Merge branch 'drewmullen/master'

bridgecrewio · Jun 9, 2021 · c7ad501 · c7ad501
2 parents 8816857 + 9017ff1
commit c7ad501
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 21 deletions.
diff --git a/README.md b/README.md
@@ -89,6 +89,7 @@ No modules.
 | [aws_iam_policy.AmazonSSMManagedInstanceCore](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy_document.kms_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ssm_s3_cwl_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_route_table.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source |
 | [aws_subnet_ids.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
@@ -98,14 +99,14 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_access_log_bucket_name"></a> [access\_log\_bucket\_name](#input\_access\_log\_bucket\_name) | Name of S3 bucket to store access logs from session logs bucket | `string` | n/a | yes |
+| <a name="input_access_log_bucket_name"></a> [access\_log\_bucket\_name](#input\_access\_log\_bucket\_name) | Name prefix of S3 bucket to store access logs from session logs bucket | `string` | n/a | yes |
 | <a name="input_access_log_expire_days"></a> [access\_log\_expire\_days](#input\_access\_log\_expire\_days) | Number of days to wait before deleting access logs | `number` | `30` | no |
-| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | Name of S3 bucket to store session logs | `string` | n/a | yes |
+| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | Name prefix of S3 bucket to store session logs | `string` | n/a | yes |
 | <a name="input_cloudwatch_log_group_name"></a> [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | Name of the CloudWatch Log Group for storing SSM Session Logs | `string` | `"/ssm/session-logs"` | no |
 | <a name="input_cloudwatch_logs_retention"></a> [cloudwatch\_logs\_retention](#input\_cloudwatch\_logs\_retention) | Number of days to retain Session Logs in CloudWatch | `number` | `30` | no |
 | <a name="input_enable_log_to_cloudwatch"></a> [enable\_log\_to\_cloudwatch](#input\_enable\_log\_to\_cloudwatch) | Enable Session Manager to Log to CloudWatch Logs | `bool` | `true` | no |
 | <a name="input_enable_log_to_s3"></a> [enable\_log\_to\_s3](#input\_enable\_log\_to\_s3) | Enable Session Manager to Log to S3 | `bool` | `true` | no |
-| <a name="input_kms_key_alias"></a> [kms\_key\_alias](#input\_kms\_key\_alias) | Alias of the KMS key.  Must start with alias/ followed by a name | `string` | `"alias/ssm-key"` | no |
+| <a name="input_kms_key_alias"></a> [kms\_key\_alias](#input\_kms\_key\_alias) | Alias prefix of the KMS key.  Must start with alias/ followed by a name | `string` | `"alias/ssm-key"` | no |
 | <a name="input_kms_key_deletion_window"></a> [kms\_key\_deletion\_window](#input\_kms\_key\_deletion\_window) | Waiting period for scheduled KMS Key deletion.  Can be 7-30 days. | `number` | `7` | no |
 | <a name="input_log_archive_days"></a> [log\_archive\_days](#input\_log\_archive\_days) | Number of days to wait before archiving to Glacier | `number` | `30` | no |
 | <a name="input_log_expire_days"></a> [log\_expire\_days](#input\_log\_expire\_days) | Number of days to wait before deleting | `number` | `365` | no |

diff --git a/aws_s3_bucket.access_log_bucket.tf b/aws_s3_bucket.access_log_bucket.tf
@@ -3,7 +3,7 @@ resource "aws_s3_bucket" "access_log_bucket" {
   # checkov:skip=CKV_AWS_144: Cross region replication is overkill
   # checkov:skip=CKV_AWS_18:
   # checkov:skip=CKV_AWS_52:
-  bucket        = var.access_log_bucket_name
+  bucket_prefix = "${var.access_log_bucket_name}-"
   acl           = "log-delivery-write"
   force_destroy = true
 

diff --git a/aws_s3_bucket.session_logs_bucket.tf b/aws_s3_bucket.session_logs_bucket.tf
@@ -1,7 +1,7 @@
 resource "aws_s3_bucket" "session_logs_bucket" {
   # checkov:skip=CKV_AWS_144: Cross region replication overkill
   # checkov:skip=CKV_AWS_52:
-  bucket        = var.bucket_name
+  bucket_prefix = "${var.bucket_name}-"
   acl           = "private"
   force_destroy = true
   tags          = var.tags

diff --git a/iam.tf b/iam.tf
@@ -6,7 +6,7 @@ data "aws_iam_policy_document" "kms_access" {
     sid = "KMS Key Default"
     principals {
       type        = "AWS"
-      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"]
     }
     actions = [
       "kms:*",
@@ -41,9 +41,9 @@ data "aws_iam_policy_document" "kms_access" {
 
