initial commit

Author: cdaniluk

.github/workflows/check.yml

@@ -0,0 +1,20 @@
+name: check
+on: [push, pull_request]
+
+jobs:
+  build:
+    runs-on: macOS-latest
+    steps:
+    - uses: actions/checkout@v1
+
+    - name: Install prereq
+      run: |
+        brew install docker tfenv tflint
+        tfenv install
+
+    - name: tf fmt
+      run: |
+        terraform fmt
+    - name: tflint
+      run: |
+        tflint

.gitignore

@@ -0,0 +1,29 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*

.pre-commit-config.yaml

@@ -0,0 +1,13 @@
+---
+repos:
+- repo: git://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.24.0
+  hooks:
+    - id: terraform_fmt
+    - id: terraform_docs
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v2.4.0
+  hooks:
+    - id: end-of-file-fixer
+    - id: trailing-whitespace
+      #    - id: no-commit-to-branch

.terraform-version

@@ -0,0 +1 @@
+0.12.13

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Rhythmic Technologies, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,40 @@
+# terraform-aws-vpcflowlog-bucket
+
+[![](https://github.com/rhythmictech/terraform-aws-vpcflowlog-bucket/workflows/check/badge.svg)](https://github.com/rhythmictech/terraform-aws-vpcflowlog-bucket/actions)
+
+Creates an S3 bucket suitable for receiving VPC flow logs from one or more AWS account. Uses a KMS CMK, which is necessary for CIS compliance. Requires an external bucket to route S3 access logs to (also for CIS compliance).
+
+Example:
+
+
+```
+module "vpcflowlog-bucket" {
+  source              = "git::https://github.com/rhythmictech/terraform-aws-vpcflowlogs.git"
+  allowed_account_ids = ["123456789012", "123456789013"]
+  logging_bucket      = "example-s3-access-logs-bucket"
+  region              = "us-east-1"
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| allowed\_account\_ids | Optional list of AWS Account IDs that are permitted to write to the bucket | list(string) | `[]` | no |
+| logging\_bucket | S3 bucket to send request logs to the VPC flow log bucket to | string | n/a | yes |
+| region | Region VPC flow logs will be sent to | string | n/a | yes |
+| tags | Tags to include on resources that support it | map(string) | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| kms\_key\_id | KMS key |
+| s3\_bucket\_arn | The ARN of the bucket |
+| s3\_bucket\_name | The name of the bucket |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Related Projects
+* [VPC Flow Logs](https://github.com/rhythmictech/terraform-aws-vpc-flowlogs)

kms.tf

@@ -0,0 +1,64 @@
+data "aws_iam_policy_document" "key" {
+
+  statement {
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${local.account_id}:root"]
+    }
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
+    ]
+    resources = ["*"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
+    ]
+    resources = ["*"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["logs.${var.region}.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_kms_key" "this" {
+  deletion_window_in_days = 7
+  description             = "VPC Flow Log Encryption Key"
+  enable_key_rotation     = true
+  policy                  = data.aws_iam_policy_document.key.json
+  tags = merge(
+    {
+      "Name" = "vpcflowlog-key"
+    },
+    var.tags
+  )
+}
+
+resource "aws_kms_alias" "this" {
+  name          = "alias/vpcflowlog_key"
+  target_key_id = aws_kms_key.this.id
+}

main.tf

@@ -0,0 +1,96 @@
+data "aws_caller_identity" "current" {
+}
+
+locals {
+  account_id = data.aws_caller_identity.current.account_id
+
+  # Account IDs that will have access to stream CloudTrail logs
+  account_ids = concat([local.account_id], var.allowed_account_ids)
+
+  # Format account IDs into necessary resource lists.
+  bucket_policy_put_resources = formatlist("${aws_s3_bucket.this.arn}/AWSLogs/%s/*", local.account_ids)
+  kms_key_encrypt_resources   = formatlist("arn:aws:cloudtrail:*:%s:trail/*", local.account_ids)
+}
+
+resource "aws_s3_bucket" "this" {
+  bucket = "${local.account_id}-${var.region}-vpcflowlog"
+  acl    = "private"
+  tags   = var.tags
+
+  lifecycle_rule {
+    enabled = true
+
+    transition {
+      days          = 30
+      storage_class = "STANDARD_IA"
+    }
+
+  }
+
+  logging {
+    target_bucket = var.logging_bucket
+    target_prefix = "${local.account_id}-${var.region}-vpcflowlog/"
+  }
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm     = "aws:kms"
+        kms_master_key_id = aws_kms_key.this.arn
+      }
+    }
+
+  }
+
+  versioning {
+    enabled = true
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "this" {
+  bucket                  = aws_s3_bucket.this.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+data "aws_iam_policy_document" "this" {
+  statement {
+    actions   = ["s3:GetBucketAcl"]
+    effect    = "Allow"
+    resources = [aws_s3_bucket.this.arn]
+
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+  }
+
+  statement {
+    actions   = ["s3:PutObject"]
+    effect    = "Allow"
+    resources = local.bucket_policy_put_resources
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+  }
+
+}
+
+resource "aws_s3_bucket_policy" "this" {
+  bucket = aws_s3_bucket.this.id
+  policy = data.aws_iam_policy_document.this.json
+}

outputs.tf

@@ -0,0 +1,14 @@
+output "kms_key_id" {
+  description = "KMS key"
+  value       = aws_kms_key.this.arn
+}
+
+output "s3_bucket_arn" {
+  description = "The ARN of the bucket"
+  value       = aws_s3_bucket.this.arn
+}
+
+output "s3_bucket_name" {
+  description = "The name of the bucket"
+  value       = aws_s3_bucket.this.bucket
+}

variables.tf

@@ -0,0 +1,21 @@
+variable "allowed_account_ids" {
+  default     = []
+  description = "Optional list of AWS Account IDs that are permitted to write to the bucket"
+  type        = list(string)
+}
+
+variable "logging_bucket" {
+  description = "S3 bucket to send request logs to the VPC flow log bucket to"
+  type        = string
+}
+
+variable "region" {
+  description = "Region VPC flow logs will be sent to"
+  type        = string
+}
+
+variable "tags" {
+  default     = {}
+  description = "Tags to include on resources that support it"
+  type        = map(string)
+}