├── .gitignore
├── README.md
├── main.tf
├── output.tf
└── variables.tf


/.gitignore:
--------------------------------------------------------------------------------
1 | .terraform
2 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # terraform-cloud-custodian
 2 | 
 3 | ## WARNING
 4 | 
 5 | This module is in heavy development and is not yet ready for production use
 6 | 
 7 | # Example
 8 | 
 9 | ```
10 | # the module itself
11 | module "custodian" {
12 |   source         = "/Users/Lee/github/terraform-cloud-custodian"
13 |   s3_bucket_name = "lbriggs-cloud-custodian-output"
14 |   name           = "custodian"
15 |   namespace      = "lbriggs"
16 |   stage          = "dev"
17 |   region         = "us-west-2"
18 | }
19 | 
20 | 
21 | # additional policy attachments for your custodian functions
22 | resource "aws_iam_role_policy_attachment" "ec2" {
23 |   role       = "${module.custodian.role_arn}"
24 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
25 | }
26 | ```
27 | 


--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
  1 | module "cloudtrail" {
  2 |   source                        = "git::https://github.com/cloudposse/terraform-aws-cloudtrail.git?ref=master"
  3 |   namespace                     = "${var.namespace}"
  4 |   stage                         = "${var.stage}"
  5 |   name                          = "${var.name}"
  6 |   enable_log_file_validation    = "true"
  7 |   include_global_service_events = "true"
  8 |   is_multi_region_trail         = "false"
  9 |   enable_logging                = "true"
 10 |   s3_bucket_name                = "${module.cloudtrail_s3_bucket.bucket_id}"
 11 | 
 12 |   event_selector = [
 13 |     {
 14 |       read_write_type           = "All"
 15 |       include_management_events = true
 16 | 
 17 |       data_resource = [{
 18 |         type   = "AWS::Lambda::Function"
 19 |         values = ["arn:aws:lambda"]
 20 |       }]
 21 |     },
 22 |   ]
 23 | }
 24 | 
 25 | module "cloudtrail_s3_bucket" {
 26 |   source    = "git::https://github.com/cloudposse/terraform-aws-cloudtrail-s3-bucket.git?ref=master"
 27 |   namespace = "${var.namespace}"
 28 |   stage     = "${var.stage}"
 29 |   name      = "${var.name}-cloudtrail-logs"
 30 |   region    = "${var.region}"
 31 | }
 32 | 
 33 | resource "aws_s3_bucket" "custodian_output" {
 34 |   bucket = "${var.namespace}-${var.stage}-${var.region}-${var.name}-custodian-output"
 35 | 
 36 |   tags {
 37 |     Name      = "${var.name}-custodian-output"
 38 |     Namespace = "${var.namespace}"
 39 |     Stage     = "${var.stage}"
 40 |   }
 41 | 
 42 |   versioning {
 43 |     enabled = true
 44 |   }
 45 | 
 46 |   force_destroy = true
 47 | }
 48 | 
 49 | module "cloudtrail_sqs_queue" {
 50 |   source = "git::https://github.com/terraform-aws-modules/terraform-aws-sqs.git?ref=master"
 51 |   name   = "${var.namespace}-${var.stage}-${var.region}-${var.name}-sqs"
 52 | 
 53 |   tags = {
 54 |     Namespace = "${var.namespace}"
 55 |     Stage     = "${var.stage}"
 56 |   }
 57 | }
 58 | 
 59 | resource "aws_iam_role" "role" {
 60 |   name = "${var.name}-role"
 61 |   path = "/${var.namespace}/${var.stage}/"
 62 | 
 63 |   assume_role_policy = <<EOF
 64 | {
 65 |   "Version": "2012-10-17",
 66 |   "Statement": [
 67 |     {
 68 |       "Action": "sts:AssumeRole",
 69 |       "Principal": {
 70 |         "Service": "lambda.amazonaws.com"
 71 |       },
 72 |       "Effect": "Allow"
 73 |       }
 74 |   ]
 75 | }
