tf',
+      ];
+
+      expect(projectDir).toHaveFiles(expectedFiles);
+    });
+
+    it('adds cloudtrail module to main.tf', () => {
+      expect(projectDir).toHaveContentInFile(
+        'core/main.tf',
+        cloudtrailModuleContent
+      );
+    });
+
+    it('adds cloudtrail variables to variables.tf', () => {
+      expect(projectDir).toHaveContentInFile(
+        'core/variables.tf',
+        cloudtrailVariablesContent
+      );
+    });
+
+    it('adds cloudtrail outputs to outputs.tf', () => {
+      expect(projectDir).toHaveContentInFile(
+        'core/outputs.tf',
+        cloudtrailOutputsContent
+      );
+    });
+  });
+});