[#316] Add Cloudtrail modules

Author: tung-nimblehq

.github/wiki/Security.md

@@ -4,6 +4,21 @@ This document provides an overview of the security modules available in the infr
 
 ## Available Security Modules
 
+### CloudTrail
+
+The CloudTrail module provides comprehensive API activity logging and monitoring for your AWS infrastructure to enhance security auditing and compliance.
+
+#### Overview
+
+AWS CloudTrail records API calls and events across your AWS account. This module:
+
+- **Comprehensive event logging**: Captures management events, data events, and insight events based on configuration
+- **Multi-region support**: Can be configured to log events across all AWS regions for complete visibility
+- **CloudWatch integration**: Sends logs to CloudWatch for real-time monitoring and alerting
+- **S3 storage**: Stores all CloudTrail logs securely in Amazon S3 with configurable key prefix organization
+- **SNS notifications**: Integrates with SNS topics for immediate alerting on critical events
+- **Insight events**: Captures unusual activity patterns like API call rate and error rate anomalies
+
 ### VPC Flow Log
 
 The VPC Flow Log module captures network traffic information in your VPC to help with security monitoring and network analysis.

src/commands/install/index.test.ts

@@ -103,7 +103,7 @@ describe('Install add-on command', () => {
       it('throws an error', async () => {
         expect(stdoutSpy).toHaveBeenCalledWith(
           expect.stringContaining(
-            'Expected invalid to be one of: vpc, securityGroup, alb, bastion, ecr, ecs, cloudwatch, rds, s3, ssm'
+            'Expected invalid to be one of: vpc, securityGroup, alb, bastion, cloudtrail, ecr, ecs, cloudwatch, rds, s3, ssm, vpcFlowLog'
           )
         );
       });

src/generators/addons/aws/advanced.test.ts

@@ -5,6 +5,7 @@ import { applyAdvancedTemplate } from './advanced';
 import {
   applyAwsAlb,
   applyAwsBastion,
+  applyAwsCloudtrail,
   applyAwsEcr,
   applyAwsEcs,
   applyAwsCloudwatch,
@@ -71,6 +72,10 @@ describe('AWS advanced template', () => {
       it('does NOT apply VPC Flow Log add-on', () => {
         expect(applyAwsVpcFlowLog).not.toHaveBeenCalled();
       });
+
+      it('does NOT apply CloudTrail add-on', () => {
+        expect(applyAwsCloudtrail).not.toHaveBeenCalled();
+      });
     });
 
     describe('given enabledSecurityFeatures is true', () => {
@@ -97,6 +102,12 @@ describe('AWS advanced template', () => {
           optionsEnabledSecurityFeatures
         );
       });
+
+      it('applies CloudTrail add-on when flag is set', () => {
+        expect(applyAwsCloudtrail).toHaveBeenCalledWith(
+          optionsEnabledSecurityFeatures
+        );
+      });
     });
   });
 });

src/generators/addons/aws/advanced.ts

@@ -2,6 +2,7 @@ import { AwsOptions } from '.';
 import {
   applyAwsAlb,
   applyAwsBastion,
+  applyAwsCloudtrail,
   applyAwsEcr,
   applyAwsEcs,
   applyAwsCloudwatch,
@@ -23,6 +24,7 @@ const applyAdvancedTemplate = async (options: AwsOptions) => {
 
   if (options.enabledSecurityFeatures) {
     await applyAwsVpcFlowLog(options);
+    await applyAwsCloudtrail(options);
   }
 };
 

src/generators/addons/aws/dependencies.ts

@@ -5,6 +5,7 @@ import { AwsOptions } from '@/generators/addons/aws';
 import {
   applyAwsAlb,
   applyAwsBastion,
+  applyAwsCloudtrail,
   applyAwsEcr,
   applyAwsEcs,
   applyAwsCloudwatch,
@@ -50,6 +51,12 @@ const AWS_MODULES: Record<AwsModuleName | string, AwsModule> = {
     mainContent: 'module "bastion"',
     applyModuleFunction: (options: AwsOptions) => applyAwsBastion(options),
   },
+  cloudtrail: {
+    name: 'cloudtrail',
+    path: 'modules/cloudtrail',
+    mainContent: 'module "cloudtrail"',
+    applyModuleFunction: (options: AwsOptions) => applyAwsCloudtrail(options),
+  },
   ecr: {
     name: 'ecr',
     path: 'modules/ecr',

src/generators/addons/aws/modules/alb.ts

@@ -11,9 +11,8 @@ import {
   INFRA_CORE_MAIN_PATH,
   INFRA_CORE_OUTPUTS_PATH,
   INFRA_CORE_VARIABLES_PATH,
-  MODULES_LOCALS_INDICATOR,
 } from '@/generators/terraform/constants';
-import { appendToFile, copy, injectToFile } from '@/helpers/file';
+import { appendToFile, copy } from '@/helpers/file';
 
