Merge pull request #69 from trussworks/cblkwell-173722122-encrypt-cloudwatch

cblkwell · web-flow · commit b1cdea21d393 · 2020-07-13T15:27:02.000-05:00
Mandatory encryption for S3 and Cloudwatch Logs
diff --git a/.markdownlintrc b/.markdownlintrc
@@ -3,5 +3,6 @@
   "first-header-h1": false,
   "first-line-h1": false,
   "line_length": false,
-  "no-multiple-blanks": false
+  "no-multiple-blanks": false,
+  "commands-show-output": false
 }
diff --git a/README.md b/README.md
@@ -5,7 +5,7 @@ This module creates AWS CloudTrail and configures it so that logs go to cloudwat
 
 ## Terraform Versions
 
-Terraform 0.12. Pin module version to `~> 2.X`. Submit pull-requests to `master` branch.
+Terraform 0.12. Pin module version to `~> 3.X`. Submit pull-requests to `master` branch.
 
 Terraform 0.11. Pin module version to `~> 1.X`. Submit pull-requests to `terraform011` branch.
 
@@ -19,6 +19,15 @@ module "aws_cloudtrail" {
 }
 ```
 
+## Upgrade Instructions for v2 -> v3
+
+Starting in v3, encryption is not optional and will be on for both logs
+delivered to S3 and Cloudwatch Logs. The KMS key resource created this
+module will be used to encrypt both S3 and Cloudwatch-based logs.
+
+Because of this change, remove the `encrypt_cloudtrail` parameter from
+previous invocations of the module prior to upgrading the version.
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
@@ -38,7 +47,6 @@ module "aws_cloudtrail" {
 |------|-------------|------|---------|:--------:|
 | cloudwatch\_log\_group\_name | The name of the CloudWatch Log Group that receives CloudTrail events. | `string` | `"cloudtrail-events"` | no |
 | enabled | Enables logging for the trail. Defaults to true. Setting this to false will pause logging. | `bool` | `true` | no |
-| encrypt\_cloudtrail | Whether or not to use a custom KMS key to encrypt CloudTrail logs. | `string` | `"false"` | no |
 | key\_deletion\_window\_in\_days | Duration in days after which the key is deleted after destruction of the resource, must be 7-30 days.  Default 30 days. | `string` | `30` | no |
 | log\_retention\_days | Number of days to keep AWS logs around in specific log group. | `string` | `90` | no |
 | org\_trail | Whether or not this is an organization trail. Only valid in master account. | `string` | `"false"` | no |
diff --git a/examples/simple/main.tf b/examples/simple/main.tf
@@ -7,8 +7,6 @@ module "aws_cloudtrail" {
 
   s3_bucket_name = module.logs.aws_logs_bucket
   s3_key_prefix  = var.s3_key_prefix
-
-  encrypt_cloudtrail = var.encrypt_cloudtrail
 }
 
 module "logs" {
diff --git a/examples/simple/variables.tf b/examples/simple/variables.tf
@@ -17,7 +17,3 @@ variable "trail_name" {
 variable "cloudwatch_log_group_name" {
   type = string
 }
-
-variable "encrypt_cloudtrail" {
-  type = bool
-}
diff --git a/main.tf b/main.tf
@@ -38,6 +38,7 @@ resource "aws_iam_role" "cloudtrail_cloudwatch_role" {
 resource "aws_cloudwatch_log_group" "cloudtrail" {
   name              = var.cloudwatch_log_group_name
   retention_in_days = var.log_retention_days
+  kms_key_id        = aws_kms_key.cloudtrail.arn
 
   tags = {
     Automation = "Terraform"
@@ -206,11 +207,29 @@ data "aws_iam_policy_document" "cloudtrail_kms_policy_doc" {
 
     resources = ["*"]
   }
+
+  statement {
+    sid    = "Allow logs KMS access"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
+    }
+
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+    resources = ["*"]
+  }
+
 }
 
 resource "aws_kms_key" "cloudtrail" {
-  count = var.encrypt_cloudtrail ? 1 : 0
-
   description             = "A KMS key used to encrypt CloudTrail log files stored in S3."
   deletion_window_in_days = var.key_deletion_window_in_days
   enable_key_rotation     = "true"
@@ -222,10 +241,8 @@ resource "aws_kms_key" "cloudtrail" {
