Merge branch 'master' into tagged-resources

Author: Michael Chmielewski

README.md

@@ -74,13 +74,18 @@ The Threat Stack configuration is defined as follows:
 module "threatstack_aws_integration" {
   source      = "github.com/threatstack/threatstack-terraform?ref=<integration_version>"
 
+  #...
+
   # Strings generated from the Threat Stack Add Account page
   threatstack = {
 
     account_id  = string 
     external_id = string
 
   }
+
+  #...
+
 }
 ```
 
@@ -91,24 +96,24 @@ module "threatstack_aws_integration" {
 
 #### AWS configuration
 
-This Terraform input variable is split into 3 sections: required settings, flag settings, and optional settings
+This Terraform input variable is split into 4 sections: required settings, flag settings, optional settings, and how to use an existing cloudtrail with this module.
 
 ##### Required settings
 
 ```hcl
 module "threatstack_aws_integration" {
   source      = "github.com/threatstack/threatstack-terraform?ref=<integration_version>"
 
-  aws_account_info = {
-
     # ...
 
+  aws_account_info = {
+
     account_id   = string
     region       = string
+  }
 
-    #...
+  #...
 
-  }
 }
 ```
 
@@ -122,19 +127,19 @@ module "threatstack_aws_integration" {
 module "threatstack_aws_integration" {
   source      = "github.com/threatstack/threatstack-terraform?ref=<integration_version>"
 
-  aws_flags = {
+  # ...
 
-    # ...
+  aws_flags = {
 
     enable_logging                = bool # Defaults to `true`
     enable_log_file_validation    = bool # Defaults to `true`
     include_global_service_events = bool # Defaults to `true`
     is_multi_region_trail         = bool # Defaults to `true`
     s3_force_destroy              = bool # Defaults to `false`
+  }
     
-    #...
+  #...
 
-  }
 }
 
 ```
@@ -148,29 +153,32 @@ module "threatstack_aws_integration" {
 
 * ___aws_flags.s3_force_destroy (optional):___ Bucket destroy will fail if the bucket is not empty.  Set to `"true"` if you REALLY want to destroy logs on teardown.
 
-
 ##### Optional settings
 
 ```hcl
 module "threatstack_aws_integration" {
   source      = "github.com/threatstack/threatstack-terraform?ref=<integration_version>"
 
-  aws_optional_conf = {
+  # ...
 
-    # ...
+  aws_optional_conf = {
 
     cloudtrail_name         = string # Defaults to "ThreatStackIntegration"
     iam_role_name           = string # Defaults to "ThreatStackIntegration"
     sns_topic_name          = string # Defaults to "ThreatStackIntegration"
     sns_topic_display_name  = string # Defaults to "Threat Stack integration topic."
     sqs_queue_name          = string # Defaults to "ThreatStackIntegration"
     s3_bucket_name          = string # Defaults to "threatstack-integration"
+<<<<<<< HEAD
     s3_bucket_prefix        = string # Defaults to "/"
     tags                    = map    # Defaults to {} (empty map)
+=======
+    s3_force_destroy        = string # Defaults to "/"
+  }
+>>>>>>> master
 
-    #...
+  #...
 
-  }
 }
 ```
 
@@ -190,6 +198,34 @@ module "threatstack_aws_integration" {
 
 * ___aws_optional_conf.tags(optional):___ Map of tags to apply to all resources.
 
+##### Using existing cloudtrail infrastructure
+
+If you already have your Cloudtrail set up, with its corresponding cloudwatch log group and S3 bucket, you can configure this module to use this infrastructure by setting the following settings. The module will still set up the SQS and SNS resources required, as well as the various IAM resources to allow for the integration to talk to Threat Stack's platform.
+
+> **NOTE:**
+> Do not define the ___existing_cloudtrail___ variable at all if you want this module to manage all of the resources for the Threat Stack integration. By default, the ___existing_cloudtrail___ variable is set to `null`
+
+```hcl
+module "threatstack_aws_integration" {
+  source      = "github.com/threatstack/threatstack-terraform?ref=<integration_version>"
+
+  # ...
+
+  existing_cloudtrail = {
+
+    cloudtrail_arn = string # The ARN of the existing cloudtrail with which you want to integrate.
+    s3_bucket_arn  = string # The ARN of the existing cloudtrail's S3 bucket
+  }
+
+  # ...
+
+}
+```
+
+* ___existing_cloudtrail.cloudtrail_arn (required if using existing cloudtrail):___ Only passed in so that it can be used as an output. Nothing in the integration directly refers to the existing cloudtrail itself.
+
+* ___existing_cloudtrail.s3_bucket_arn (required if using existing cloudtrail):___ Used by the IAM role that links the Threat Stack account to the bucket with that contains the needed data.
+
 ## Outputs
 
 ### Exposing this module's outputs to the rest of your terraform definitions
@@ -249,6 +285,8 @@ It is recommended that these outputs be rewrapped in outputs defined in your imp
 > **NOTE:**
 > You can also see this list in this module's `outputs.tf` file.
 
