[#316] Add Cloudtrail modules

Author: tung-nimblehq

.github/wiki/Architecture-overview.md

@@ -17,6 +17,7 @@ The project has the following main files and folders:
 │   │   └── versionControl # the templates files for version control
 │   └── terraform # the templates folders
 │       ├── core # the templates files for the core folder
+│       ├── core-v5 # the templates files for the v5 resource core folder
 │       └── shared # the templates files for the shared folder
 ├── src # the source code of the CLI
 │   ├── commands # the commands of the CLI

src/commands/install/index.test.ts

@@ -103,7 +103,7 @@ describe('Install add-on command', () => {
       it('throws an error', async () => {
         expect(stdoutSpy).toHaveBeenCalledWith(
           expect.stringContaining(
-            'Expected invalid to be one of: vpc, securityGroup, alb, bastion, ecr, ecs, cloudwatch, rds, s3, ssm'
+            'Expected invalid to be one of: vpc, securityGroup, alb, bastion, cloudtrail, ecr, ecs, cloudwatch, rds, s3, ssm, vpcFlowLog'
           )
         );
       });

src/generators/addons/aws/advanced.test.ts

@@ -5,6 +5,7 @@ import { applyAdvancedTemplate } from './advanced';
 import {
   applyAwsAlb,
   applyAwsBastion,
+  applyAwsCloudtrail,
   applyAwsEcr,
   applyAwsEcs,
   applyAwsCloudwatch,
@@ -71,6 +72,10 @@ describe('AWS advanced template', () => {
       it('does NOT apply VPC Flow Log add-on', () => {
         expect(applyAwsVpcFlowLog).not.toHaveBeenCalled();
       });
+
+      it('does NOT apply CloudTrail add-on', () => {
+        expect(applyAwsCloudtrail).not.toHaveBeenCalled();
+      });
     });
 
     describe('given enabledSecurityFeatures is true', () => {
@@ -97,6 +102,12 @@ describe('AWS advanced template', () => {
           optionsEnabledSecurityFeatures
         );
       });
+
+      it('applies CloudTrail add-on when flag is set', () => {
+        expect(applyAwsCloudtrail).toHaveBeenCalledWith(
+          optionsEnabledSecurityFeatures
+        );
+      });
     });
   });
 });

src/generators/addons/aws/advanced.ts

@@ -2,6 +2,7 @@ import { AwsOptions } from '.';
 import {
   applyAwsAlb,
   applyAwsBastion,
+  applyAwsCloudtrail,
   applyAwsEcr,
   applyAwsEcs,
   applyAwsCloudwatch,
@@ -23,6 +24,8 @@ const applyAdvancedTemplate = async (options: AwsOptions) => {
 
   if (options.enabledSecurityFeatures) {
     await applyAwsVpcFlowLog(options);
+    // For resource require hashicorp/aws >= 5.0.0 ex:aws_chatbot_slack_channel_configuration
+    await applyAwsCloudtrail(options);
   }
 };
 

src/generators/addons/aws/constants.ts

@@ -1,5 +1,6 @@
 const AWS_DEFAULT_REGION = 'ap-southeast-1';
 const AWS_TEMPLATE_PATH = `addons/aws`;
+const AWS_PROVIDER_V5_PATH = `${AWS_TEMPLATE_PATH}/modules-v5/provider.tf`;
 const AWS_SECURITY_GROUP_PATH = `modules/security_group`;
 const AWS_SECURITY_GROUP_MAIN_PATH = `${AWS_SECURITY_GROUP_PATH}/main.tf`;
 const AWS_SECURITY_GROUP_OUTPUTS_PATH = `${AWS_SECURITY_GROUP_PATH}/outputs.tf`;
@@ -8,6 +9,7 @@ const AWS_SECURITY_GROUP_VARIABLES_PATH = `${AWS_SECURITY_GROUP_PATH}/variables.
 export {
   AWS_DEFAULT_REGION,
   AWS_TEMPLATE_PATH,
+  AWS_PROVIDER_V5_PATH,
   AWS_SECURITY_GROUP_PATH,
   AWS_SECURITY_GROUP_MAIN_PATH,
   AWS_SECURITY_GROUP_OUTPUTS_PATH,