 import {
   AWS_SECURITY_GROUP_MAIN_PATH,

src/generators/addons/aws/modules/cloudtrail.test.ts

@@ -0,0 +1,74 @@
+import { AwsOptions } from '@/generators/addons/aws';
+import { applyTerraformCore } from '@/generators/terraform';
+import { remove } from '@/helpers/file';
+
+import applyAwsCloudtrail, {
+  cloudtrailModuleContent,
+  cloudtrailOutputsContent,
+  cloudtrailVariablesContent,
+} from './cloudtrail';
+import applyTerraformAwsProvider from './core/provider';
+
+jest.mock('inquirer', () => {
+  return {
+    prompt: jest.fn().mockResolvedValue({ apply: true }),
+  };
+});
+
+describe('CloudTrail add-on', () => {
+  describe('given valid AWS options', () => {
+    const projectDir = 'cloudtrail-addon-test';
+
+    beforeAll(async () => {
+      const awsOptions: AwsOptions = {
+        projectName: projectDir,
+        provider: 'aws',
+        infrastructureType: 'advanced',
+      };
+
+      await applyTerraformCore(awsOptions);
+      await applyTerraformAwsProvider(awsOptions);
+      await applyAwsCloudtrail(awsOptions);
+    });
+
+    afterAll(() => {
+      jest.clearAllMocks();
+      remove('/', projectDir);
+    });
+
+    it('creates expected files', () => {
+      const expectedFiles = [
+        'core/main.tf',
+        'core/providers.tf',
+        'core/outputs.tf',
+        'core/variables.tf',
+        'modules/cloudtrail/main.tf',
+        'modules/cloudtrail/variables.tf',
+        'modules/cloudtrail/outputs.tf',
+      ];
+
+      expect(projectDir).toHaveFiles(expectedFiles);
+    });
+
+    it('adds cloudtrail module to main.tf', () => {
+      expect(projectDir).toHaveContentInFile(
+        'core/main.tf',
+        cloudtrailModuleContent
+      );
+    });
+
+    it('adds cloudtrail variables to variables.tf', () => {
+      expect(projectDir).toHaveContentInFile(
+        'core/variables.tf',
+        cloudtrailVariablesContent
+      );
+    });
+
+    it('adds cloudtrail outputs to outputs.tf', () => {
+      expect(projectDir).toHaveContentInFile(
+        'core/outputs.tf',
+        cloudtrailOutputsContent
+      );
+    });
+  });
+});

