Added pipelines for S3 and CloudTrail services (#55)
Co-authored-by: Priyanka Chatterjee <priyanka.chatterjee@turbot.com>
1 parent
ae625fc
commit d4e6491
Showing
6 changed files
with
279 additions
and
0 deletions.
@@ -0,0 +1,60 @@ | ||
pipeline "create_cloudtrail_trail" { | ||
title = "Create CloudTrail Trail" | ||
description = "Creates a trail with specified name." | ||
|
||
param "region" { | ||
type = string | ||
description = local.region_param_description | ||
} | ||
|
||
param "cred" { | ||
type = string | ||
description = local.cred_param_description | ||
default = "default" | ||
} | ||
|
||
param "name" { | ||
type = string | ||
description = "The name of the trail." | ||
} | ||
|
||
param "bucket_name" { | ||
type = string | ||
description = "The name of the bucket." | ||
} | ||
|
||
param "is_multi_region_trail" { | ||
type = bool | ||
description = "Indicate whether a multi region trail." | ||
} | ||
|
||
param "include_global_service_events" { | ||
type = bool | ||
description = "Indicate whether to include the global service events." | ||
} | ||
|
||
param "enable_log_file_validation" { | ||
type = bool | ||
description = "Indicate whether to enable log file validation." | ||
} | ||
|
||
step "container" "create_cloudtrail_trail" { | ||
image = "public.ecr.aws/aws-cli/aws-cli" | ||
|
||
cmd = concat( | ||
["cloudtrail", "create-trail", "--name", param.name], | ||
param.bucket_name != null ? ["--s3-bucket-name", param.bucket_name] : [], | ||
param.is_multi_region_trail != null ? ["--is-multi-region-trail"] : [], | ||
param.include_global_service_events != null ? ["--include-global-service-events"] : [], | ||
param.enable_log_file_validation != null ? ["--enable-log-file-validation"] : [], | ||
|
||
) | ||
|
||
env = merge(credential.aws[param.cred].env, { AWS_REGION = param.region }) | ||
} | ||
|
||
output "trail" { | ||
description = "Information about the created trail." | ||
value = jsondecode(step.container.create_cloudtrail_trail.stdout) | ||
} | ||
} |
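Review bot: The three boolean flags at the end of the `cmd` concat are emitted whenever the parameter is non-null, not when it is true, so a caller passing `is_multi_region_trail = false` still gets `--is-multi-region-trail` (likewise for the other two); because these params are `type = bool` with no `optional = true` or default, they can never be null, so the flags are effectively unconditional. Use the value and send the negative form so `false` is honoured instead of silently ignored: `param.is_multi_region_trail ? ["--is-multi-region-trail"] : ["--no-is-multi-region-trail"],` `param.include_global_service_events ? ["--include-global-service-events"] : ["--no-include-global-service-events"],` `param.enable_log_file_validation ? ["--enable-log-file-validation"] : ["--no-enable-log-file-validation"],`. `bucket_name` has the same mismatch (required param, null-checked); either mark it `optional = true` or pass `--s3-bucket-name` unconditionally, since as far as I recall CreateTrail rejects a request without one. Note also that this pipeline exposes no `--kms-key-id`, so a trail it creates is not SSE-KMS encrypted unless `update_cloudtrail_trail` is run afterwards; that is worth a line in the description.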
44 changes: 44 additions & 0 deletions
44
pipelines/cloudtrail/put_cloudtrail_trail_event_selector.fp
@@ -0,0 +1,44 @@ | ||
pipeline "put_cloudtrail_trail_event_selector" { | ||
title = "Put event selectors to CloudTrail Trail" | ||
description = "Enables log file validation for an AWS CloudTrail trail." | ||
|
||
param "region" { | ||
type = string | ||
description = "The AWS region where the CloudTrail trail is located." | ||
} | ||
|
||
param "cred" { | ||
type = string | ||
description = "The AWS credentials to use." | ||
default = "default" | ||
} | ||
|
||
param "trail_name" { | ||
type = string | ||
description = "The name of the CloudTrail trail." | ||
} | ||
|
||
param "event_selectors" { | ||
type = string | ||
description = "The JSON string format of the event selector policy." | ||
} | ||
|
||
step "container" "set_event_selectors" { | ||
image = "public.ecr.aws/aws-cli/aws-cli" | ||
|
||
cmd = concat( | ||
[ | ||
"cloudtrail", "put-event-selectors", | ||
"--trail-name", param.trail_name, | ||
"--event-selectors", param.event_selectors | ||
] | ||
) | ||
|
||
env = merge(credential.aws[param.cred].env, { AWS_REGION = param.region }) | ||
} | ||
|
||
output "trail" { | ||
description = "The CloudTrail trail with event selectors set." | ||
value = jsondecode(step.container.set_event_selectors.stdout) | ||
} | ||
} |
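Review bot: The `description` on the third line says the pipeline "Enables log file validation for an AWS CloudTrail trail", but the step runs `cloudtrail put-event-selectors`, which is unrelated to log file validation; suggest `description = "Sets the event selectors (management and data event logging configuration) for a CloudTrail trail."`. The `concat(...)` wrapping a single list literal in `cmd` is a no-op and can be dropped. `event_selectors` is forwarded to the CLI verbatim as one argv element, so there is no shell-injection exposure here, but nothing checks that it is valid JSON; if Flowpipe's type system allows a structured list type for the param, passing `jsonencode(param.event_selectors)` would make malformed input fail at pipeline validation rather than inside the container.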
@@ -0,0 +1,28 @@ | ||
pipeline "start_cloudtrail_trail_logging" { | ||
title = "Start CloudTrail Trail logging" | ||
description = "Start logging into the bucket." | ||
|
||
param "region" { | ||
type = string | ||
description = local.region_param_description | ||
} | ||
|
||
param "cred" { | ||
type = string | ||
description = local.cred_param_description | ||
default = "default" | ||
} | ||
|
||
param "name" { | ||
type = string | ||
description = "The name of the trail." | ||
} | ||
|
||
step "container" "start_cloudtrail_trail_logging" { | ||
image = "public.ecr.aws/aws-cli/aws-cli" | ||
|
||
cmd = ["cloudtrail", "start-logging", "--name", param.name] | ||
|
||
env = merge(credential.aws[param.cred].env, { AWS_REGION = param.region }) | ||
} | ||
} |
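Review bot: The description `"Start logging into the bucket."` does not say what the step does; `cloudtrail start-logging` begins recording API activity for the named trail, delivering to whatever S3 bucket (and optional log group) the trail is already configured with. Suggest `description = "Starts recording of AWS API calls and log file delivery for the named CloudTrail trail."`. Unlike the sibling CloudTrail pipelines this one defines no `output`, which looks intentional since start-logging returns an empty response, but a one-line comment on the step saying so would save the next reader from wondering whether it was forgotten.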
@@ -0,0 +1,73 @@ | ||
pipeline "update_cloudtrail_trail" { | ||
title = "Update Cloudtrail Trail" | ||
description = "Update the cloudtrail trail" | ||
|
||
param "region" { | ||
type = string | ||
description = "The AWS region where the CloudTrail trail is located." | ||
} | ||
|
||
param "cred" { | ||
type = string | ||
description = "The AWS credentials to use." | ||
default = "default" | ||
} | ||
|
||
param "trail_name" { | ||
type = string | ||
description = "The name of the CloudTrail trail." | ||
} | ||
|
||
param "s3_bucket_name" { | ||
type = string | ||
description = "The name of the S3 Bucket." | ||
optional = true | ||
} | ||
|
||
param "enable_log_file_validation" { | ||
type = bool | ||
description = "Enable the log file validation for CloudTrail trail." | ||
default = false | ||
} | ||
|
||
param "cloudwatch_logs_log_group_arn" { | ||
type = string | ||
description = "The ARN of the Cloudwatch Logs LogGroup" | ||
optional = true | ||
} | ||
|
||
param "cloudwatch_logs_role_arn" { | ||
type = string | ||
description = "The ARN of the IAM role for Cloudwatch Logs." | ||
optional = true | ||
} | ||
|
||
param "kms_key_id" { | ||
type = string | ||
description = "The KMS key ID for the trail." | ||
optional = true | ||
} | ||
|
||
step "container" "update_cloudtrail_trail" { | ||
image = "public.ecr.aws/aws-cli/aws-cli" | ||
|
||
cmd = concat( | ||
["cloudtrail", "update-trail", | ||
"--name", param.trail_name], | ||
param.enable_log_file_validation != false ? ["--enable-log-file-validation"] : [], | ||
param.cloudwatch_logs_log_group_arn != null ? ["--cloud-watch-logs-log-group-arn", param.cloudwatch_logs_log_group_arn] : [], | ||
param.cloudwatch_logs_role_arn != null ? | ||
["--cloud-watch-logs-role-arn", param.cloudwatch_logs_role_arn] : [], | ||
param.s3_bucket_name != null ? | ||
["--s3-bucket-name", param.s3_bucket_name] : [], | ||
param.kms_key_id != null ? ["--kms-key-id", param.kms_key_id] : [] | ||
) | ||
|
||
env = merge(credential.aws[param.cred].env, { AWS_REGION = param.region }) | ||
} | ||
|
||
output "trail" { | ||
description = "The updated CloudTrail trail." | ||
value = jsondecode(step.container.update_cloudtrail_trail.stdout) | ||
} | ||
} |
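Review bot: `cloudwatch_logs_log_group_arn` and `cloudwatch_logs_role_arn` are appended to `cmd` independently, but as far as the UpdateTrail API is documented the two must be supplied together, so a caller who sets only one gets a runtime error from the CLI instead of a validation failure in Flowpipe. Either state it in the param docs (`description = "The ARN of the CloudWatch Logs log group. Must be supplied together with cloudwatch_logs_role_arn."`) or emit both flags only when both values are non-null. Separately, `param.enable_log_file_validation != false ? [...] : []` is just `param.enable_log_file_validation ? [...] : []`, and since there is no `--no-enable-log-file-validation` branch this pipeline can only turn validation on, never off; the param description should say that so callers do not expect `false` to disable it.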
@@ -0,0 +1,37 @@ | ||
pipeline "put_s3_bucket_logging" { | ||
title = "Put S3 Bucket logging" | ||
description = "Creates or modifies the Bucket logging configuration for an Amazon S3 bucket." | ||
|
||
param "region" { | ||
type = string | ||
description = local.region_param_description | ||
} | ||
|
||
param "cred" { | ||
type = string | ||
description = local.cred_param_description | ||
default = "default" | ||
} | ||
|
||
param "bucket" { | ||
type = string | ||
description = "The name of the S3 bucket." | ||
} | ||
|
||
param "bucket_logging_status" { | ||
type = string | ||
description = "Amazon S3 bucket logging enabled JSON string policy for this bucket." | ||
} | ||
|
||
step "container" "put_s3_bucket_logging" { | ||
image = "public.ecr.aws/aws-cli/aws-cli" | ||
|
||
cmd = concat( | ||
["s3api", "put-bucket-logging"], | ||
["--bucket", param.bucket], | ||
["--bucket-logging-status", param.bucket_logging_status] | ||
) | ||
|
||
env = merge(credential.aws[param.cred].env, { AWS_REGION = param.region }) | ||
} | ||
} |
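Review bot: The `bucket_logging_status` description ("bucket logging enabled JSON string policy") is hard to parse; what the CLI expects is a BucketLoggingStatus document, so something like `description = "BucketLoggingStatus document as a JSON string, e.g. {\"LoggingEnabled\": {\"TargetBucket\": \"...\", \"TargetPrefix\": \"...\"}}. An empty object {} disables logging."` would tell callers both the shape and how to turn logging off. The `concat` of three literal lists in `cmd` can be a single list literal. The value is passed as one argv element, so there is no shell-injection path, but the aws CLI treats parameter values beginning with `file://` as a path to read, so if this param is ever fed from untrusted input the caller should reject that prefix rather than rely on the container image having nothing sensitive on disk.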
@@ -0,0 +1,37 @@ | ||
pipeline "put_s3_bucket_policy" { | ||
title = "Put S3 Bucket policy" | ||
description = "Creates or modifies the Bucket policy configuration for an Amazon S3 bucket." | ||
|
||
param "region" { | ||
type = string | ||
description = local.region_param_description | ||
} | ||
|
||
param "cred" { | ||
type = string | ||
description = local.cred_param_description | ||
default = "default" | ||
} | ||
|
||
param "bucket" { | ||
type = string | ||
description = "The name of the S3 bucket." | ||
} | ||
|
||
param "policy" { | ||
type = string | ||
description = "Amazon S3 bucket policy for the bucket and its objects." | ||
} | ||
|
||
step "container" "put_s3_bucket_policy" { | ||
image = "public.ecr.aws/aws-cli/aws-cli" | ||
|
||
cmd = concat( | ||
["s3api", "put-bucket-policy"], | ||
["--bucket", param.bucket], | ||
["--policy", param.policy] | ||
) | ||
|
||
env = merge(credential.aws[param.cred].env, { AWS_REGION = param.region }) | ||
} | ||
} |
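Review bot: `s3api put-bucket-policy` replaces the whole bucket policy, so a caller who passes a single-statement document to add, say, a CloudTrail write grant silently removes every existing statement; the `policy` param description should make that explicit, e.g. `description = "Complete bucket policy document as a JSON string. This replaces any existing policy on the bucket, so include every statement that should remain."`. Nothing here validates the document, so an over-broad policy (e.g. `"Principal": "*"` with no condition) is applied as-is; if this pipeline is meant to be driven by automated remediation, consider a caller-side check or at least documenting that the input is trusted. The CLI also exposes `--confirm-remove-self-bucket-access`, which I believe is needed when the new policy would remove the caller's own ability to change it; if that case is in scope it should be a param, otherwise a comment noting it is unsupported would help.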