terraform/nixpkgs-tarballs: use cloudtrails without cloudwatch
we don't need the fancy UI, json logs are enough for our use case.
Also this way we don't need to create a role.
Mic92 committed Aug 19, 2024
1 parent 101efde commit f5fd9bb
Showing 1 changed file with 58 additions and 41 deletions.
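--- a/terraform/nixpkgs-tarballs.tf
+++ b/terraform/nixpkgs-tarballs.tf
@@ -299,13 +299,69 @@ resource "aws_s3_bucket" "nixpkgs-tarballs-cloudtrail-logs" {
 }
 }
 
+# Attach a policy to the CloudTrail logs S3 bucket
+data "aws_iam_policy_document" "nixpkgs-tarballs-cloudtrail-logs-policy" {
+statement {
+sid = "AWSCloudTrailAclCheck"
+effect = "Allow"
+
+principals {
+type = "Service"
+identifiers = ["cloudtrail.amazonaws.com"]
+}
+
+actions = ["s3:GetBucketAcl"]
+resources = [aws_s3_bucket.nixpkgs-tarballs-cloudtrail-logs.arn]
+condition {
+test = "StringEquals"
+variable = "aws:SourceArn"
+values = ["arn:${data.aws_partition.current.partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/nixpkgs-tarballs"]
+}
+}
+
+statement {
+sid = "AWSCloudTrailWrite"
+effect = "Allow"
+
+principals {
+type = "Service"
+identifiers = ["cloudtrail.amazonaws.com"]
+}
+
+actions = ["s3:PutObject"]
+resources = ["${aws_s3_bucket.nixpkgs-tarballs-cloudtrail-logs.arn}/*"]
+
+condition {
+test = "StringEquals"
+variable = "s3:x-amz-acl"
+values = ["bucket-owner-full-control"]
+}
+condition {
+test = "StringEquals"
+variable = "aws:SourceArn"
+values = ["arn:${data.aws_partition.current.partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/nixpkgs-tarballs"]
+}
+}
+}
+
+data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+data "aws_region" "current" {}
+
+resource "aws_s3_bucket_policy" "nixpkgs-tarballs-cloudtrail-logs-policy" {
+bucket = aws_s3_bucket.nixpkgs-tarballs-cloudtrail-logs.id
+policy = data.aws_iam_policy_document.nixpkgs-tarballs-cloudtrail-logs-policy.json
+}
+
 # Create a CloudTrail
 resource "aws_cloudtrail" "nixpkgs-tarballs" {
 name = "nixpkgs-tarballs"
 s3_bucket_name = aws_s3_bucket.nixpkgs-tarballs-cloudtrail-logs.bucket
 enable_log_file_validation = true
-cloud_watch_logs_role_arn = aws_iam_role.nixpkgs-tarballs-cloudtrail.arn
-depends_on = [aws_s3_bucket.nixpkgs-tarballs-cloudtrail-logs]
+depends_on = [
+aws_s3_bucket_policy.nixpkgs-tarballs-cloudtrail-logs-policy
+]
+# You must specify a log group and a role ARN.
 
 event_selector {
 read_write_type = "WriteOnly"
@@ -317,42 +373,3 @@ resource "aws_cloudtrail" "nixpkgs-tarballs" {
 }
 }
 }
-
-# Create an IAM role for CloudTrail to write logs to CloudWatch
-resource "aws_iam_role" "nixpkgs-tarballs-cloudtrail" {
-name = "nixpkgs-tarballs-cloudtrail"
-
-assume_role_policy = jsonencode({
-Version = "2012-10-17"
-Statement = [
-{
-Action = "sts:AssumeRole"
-Effect = "Allow"
-Principal = {
-Service = "cloudtrail.amazonaws.com"
-}
-},
-]
-})
-}
-
-# Attach the policy to allow CloudTrail to publish to CloudWatch Logs
-resource "aws_iam_role_policy" "nixpkgs-tarballs-cloudtrail" {
-name = "cloudtrail-nixpkgs-policy"
-role = aws_iam_role.nixpkgs-tarballs-cloudtrail.id
-
-policy = jsonencode({
-Version = "2012-10-17"
-Statement = [
-{
-Action = [
-"logs:CreateLogGroup",
-"logs:CreateLogStream",
-"logs:PutLogEvents",
-]
-Effect = "Allow"
-Resource = "*"
-},
-]
-})
-}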
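Review bot: The comment `# You must specify a log group and a role ARN.` added right after the new `depends_on` block in the `aws_cloudtrail` resource is stale: this commit removes `cloud_watch_logs_role_arn`, so there is no longer a log group or role to specify, and the line now reads as an unmet requirement. Replace it with a comment that records the intent, e.g. `# CloudWatch Logs delivery is intentionally not configured; the trail writes only to the S3 bucket above.` The `aws:SourceArn` conditions on both bucket-policy statements pin delivery to this account's `trail/nixpkgs-tarballs`, which is the right confused-deputy guard for a service principal, and the `depends_on` on the bucket policy correctly orders trail creation after the policy it validates. The remaining arguments of the `aws_cloudtrail` block (for example whether a KMS key or multi-region setting is present) are collapsed between the two hunks, so they are not reviewed here.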
