-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathorg-event-bus.tf
More file actions
88 lines (74 loc) · 2.4 KB
/
org-event-bus.tf
File metadata and controls
88 lines (74 loc) · 2.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
# We use EventBridge to send specific CloudTrail API Calls for all sub-accounts to a specific audit account,
# where we can fan out based on centralized rules.
resource "aws_cloudwatch_event_bus" "audit-events" {
name = "audit-events"
}
# A CloudTrail Trail is required for EventBridge to listen for CloudTrail API events.
module "audit-events-cloudtrail-bucket-root" {
source = "registry.terraform.io/cloudposse/cloudtrail-s3-bucket/aws"
acl = "log-delivery-write"
namespace = "zbm"
name = "audit-events"
}
module "audit-events-cloudtrail-root" {
source = "registry.terraform.io/cloudposse/cloudtrail/aws"
s3_bucket_name = module.audit-events-cloudtrail-bucket-root.bucket_id
is_multi_region_trail = true
include_global_service_events = true
namespace = "zbm"
name = "audit-events"
}
# Create the target "proof it works" queue.
resource "aws_sqs_queue" "audit-events" {
name = "audit-events"
}
# Create a policy to allow other accounts to PUT events into our custom bus.
data "aws_iam_policy_document" "audit-events" {
statement {
sid = "AllowPutEvents"
effect = "Allow"
actions = [
"events:PutEvents",
]
resources = [
aws_cloudwatch_event_bus.audit-events.arn
]
principals {
type = "AWS"
identifiers = [for acct in aws_organizations_account.app_accounts : acct.id]
}
}
statement {
sid = "AllowUpdateRules"
effect = "Allow"
actions = [
"events:PutRule",
"events:PutTargets",
"events:DeleteRule",
"events:RemoveTargets",
"events:DisableRule",
"events:EnableRule",
"events:TagResource",
"events:UntagResource",
"events:DescribeRule",
"events:ListTargetsByRule",
"events:ListTagsForResource"
]
resources = [
aws_cloudwatch_event_bus.audit-events.arn
]
principals {
type = "AWS"
identifiers = ["*"]
}
condition {
test = "StringEquals"
variable = "aws:PrincipalOrgID"
values = [aws_organizations_organization.root.id]
}
}
}
resource "aws_cloudwatch_event_bus_policy" "audit-events" {
policy = data.aws_iam_policy_document.audit-events.json
event_bus_name = aws_cloudwatch_event_bus.audit-events.name
}