From b93832a84fef68a20576f4c8931d9c0f19ad1979 Mon Sep 17 00:00:00 2001
From: Salim Afiune
Date: Tue, 27 Jun 2023 15:51:39 -0700
Subject: [PATCH] chore: enable bucket_force_destroy by default (#133)

Signed-off-by: Salim Afiune Maya
Co-authored-by: Darren <75614232+dmurray-lacework@users.noreply.github.com>
---
 DEVELOPER_GUIDELINES.md | 1 -
 README.md | 2 +-
 .../cloudtrail-existing-kms-key/README.md | 2 -
 examples/cloudtrail-existing-kms-key/main.tf | 93 +++++++++----------
 .../README.md | 2 +-
 .../complete-cloudtrail-access-logs/README.md | 2 +-
 .../complete-cloudtrail-unencrypted/README.md | 4 +-
 .../complete-cloudtrail-unencrypted/main.tf | 1 -
 .../complete-cloudtrail-versioning/README.md | 2 +-
 examples/complete-cloudtrail/README.md | 16 +---
 examples/complete-cloudtrail/main.tf | 2 -
 .../README.md | 2 +-
 examples/consolidated-cloudtrail/README.md | 4 +-
 .../README.md | 2 +-
 .../existing-cloudtrail-iam-role/README.md | 2 +-
 .../README.md | 2 +-
 .../README.md | 2 +-
 .../README.md | 2 +-
 variables.tf | 4 +-
 19 files changed, 66 insertions(+), 81 deletions(-)

diff --git a/DEVELOPER_GUIDELINES.md b/DEVELOPER_GUIDELINES.md
index 6f1af65..9b67c15 100644
--- a/DEVELOPER_GUIDELINES.md
+++ b/DEVELOPER_GUIDELINES.md
@@ -94,7 +94,6 @@ module "aws_cloudtrail" {
 source = "lacework/cloudtrail/aws"
 version = "~> 1.0"
 
- bucket_force_destroy = true
 use_existing_iam_role = true
 iam_role_name = module.aws_config.iam_role_name
 iam_role_arn = module.aws_config.iam_role_arn
diff --git a/README.md b/README.md
index 5d77486..587278b 100644
--- a/README.md
+++ b/README.md
@@ -75,7 +75,7 @@ Terraform module for configuring an integration with Lacework and AWS for CloudT
 | [bucket\_arn](#input\_bucket\_arn) | The S3 bucket ARN is required when setting use\_existing\_cloudtrail to true | `string` | `""` | no |
 | [bucket\_enable\_mfa\_delete](#input\_bucket\_enable\_mfa\_delete) | Set this to `true` to require MFA for object deletion (Requires versioning) | `bool` | `false` | no |
 | [bucket\_encryption\_enabled](#input\_bucket\_encryption\_enabled) | Set this to `true` to enable encryption on a created S3 bucket | `bool` | `true` | no |
-| [bucket\_force\_destroy](#input\_bucket\_force\_destroy) | Force destroy bucket (Required when bucket not empty) | `bool` | `false` | no |
+| [bucket\_force\_destroy](#input\_bucket\_force\_destroy) |Force destroy bucket (When 'false' a non-empty bucket will NOT be destroyed.) | `bool` | `true` | no |
 | [bucket\_logs\_enabled](#input\_bucket\_logs\_enabled) | Set this to `true` to enable access logging on a created S3 bucket | `bool` | `true` | no |
 | [bucket\_name](#input\_bucket\_name) | Optional value to specify name for a newly created S3 bucket. Not required when `use_existing_cloudtrail` is true. | `string` | `""` | no |
 | [bucket\_sse\_algorithm](#input\_bucket\_sse\_algorithm) | The encryption algorithm to use for S3 bucket server-side encryption | `string` | `"aws:kms"` | no |
diff --git a/examples/cloudtrail-existing-kms-key/README.md b/examples/cloudtrail-existing-kms-key/README.md
index 4b6e1b6..ab9733b 100644
--- a/examples/cloudtrail-existing-kms-key/README.md
+++ b/examples/cloudtrail-existing-kms-key/README.md
@@ -6,7 +6,6 @@ This example creates a new CloudTrail in an AWS account with almost all of the r
 
 | Name | Description | Type |
 | ---------------------- | ----------------------------------------------------- | ------ |
-| `bucket_force_destroy` | Force destroy bucket (Required when bucket not empty) | `bool` |
 | `bucket_sse_key_arn` | The ARN of the KMS encryption key to be used for S3 | `string` |
 | `sns_topic_encryption_key_arn` | The ARN of an existing KMS encryption key to be used for SNS | `string` |
 | `sqs_encryption_key_arn` | The ARN of the KMS encryption key to be used for SQS | `string` |
@@ -28,7 +27,6 @@ resource "aws_kms_key" "lacework_kms_key" {
 module "aws_cloudtrail" {
 source = ">= 2.3.2"
 
- bucket_force_destroy = true
 use_existing_kms_key = true
 bucket_sse_key_arn = aws_kms_key.lacework_kms_key.arn
 sns_topic_encryption_key_arn = aws_kms_key.lacework_kms_key.arn
diff --git a/examples/cloudtrail-existing-kms-key/main.tf b/examples/cloudtrail-existing-kms-key/main.tf
index 0bf8619..7dc5275 100644
--- a/examples/cloudtrail-existing-kms-key/main.tf
+++ b/examples/cloudtrail-existing-kms-key/main.tf
@@ -5,14 +5,13 @@ provider "aws" {
 provider "lacework" {}
 
 resource "aws_kms_key" "lacework_kms_key" {
- description = "A KMS key used to encrypt CloudTrail logs which are monitored by Lacework"
- policy = data.aws_iam_policy_document.kms_key_policy.json
+ description = "A KMS key used to encrypt CloudTrail logs which are monitored by Lacework"
+ policy = data.aws_iam_policy_document.kms_key_policy.json
 }
 
 module "aws_cloudtrail" {
 source = "../../"
 
- bucket_force_destroy = true
 use_existing_kms_key = true
 bucket_sse_key_arn = aws_kms_key.lacework_kms_key.arn
 sns_topic_encryption_key_arn = aws_kms_key.lacework_kms_key.arn
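Review bot: Dropping `bucket_force_destroy = true` from the `module "aws_cloudtrail"` block in main.tf makes this example depend on the new module default, so a reader copying the snippet no longer sees that a `terraform destroy` will delete the CloudTrail log bucket together with its contents. For an example whose purpose is protecting the trail's logs with a customer-managed KMS key, keeping the setting explicit with a comment, `bucket_force_destroy = true # module default; set to false to keep log data on destroy`, would preserve that visibility. The same applies to the hunks in `examples/complete-cloudtrail-unencrypted/main.tf` and `examples/complete-cloudtrail/main.tf`. Note also that the `DEVELOPER_GUIDELINES.md` and `examples/complete-cloudtrail-unencrypted/README.md` snippets drop the same line while still pinning `version = "~> 1.0"`, under which, as far as this diff shows, the default was still `false`, so those snippets now behave differently from the examples that were bumped to `~> 2.0`.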
@@ -40,63 +39,63 @@ data "aws_iam_policy_document" "kms_key_policy" { } statement { - sid = "Allow CloudTrail service to encrypt/decrypt" - effect = "Allow" + sid = "Allow CloudTrail service to encrypt/decrypt" + effect = "Allow" - principals { - type = "Service" - identifiers = ["cloudtrail.amazonaws.com"] - } + principals { + type = "Service" + identifiers = ["cloudtrail.amazonaws.com"] + } - actions = ["kms:GenerateDataKey*", "kms:Decrypt"] - resources = ["*"] + actions = ["kms:GenerateDataKey*", "kms:Decrypt"] + resources = ["*"] } - statement { - sid = "Allow S3 bucket to encrypt/decrypt" - effect = "Allow" - - principals { - type = "Service" - identifiers = ["s3.amazonaws.com"] - } - - condition { - test = "ArnEquals" - variable = "aws:SourceArn" - values = [ - module.aws_cloudtrail.bucket_arn - ] - } - - actions = ["kms:GenerateDataKey*", "kms:Decrypt"] - resources = ["*"] + statement { + sid = "Allow S3 bucket to encrypt/decrypt" + effect = "Allow" + + principals { + type = "Service" + identifiers = ["s3.amazonaws.com"] + } + + condition { + test = "ArnEquals" + variable = "aws:SourceArn" + values = [ + module.aws_cloudtrail.bucket_arn + ] + } + + actions = ["kms:GenerateDataKey*", "kms:Decrypt"] + resources = ["*"] } statement { - sid = "Allow CloudTrail to describe key" - effect = "Allow" + sid = "Allow CloudTrail to describe key" + effect = "Allow" - principals { - type = "Service" - identifiers = ["cloudtrail.amazonaws.com"] - } + principals { + type = "Service" + identifiers = ["cloudtrail.amazonaws.com"] + } - actions = ["kms:DescribeKey"] - resources = ["*"] + actions = ["kms:DescribeKey"] + resources = ["*"] } statement { - sid = "Allow SNS service to encrypt/decrypt" - effect = "Allow" + sid = "Allow SNS service to encrypt/decrypt" + effect = "Allow" - principals { - type = "Service" - identifiers = ["sns.amazonaws.com"] - } + principals { + type = "Service" + identifiers = ["sns.amazonaws.com"] + } - actions = ["kms:GenerateDataKey*", 
"kms:Decrypt"]
- resources = ["*"]
+ actions = ["kms:GenerateDataKey*", "kms:Decrypt"]
+ resources = ["*"]
 }
 
 statement {
@@ -126,4 +125,4 @@ data "aws_iam_policy_document" "kms_key_policy" {
 values = ["arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"]
 }
 }
-}
\ No newline at end of file
+}
diff --git a/examples/complete-cloudtrail-access-logs-with-object-level-logging/README.md b/examples/complete-cloudtrail-access-logs-with-object-level-logging/README.md
index fa6fb47..d41be85 100644
--- a/examples/complete-cloudtrail-access-logs-with-object-level-logging/README.md
+++ b/examples/complete-cloudtrail-access-logs-with-object-level-logging/README.md
@@ -25,4 +25,4 @@ module "aws_cloudtrail" {
 }
 ```
 
-For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://support.lacework.com/hc/en-us/articles/360057092034-AWS-Config-and-CloudTrail-Integration-with-Terraform)
+For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://docs.lacework.net/onboarding/aws-guided-configuration).
diff --git a/examples/complete-cloudtrail-access-logs/README.md b/examples/complete-cloudtrail-access-logs/README.md
index 4a93b2a..8bfb4d3 100644
--- a/examples/complete-cloudtrail-access-logs/README.md
+++ b/examples/complete-cloudtrail-access-logs/README.md
@@ -25,4 +25,4 @@ module "aws_cloudtrail" {
 }
 ```
 
-For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://support.lacework.com/hc/en-us/articles/360057092034-AWS-Config-and-CloudTrail-Integration-with-Terraform)
+For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://docs.lacework.net/onboarding/aws-guided-configuration).
diff --git a/examples/complete-cloudtrail-unencrypted/README.md b/examples/complete-cloudtrail-unencrypted/README.md
index 1856334..5c73b4e 100644
--- a/examples/complete-cloudtrail-unencrypted/README.md
+++ b/examples/complete-cloudtrail-unencrypted/README.md
@@ -9,7 +9,6 @@ This example creates a new CloudTrail in an AWS account with all of the required
 | Name | Description | Type |
 | ------------------------------ | -------------------------------------------------------------------------- | ------ |
 | `bucket_encryption_enabled` | Set this to `true` to use an existing CloudTrail. | `bool` |
-| `bucket_force_destroy` | Force destroy bucket (Required when bucket not empty) | `bool` |
 | `sns_topic_encryption_enabled` | Set this to `false` to disable encryption on a sns topic. Defaults to true | `bool` |
 | `sqs_encryption_enabled` | Set this to `true` to enable server-side encryption on SQS. | `bool` |
 
@@ -27,10 +26,9 @@ module "aws_cloudtrail" {
 version = "~> 1.0"
 
 bucket_encryption_enabled = false
- bucket_force_destroy = true
 sns_topic_encryption_enabled = false
 sqs_encryption_enabled = false
 }
 ```
 
-For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://support.lacework.com/hc/en-us/articles/360057092034-AWS-Config-and-CloudTrail-Integration-with-Terraform).
+For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://docs.lacework.net/onboarding/aws-guided-configuration).
diff --git a/examples/complete-cloudtrail-unencrypted/main.tf b/examples/complete-cloudtrail-unencrypted/main.tf
index 9dc0b5e..c8ae920 100644
--- a/examples/complete-cloudtrail-unencrypted/main.tf
+++ b/examples/complete-cloudtrail-unencrypted/main.tf
@@ -8,7 +8,6 @@ module "aws_cloudtrail" {
 source = "../../"
 
 bucket_encryption_enabled = false
- bucket_force_destroy = true
 sns_topic_encryption_enabled = false
 sqs_encryption_enabled = false
 }
diff --git a/examples/complete-cloudtrail-versioning/README.md b/examples/complete-cloudtrail-versioning/README.md
index 10d0be6..0a8b393 100644
--- a/examples/complete-cloudtrail-versioning/README.md
+++ b/examples/complete-cloudtrail-versioning/README.md
@@ -27,4 +27,4 @@ module "aws_cloudtrail" {
 }
 ```
 
-For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://support.lacework.com/hc/en-us/articles/360057092034-AWS-Config-and-CloudTrail-Integration-with-Terraform)
+For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://docs.lacework.net/onboarding/aws-guided-configuration).
diff --git a/examples/complete-cloudtrail/README.md b/examples/complete-cloudtrail/README.md
index 5f04223..8a0cabc 100644
--- a/examples/complete-cloudtrail/README.md
+++ b/examples/complete-cloudtrail/README.md
@@ -1,12 +1,8 @@
 # Deploy New CloudTrail and Integrate with Lacework
 
-This example creates a new CloudTrail in an AWS account with all of the required resources, as well as creating an IAM Role with a cross-account policy to provide Lacework read-only access to monitor the trail.
-
-## Inputs
-
-| Name | Description | Type |
-| ---------------------- | ----------------------------------------------------- | ------ |
-| `bucket_force_destroy` | Force destroy bucket (Required when bucket not empty) | `bool` |
+This example creates a new CloudTrail in an AWS account with all of the required resources,
+as well as creating an IAM Role with a cross-account policy to provide Lacework read-only
+access to monitor the trail.
 
 ## Sample Code
 
@@ -19,10 +15,8 @@ provider "lacework" {}
 
 module "aws_cloudtrail" {
 source = "lacework/cloudtrail/aws"
- version = "~> 1.0"
-
- bucket_force_destroy = true
+ version = "~> 2.0"
 }
 ```
 
-For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://support.lacework.com/hc/en-us/articles/360057092034-AWS-Config-and-CloudTrail-Integration-with-Terraform).
+For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://docs.lacework.net/onboarding/aws-guided-configuration).
diff --git a/examples/complete-cloudtrail/main.tf b/examples/complete-cloudtrail/main.tf
index 89698cb..6dff535 100644
--- a/examples/complete-cloudtrail/main.tf
+++ b/examples/complete-cloudtrail/main.tf
@@ -6,6 +6,4 @@ provider "lacework" {}
 
 module "aws_cloudtrail" {
 source = "../../"
-
- bucket_force_destroy = true
 }
diff --git a/examples/consolidated-cloudtrail-multiple-lacework-tenants/README.md b/examples/consolidated-cloudtrail-multiple-lacework-tenants/README.md
index 86eed96..b6028cb 100644
--- a/examples/consolidated-cloudtrail-multiple-lacework-tenants/README.md
+++ b/examples/consolidated-cloudtrail-multiple-lacework-tenants/README.md
@@ -85,4 +85,4 @@ resource "aws_cloudtrail" "sub_account_2" {
 }
 ```
 
-For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://support.lacework.com/hc/en-us/articles/360057092034-AWS-Config-and-CloudTrail-Integration-with-Terraform)
+For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://docs.lacework.net/onboarding/aws-guided-configuration).
diff --git a/examples/consolidated-cloudtrail/README.md b/examples/consolidated-cloudtrail/README.md
index 16ea753..3033afb 100644
--- a/examples/consolidated-cloudtrail/README.md
+++ b/examples/consolidated-cloudtrail/README.md
@@ -22,7 +22,7 @@ provider "aws" {
 
 module "main_cloudtrail" {
 source = "lacework/cloudtrail/aws"
- version = "~> 1.0"
+ version = "~> 2.0"
 providers = {
 aws = aws.main-account
 lacework = lacework.main-account
@@ -68,4 +68,4 @@ resource "aws_cloudtrail" "sub_account_2" {
 }
 ```
 
-For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://support.lacework.com/hc/en-us/articles/360057092034-AWS-Config-and-CloudTrail-Integration-with-Terraform)
+For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://docs.lacework.net/onboarding/aws-guided-configuration).
diff --git a/examples/existing-cloudtrail-end-to-end-encryption/README.md b/examples/existing-cloudtrail-end-to-end-encryption/README.md
index ea12de0..d48d5ad 100644
--- a/examples/existing-cloudtrail-end-to-end-encryption/README.md
+++ b/examples/existing-cloudtrail-end-to-end-encryption/README.md
@@ -68,4 +68,4 @@ module "aws_cloudtrail" {
 }
 ```
 
-For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://support.lacework.com/hc/en-us/articles/360057092034-AWS-Config-and-CloudTrail-Integration-with-Terraform)
+For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://docs.lacework.net/onboarding/aws-guided-configuration).
diff --git a/examples/existing-cloudtrail-iam-role/README.md b/examples/existing-cloudtrail-iam-role/README.md
index f5dc23b..d7f75d7 100644
--- a/examples/existing-cloudtrail-iam-role/README.md
+++ b/examples/existing-cloudtrail-iam-role/README.md
@@ -44,4 +44,4 @@ module "aws_cloudtrail" {
 }
 ```
 
-For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://support.lacework.com/hc/en-us/articles/360057092034-AWS-Config-and-CloudTrail-Integration-with-Terraform)
+For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://docs.lacework.net/onboarding/aws-guided-configuration).
diff --git a/examples/existing-cloudtrail-s3-encryption/README.md b/examples/existing-cloudtrail-s3-encryption/README.md
index 7956684..663ba0e 100644
--- a/examples/existing-cloudtrail-s3-encryption/README.md
+++ b/examples/existing-cloudtrail-s3-encryption/README.md
@@ -41,4 +41,4 @@ module "aws_cloudtrail" {
 }
 ```
 
-For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://support.lacework.com/hc/en-us/articles/360057092034-AWS-Config-and-CloudTrail-Integration-with-Terraform)
+For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://docs.lacework.net/onboarding/aws-guided-configuration).
diff --git a/examples/existing-cloudtrail-s3-notifications/README.md b/examples/existing-cloudtrail-s3-notifications/README.md
index 017678b..15353b0 100644
--- a/examples/existing-cloudtrail-s3-notifications/README.md
+++ b/examples/existing-cloudtrail-s3-notifications/README.md
@@ -32,4 +32,4 @@ module "aws_cloudtrail" {
 }
 ```
 
-For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://support.lacework.com/hc/en-us/articles/360057092034-AWS-Config-and-CloudTrail-Integration-with-Terraform)
+For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://docs.lacework.net/onboarding/aws-guided-configuration).
diff --git a/examples/existing-cloudtrail-without-sns-topic/README.md b/examples/existing-cloudtrail-without-sns-topic/README.md
index f8f2c6b..8e90b44 100644
--- a/examples/existing-cloudtrail-without-sns-topic/README.md
+++ b/examples/existing-cloudtrail-without-sns-topic/README.md
@@ -48,4 +48,4 @@ module "lacework_cloudtrail" {
 }
 ```
 
-For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://support.lacework.com/hc/en-us/articles/360057092034-AWS-Config-and-CloudTrail-Integration-with-Terraform)
+For detailed information on integrating Lacework with AWS see [AWS Config and CloudTrail Integration with Terraform](https://docs.lacework.net/onboarding/aws-guided-configuration).
diff --git a/variables.tf b/variables.tf
index f24c5ef..ac9ba67 100644
--- a/variables.tf
+++ b/variables.tf
@@ -126,8 +126,8 @@ variable "bucket_versioning_enabled" {
 
 variable "bucket_force_destroy" {
 type = bool
- default = false
- description = "Force destroy bucket (Required when bucket not empty)"
+ default = true
+ description = "Force destroy bucket (When 'false' a non-empty bucket will NOT be destroyed.)"
 }
 
 variable "bucket_sse_algorithm" {
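Review bot: The new `default = true` in the variables.tf hunk means a `terraform destroy`, or any plan that replaces the bucket, removes a non-empty CloudTrail log bucket with no further confirmation — including all object versions where `bucket_versioning_enabled` is set — which is a loss-of-audit-evidence risk for a module whose bucket holds the trail; the old `false` default made that an explicit opt-in. If the new default is intentional, the description should state what the default does rather than only what `false` does, e.g. `description = "Force destroy bucket. Defaults to true, so a non-empty log bucket (and its object versions) is deleted on destroy; set to false to protect log data."`. The matching row in the top-level README carries the same text and also lost the space after `|`; if that table is generated from this description, regenerating it avoids the drift.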