From ceeae45872bc2d769a47edd615d9882e33b5ec35 Mon Sep 17 00:00:00 2001
From: Garegin
Date: Tue, 10 Aug 2021 09:42:47 +0400
Subject: [PATCH 1/2] added variable and resourses for logging
---
 storage/s3/main.tf | 109 ++++++++++++++++++++++++++++++++++++++++
 storage/s3/variables.tf | 7 +++
 2 files changed, 116 insertions(+)
diff --git a/storage/s3/main.tf b/storage/s3/main.tf
index 1bdde26..2d6b1c2 100644
--- a/storage/s3/main.tf
+++ b/storage/s3/main.tf
@@ -1,3 +1,90 @@
+resource "aws_cloudwatch_log_group" "s3_cloudtrail_logs" {
+ count = var.s3_cloudwatch_logging_enabled ? 1 : 0
+ name = "s3-cloudtrail-logs-${var.s3_bucket_name}"
+}
+
+data "aws_iam_policy_document" "cloudtrail-assume-role-policy" {
+ statement {
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com"]
+ }
+ }
+}
+
+
+resource "aws_s3_bucket" "s3_cloudtrail_logs" {
+
+ count = var.s3_cloudwatch_logging_enabled ? 1 : 0
+ bucket = "s3-cloudtrail-logs-${var.s3_bucket_name}"
+ tags = var.tags
+
+ policy = <
Date: Mon, 23 Aug 2021 14:26:57 +0400
Subject: [PATCH 2/2] update s3 bucket resource name
---
 storage/s3/README.md | 24 ++++++++++++++++++++++++
 storage/s3/main.tf | 12 ++++++------
 storage/s3/output.tf | 4 ++--
 3 files changed, 32 insertions(+), 8 deletions(-)
 create mode 100644 storage/s3/README.md
diff --git a/storage/s3/README.md b/storage/s3/README.md
new file mode 100644
index 0000000..dc250b4
--- /dev/null
+++ b/storage/s3/README.md
@@ -0,0 +1,24 @@
+# Annotation
+The S3 module is used to create s3 bucket on AWS.
+
+## Used modules
+
+- [iam-assumable-role](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/v4.3.0/modules/iam-assumable-role)
+
+
+## Feature
+
+- IAM assumable role for accessing S3 bucket by other resources
+- AWS cloudwatch group that collects logs from AWS Cloudtrail
+
+## Example usage
+```
+module "s3" {
+ depends_on = [ module.kubernetes]
+ source = "./sak-incubator/storage/s3"
+ s3_bucket_name = "${module.kubernetes.cluster_name}-main"
+ cluster_name = module.kubernetes.cluster_name
+ trusted_role_arns = [ module.kubernetes.this.cluster_iam_role_arn ]
+ s3_cloudwatch_logging_enabled = true
+}
+```
diff --git a/storage/s3/main.tf b/storage/s3/main.tf
index 2d6b1c2..ce4f9fc 100644
--- a/storage/s3/main.tf
+++ b/storage/s3/main.tf
@@ -85,7 +85,7 @@ resource "aws_iam_role" "cloudtrail_to_cloudwatch" {
 }
 }
-resource "aws_s3_bucket" "kubeflow" {
+resource "aws_s3_bucket" "main" {
 bucket = var.s3_bucket_name
 tags = var.tags
@@ -117,7 +117,7 @@ resource "aws_cloudtrail" "s3" {
 data_resource {
 type = "AWS::S3::Object"
- values = ["${aws_s3_bucket.kubeflow.arn}/"]
+ values = ["${aws_s3_bucket.main.arn}/"]
 }
 }
@@ -148,13 +148,13 @@ resource "aws_iam_user_policy" "s3_user" {
 "Sid": "ListObjectsInBucket",
 "Effect": "Allow",
 "Action": ["s3:ListBucket"],
- "Resource": ["${aws_s3_bucket.kubeflow.arn}"]
+ "Resource": ["${aws_s3_bucket.main.arn}"]
 },
 {
 "Sid": "AllObjectActions",
 "Effect": "Allow",
 "Action": "s3:*Object",
- "Resource": ["${aws_s3_bucket.kubeflow.arn}/*"]
+ "Resource": ["${aws_s3_bucket.main.arn}/*"]
 }
 ]
 }
@@ -178,13 +178,13 @@ resource "aws_iam_policy" "s3_role" {
 "Sid": "ListObjectsInBucket",
 "Effect": "Allow",
 "Action": ["s3:ListBucket"],
- "Resource": ["${aws_s3_bucket.kubeflow.arn}"]
+ "Resource": ["${aws_s3_bucket.main.arn}"]
 },
 {
 "Sid": "AllObjectActions",
 "Effect": "Allow",
 "Action": "s3:*Object",
- "Resource": ["${aws_s3_bucket.kubeflow.arn}/*"]
+ "Resource": ["${aws_s3_bucket.main.arn}/*"]
 }
 ]
 }
diff --git a/storage/s3/output.tf b/storage/s3/output.tf
index 86833ae..0d222b8 100644
--- a/storage/s3/output.tf
+++ b/storage/s3/output.tf
@@ -14,10 +14,10 @@ output "s3_user_access_key" {
 }
 }
 output "s3_bucket_arn" {
- value = aws_s3_bucket.kubeflow.arn
+ value = aws_s3_bucket.main.arn
 }
 output "s3_bucket_name" {
- value = aws_s3_bucket.kubeflow.bucket
+ value = aws_s3_bucket.main.bucket
 }
\ No newline at end of file