feat: allow using an external bucket instead of creating a new one

fixes nozaq#47

Author: nozaq

README.md

@@ -77,6 +77,8 @@ Check [the example](./examples/root-example/regions.tf) to understand how these
 Note that you need to define a provider for each AWS region and pass them to the module. Currently this is the recommended way to handle multiple regions in one module.
 Detailed information can be found at [Providers within Modules - Terraform Docs].
 
+A new S3 bucket to store audit logs is automatically created by default, while the external S3 bucket can be specified. It is useful when you already have a centralized S3 bucket to store all logs. Please see [external-bucket](./examples/external-bucket) example for more detail.
+
 ## Submodules
 
 This module is composed of several submodules and each of which can be used independently.
@@ -128,6 +130,7 @@ This module is composed of several submodules and each of which can be used inde
 | support\_iam\_role\_name | The name of the the support role. | string | `"IAM-Support"` | no |
 | support\_iam\_role\_policy\_name | The name of the support role policy. | string | `"IAM-Support-Role"` | no |
 | support\_iam\_role\_principal\_arn | The ARN of the IAM principal element by which the support role could be assumed. | string | n/a | yes |
+| use\_external\_audit\_log\_bucket | A boolean that indicates whether the specific audit log bucket already exists. Create a new S3 bucket if it is set to false. | string | `"false"` | no |
 | vpc\_iam\_role\_name | The name of the IAM Role which VPC Flow Logs will use. | string | `"VPC-Flow-Logs-Publisher"` | no |
 | vpc\_iam\_role\_policy\_name | The name of the IAM Role Policy which VPC Flow Logs will use. | string | `"VPC-Flow-Logs-Publish-Policy"` | no |
 | vpc\_log\_group\_name | The name of CloudWatch Logs group to which VPC Flow Logs are delivered. | string | `"default-vpc-flow-logs"` | no |

bucket.tf

@@ -0,0 +1,86 @@
+# --------------------------------------------------------------------------------------------------
+# Configure the S3 bucket to store audit logs.
+# --------------------------------------------------------------------------------------------------
+locals {
+  use_external_bucket  = var.use_external_audit_log_bucket
+  audit_log_bucket_id  = local.use_external_bucket ? data.aws_s3_bucket.external[0].id : module.audit_log_bucket.this_bucket.id
+  audit_log_bucket_arn = local.use_external_bucket ? data.aws_s3_bucket.external[0].arn : module.audit_log_bucket.this_bucket.arn
+}
+
+# --------------------------------------------------------------------------------------------------
+# Case 1. Use the external S3 bucket.
+# --------------------------------------------------------------------------------------------------
+data "aws_s3_bucket" "external" {
+  count  = local.use_external_bucket ? 1 : 0
+  bucket = var.audit_log_bucket_name
+}
+
+# --------------------------------------------------------------------------------------------------
+# Case 2. Create a new S3 bucket.
+#
+# Create a S3 bucket to store various audit logs.
+# Bucket policies are derived from the default bucket policy described in
+# AWS Config Developer Guide and AWS CloudTrail User Guide.
+# https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html
+# https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html
+# --------------------------------------------------------------------------------------------------
+module "audit_log_bucket" {
+  source = "./modules/secure-bucket"
+
+  bucket_name                       = var.audit_log_bucket_name
+  log_bucket_name                   = "${var.audit_log_bucket_name}-access-logs"
+  lifecycle_glacier_transition_days = var.audit_log_lifecycle_glacier_transition_days
+  force_destroy                     = var.audit_log_bucket_force_destroy
+  enabled                           = ! local.use_external_bucket
+}
+
+resource "aws_s3_bucket_policy" "audit_log" {
+  count = local.use_external_bucket ? 0 : 1
+
+  bucket = module.audit_log_bucket.this_bucket.id
+  policy = <<END_OF_POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AWSCloudTrailAclCheckForConfig",
+      "Effect": "Allow",
+      "Principal": {"Service": "config.amazonaws.com"},
+      "Action": "s3:GetBucketAcl",
+      "Resource": "${module.audit_log_bucket.this_bucket.arn}"
+    },
+    {
+      "Sid": " AWSCloudTrailWriteForConfig",
+      "Effect": "Allow",
+      "Principal": {"Service": "config.amazonaws.com"},
+      "Action": "s3:PutObject",
+      "Resource": "${module.audit_log_bucket.this_bucket.arn}/config/AWSLogs/${var.aws_account_id}/Config/*",
+      "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
+    },
+    {
+        "Sid": "AWSCloudTrailAclCheckForCloudTrail",
+        "Effect": "Allow",
+        "Principal": {
+            "Service": "cloudtrail.amazonaws.com"
+        },
+        "Action": "s3:GetBucketAcl",
+        "Resource": "${module.audit_log_bucket.this_bucket.arn}"
+    },
+    {
+        "Sid": "AWSCloudTrailWriteForCloudTrail",
+        "Effect": "Allow",
+        "Principal": {
+            "Service": "cloudtrail.amazonaws.com"
+        },
+        "Action": "s3:PutObject",
+        "Resource": "${module.audit_log_bucket.this_bucket.arn}/cloudtrail/AWSLogs/${var.aws_account_id}/*",
+        "Condition": {
+            "StringEquals": {
+                "s3:x-amz-acl": "bucket-owner-full-control"
+            }
+        }
+    }
+  ]
+}
+END_OF_POLICY
+}