 }
 
 resource "aws_kms_alias" "cloudtrail" {
-  count = var.encrypt_cloudtrail ? 1 : 0
-
   name          = "alias/${var.trail_name}"
-  target_key_id = aws_kms_key.cloudtrail[0].key_id
+  target_key_id = aws_kms_key.cloudtrail.key_id
 }
 
 #
@@ -253,7 +270,7 @@ resource "aws_cloudtrail" "main" {
   # enable log file validation to detect tampering
   enable_log_file_validation = true
 
-  kms_key_id = var.encrypt_cloudtrail ? aws_kms_key.cloudtrail[0].arn : null
+  kms_key_id = aws_kms_key.cloudtrail.arn
 
   # Enables logging for the trail. Defaults to true. Setting this to false will pause logging.
   enable_logging = var.enabled
diff --git a/test/terraform_aws_cloudtrail_test.go b/test/terraform_aws_cloudtrail_test.go
@@ -40,35 +40,6 @@ func IsLogging(t *testing.T, region string, trailName string) (bool, error) {
 	return *trailStatus.IsLogging, nil
 }
 
-func TestTerraformAwsCloudtrail(t *testing.T) {
-	testName := fmt.Sprintf("terratest-aws-cloudtrail-%s", strings.ToLower(random.UniqueId()))
-	tempTestFolder := test_structure.CopyTerraformFolderToTemp(t, "../", "examples/simple")
-
-	terraformOptions := &terraform.Options{
-		TerraformDir: tempTestFolder,
-		Vars: map[string]interface{}{
-			"trail_name":                testName,
-			"cloudwatch_log_group_name": testName,
-			"logs_bucket":               testName,
-			"region":                    awsRegion,
-			"s3_key_prefix":             "testName",
-			"encrypt_cloudtrail":        false,
-		},
-		EnvVars: map[string]string{
-			"AWS_DEFAULT_REGION": awsRegion,
-		},
-	}
-
-	defer terraform.Destroy(t, terraformOptions)
-	terraform.InitAndApply(t, terraformOptions)
-
-	cloudtrailArn := terraform.Output(t, terraformOptions, "cloudtrail_arn")
-	isLogging, err := IsLogging(t, awsRegion, cloudtrailArn)
-	assert.NoError(t, err)
-	assert.True(t, isLogging)
-
-}
-
 func TestTerraformAwsCloudtrailEncryption(t *testing.T) {
 	testName := fmt.Sprintf("terratest-aws-cloudtrail-%s", strings.ToLower(random.UniqueId()))
 	tempTestFolder := test_structure.CopyTerraformFolderToTemp(t, "../", "examples/simple")
@@ -81,7 +52,6 @@ func TestTerraformAwsCloudtrailEncryption(t *testing.T) {
 			"logs_bucket":               testName,
 			"region":                    awsRegion,
 			"s3_key_prefix":             "testName",
-			"encrypt_cloudtrail":        true,
 		},
 		EnvVars: map[string]string{
 			"AWS_DEFAULT_REGION": awsRegion,
diff --git a/variables.tf b/variables.tf
@@ -27,12 +27,6 @@ variable "org_trail" {
   type        = string
 }
 
-variable "encrypt_cloudtrail" {
-  description = "Whether or not to use a custom KMS key to encrypt CloudTrail logs."
-  default     = "false"
-  type        = string
-}
-
 variable "key_deletion_window_in_days" {
   description = "Duration in days after which the key is deleted after destruction of the resource, must be 7-30 days.  Default 30 days."
   default     = 30

Original file line number	Diff line number	Diff line change
`@@ -3,5 +3,6 @@`
`3`	`3`	`"first-header-h1": false,`
`4`	`4`	`"first-line-h1": false,`
`5`	`5`	`"line_length": false,`
`6`		`- "no-multiple-blanks": false`
	`6`	`+ "no-multiple-blanks": false,`
	`7`	`+ "commands-show-output": false`
`7`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,8 +7,6 @@ module "aws_cloudtrail" {`
`7`	`7`
`8`	`8`	`s3_bucket_name = module.logs.aws_logs_bucket`
`9`	`9`	`s3_key_prefix = var.s3_key_prefix`
`10`		`-`
`11`		`- encrypt_cloudtrail = var.encrypt_cloudtrail`
`12`	`10`	`}`
`13`	`11`
`14`	`12`	`module "logs" {`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,3 @@ variable "trail_name" {`
`17`	`17`	`variable "cloudwatch_log_group_name" {`
`18`	`18`	`type = string`
`19`	`19`	`}`
`20`		`-`
`21`		`-variable "encrypt_cloudtrail" {`
`22`		`- type = bool`
`23`		`-}`