 76 | EOF
 77 | }
 78 | 
 79 | resource "aws_iam_policy" "custodian_output_s3_policy" {
 80 |   name        = "${var.region}-${var.name}-s3-policy"
 81 |   path        = "/${var.namespace}/${var.stage}/"
 82 |   description = "Allow Custodian to Write to S3 Bucket"
 83 | 
 84 |   policy = <<EOF
 85 | {
 86 |   "Version": "2012-10-17",
 87 |   "Statement": [
 88 | 		{
 89 |             "Effect": "Allow",
 90 |             "Action": [
 91 |                 "s3:GetBucketLocation",
 92 |                 "s3:ListAllMyBuckets"
 93 |             ],
 94 |             "Resource": "*"
 95 |         },
 96 |         {
 97 |             "Effect": "Allow",
 98 |             "Action": ["s3:ListBucket"],
 99 |             "Resource": ["${aws_s3_bucket.custodian_output.arn}"]
100 |         },
101 |         {
102 |             "Effect": "Allow",
103 |             "Action": [
104 |                 "s3:PutObject",
105 |                 "s3:GetObject"
106 |             ],
107 |             "Resource": ["${aws_s3_bucket.custodian_output.arn}/*"]
108 |         }	
109 |   ]
110 | }
111 | EOF
112 | }
113 | 
114 | resource "aws_iam_role_policy_attachment" "s3_output" {
115 |   role       = "${aws_iam_role.role.name}"
116 |   policy_arn = "${aws_iam_policy.custodian_output_s3_policy.arn}"
117 | }
118 | 
119 | resource "aws_iam_role_policy_attachment" "cloudtrail" {
120 |   role       = "${aws_iam_role.role.name}"
121 |   policy_arn = "arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess"
122 | }
123 | 
124 | resource "aws_iam_role_policy_attachment" "cloudwatchlogs" {
125 |   role       = "${aws_iam_role.role.name}"
126 |   policy_arn = "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
127 | }
128 | 
129 | resource "aws_iam_role_policy_attachment" "sqs" {
130 |   role       = "${aws_iam_role.role.name}"
131 |   policy_arn = "arn:aws:iam::aws:policy/AmazonSQSFullAccess"
132 | }
133 | 
134 | # Needs this to do Looksup
135 | # FIXME: reduce scope
136 | resource "aws_iam_role_policy_attachment" "iam" {
137 |   role       = "${aws_iam_role.role.name}"
138 |   policy_arn = "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
139 | }
140 | 
141 | resource "aws_iam_role_policy_attachment" "tags" {
142 |   role       = "${aws_iam_role.role.name}"
143 |   policy_arn = "arn:aws:iam::aws:policy/ResourceGroupsandTagEditorReadOnlyAccess"
144 | }
145 | 


--------------------------------------------------------------------------------
/output.tf:
--------------------------------------------------------------------------------
 1 | output "bucket_id" {
 2 |   description = "Name of the bucket."
 3 |   value       = "${aws_s3_bucket.custodian_output.id}"
 4 | }
 5 | 
 6 | output "bucket_arn" {
 7 |   description = "ARN of the bucket."
 8 |   value       = "${aws_s3_bucket.custodian_output.arn}"
 9 | }
10 | 
11 | output "role_arn" {
12 |   description = "ARN of the role created."
13 |   value       = "${aws_iam_role.role.name}"
14 | }
15 | 


--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "namespace" {
 2 |   description = "A namespace for all the resources to live in"
 3 | }
 4 | 
 5 | variable "stage" {
 6 |   description = "A development stage (Eg. dev, stg, prod)"
 7 | }
 8 | 
 9 | variable "name" {
10 |   description = "Name of invocation"
11 | }
12 | 
13 | variable "region" {
14 |   description = "AWS Region to create objects in"
15 | }
16 | 


--------------------------------------------------------------------------------