config_baselines.tf

@@ -28,7 +28,7 @@ POLICY
 data "aws_iam_policy_document" "recoder_publish_policy" {
   statement {
     actions = ["s3:PutObject"]
-    resources = ["${module.audit_log_bucket.this_bucket.arn}/config/AWSLogs/${var.aws_account_id}/*"]
+    resources = ["${local.audit_log_bucket_arn}/config/AWSLogs/${var.aws_account_id}/*"]
 
     condition {
       test = "StringLike"
@@ -39,7 +39,7 @@ data "aws_iam_policy_document" "recoder_publish_policy" {
 
   statement {
     actions = ["s3:GetBucketAcl"]
-    resources = [module.audit_log_bucket.this_bucket.arn]
+    resources = [local.audit_log_bucket_arn]
   }
 
   statement {
@@ -85,7 +85,7 @@ resource "aws_iam_role_policy_attachment" "recoder_read_policy" {
 module "config_baseline_ap-northeast-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket.id
+  s3_bucket_name = local.audit_log_bucket_id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -98,7 +98,7 @@ module "config_baseline_ap-northeast-1" {
 module "config_baseline_ap-northeast-2" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket.id
+  s3_bucket_name = local.audit_log_bucket_id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -111,7 +111,7 @@ module "config_baseline_ap-northeast-2" {
 module "config_baseline_ap-south-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket.id
+  s3_bucket_name = local.audit_log_bucket_id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -124,7 +124,7 @@ module "config_baseline_ap-south-1" {
 module "config_baseline_ap-southeast-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket.id
+  s3_bucket_name = local.audit_log_bucket_id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -137,7 +137,7 @@ module "config_baseline_ap-southeast-1" {
 module "config_baseline_ap-southeast-2" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket.id
+  s3_bucket_name = local.audit_log_bucket_id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -150,7 +150,7 @@ module "config_baseline_ap-southeast-2" {
 module "config_baseline_ca-central-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket.id
+  s3_bucket_name = local.audit_log_bucket_id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -163,7 +163,7 @@ module "config_baseline_ca-central-1" {
 module "config_baseline_eu-central-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket.id
+  s3_bucket_name = local.audit_log_bucket_id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -176,7 +176,7 @@ module "config_baseline_eu-central-1" {
 module "config_baseline_eu-north-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket.id
+  s3_bucket_name = local.audit_log_bucket_id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -189,7 +189,7 @@ module "config_baseline_eu-north-1" {
 module "config_baseline_eu-west-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket.id
+  s3_bucket_name = local.audit_log_bucket_id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -202,7 +202,7 @@ module "config_baseline_eu-west-1" {
 module "config_baseline_eu-west-2" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket.id
+  s3_bucket_name = local.audit_log_bucket_id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -215,7 +215,7 @@ module "config_baseline_eu-west-2" {
 module "config_baseline_eu-west-3" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket.id
+  s3_bucket_name = local.audit_log_bucket_id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -228,7 +228,7 @@ module "config_baseline_eu-west-3" {
 module "config_baseline_sa-east-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket.id
+  s3_bucket_name = local.audit_log_bucket_id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -241,7 +241,7 @@ module "config_baseline_sa-east-1" {
 module "config_baseline_us-east-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket.id
+  s3_bucket_name = local.audit_log_bucket_id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -254,7 +254,7 @@ module "config_baseline_us-east-1" {
 module "config_baseline_us-east-2" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket.id
+  s3_bucket_name = local.audit_log_bucket_id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -267,7 +267,7 @@ module "config_baseline_us-east-2" {
 module "config_baseline_us-west-1" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket.id
+  s3_bucket_name = local.audit_log_bucket_id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name
@@ -280,7 +280,7 @@ module "config_baseline_us-west-1" {
 module "config_baseline_us-west-2" {
   source = "./modules/config-baseline"
   iam_role_arn = aws_iam_role.recorder.arn
-  s3_bucket_name = module.audit_log_bucket.this_bucket.id
+  s3_bucket_name = local.audit_log_bucket_id
   s3_key_prefix = var.config_s3_bucket_key_prefix
   delivery_frequency = var.config_delivery_frequency
   sns_topic_name = var.config_sns_topic_name