 # Create EC2 Instance Role
 resource "aws_iam_role" "ssm_role" {
-  name = "ssm_role"
-  path = "/"
-  tags = var.tags
+  name_prefix = "ssm_role-"
+  path        = "/"
+  tags        = var.tags
 
   assume_role_policy = <<EOF
 {
@@ -63,7 +63,7 @@ EOF
 }
 
 data "aws_iam_policy" "AmazonSSMManagedInstanceCore" {
-  arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
 }
 
 data "aws_iam_policy_document" "ssm_s3_cwl_access" {
@@ -129,9 +129,9 @@ data "aws_iam_policy_document" "ssm_s3_cwl_access" {
 }
 
 resource "aws_iam_policy" "ssm_s3_cwl_access" {
-  name   = "ssm_s3_cwl_access"
-  path   = "/"
-  policy = data.aws_iam_policy_document.ssm_s3_cwl_access.json
+  name_prefix = "ssm_s3_cwl_access-"
+  path        = "/"
+  policy      = data.aws_iam_policy_document.ssm_s3_cwl_access.json
 }
 
 resource "aws_iam_role_policy_attachment" "SSM-role-policy-attach" {
@@ -145,6 +145,6 @@ resource "aws_iam_role_policy_attachment" "SSM-s3-cwl-policy-attach" {
 }
 
 resource "aws_iam_instance_profile" "ssm_profile" {
-  name = "ssm_profile"
-  role = aws_iam_role.ssm_role.name
+  name_prefix = "ssm_profile-"
+  role        = aws_iam_role.ssm_role.name
 }
diff --git a/main.tf b/main.tf
@@ -2,6 +2,7 @@ data "aws_caller_identity" "current" {}
 
 data "aws_region" "current" {}
 
+data "aws_partition" "current" {}
 resource "aws_kms_key" "ssmkey" {
   description             = "SSM Key"
   deletion_window_in_days = var.kms_key_deletion_window
@@ -11,12 +12,12 @@ resource "aws_kms_key" "ssmkey" {
 }
 
 resource "aws_kms_alias" "ssmkey" {
-  name          = var.kms_key_alias
+  name_prefix   = "${var.kms_key_alias}-"
   target_key_id = aws_kms_key.ssmkey.key_id
 }
 
 resource "aws_cloudwatch_log_group" "session_manager_log_group" {
-  name              = var.cloudwatch_log_group_name
+  name_prefix       = "${var.cloudwatch_log_group_name}-"
   retention_in_days = var.cloudwatch_logs_retention
   kms_key_id        = aws_kms_key.ssmkey.arn
 
@@ -37,7 +38,7 @@ resource "aws_ssm_document" "session_manager_prefs" {
     "inputs": {
         "s3BucketName": "${var.enable_log_to_s3 ? aws_s3_bucket.session_logs_bucket.id : ""}",
         "s3EncryptionEnabled": ${var.enable_log_to_s3 ? "true" : "false"},
-        "cloudWatchLogGroupName": "${var.enable_log_to_cloudwatch ? var.cloudwatch_log_group_name : ""}",
+        "cloudWatchLogGroupName": "${var.enable_log_to_cloudwatch ? aws_cloudwatch_log_group.session_manager_log_group.name : ""}",
         "cloudWatchEncryptionEnabled": ${var.enable_log_to_cloudwatch ? "true" : "false"},
         "kmsKeyId": "${aws_kms_key.ssmkey.key_id}"
     }

diff --git a/variables.tf b/variables.tf
@@ -1,5 +1,5 @@
 variable "bucket_name" {
-  description = "Name of S3 bucket to store session logs"
+  description = "Name prefix of S3 bucket to store session logs"
   type        = string
 }
 
@@ -16,7 +16,7 @@ variable "log_expire_days" {
 }
 
 variable "access_log_bucket_name" {
-  description = "Name of S3 bucket to store access logs from session logs bucket"
+  description = "Name prefix of S3 bucket to store access logs from session logs bucket"
   type        = string
 }
 
@@ -33,7 +33,7 @@ variable "kms_key_deletion_window" {
 }
 
 variable "kms_key_alias" {
-  description = "Alias of the KMS key.  Must start with alias/ followed by a name"
+  description = "Alias prefix of the KMS key.  Must start with alias/ followed by a name"
   type        = string
   default     = "alias/ssm-key"
 }