skip: update autotest for cloudtrail

epam · May 29, 2024 · 590b53b · 590b53b
1 parent d8faca2
commit 590b53b
Show file tree

Hide file tree

Showing 7 changed files with 99 additions and 37 deletions.
diff --git a/.github/workflows/tf_testing.yml b/.github/workflows/tf_testing.yml
@@ -22,7 +22,7 @@ env:
   CORE_TESTING_FOLDER: ${{ github.workspace }}
   OUTPUT_DIR: ${{ github.workspace }}/auto_policy_testing/output
   AWS_DEFAULT_REGION: ${{ vars.AWS_REGION }}
-  resource_priority_list: 'directory'
+  resource_priority_list: 'cloudtrail'
   RED: '\033[0;31m'
 
 jobs:

diff --git a/auto_policy_testing/green/directory/ba.sh b/auto_policy_testing/green/directory/ba.sh
diff --git a/auto_policy_testing/red/cloudtrail/cloudtrail.tf b/auto_policy_testing/red/cloudtrail/cloudtrail.tf
@@ -1,8 +1,8 @@
-resource "aws_cloudtrail" "this" {
-  name                          = "${module.naming.resource_prefix.cloud_trail}"
+resource "aws_cloudtrail" "this1" {
+  provider                      = aws.provider2
+  name                          = "${module.naming.resource_prefix.trail}-1"
   s3_bucket_name                = aws_s3_bucket.this.id
   enable_log_file_validation    = false
-  provider                      = aws.provider2
   include_global_service_events = false
 
   event_selector {
@@ -16,18 +16,13 @@ resource "aws_cloudtrail" "this" {
   }
 }
 
-resource "aws_s3_bucket" "this" {
-  bucket        = "${module.naming.resource_prefix.s3_bucket}-${random_integer.this.result}"
-  force_destroy = true
-  provider      = aws.provider2
-}
-
-resource "random_integer" "this" {
-  min = 1
-  max = 10000000
-}
-
-resource "aws_s3_bucket_policy" "this" {
-  bucket = aws_s3_bucket.this.id
-  policy = data.aws_iam_policy_document.this.json
+resource "aws_cloudtrail" "this2" {
+  name                          = "${module.naming.resource_prefix.trail}-2"
+  s3_bucket_name                = aws_s3_bucket.this.id
+  enable_log_file_validation    = false
+  include_global_service_events = false
+  event_selector {
+    include_management_events = true
+    read_write_type           = "All"
+  }
 }
diff --git a/auto_policy_testing/red/cloudtrail/data.tf b/auto_policy_testing/red/cloudtrail/data.tf
@@ -1,6 +1,5 @@
 data "aws_caller_identity" "this" {}
 
-
 data "aws_iam_policy_document" "this" {
   statement {
     effect = "Allow"
@@ -10,7 +9,7 @@ data "aws_iam_policy_document" "this" {
       identifiers = ["cloudtrail.amazonaws.com"]
     }
 
-    actions = ["s3:GetBucketAcl"]
+    actions   = ["s3:GetBucketAcl"]
     resources = [aws_s3_bucket.this.arn]
   }
 
@@ -22,15 +21,45 @@ data "aws_iam_policy_document" "this" {
       identifiers = ["cloudtrail.amazonaws.com"]
     }
 
-    actions = ["s3:PutObject"]
+    actions   = ["s3:PutObject"]
     resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+
     condition {
       test     = "StringEquals"
       variable = "s3:x-amz-acl"
-      
+
       values = [
         "bucket-owner-full-control"
       ]
     }
   }
+}
+
+data "aws_iam_policy_document" "deny" {
+
+  statement {
+    sid    = "AWSCloudTrailAclCheck"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions   = ["s3:GetBucketAcl"]
+    resources = [aws_s3_bucket.this.arn]
+  }
+
+  statement {
+    sid    = "AWSCloudTrailWrite"
+    effect = "Deny"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions   = ["s3:PutObject"]
+    resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+  }
 }
diff --git a/auto_policy_testing/red/cloudtrail/outputs.tf b/auto_policy_testing/red/cloudtrail/outputs.tf
@@ -1,5 +1,7 @@
 output "cloudtrail" {
   value = {
-    cloudtrail = aws_cloudtrail.this.arn
+    cloudtrail                              = aws_cloudtrail.this1.arn
+    ecc-aws-374-cloudtrail_logs_data_events = aws_cloudtrail.this2.arn
+    ecc-aws-544-cloudtrail_delivery_failing = aws_cloudtrail.this2.arn
   }
 }
diff --git a/auto_policy_testing/red/cloudtrail/provider.tf b/auto_policy_testing/red/cloudtrail/provider.tf
@@ -14,7 +14,6 @@ provider "aws" {
   }
 }
 
-
 provider "aws" {
   region = var.region
   alias  = "provider2"

diff --git a/auto_policy_testing/red/cloudtrail/s3.tf b/auto_policy_testing/red/cloudtrail/s3.tf
@@ -0,0 +1,50 @@
+resource "aws_s3_bucket" "this" {
+  bucket        = "${module.naming.resource_prefix.s3_bucket}-${random_integer.this.result}"
+  force_destroy = true
+}
+
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
+}
+
+resource "aws_s3_bucket_policy" "this" {
+  bucket = aws_s3_bucket.this.id
+  policy = data.aws_iam_policy_document.this.json
+}
+
+resource "aws_s3_bucket_policy" "deny" {
+  bucket = aws_s3_bucket.this.id
+  policy = data.aws_iam_policy_document.deny.json
+
+  depends_on = [
+    aws_s3_bucket_policy.this,
+    aws_s3_bucket.this,
+    aws_cloudtrail.this1,
+    aws_cloudtrail.this2
+  ]
+}
+
+resource "null_resource" "this" {
+  depends_on = [
+    aws_s3_bucket_policy.this,
+    aws_s3_bucket_policy.deny,
+    aws_s3_bucket.this,
+    aws_cloudtrail.this1,
+    aws_cloudtrail.this2
+  ]
+  triggers = {
+    s3_name = aws_s3_bucket.this.id
+  }
+  provisioner "local-exec" {
+    interpreter = ["/bin/bash", "-c"]
+    command     = <<EOF
+set -e
+aws s3 rb s3://${self.triggers.s3_name} --force  
+aws s3 ls > /dev/null
+aws ec2 describe-security-groups > /dev/null
+aws ec2 describe-vpcs > /dev/null
+sleep 10m
+EOF
+  }
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -14,7 +14,6 @@ provider "aws" { @@
       }
     }
     provider "aws" {
       region = var.region
       alias  = "provider2"
@@ Expand Down @@