

Added pipelines for S3 and CloudTrail services (#55)
Co-authored-by: Priyanka Chatterjee <priyanka.chatterjee@turbot.com>
ParthaI and Priyanka-Chatterjee-2000 authored May 24, 2024
1 parent ae625fc commit d4e6491
Showing 6 changed files with 279 additions and 0 deletions.
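--- a/pipelines/cloudtrail/create_cloudtrail_trail.fp
+++ b/pipelines/cloudtrail/create_cloudtrail_trail.fp
@@ -0,0 +1,60 @@
+pipeline "create_cloudtrail_trail" {
+title = "Create CloudTrail Trail"
+description = "Creates a trail with specified name."
+
+param "region" {
+type = string
+description = local.region_param_description
+}
+
+param "cred" {
+type = string
+description = local.cred_param_description
+default = "default"
+}
+
+param "name" {
+type = string
+description = "The name of the trail."
+}
+
+param "bucket_name" {
+type = string
+description = "The name of the bucket."
+}
+
+param "is_multi_region_trail" {
+type = bool
+description = "Indicate whether a multi region trail."
+}
+
+param "include_global_service_events" {
+type = bool
+description = "Indicate whether to include the global service events."
+}
+
+param "enable_log_file_validation" {
+type = bool
+description = "Indicate whether to enable log file validation."
+}
+
+step "container" "create_cloudtrail_trail" {
+image = "public.ecr.aws/aws-cli/aws-cli"
+
+cmd = concat(
+["cloudtrail", "create-trail", "--name", param.name],
+param.bucket_name != null ? ["--s3-bucket-name", param.bucket_name] : [],
+param.is_multi_region_trail != null ? ["--is-multi-region-trail"] : [],
+param.include_global_service_events != null ? ["--include-global-service-events"] : [],
+param.enable_log_file_validation != null ? ["--enable-log-file-validation"] : [],
+
+)
+
+env = merge(credential.aws[param.cred].env, { AWS_REGION = param.region })
+}
+
+output "trail" {
+description = "Information about the created trail."
+value = jsondecode(step.container.create_cloudtrail_trail.stdout)
+}
+}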
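Review bot: The three boolean flags starting at `param.is_multi_region_trail != null ? ["--is-multi-region-trail"] : []` test for null rather than for the value, and since none of these params is optional a caller who passes `false` still gets the flag emitted — `enable_log_file_validation = false` enables validation and `is_multi_region_trail = false` creates a multi-region trail. The AWS CLI exposes explicit negative forms, so the branches should switch on the value: `param.is_multi_region_trail ? ["--is-multi-region-trail"] : ["--no-is-multi-region-trail"]`, `param.include_global_service_events ? ["--include-global-service-events"] : ["--no-include-global-service-events"]`, `param.enable_log_file_validation ? ["--enable-log-file-validation"] : ["--no-enable-log-file-validation"]`. `bucket_name` is likewise non-optional, so its null guard never fires; create-trail requires `--s3-bucket-name` in any case. The sibling update_cloudtrail_trail pipeline accepts a `kms_key_id`; offering the same optional param here would let a trail be created with SSE-KMS from the start instead of being patched afterwards.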
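--- a/pipelines/cloudtrail/put_cloudtrail_trail_event_selector.fp
+++ b/pipelines/cloudtrail/put_cloudtrail_trail_event_selector.fp
@@ -0,0 +1,44 @@
+pipeline "put_cloudtrail_trail_event_selector" {
+title = "Put event selectors to CloudTrail Trail"
+description = "Enables log file validation for an AWS CloudTrail trail."
+
+param "region" {
+type = string
+description = "The AWS region where the CloudTrail trail is located."
+}
+
+param "cred" {
+type = string
+description = "The AWS credentials to use."
+default = "default"
+}
+
+param "trail_name" {
+type = string
+description = "The name of the CloudTrail trail."
+}
+
+param "event_selectors" {
+type = string
+description = "The JSON string format of the event selector policy."
+}
+
+step "container" "set_event_selectors" {
+image = "public.ecr.aws/aws-cli/aws-cli"
+
+cmd = concat(
+[
+"cloudtrail", "put-event-selectors",
+"--trail-name", param.trail_name,
+"--event-selectors", param.event_selectors
+]
+)
+
+env = merge(credential.aws[param.cred].env, { AWS_REGION = param.region })
+}
+
+output "trail" {
+description = "The CloudTrail trail with event selectors set."
+value = jsondecode(step.container.set_event_selectors.stdout)
+}
+}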
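Review bot: The pipeline description `description = "Enables log file validation for an AWS CloudTrail trail."` is copied from another pipeline and does not describe this one, which sets event selectors; suggested wording: `description = "Sets the event selectors on an AWS CloudTrail trail, replacing any selectors currently configured."`. Because put-event-selectors replaces rather than merges the trail's selector set, a caller who submits a narrower `event_selectors` document silently stops recording whatever the previous selectors covered (data events, for example), which is worth stating in the `event_selectors` param description too. The document is forwarded as an opaque string; the CLI rejects malformed JSON, but nothing here checks that the selectors are at least as broad as the ones being replaced, so that check stays with the caller.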
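--- a/pipelines/cloudtrail/start_cloudtrail_trail_logging.fp
+++ b/pipelines/cloudtrail/start_cloudtrail_trail_logging.fp
@@ -0,0 +1,28 @@
+pipeline "start_cloudtrail_trail_logging" {
+title = "Start CloudTrail Trail logging"
+description = "Start logging into the bucket."
+
+param "region" {
+type = string
+description = local.region_param_description
+}
+
+param "cred" {
+type = string
+description = local.cred_param_description
+default = "default"
+}
+
+param "name" {
+type = string
+description = "The name of the trail."
+}
+
+step "container" "start_cloudtrail_trail_logging" {
+image = "public.ecr.aws/aws-cli/aws-cli"
+
+cmd = ["cloudtrail", "start-logging", "--name", param.name]
+
+env = merge(credential.aws[param.cred].env, { AWS_REGION = param.region })
+}
+}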
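Review bot: `description = "Start logging into the bucket."` is imprecise — start-logging switches on recording of API activity for the trail, and where the events land is fixed by the trail's own configuration, not by this pipeline; suggested: `description = "Starts recording of AWS API activity for the named CloudTrail trail (cloudtrail start-logging)."`. The trail parameter is called `name` here and in create_cloudtrail_trail but `trail_name` in update_cloudtrail_trail and put_cloudtrail_trail_event_selector; one spelling across the four pipelines would make them easier to chain. Leaving out an `output` block is right, since start-logging returns no body, but a one-line comment on the step saying so would stop a later maintainer from adding a `jsondecode` over empty stdout.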
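--- a/pipelines/cloudtrail/update_cloudtrail_trail.fp
+++ b/pipelines/cloudtrail/update_cloudtrail_trail.fp
@@ -0,0 +1,73 @@
+pipeline "update_cloudtrail_trail" {
+title = "Update Cloudtrail Trail"
+description = "Update the cloudtrail trail"
+
+param "region" {
+type = string
+description = "The AWS region where the CloudTrail trail is located."
+}
+
+param "cred" {
+type = string
+description = "The AWS credentials to use."
+default = "default"
+}
+
+param "trail_name" {
+type = string
+description = "The name of the CloudTrail trail."
+}
+
+param "s3_bucket_name" {
+type = string
+description = "The name of the S3 Bucket."
+optional = true
+}
+
+param "enable_log_file_validation" {
+type = bool
+description = "Enable the log file validation for CloudTrail trail."
+default = false
+}
+
+param "cloudwatch_logs_log_group_arn" {
+type = string
+description = "The ARN of the Cloudwatch Logs LogGroup"
+optional = true
+}
+
+param "cloudwatch_logs_role_arn" {
+type = string
+description = "The ARN of the IAM role for Cloudwatch Logs."
+optional = true
+}
+
+param "kms_key_id" {
+type = string
+description = "The KMS key ID for the trail."
+optional = true
+}
+
+step "container" "update_cloudtrail_trail" {
+image = "public.ecr.aws/aws-cli/aws-cli"
+
+cmd = concat(
+["cloudtrail", "update-trail",
+"--name", param.trail_name],
+param.enable_log_file_validation != false ? ["--enable-log-file-validation"] : [],
+param.cloudwatch_logs_log_group_arn != null ? ["--cloud-watch-logs-log-group-arn", param.cloudwatch_logs_log_group_arn] : [],
+param.cloudwatch_logs_role_arn != null ?
+["--cloud-watch-logs-role-arn", param.cloudwatch_logs_role_arn] : [],
+param.s3_bucket_name != null ?
+["--s3-bucket-name", param.s3_bucket_name] : [],
+param.kms_key_id != null ? ["--kms-key-id", param.kms_key_id] : []
+)
+
+env = merge(credential.aws[param.cred].env, { AWS_REGION = param.region })
+}
+
+output "trail" {
+description = "The updated CloudTrail trail."
+value = jsondecode(step.container.update_cloudtrail_trail.stdout)
+}
+}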
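Review bot: At `param.enable_log_file_validation != false ? ["--enable-log-file-validation"] : []` a value of `false` emits nothing, so this pipeline can switch validation on but never off, and the param description `"Enable the log file validation for CloudTrail trail."` does not say so; either document it — `description = "Enable log file validation for the trail. false leaves the current setting unchanged; this pipeline never disables validation."` — or make the param optional and emit `--no-enable-log-file-validation` when it is explicitly false. The same kind of bool is tested with `!= null` in create_cloudtrail_trail, so the two pipelines currently treat an identical input differently. `cloudwatch_logs_log_group_arn` and `cloudwatch_logs_role_arn` are each optional on their own, but the CloudTrail API expects the two together, so a caller who supplies only one gets a CLI error instead of a clear message from the pipeline; a note in both param descriptions would help. `kms_key_id` likewise presumes the key policy already lets CloudTrail use the key, which this step cannot verify.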
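--- a/pipelines/s3/put_s3_bucket_logging.fp
+++ b/pipelines/s3/put_s3_bucket_logging.fp
@@ -0,0 +1,37 @@
+pipeline "put_s3_bucket_logging" {
+title = "Put S3 Bucket logging"
+description = "Creates or modifies the Bucket logging configuration for an Amazon S3 bucket."
+
+param "region" {
+type = string
+description = local.region_param_description
+}
+
+param "cred" {
+type = string
+description = local.cred_param_description
+default = "default"
+}
+
+param "bucket" {
+type = string
+description = "The name of the S3 bucket."
+}
+
+param "bucket_logging_status" {
+type = string
+description = "Amazon S3 bucket logging enabled JSON string policy for this bucket."
+}
+
+step "container" "put_s3_bucket_logging" {
+image = "public.ecr.aws/aws-cli/aws-cli"
+
+cmd = concat(
+["s3api", "put-bucket-logging"],
+["--bucket", param.bucket],
+["--bucket-logging-status", param.bucket_logging_status]
+)
+
+env = merge(credential.aws[param.cred].env, { AWS_REGION = param.region })
+}
+}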
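Review bot: The `bucket_logging_status` description `"Amazon S3 bucket logging enabled JSON string policy for this bucket."` does not tell the caller what document is expected; suggested: `description = "BucketLoggingStatus JSON document, e.g. {\"LoggingEnabled\": {\"TargetBucket\": \"<log-bucket>\", \"TargetPrefix\": \"<prefix>/\"}}. An empty object turns server access logging off."`. Since an empty status disables logging, this pipeline removes a logging control as readily as it adds one, which the pipeline description should state rather than only "creates or modifies". The call also presumes the target bucket already allows the S3 logging service principal to write to it; that precondition is not checked here and the API error when it is missing is not self-explanatory, so a sentence about it in the description would save callers a round trip.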
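--- a/pipelines/s3/put_s3_bucket_policy.fp
+++ b/pipelines/s3/put_s3_bucket_policy.fp
@@ -0,0 +1,37 @@
+pipeline "put_s3_bucket_policy" {
+title = "Put S3 Bucket policy"
+description = "Creates or modifies the Bucket policy configuration for an Amazon S3 bucket."
+
+param "region" {
+type = string
+description = local.region_param_description
+}
+
+param "cred" {
+type = string
+description = local.cred_param_description
+default = "default"
+}
+
+param "bucket" {
+type = string
+description = "The name of the S3 bucket."
+}
+
+param "policy" {
+type = string
+description = "Amazon S3 bucket policy for the bucket and its objects."
+}
+
+step "container" "put_s3_bucket_policy" {
+image = "public.ecr.aws/aws-cli/aws-cli"
+
+cmd = concat(
+["s3api", "put-bucket-policy"],
+["--bucket", param.bucket],
+["--policy", param.policy]
+)
+
+env = merge(credential.aws[param.cred].env, { AWS_REGION = param.region })
+}
+}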
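Review bot: put-bucket-policy replaces the entire policy on the bucket, and this pipeline forwards an arbitrary `policy` string, so a caller who wants to add one statement and passes only that statement silently drops every existing Allow and Deny, including any public-access or TLS-only guard rails; the description should say so: `description = "Replaces the bucket policy of an Amazon S3 bucket with the given document; existing statements are not merged."`. Callers adding a statement should fetch the current policy with get-bucket-policy and submit the merged document. The CLI's `--confirm-remove-self-bucket-access` defaults to off, which gives some protection against a document that locks out the calling principal, but nothing here guards against a document that grants broader access than intended, and that remains the caller's responsibility.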