src/generators/addons/aws/modules/cloudtrail.ts

@@ -0,0 +1,161 @@
+import { dedent } from 'ts-dedent';
+
+import { AwsOptions } from '@/generators/addons/aws';
+import { isAwsModuleAdded } from '@/generators/addons/aws/dependencies';
+import {
+  INFRA_CORE_MAIN_PATH,
+  INFRA_CORE_VARIABLES_PATH,
+  INFRA_CORE_OUTPUTS_PATH,
+  INFRA_CORE_LOCALS_PATH,
+} from '@/generators/terraform/constants';
+import { appendToFile, copy } from '@/helpers/file';
+
+import { AWS_TEMPLATE_PATH } from '../constants';
+
+const cloudtrailLocalesContent = dedent`
+  ### Begin CloudTrail ###
+  locals {
+    cloudtrail_s3_bucket_policy = {
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Sid    = "AWSCloudTrailAclCheck"
+          Effect = "Allow"
+          Principal = {
+            Service = "cloudtrail.amazonaws.com"
+          }
+          Action = [
+            "s3:GetBucketAcl",
+            "s3:ListBucket"
+          ]
+          Resource = "arn:aws:s3:::\${module.cloudtrail_s3_bucket.aws_s3_bucket_name}"
+          Condition = {
+            StringEquals = {
+              "aws:SourceAccount" = data.aws_caller_identity.current.account_id
+            }
+            ArnLike = {
+              "aws:SourceArn" = "arn:aws:cloudtrail:\${data.aws_region.current.region}:\${data.aws_caller_identity.current.account_id}:*"
+            }
+          }
+        },
+        {
+          Sid    = "AWSCloudTrailWrite"
+          Effect = "Allow"
+          Principal = {
+            Service = "cloudtrail.amazonaws.com"
+          }
+          Action   = "s3:PutObject"
+          Resource = "arn:aws:s3:::\${module.cloudtrail_s3_bucket.aws_s3_bucket_name}/cloudtrail/*"
+          Condition = {
+            StringEquals = {
+              "aws:SourceAccount" = data.aws_caller_identity.current.account_id
+              "s3:x-amz-acl"      = "bucket-owner-full-control"
+            }
+            ArnLike = {
+              "aws:SourceArn" = "arn:aws:cloudtrail:\${data.aws_region.current.region}:\${data.aws_caller_identity.current.account_id}:*"
+            }
+          }
+        }
+      ]
+    }
+  }
+  ### End CloudTrail ###`;
+
+const cloudtrailVariablesContent = dedent`
+  variable "cloudtrail_log_retention_days" {
+    description = "The number of days to retain CloudTrail logs in CloudWatch"
+    type        = number
+    default     = 365
+  }`;
+
+const cloudtrailModuleContent = dedent`
+  module "cloudtrail_s3_bucket" {
+    source = "../modules/s3"
+
+    env_namespace      = local.env_namespace
+    bucket_name        = "\${local.env_namespace}-cloudtrail-logs-\${data.aws_caller_identity.current.account_id}"
+    force_destroy      = true
+    object_ownership   = "BucketOwnerPreferred"
+    versioning_enabled = true
+    lifecycle_configuration = {
+      id     = "log-expiration"
+      status = "Enabled"
+      filter = {
+        prefix = ""
+      }
+      expiration = {
+        days = var.cloudtrail_log_retention_days
+      }
+    }
+  }
+
+  module "cloudtrail_s3_bucket_policy" {
+    source = "../modules/s3/bucket_policy"
+
+    s3_bucket_name = module.cloudtrail_s3_bucket.aws_s3_bucket_name
+    s3_bucket_policy = local.cloudtrail_s3_bucket_policy
+  }
+
+  module "cloudtrail_cloudwatch" {
+    source = "../modules/cloudwatch"
+
+    cloud_watch_name      = "/aws/cloudtrail/\${local.env_namespace}-cloudtrail"
+    log_retention_in_days = var.cloudtrail_log_retention_days
+  }
+
+  module "cloudtrail" {
+    source = "../modules/cloudtrail"
+
+    env_namespace              = local.env_namespace
+    trail_name                 = "\${local.env_namespace}-cloudtrail"
+    s3_bucket_name             = module.cloudtrail_s3_bucket.aws_s3_bucket_name
+    s3_key_prefix              = "cloudtrail"
+    log_retention_days         = var.cloudtrail_log_retention_days
+    s3_ignore_data_bucket_arns = ["arn:aws:s3:::\${module.cloudtrail_s3_bucket.aws_s3_bucket_name}"]
+    cloud_watch_arn            = module.cloudtrail_cloudwatch.aws_cloudwatch_log_group_arn
+  }`;
+
+const cloudtrailOutputsContent = dedent`
+  output "cloudtrail_arn" {
+    description = "The ARN of the CloudTrail"
+    value       = module.cloudtrail.cloudtrail_arn
+  }`;
+
+const applyAwsCloudtrail = async (options: AwsOptions) => {
+  if (isAwsModuleAdded('cloudtrail', options.projectName)) {
+    return;
+  }
+
+  copy(
+    `${AWS_TEMPLATE_PATH}/modules/cloudtrail`,
+    'modules/cloudtrail',
+    options.projectName
+  );
+  appendToFile(
+    INFRA_CORE_LOCALS_PATH,
+    cloudtrailLocalesContent,
+    options.projectName
+  );
+  appendToFile(
+    INFRA_CORE_VARIABLES_PATH,
+    cloudtrailVariablesContent,
+    options.projectName
+  );
+  appendToFile(
+    INFRA_CORE_MAIN_PATH,
+    cloudtrailModuleContent,
+    options.projectName
+  );
+  appendToFile(
+    INFRA_CORE_OUTPUTS_PATH,
+    cloudtrailOutputsContent,
+    options.projectName
+  );
+};
+
+export default applyAwsCloudtrail;
+export {
+  cloudtrailVariablesContent,
+  cloudtrailModuleContent,
+  cloudtrailOutputsContent,
+};

src/generators/addons/aws/modules/cloudwatch.ts

@@ -20,8 +20,7 @@ const cloudwatchModuleContent = dedent`
   module "cloudwatch" {
     source = "../modules/cloudwatch"
 
-    env_namespace = local.env_namespace
-
+    cloud_watch_name      = "\${local.env_namespace}-cloudwatch-log-group"
     log_retention_in_days = var.cloudwatch_log_retention_in_days
   }`;
 

src/generators/addons/aws/modules/index.ts

@@ -1,5 +1,6 @@
 import applyAwsAlb from './alb';
 import applyAwsBastion from './bastion';
+import applyAwsCloudtrail from './cloudtrail';
 import applyAwsCloudwatch from './cloudwatch';
 import applyAwsIamUserAndGroup from './core/iamUserAndGroup';
 import applyTerraformAwsProvider from './core/provider';
@@ -16,6 +17,7 @@ import applyAwsVpcFlowLog from './vpcFlowLog';
 export {
   applyAwsAlb,
   applyAwsBastion,
+  applyAwsCloudtrail,
   applyTerraformAwsProvider,
   applyAwsCloudwatch,
   applyAwsEcr,