src/generators/addons/aws/dependencies.ts

@@ -5,6 +5,7 @@ import { AwsOptions } from '@/generators/addons/aws';
 import {
   applyAwsAlb,
   applyAwsBastion,
+  applyAwsCloudtrail,
   applyAwsEcr,
   applyAwsEcs,
   applyAwsCloudwatch,
@@ -50,6 +51,12 @@ const AWS_MODULES: Record<AwsModuleName | string, AwsModule> = {
     mainContent: 'module "bastion"',
     applyModuleFunction: (options: AwsOptions) => applyAwsBastion(options),
   },
+  cloudtrail: {
+    name: 'cloudtrail',
+    path: 'modules-v5/cloudtrail',
+    mainContent: 'module "cloudtrail"',
+    applyModuleFunction: (options: AwsOptions) => applyAwsCloudtrail(options),
+  },
   ecr: {
     name: 'ecr',
     path: 'modules/ecr',

src/generators/addons/aws/modules/cloudtrail.test.ts

@@ -0,0 +1,83 @@
+import { AwsOptions } from '@/generators/addons/aws';
+import { applyTerraformCore } from '@/generators/terraform';
+import { remove } from '@/helpers/file';
+
+import applyAwsCloudtrail, {
+  cloudtrailModuleContent,
+  cloudtrailOutputsContent,
+  cloudtrailVariablesContent,
+} from './cloudtrail';
+import applyTerraformAwsProvider from './core/provider';
+
+jest.mock('inquirer', () => {
+  return {
+    prompt: jest.fn().mockResolvedValue({ apply: true }),
+  };
+});
+
+describe('CloudTrail add-on', () => {
+  describe('given valid AWS options', () => {
+    const projectDir = 'cloudtrail-addon-test';
+
+    beforeAll(async () => {
+      const awsOptions: AwsOptions = {
+        projectName: projectDir,
+        provider: 'aws',
+        infrastructureType: 'advanced',
+      };
+
+      await applyTerraformCore(awsOptions);
+      await applyTerraformAwsProvider(awsOptions);
+      await applyAwsCloudtrail(awsOptions);
+    });
+
+    afterAll(() => {
+      jest.clearAllMocks();
+      remove('/', projectDir);
+    });
+
+    it('creates expected files', () => {
+      const expectedFiles = [
+        'core-v5/main.tf',
+        'core-v5/providers.tf',
+        'core-v5/outputs.tf',
+        'core-v5/variables.tf',
+        'modules-v5/cloudtrail/main.tf',
+        'modules-v5/cloudtrail/variables.tf',
+        'modules-v5/cloudtrail/outputs.tf',
+        'modules-v5/cloudtrail/s3-bucket-cloudtrail/main.tf',
+        'modules-v5/cloudtrail/s3-bucket-cloudtrail/variables.tf',
+        'modules-v5/cloudtrail/s3-bucket-cloudtrail/outputs.tf',
+        'modules-v5/cloudtrail/sns/main.tf',
+        'modules-v5/cloudtrail/sns/variables.tf',
+        'modules-v5/cloudtrail/sns/outputs.tf',
+        'modules-v5/cloudtrail/alerts/main.tf',
+        'modules-v5/cloudtrail/alerts/variables.tf',
+        'modules-v5/cloudtrail/alerts/outputs.tf',
+      ];
+
+      expect(projectDir).toHaveFiles(expectedFiles);
+    });
+
+    it('adds cloudtrail module to main.tf', () => {
+      expect(projectDir).toHaveContentInFile(
+        'core-v5/main.tf',
+        cloudtrailModuleContent
+      );
+    });
+
+    it('adds cloudtrail variables to variables.tf', () => {
+      expect(projectDir).toHaveContentInFile(
+        'core-v5/variables.tf',
+        cloudtrailVariablesContent
+      );
+    });
+
+    it('adds cloudtrail outputs to outputs.tf', () => {
+      expect(projectDir).toHaveContentInFile(
+        'core-v5/outputs.tf',
+        cloudtrailOutputsContent
+      );
+    });
+  });
+});