examples/external-bucket/bucket.tf

@@ -0,0 +1,54 @@
+resource "aws_s3_bucket" "logs" {
+  bucket        = var.audit_s3_bucket_name
+  acl           = "private"
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_policy" "logs" {
+  bucket = aws_s3_bucket.logs.id
+  policy = <<END_OF_POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AWSCloudTrailAclCheckForConfig",
+      "Effect": "Allow",
+      "Principal": {"Service": "config.amazonaws.com"},
+      "Action": "s3:GetBucketAcl",
+      "Resource": "${aws_s3_bucket.logs.arn}"
+    },
+    {
+      "Sid": " AWSCloudTrailWriteForConfig",
+      "Effect": "Allow",
+      "Principal": {"Service": "config.amazonaws.com"},
+      "Action": "s3:PutObject",
+      "Resource": "${aws_s3_bucket.logs.arn}/config/AWSLogs/${data.aws_caller_identity.current.account_id}/Config/*",
+      "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
+    },
+    {
+        "Sid": "AWSCloudTrailAclCheckForCloudTrail",
+        "Effect": "Allow",
+        "Principal": {
+            "Service": "cloudtrail.amazonaws.com"
+        },
+        "Action": "s3:GetBucketAcl",
+        "Resource": "${aws_s3_bucket.logs.arn}"
+    },
+    {
+        "Sid": "AWSCloudTrailWriteForCloudTrail",
+        "Effect": "Allow",
+        "Principal": {
+            "Service": "cloudtrail.amazonaws.com"
+        },
+        "Action": "s3:PutObject",
+        "Resource": "${aws_s3_bucket.logs.arn}/cloudtrail/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
+        "Condition": {
+            "StringEquals": {
+                "s3:x-amz-acl": "bucket-owner-full-control"
+            }
+        }
+    }
+  ]
+}
+END_OF_POLICY
+}

examples/root-example/main.tf renamed to examples/external-bucket/main.tf

@@ -7,13 +7,18 @@ provider "aws" {
 data "aws_caller_identity" "current" {
 }
 
-module "root_example" {
+resource "aws_iam_user" "admin" {
+  name = "admin"
+}
+
+module "secure_baseline" {
   source = "../../"
 
-  audit_log_bucket_name          = var.audit_s3_bucket_name
+  audit_log_bucket_name          = aws_s3_bucket.logs.id
+  use_external_audit_log_bucket  = true
   aws_account_id                 = data.aws_caller_identity.current.account_id
   region                         = var.region
-  support_iam_role_principal_arn = var.support_iam_role_principal_arn
+  support_iam_role_principal_arn = aws_iam_user.admin.arn
 
   providers = {
     aws                = aws

examples/root-example/regions.tf renamed to examples/external-bucket/regions.tf

@@ -8,10 +8,6 @@ variable "audit_s3_bucket_name" {
   description = "The name of the S3 bucket to store various audit logs."
 }
 
-variable "support_iam_role_principal_arn" {
-  description = "The ARN of the IAM principal element by which the support role could be assumed."
-}
-
 variable "region" {
   description = "The AWS region in which global resources are set up."
   default     = "us-east-1"