+> If you are defining the ___existing_cloudtrail___ block, many of these outputs will be set to `""` (an empty string).
+
 * ___cloudtrail_arn:___ ARN of CloudTrail.
 
 * ___cloudtrail_home_region:___ Home region for CloudTrail

aws_cloudtrail.tf

@@ -15,6 +15,8 @@ data "template_file" "aws_iam_cloudtrail_to_cloudwatch_policy" {
 }
 
 resource "aws_cloudwatch_log_group" "ct" {
+  count = var.existing_cloudtrail != null ? 0 : 1 # Don't create this if using an existing cloudtrail
+
   name = "/aws/cloudtrail/${var.aws_optional_conf.cloudtrail_name}"
   tags = var.aws_optional_conf.tags
 
@@ -25,30 +27,35 @@ resource "aws_cloudwatch_log_group" "ct" {
 }
 
 resource "aws_iam_role" "ct" {
+  count = var.existing_cloudtrail != null ? 0 : 1 # Don't create this if using an existing cloudtrail
+
   name               = "${var.aws_optional_conf.cloudtrail_name}-CloudTrailToCloudWatch"
   tags               = var.aws_optional_conf.tags
 
   assume_role_policy = data.template_file.aws_iam_cloudtrail_to_cloudwatch_assume_role_policy.rendered
 }
 
 resource "aws_iam_role_policy" "ct" {
+  count = var.existing_cloudtrail != null ? 0 : 1 # Don't create this if using an existing cloudtrail
+
   name   = "CloudTrailToCloudWatch"
-  role   = aws_iam_role.ct.id
+  role   = aws_iam_role.ct[0].id
   policy = data.template_file.aws_iam_cloudtrail_to_cloudwatch_policy.rendered
 }
 
 resource "aws_cloudtrail" "ct" {
+  count = var.existing_cloudtrail != null ? 0 : 1 # Don't create this if using an existing cloudtrail
+
   name                          = var.aws_optional_conf.cloudtrail_name
   tags                          = var.aws_optional_conf.tags
 
-  s3_bucket_name                = aws_s3_bucket.bucket.id
+  s3_bucket_name                = aws_s3_bucket.bucket[0].id
   enable_logging                = var.aws_flags.enable_logging
   enable_log_file_validation    = var.aws_flags.enable_log_file_validation
   include_global_service_events = var.aws_flags.include_global_service_events
   is_multi_region_trail         = var.aws_flags.is_multi_region_trail
-  cloud_watch_logs_group_arn    = "${replace(aws_cloudwatch_log_group.ct.arn, "/:\\*$/", "")}:*"
-  cloud_watch_logs_role_arn     = aws_iam_role.ct.arn
+  cloud_watch_logs_group_arn    = "${replace(aws_cloudwatch_log_group.ct[0].arn, "/:\\*$/", "")}:*"
+  cloud_watch_logs_role_arn     = aws_iam_role.ct[0].arn
   sns_topic_name                = aws_sns_topic.sns.arn
   depends_on                    = [aws_s3_bucket_policy.bucket]
 }
-

aws_iam_role.tf

@@ -12,7 +12,11 @@ data "template_file" "aws_iam_role_policy" {
   template = file("${path.module}/aws_iam_role_policy.tpl")
   vars = {
     sqs_queue_arn = aws_sqs_queue.sqs.arn
-    s3_resource   = "${aws_s3_bucket.bucket.arn}/*"
+
+    # This checks to see if a new bucket exists (null check)
+    # If it is null, just give a null so coalesce skips it
+    # If not null, return the arn of the bucket, which is what we really need
+    s3_resource   = coalesce((length(aws_s3_bucket.bucket) > 0 ? aws_s3_bucket.bucket[0].arn : ""), var.existing_cloudtrail.s3_bucket_arn)
   }
 }
 
@@ -21,7 +25,6 @@ resource "aws_iam_role" "role" {
   tags               = var.aws_optional_conf.tags
 
   assume_role_policy = data.template_file.aws_iam_assume_role_policy.rendered
-  depends_on         = [aws_iam_role_policy.ct]
 }
 
 resource "aws_iam_role_policy" "role" {

aws_s3_bucket.tf

@@ -1,14 +1,18 @@
 // AWS CloudTrail S3 Bucket
 data "template_file" "aws_s3_bucket_policy" {
+  count = var.existing_cloudtrail != null ? 0 : 1 # Don't create this if using an existing cloudtrail
+
   template = file("${path.module}/aws_s3_bucket_policy.tpl")
 