src/generators/addons/aws/modules/cloudtrail.ts

@@ -0,0 +1,176 @@
+import { dedent } from 'ts-dedent';
+
+import { AwsOptions } from '@/generators/addons/aws';
+import { isAwsModuleAdded } from '@/generators/addons/aws/dependencies';
+import {
+  INFRA_CORE_V5_MAIN_PATH,
+  INFRA_CORE_V5_VARIABLES_PATH,
+  INFRA_CORE_V5_OUTPUTS_PATH,
+} from '@/generators/terraform/constants';
+import { appendToFile, copy } from '@/helpers/file';
+
+import { AWS_TEMPLATE_PATH } from '../constants';
+
+const cloudtrailVariablesContent = dedent`
+  variable "cloudtrail_trail_name" {
+    description = "Name of the CloudTrail trail"
+    type        = string
+  }
+
+  variable "cloudtrail_s3_bucket_name" {
+    description = "Name for the S3 bucket to store CloudTrail logs"
+    type        = string
+  }
+
+  variable "cloudtrail_s3_key_prefix" {
+    description = "S3 key prefix for the CloudTrail logs"
+    type        = string
+    default     = "cloudtrail"
+  }
+
+  variable "cloudtrail_event_type" {
+    description = "Type of events that the trail will log. Valid values are 'All', 'Management', 'Data' and 'Insight'"
+    type        = string
+    default     = "All"
+  }
+
+  variable "cloudtrail_log_retention_days" {
+    description = "The number of days to retain CloudTrail logs in CloudWatch"
+    type        = number
+    default     = 365
+  }
+
+  variable "cloudtrail_sns_topic_name" {
+    description = "Name for the SNS topic to send CloudTrail notifications"
+    type        = string
+  }
+
+  variable "cloudtrail_enable_alerts" {
+    description = "Enable CloudTrail alerts and monitoring"
+    type        = bool
+    default     = false
+  }
+
+  variable "cloudtrail_slack_channel_id" {
+    description = "Slack channel ID (starts with C)"
+    type        = string
+  }
+
+  variable "cloudtrail_slack_team_id" {
+    description = "Slack workspace/team ID (starts with T)"
+    type        = string
+  }`;
+
+const cloudtrailModuleContent = dedent`
+  module "cloudtrail_s3_bucket" {
+    source = "../modules-v5/cloudtrail/s3-bucket-cloudtrail"
+
+    env_namespace      = local.env_namespace
+    s3_bucket_name     = var.cloudtrail_s3_bucket_name
+    log_retention_days = var.cloudtrail_log_retention_days
+    trail_names        = [var.cloudtrail_trail_name]
+    s3_key_prefixes    = [var.cloudtrail_s3_key_prefix]
+  }
+
+  module "cloudtrail_sns" {
+    source = "../modules-v5/cloudtrail/sns"
+
+    env_namespace = local.env_namespace
+    sns_name      = var.cloudtrail_sns_topic_name
+    trail_names   = [var.cloudtrail_trail_name]
+  }
+
+  module "cloudtrail" {
+    depends_on = [module.cloudtrail_s3_bucket, module.cloudtrail_sns]
+    source     = "../modules-v5/cloudtrail"
+
+    env_namespace              = local.env_namespace
+    trail_name                 = var.cloudtrail_trail_name
+    cloudtrail_event_type      = var.cloudtrail_event_type
+    s3_bucket_name             = var.cloudtrail_s3_bucket_name
+    s3_bucket_id               = module.cloudtrail_s3_bucket.s3_bucket_id
+    s3_key_prefix              = var.cloudtrail_s3_key_prefix
+    sns_topic_arn              = module.cloudtrail_sns.sns_topic_arn
+    log_retention_days         = var.cloudtrail_log_retention_days
+    s3_ignore_data_bucket_arns = [module.cloudtrail_s3_bucket.s3_bucket_arn]
+  }
+
+  # CloudTrail alerts and monitoring (optional)
