feat: add CloudTrail module with S3, CloudWatch Logs, and KMS encryption (#196)

marekaf · web-flow · commit b51cfe968f17 · 2026-02-17T11:53:46.000+01:00
diff --git a/README.md b/README.md
@@ -172,9 +172,10 @@ Lambda functions live in `src/<lambda-name>/` directories with an `index.mjs` (o
 - **`lambda-deploy.yaml`** is a manual `workflow_dispatch` workflow for deploying a Lambda to a target environment. It packages the function, uploads the zip to an S3 artifacts bucket, and optionally updates the Lambda function code via the AWS CLI. The S3 bucket and region are configurable per invocation.
 
 ## tflint
+[tflint](https://github.com/terraform-linters/tflint) is a pluggable linter for Terraform. We use the `tflint-ruleset-aws` plugin to catch AWS-specific issues (invalid instance types, missing tags, deprecated resources) before they reach `terraform plan`. Configuration is in `.tflint.hcl` files per environment.
 
 ## checkov
-[Checkov]() is an amazing tool to lint terraform (and other) resources, we use the non-official pre-commit hook by antonbabenko
+[Checkov](https://www.checkov.io) is an amazing tool to lint terraform (and other) resources, we use the non-official pre-commit hook by antonbabenko
 
 ## VPC Flow Logs
 
@@ -242,6 +243,7 @@ Reusable Terraform modules in `modules/`:
 |--------|-------------|
 | `aws-bootstrap` | S3 backend + optional DynamoDB table for state management |
 | `certificate` | ACM certificate with DNS validation |
+| `cloudtrail` | Multi-region CloudTrail with S3 storage, CloudWatch Logs, KMS encryption, and lifecycle rules |
 | `cluster-autoscaler` | Kubernetes Cluster Autoscaler with IRSA |
 | `eks` | EKS cluster with managed/self-managed node groups |
 | `github-oidc` | GitHub Actions OIDC provider + IAM role |
diff --git a/modules/cloudtrail/main.tf b/modules/cloudtrail/main.tf
@@ -0,0 +1,179 @@
+data "aws_caller_identity" "current" {}
+
+resource "aws_cloudwatch_log_group" "cloudtrail" {
+  name = "${var.name_prefix}-cloudtrail-logs"
+
+  kms_key_id        = var.kms_key_arn
+  retention_in_days = var.retention_in_days
+}
+
+resource "aws_cloudtrail" "main" {
+  # checkov:skip=CKV_AWS_252: Ensure CloudTrail defines an SNS Topic: We don't need SNS notifications here
+  name           = "${var.name_prefix}-global-events"
+  s3_bucket_name = aws_s3_bucket.cloudtrail.id
+
+  enable_log_file_validation = true
+  is_multi_region_trail      = true
+  is_organization_trail      = false // cannot be true since this is not a management account
+
+  cloud_watch_logs_role_arn  = aws_iam_role.cloudtrail.arn
+  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*" # CloudTrail requires the Log Stream wildcard
+
+  kms_key_id = var.kms_key_arn
+
+  event_selector {
+    exclude_management_event_sources = [
+      "kms.amazonaws.com",
+      "rdsdata.amazonaws.com"
+    ]
+  }
+
+  depends_on = [
+    aws_s3_bucket_policy.cloudtrail,
+  ]
+}
+
+resource "aws_s3_bucket" "cloudtrail" {
+  # checkov:skip=CKV_AWS_18: Access logging not needed for CloudTrail bucket
+  # checkov:skip=CKV_AWS_21: Object versioning not needed here
+  # checkov:skip=CKV_AWS_144: Cross-region replication not needed here
+  # checkov:skip=CKV2_AWS_62: Event notifications not needed here
+  bucket = "${var.name_prefix}-cloudtrail-global-events"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail" {
+  bucket = aws_s3_bucket.cloudtrail.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = var.kms_key_arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "cloudtrail" {
+  bucket = aws_s3_bucket.cloudtrail.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AWSCloudTrailAclCheck"
+        Effect = "Allow"
+        Principal = {
+          Service = "cloudtrail.amazonaws.com"
+        }
+        Action   = "s3:GetBucketAcl"
+        Resource = aws_s3_bucket.cloudtrail.arn
+      },
+      {
+        Sid    = "AWSCloudTrailWrite"
+        Effect = "Allow"
+        Principal = {
+          Service = "cloudtrail.amazonaws.com"
+        }
+        Action   = "s3:PutObject"
+        Resource = "${aws_s3_bucket.cloudtrail.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
+        Condition = {
+          StringEquals = {
+            "s3:x-amz-acl" = "bucket-owner-full-control"
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_s3_bucket_public_access_block" "cloudtrail" {
+  bucket = aws_s3_bucket.cloudtrail.id
+
+  restrict_public_buckets = true
+  block_public_policy     = true
+
+  ignore_public_acls = true
+  block_public_acls  = true
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "cloudtrail" {
+  #checkov:skip=CKV_AWS_300:Abort incomplete multipart upload is configured in the 'all' rule
+  bucket = aws_s3_bucket.cloudtrail.id
+
+  rule {
+    id     = "all"
+    status = "Enabled"
+
+    filter {
+      prefix = ""
+    }
+
+    abort_incomplete_multipart_upload {
+      days_after_initiation = 3
+    }
+  }
+
+  rule {
+    id     = "log"
+    status = "Enabled"
+
+    expiration {
+      days = 90
+    }
+
+    filter {
+      and {
+        prefix = "AWSLogs/"
+
+        tags = {
+          rule      = "log"
+          autoclean = "true"
+        }
+      }
+    }
+
+    transition {
+      days          = 30
+      storage_class = "STANDARD_IA"
+    }
+
+    transition {
+      days          = 60
+      storage_class = "GLACIER"
+    }
+  }
+}
+
+resource "aws_iam_role" "cloudtrail" {
+  name = "cloudtrail-cloudwatch"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Principal = {
+        Service = "cloudtrail.amazonaws.com"
+      }
+      Action = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "cloudtrail_cloudwatch" {
+  name = "cloudtrail"
+  role = aws_iam_role.cloudtrail.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid      = "AWSCloudTrailCreateLogStream2014110"
+        Effect   = "Allow"
+        Action   = "logs:CreateLogStream"
+        Resource = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
+      },
+      {
+        Sid      = "AWSCloudTrailPutLogEvents20141101"
+        Effect   = "Allow"
+        Action   = "logs:PutLogEvents"
+        Resource = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
+      }
+    ]
+  })
+}
diff --git a/modules/cloudtrail/outputs.tf b/modules/cloudtrail/outputs.tf
@@ -0,0 +1,9 @@
+output "cloudtrail_arn" {
+  description = "CloudTrail ARN"
+  value       = aws_cloudtrail.main.arn
+}
+
+output "s3_bucket_arn" {
+  description = "CloudTrail S3 bucket ARN"
+  value       = aws_s3_bucket.cloudtrail.arn
+}
diff --git a/modules/cloudtrail/variables.tf b/modules/cloudtrail/variables.tf
@@ -0,0 +1,15 @@
+variable "name_prefix" {
+  description = "Prefix for resource names"
+  type        = string
+}
+
+variable "kms_key_arn" {
+  description = "KMS key ARN for encryption"
+  type        = string
+}
+
+variable "retention_in_days" {
+  description = "CloudWatch log retention in days"
+  type        = number
+  default     = 365
+}
diff --git a/modules/cloudtrail/versions.tf b/modules/cloudtrail/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.0.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.57.0, < 6.0.0"
+    }
+  }
+}