   vars = {
     aws_account_id = var.aws_account_info.account_id
-    s3_bucket_arn  = aws_s3_bucket.bucket.arn
+    s3_bucket_arn  = aws_s3_bucket.bucket[0].arn
   }
 }
 
 resource "aws_s3_bucket" "bucket" {
+  count = var.existing_cloudtrail != null ? 0 : 1 # Don't create this if using an existing cloudtrail
+
   # This is to keep things consistent and prevent conflicts across
   # environments.
   bucket = var.aws_optional_conf.s3_bucket_name
@@ -25,7 +29,9 @@ resource "aws_s3_bucket" "bucket" {
 }
 
 resource "aws_s3_bucket_policy" "bucket" {
-  bucket = aws_s3_bucket.bucket.id
-  policy = data.template_file.aws_s3_bucket_policy.rendered
+  count = var.existing_cloudtrail != null ? 0 : 1 # Don't create this if using an existing cloudtrail
+
+  bucket = aws_s3_bucket.bucket[0].id
+  policy = data.template_file.aws_s3_bucket_policy[0].rendered
 }
 

aws_sqs_queue.tf

@@ -25,4 +25,3 @@ resource "aws_sns_topic_subscription" "sqs" {
   endpoint   = aws_sqs_queue.sqs.arn
   depends_on = [aws_sqs_queue_policy.sqs]
 }
-

module_provider_constraints.tf

@@ -1,6 +1,6 @@
 terraform {
   required_providers {
-    aws       = ">= 2.0"
-    template  = "~> 2.1"
+    aws      = ">= 2.0"
+    template = "~> 2.1"
   }
 }

outputs.tf

@@ -11,43 +11,43 @@
 //    }
 
 output "cloudtrail_id" {
-  value = aws_cloudtrail.ct.id
+  value = var.existing_cloudtrail == null ? aws_cloudtrail.ct[0].id : ""
 }
 
-output "cloudtrail_home_region" {
-  value = aws_cloudtrail.ct.home_region
+output "cloudtrail_arn" {
+  value = var.existing_cloudtrail == null ? aws_cloudtrail.ct[0].arn : var.existing_cloudtrail.cloudtrail_arn
 }
 
-output "cloudtrail_arn" {
-  value = aws_cloudtrail.ct.arn
+output "cloudtrail_home_region" {
+  value = var.existing_cloudtrail == null ? aws_cloudtrail.ct[0].home_region : ""
 }
 
 output "iam_role_cloudtrail_name" {
-  value = aws_iam_role.ct.name
+  value = var.existing_cloudtrail == null ? aws_iam_role.ct[0].name : ""
 }
 
 output "iam_role_cloudtrail_arn" {
-  value = aws_iam_role.ct.arn
+  value = var.existing_cloudtrail == null ? aws_iam_role.ct[0].arn : ""
 }
 
 output "cloudwatch_log_group_arn" {
-  value = aws_cloudwatch_log_group.ct.arn
+  value = var.existing_cloudtrail == null ? aws_cloudwatch_log_group.ct[0].arn : ""
 }
 
-output "iam_role_name" {
-  value = aws_iam_role.role.name
+output "s3_bucket_id" {
+  value = var.existing_cloudtrail == null ? aws_s3_bucket.bucket[0].id : ""
 }
 
-output "iam_role_arn" {
-  value = aws_iam_role.role.arn
+output "s3_bucket_arn" {
+  value = coalesce((length(aws_s3_bucket.bucket) > 0 ? aws_s3_bucket.bucket[0].arn : ""), var.existing_cloudtrail.s3_bucket_arn)
 }
 
-output "s3_bucket_id" {
-  value = aws_s3_bucket.bucket.id
+output "iam_role_name" {
+  value = aws_iam_role.role.name
 }
 
-output "s3_bucket_arn" {
-  value = aws_s3_bucket.bucket.arn
+output "iam_role_arn" {
+  value = aws_iam_role.role.arn
 }
 
 output "sns_topic_arn" {

temp_provider.tf

@@ -0,0 +1,4 @@
+provider "aws" {
+  version = "~> 2.19"
+  region  = "us-east-1"
+}

variables.tf

@@ -24,16 +24,28 @@ variable "threatstack" {
 variable "aws_account_info" {
   description = "(REQUIRED) AWS account settings"
   type = object({
-    account_id   = string
-    region       = string
+    account_id = string
+    region     = string
   })
 
   default = {
-    account_id   = null
-    region       = null
+    account_id = null
+    region     = null
   }
 }
 
+# Setting for integrating with an existing cloudtrail resource
+#
+variable "existing_cloudtrail" {
+  description = "(Optional) Uses existing cloudtrail infrastructure instead of creating all new resources"
+  type = object({
+    cloudtrail_arn = string
+    s3_bucket_arn  = string
+  })
+
+  default = null
+}
+
 # AWS-related configuration flags (Optional)
 #
 # The flags have defaults, so the module can work without these explicitly set