+  module "cloudtrail_alerts" {
+    count      = var.cloudtrail_enable_alerts ? 1 : 0
+    depends_on = [module.cloudtrail_sns]
+    source     = "../modules-v5/cloudtrail/alerts"
+
+    env_namespace              = local.env_namespace
+    cloudtrail_log_group_name  = "/aws/cloudtrail/\${var.cloudtrail_trail_name}"
+    sns_topic_arn              = module.cloudtrail_sns.sns_topic_arn
+    slack_channel_id           = var.cloudtrail_slack_channel_id
+    slack_team_id              = var.cloudtrail_slack_team_id
+    chatbot_role_name          = "AWSChatbotRole"
+    chatbot_configuration_name = "cloudtrail-alerts-channel"
+    metric_filter_name         = "FailedLoginAttempts"
+    metric_namespace           = "CloudTrailMetrics"
+    alarm_name                 = "FailedLoginAttemptsAlarm"
+    alarm_threshold            = 4
+    alarm_period               = 300
+  }`;
+
+const cloudtrailOutputsContent = dedent`
+  output "cloudtrail_s3_bucket_id" {
+    description = "The ID of the S3 bucket for CloudTrail logs"
+    value       = module.cloudtrail_s3_bucket.s3_bucket_id
+  }
+
+  output "cloudtrail_s3_bucket_arn" {
+    description = "The ARN of the S3 bucket for CloudTrail logs"
+    value       = module.cloudtrail_s3_bucket.s3_bucket_arn
+  }
+
+  output "cloudtrail_arn" {
+    description = "The ARN of the CloudTrail"
+    value       = module.cloudtrail.cloudtrail_arn
+  }
+
+  output "cloudtrail_sns_topic_arn" {
+    description = "The ARN of the SNS topic for CloudTrail notifications"
+    value       = module.cloudtrail_sns.sns_topic_arn
+  }
+
+  output "cloudtrail_arm" {
+    description = "The ARN of CloudTrail"
+    value       = module.cloudtrail.cloudtrail_arn
+  }`;
+
+const applyAwsCloudtrail = async (options: AwsOptions) => {
+  if (isAwsModuleAdded('cloudtrail', options.projectName)) {
+    return;
+  }
+
+  copy(
+    `${AWS_TEMPLATE_PATH}/modules-v5/cloudtrail`,
+    'modules-v5/cloudtrail',
+    options.projectName
+  );
+  appendToFile(
+    INFRA_CORE_V5_VARIABLES_PATH,
+    cloudtrailVariablesContent,
+    options.projectName
+  );
+  appendToFile(
+    INFRA_CORE_V5_MAIN_PATH,
+    cloudtrailModuleContent,
+    options.projectName
+  );
+  appendToFile(
+    INFRA_CORE_V5_OUTPUTS_PATH,
+    cloudtrailOutputsContent,
+    options.projectName
+  );
+};
+
+export default applyAwsCloudtrail;
+export {
+  cloudtrailVariablesContent,
+  cloudtrailModuleContent,
+  cloudtrailOutputsContent,
+};

src/generators/addons/aws/modules/core/provider.ts

@@ -1,7 +1,11 @@
 import { AwsOptions } from '@/generators/addons/aws';
-import { AWS_TEMPLATE_PATH } from '@/generators/addons/aws/constants';
+import {
+  AWS_TEMPLATE_PATH,
+  AWS_PROVIDER_V5_PATH,
+} from '@/generators/addons/aws/constants';
 import {
   INFRA_CORE_PATH,
+  INFRA_CORE_V5_PATH,
   INFRA_SHARED_PATH,
 } from '@/generators/terraform/constants';
 import { copy } from '@/helpers/file';
@@ -17,6 +21,15 @@ const applyTerraformAwsProvider = async (options: AwsOptions) => {
     `${INFRA_SHARED_PATH}/providers.tf`,
     options.projectName
   );
+
+  // For advanced infrastructure, also copy to core-v5
+  if (options.infrastructureType === 'advanced') {
+    copy(
+      AWS_PROVIDER_V5_PATH,
+      `${INFRA_CORE_V5_PATH}/providers.tf`,
+      options.projectName
+    );
+  }
 };
 
 export default applyTerraformAwsProvider;