binbashar / le-tf-infra-aws

Terraform code for Leverage Reference Architecture for AWS, designed under optimal configs for the most popular modern web and mobile applications needs.
https://www.binbash.co/leverage
Apache License 2.0

Fix | Policy issue | Update terraform-aws-cloudtrail-s3-bucket module version #632

Closed rodriguez-matias closed 1 month ago

rodriguez-matias commented 1 month ago

What?

Why?

Solution

github-actions[bot] commented 1 month ago

💰 Infracost report

Monthly estimate generated

| Changed project | Baseline cost | Usage cost* | Total change | New monthly cost |
|---|---|---|---|---|
| binbashar/le-tf-infra-aws/security/us-east-1/security-audit | +$0 | - | +$0 | $7 |

*Usage costs can be estimated by updating Infracost Cloud settings, see docs for other options.

Estimate details (includes details of unsupported resources and skipped projects due to errors)

This comment will be updated when code changes.

rodriguez-matias commented 1 month ago

TF Apply new module version

../security/us-east-1/security-audit
╰─❯ leverage tf apply

[10:40:06.640] INFO     Attempting to get temporary credentials for security account.
[10:40:06.643] INFO     Using already configured temporary credentials.
Acquiring state lock. This may take a few moments...
data.terraform_remote_state.notifications: Reading...
data.terraform_remote_state.keys: Reading...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_partition.current[0]: Reading...
data.aws_region.current: Reading...
module.cloudtrail_s3_bucket.module.s3_bucket.data.aws_partition.current[0]: Reading...
module.cloudtrail_api_alarms.data.aws_region.current: Reading...
module.cloudtrail_api_alarms.data.aws_caller_identity.current: Reading...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_partition.current[0]: Read complete after 0s [id=aws]
module.cloudtrail_s3_bucket.module.s3_bucket.data.aws_partition.current[0]: Read complete after 0s [id=aws]
module.cloudtrail_api_alarms.data.aws_region.current: Read complete after 0s [id=us-east-1]
module.cloudtrail_api_alarms.data.aws_caller_identity.default: Reading...
data.aws_region.current: Read complete after 0s [id=us-east-1]
data.aws_caller_identity.current: Reading...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_canonical_user_id.default[0]: Reading...
module.cloudtrail_s3_bucket.data.aws_partition.current: Reading...
module.cloudtrail_s3_bucket.data.aws_partition.current: Read complete after 0s [id=aws]
module.cloudtrail_s3_bucket.module.s3_bucket.data.aws_caller_identity.current[0]: Reading...
data.aws_iam_policy_document.assume_policy: Reading...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket.default[0]: Refreshing state... [id=bb-security-cloudtrail-org]
data.aws_iam_policy_document.assume_policy: Read complete after 0s [id=3361274866]
module.cloudtrail_api_alarms.aws_cloudwatch_dashboard.combined[0]: Refreshing state... [id=cis-benchmark-statistics-combined]
module.cloudtrail_api_alarms.aws_cloudwatch_dashboard.individual[0]: Refreshing state... [id=cis-benchmark-statistics-individual]
data.terraform_remote_state.keys: Read complete after 2s
module.cloudtrail_s3_bucket.data.aws_iam_policy_document.default[0]: Reading...
module.cloudtrail_s3_bucket.data.aws_iam_policy_document.default[0]: Read complete after 0s [id=854294704]
aws_iam_role.cloudtrail_cloudwatch_events: Refreshing state... [id=CloudtrailCloudwatchEvents]
data.terraform_remote_state.notifications: Read complete after 2s
aws_cloudwatch_log_group.cloudtrail: Refreshing state... [id=bb-security-cloudtrail]
module.cloudtrail_api_alarms.data.aws_caller_identity.current: Read complete after 1s [id=900980591242]
module.cloudtrail_api_alarms.data.aws_caller_identity.default: Read complete after 1s [id=900980591242]
module.cloudtrail_api_alarms.aws_sns_topic.default[0]: Refreshing state... [id=arn:aws:sns:us-east-1:900980591242:cloudtrail-breach]
module.cloudtrail_s3_bucket.module.s3_bucket.data.aws_caller_identity.current[0]: Read complete after 1s [id=900980591242]
data.aws_caller_identity.current: Read complete after 1s [id=900980591242]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_canonical_user_id.default[0]: Read complete after 1s [id=dec403a9fd9b9964897cc9b0b57c868533fcd0df80c5e8dc9d53db63842d9d36]
data.aws_iam_policy_document.cloudtrail_role_policy: Reading...
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["EC2InstanceEventCount-security-account"]: Refreshing state... [id=EC2InstanceEventCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["RouteTableChangesCount-security-account"]: Refreshing state... [id=RouteTableChangesCount]
data.aws_iam_policy_document.cloudtrail_role_policy: Read complete after 0s [id=601136484]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["NetworkAclEventCount-security-account"]: Refreshing state... [id=NetworkAclEventCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["ConsoleSignInFailureCount-security-account"]: Refreshing state... [id=ConsoleSignInFailureCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["AWSConfigChangeCount-security-account"]: Refreshing state... [id=AWSConfigChangeCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["EC2LargeInstanceEventCount-security-account"]: Refreshing state... [id=EC2LargeInstanceEventCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["SecurityGroupEventCount-security-account"]: Refreshing state... [id=SecurityGroupEventCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["GatewayEventCount-security-account"]: Refreshing state... [id=GatewayEventCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["AuthorizationFailureCount-security-account"]: Refreshing state... [id=AuthorizationFailureCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["RootAccountUsageCount-security-account"]: Refreshing state... [id=RootAccountUsageCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["S3BucketActivityEventCount-security-account"]: Refreshing state... [id=S3BucketActivityEventCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["KMSKeyPendingDeletionErrorCount-security-account"]: Refreshing state... [id=KMSKeyPendingDeletionErrorCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["CloudTrailEventCount-security-account"]: Refreshing state... [id=CloudTrailEventCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["IAMPolicyEventCount-security-account"]: Refreshing state... [id=IAMPolicyEventCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["VpcEventCount-security-account"]: Refreshing state... [id=VpcEventCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["ConsoleSignInWithoutMfaCount-security-account"]: Refreshing state... [id=ConsoleSignInWithoutMfaCount]
aws_iam_role_policy.cloudtrail_cloudwatch_events_policy: Refreshing state... [id=CloudtrailCloudwatchEvents:CloudtrailCloudwatchEvents]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["IAMPolicyEventCount-security-account"]: Refreshing state... [id=IAMPolicyEventCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["VpcEventCount-security-account"]: Refreshing state... [id=VpcEventCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["CloudTrailEventCount-security-account"]: Refreshing state... [id=CloudTrailEventCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["GatewayEventCount-security-account"]: Refreshing state... [id=GatewayEventCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["AWSConfigChangeCount-security-account"]: Refreshing state... [id=AWSConfigChangeCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["ConsoleSignInFailureCount-security-account"]: Refreshing state... [id=ConsoleSignInFailureCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["S3BucketActivityEventCount-security-account"]: Refreshing state... [id=S3BucketActivityEventCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["ConsoleSignInWithoutMfaCount-security-account"]: Refreshing state... [id=ConsoleSignInWithoutMfaCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["NetworkAclEventCount-security-account"]: Refreshing state... [id=NetworkAclEventCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["SecurityGroupEventCount-security-account"]: Refreshing state... [id=SecurityGroupEventCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["EC2InstanceEventCount-security-account"]: Refreshing state... [id=EC2InstanceEventCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["RootAccountUsageCount-security-account"]: Refreshing state... [id=RootAccountUsageCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["EC2LargeInstanceEventCount-security-account"]: Refreshing state... [id=EC2LargeInstanceEventCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["AuthorizationFailureCount-security-account"]: Refreshing state... [id=AuthorizationFailureCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["KMSKeyPendingDeletionErrorCount-security-account"]: Refreshing state... [id=KMSKeyPendingDeletionErrorCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["RouteTableChangesCount-security-account"]: Refreshing state... [id=RouteTableChangesCount-security-account-alarm]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_public_access_block.default[0]: Refreshing state... [id=bb-security-cloudtrail-org]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_iam_policy_document.bucket_policy[0]: Reading...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_iam_policy_document.bucket_policy[0]: Read complete after 0s [id=725636890]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_iam_policy_document.aggregated_policy[0]: Reading...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_iam_policy_document.aggregated_policy[0]: Read complete after 0s [id=2663085791]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_policy.default[0]: Refreshing state... [id=bb-security-cloudtrail-org]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.time_sleep.wait_for_aws_s3_bucket_settings[0]: Refreshing state... [id=2021-11-02T20:45:02Z]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_ownership_controls.default[0]: Refreshing state... [id=bb-security-cloudtrail-org]
module.cloudtrail.aws_cloudtrail.default[0]: Refreshing state... [id=bb-security-cloudtrail-org]
module.cloudtrail_api_alarms.data.aws_iam_policy_document.sns_topic_policy: Reading...
module.cloudtrail_api_alarms.data.aws_iam_policy_document.sns_topic_policy: Read complete after 0s [id=2568754306]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

  # module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket.default[0] has changed
  # (moved from module.cloudtrail_s3_bucket.module.s3_bucket.aws_s3_bucket.default[0])
  ~ resource "aws_s3_bucket" "default" {
        id                          = "bb-security-cloudtrail-org"
      ~ policy                      = jsonencode(
          ~ {
              ~ Statement = [
                    {
                        Action    = "s3:GetBucketAcl"
                        Effect    = "Allow"
                        Principal = {
                            Service = "cloudtrail.amazonaws.com"
                        }
                        Resource  = "arn:aws:s3:::bb-security-cloudtrail-org"
                        Sid       = "AWSCloudTrailAclCheck"
                    },
                  ~ {
                      ~ Principal = {
                          ~ Service = [
                              - "config.amazonaws.com",
                                "cloudtrail.amazonaws.com",
                              + "config.amazonaws.com",
                            ]
                        }
                        # (5 unchanged elements hidden)
                    },
                  + {
                      + Action    = "s3:*"
                      + Condition = {
                          + Bool = {
                              + "aws:SecureTransport" = "false"
                            }
                        }
                      + Effect    = "Deny"
                      + Principal = "*"
                      + Resource  = [
                          + "arn:aws:s3:::bb-security-cloudtrail-org/*",
                          + "arn:aws:s3:::bb-security-cloudtrail-org",
                        ]
                      + Sid       = "ForceSSLOnlyAccess"
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
        tags                        = {
            "Name"      = "bb-security-cloudtrail-org"
            "Namespace" = "bb"
            "Stage"     = "security"
        }
        # (11 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.cloudtrail_s3_bucket.module.s3_bucket.aws_s3_bucket.default[0] has moved to module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket.default[0]
    resource "aws_s3_bucket" "default" {
        id                          = "bb-security-cloudtrail-org"
        tags                        = {
            "Name"      = "bb-security-cloudtrail-org"
            "Namespace" = "bb"
            "Stage"     = "security"
        }
        # (12 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_acl.default[0] will be created
  + resource "aws_s3_bucket_acl" "default" {
      + acl    = "private"
      + bucket = "bb-security-cloudtrail-org"
      + id     = (known after apply)

      + access_control_policy {
          + grant {
              + permission = (known after apply)

              + grantee {
                  + display_name  = (known after apply)
                  + email_address = (known after apply)
                  + id            = (known after apply)
                  + type          = (known after apply)
                  + uri           = (known after apply)
                }
            }

          + owner {
              + display_name = (known after apply)
              + id           = (known after apply)
            }
        }
    }

  # module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_lifecycle_configuration.default[0] will be created
  + resource "aws_s3_bucket_lifecycle_configuration" "default" {
      + bucket = "bb-security-cloudtrail-org"
      + id     = (known after apply)

      + rule {
          + id     = "bb-security-cloudtrail-org"
          + status = "Enabled"

          + abort_incomplete_multipart_upload {
              + days_after_initiation = 5
            }

          + expiration {
              + days                         = 120
              + expired_object_delete_marker = (known after apply)
            }

          + filter {
            }

          + noncurrent_version_expiration {
              + noncurrent_days = 90
            }

          + transition {
              + days          = 30
              + storage_class = "STANDARD_IA"
            }
        }
    }

  # module.cloudtrail_s3_bucket.module.s3_bucket.aws_s3_bucket_ownership_controls.default[0] has moved to module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_ownership_controls.default[0]
    resource "aws_s3_bucket_ownership_controls" "default" {
        id     = "bb-security-cloudtrail-org"
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }

  # module.cloudtrail_s3_bucket.module.s3_bucket.aws_s3_bucket_policy.default[0] has moved to module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_policy.default[0]
    resource "aws_s3_bucket_policy" "default" {
        id     = "bb-security-cloudtrail-org"
        # (2 unchanged attributes hidden)
    }

  # module.cloudtrail_s3_bucket.module.s3_bucket.aws_s3_bucket_public_access_block.default[0] has moved to module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_public_access_block.default[0]
    resource "aws_s3_bucket_public_access_block" "default" {
        id                      = "bb-security-cloudtrail-org"
        # (5 unchanged attributes hidden)
    }

  # module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_server_side_encryption_configuration.default[0] will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
      + bucket = "bb-security-cloudtrail-org"
      + id     = (known after apply)

      + rule {
          + bucket_key_enabled = false

          + apply_server_side_encryption_by_default {
              + sse_algorithm = "AES256"
            }
        }
    }

  # module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_versioning.default[0] will be created
  + resource "aws_s3_bucket_versioning" "default" {
      + bucket = "bb-security-cloudtrail-org"
      + id     = (known after apply)

      + versioning_configuration {
          + mfa_delete = (known after apply)
          + status     = "Enabled"
        }
    }

  # module.cloudtrail_s3_bucket.module.s3_bucket.time_sleep.wait_for_aws_s3_bucket_settings[0] has moved to module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.time_sleep.wait_for_aws_s3_bucket_settings[0]
    resource "time_sleep" "wait_for_aws_s3_bucket_settings" {
        id               = "2021-11-02T20:45:02Z"
        # (2 unchanged attributes hidden)
    }

Plan: 4 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_versioning.default[0]: Creating...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_acl.default[0]: Creating...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_server_side_encryption_configuration.default[0]: Creating...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_acl.default[0]: Creation complete after 1s [id=bb-security-cloudtrail-org,private]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_server_side_encryption_configuration.default[0]: Creation complete after 2s [id=bb-security-cloudtrail-org]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_versioning.default[0]: Creation complete after 3s [id=bb-security-cloudtrail-org]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_lifecycle_configuration.default[0]: Creating...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_lifecycle_configuration.default[0]: Still creating... [10s elapsed]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_lifecycle_configuration.default[0]: Still creating... [20s elapsed]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_lifecycle_configuration.default[0]: Still creating... [30s elapsed]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_lifecycle_configuration.default[0]: Creation complete after 34s [id=bb-security-cloudtrail-org]
Releasing state lock. This may take a few moments...

Apply complete! Resources: 4 added, 0 changed, 0 destroyed.

Outputs:

bucket_arn = "arn:aws:s3:::bb-security-cloudtrail-org"
bucket_domain_name = "bb-security-cloudtrail-org.s3.amazonaws.com"
bucket_id = "bb-security-cloudtrail-org"
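The plan above shows the bucket policy gaining a ForceSSLOnlyAccess deny statement alongside the AWSCloudTrailAclCheck grant. As an added example (not code from this repository or from the terraform-aws-cloudtrail-s3-bucket module), the following Python checks a bucket policy document for those two statements, so the same controls can be verified from the JSON that `aws s3api get-bucket-policy` returns rather than only from Terraform output; the sample policies and the helper names are constructed for illustration.

```python
import json

# Added example, not code from the binbashar repository or the upstream module.
# Normalises the IAM policy JSON shapes (scalar-or-list, string-or-bool) that
# make naive equality checks on bucket policies unreliable.


def _as_list(value):
    """IAM allows a scalar or a list for Action, Resource and Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_services(principal):
    """Principals of a statement; "*" and {"AWS": "*"} both become ["*"]."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        if principal.get("AWS") == "*":
            return ["*"]
        return _as_list(principal.get("Service"))
    return []


def _secure_transport_false(condition):
    """True if the Condition requires aws:SecureTransport == false (string or bool)."""
    value = (condition or {}).get("Bool", {}).get("aws:SecureTransport")
    return value is not None and str(value).lower() == "false"


def has_ssl_only_deny(policy, bucket_arn):
    """Explicit Deny of s3:* to every principal over plaintext, on bucket and objects."""
    wanted = {bucket_arn, bucket_arn + "/*"}
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Deny":
            continue
        if "*" not in _principal_services(st.get("Principal")):
            continue
        if "s3:*" not in _as_list(st.get("Action")):
            continue
        if not _secure_transport_false(st.get("Condition")):
            continue
        # Both ARNs are required: bucket-level and object-level calls differ.
        if wanted <= set(_as_list(st.get("Resource"))):
            return True
    return False


def has_cloudtrail_acl_check(policy, bucket_arn):
    """CloudTrail needs s3:GetBucketAcl on the bucket ARN itself (not bucket/*)."""
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        if "cloudtrail.amazonaws.com" not in _principal_services(st.get("Principal")):
            continue
        if "s3:GetBucketAcl" not in _as_list(st.get("Action")):
            continue
        if bucket_arn in _as_list(st.get("Resource")):
            return True
    return False


def policy_findings(policy_json, bucket_name):
    """Parse a bucket policy JSON string and list the controls it is missing."""
    policy = json.loads(policy_json)
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    findings = []
    if not has_cloudtrail_acl_check(policy, bucket_arn):
        findings.append("missing CloudTrail s3:GetBucketAcl grant")
    if not has_ssl_only_deny(policy, bucket_arn):
        findings.append("missing ForceSSLOnlyAccess deny (aws:SecureTransport)")
    return findings


# Constructed sample built from the two statements the plan output shows in
# full; the real bucket policy has further statements that the plan hides.
BUCKET = "bb-security-cloudtrail-org"
ACL_CHECK = {
    "Sid": "AWSCloudTrailAclCheck",
    "Effect": "Allow",
    "Principal": {"Service": "cloudtrail.amazonaws.com"},
    "Action": "s3:GetBucketAcl",
    "Resource": f"arn:aws:s3:::{BUCKET}",
}
SSL_ONLY = {
    "Sid": "ForceSSLOnlyAccess",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
}
POLICY_BEFORE = json.dumps({"Version": "2012-10-17", "Statement": [ACL_CHECK]})
POLICY_AFTER = json.dumps({"Version": "2012-10-17", "Statement": [ACL_CHECK, SSL_ONLY]})

if __name__ == "__main__":
    print("before module update:", policy_findings(POLICY_BEFORE, BUCKET))
    print("after module update: ", policy_findings(POLICY_AFTER, BUCKET))
```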

rodriguez-matias commented 1 month ago

TF plan after apply

../security/us-east-1/security-audit
╰─❯ leverage tf plan

[10:41:29.543] INFO     Attempting to get temporary credentials for security account.
[10:41:29.547] INFO     Using already configured temporary credentials.
Acquiring state lock. This may take a few moments...
data.terraform_remote_state.keys: Reading...
data.terraform_remote_state.notifications: Reading...
data.terraform_remote_state.keys: Read complete after 2s
data.terraform_remote_state.notifications: Read complete after 3s
module.cloudtrail_api_alarms.data.aws_caller_identity.current: Reading...
module.cloudtrail_api_alarms.data.aws_caller_identity.default: Reading...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_canonical_user_id.default[0]: Reading...
module.cloudtrail_s3_bucket.module.s3_bucket.data.aws_caller_identity.current[0]: Reading...
module.cloudtrail_s3_bucket.data.aws_partition.current: Reading...
module.cloudtrail_s3_bucket.data.aws_partition.current: Read complete after 0s [id=aws]
data.aws_caller_identity.current: Reading...
module.cloudtrail_s3_bucket.module.s3_bucket.data.aws_partition.current[0]: Reading...
aws_cloudwatch_log_group.cloudtrail: Refreshing state... [id=bb-security-cloudtrail]
module.cloudtrail_s3_bucket.module.s3_bucket.data.aws_partition.current[0]: Read complete after 0s [id=aws]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_partition.current[0]: Reading...
module.cloudtrail_api_alarms.data.aws_region.current: Reading...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_partition.current[0]: Read complete after 0s [id=aws]
data.aws_region.current: Reading...
data.aws_iam_policy_document.assume_policy: Reading...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket.default[0]: Refreshing state... [id=bb-security-cloudtrail-org]
data.aws_region.current: Read complete after 0s [id=us-east-1]
module.cloudtrail_api_alarms.data.aws_region.current: Read complete after 0s [id=us-east-1]
module.cloudtrail_s3_bucket.data.aws_iam_policy_document.default[0]: Reading...
module.cloudtrail_api_alarms.aws_cloudwatch_dashboard.combined[0]: Refreshing state... [id=cis-benchmark-statistics-combined]
data.aws_iam_policy_document.assume_policy: Read complete after 0s [id=3361274866]
module.cloudtrail_s3_bucket.data.aws_iam_policy_document.default[0]: Read complete after 0s [id=854294704]
module.cloudtrail_api_alarms.aws_cloudwatch_dashboard.individual[0]: Refreshing state... [id=cis-benchmark-statistics-individual]
aws_iam_role.cloudtrail_cloudwatch_events: Refreshing state... [id=CloudtrailCloudwatchEvents]
module.cloudtrail_s3_bucket.module.s3_bucket.data.aws_caller_identity.current[0]: Read complete after 1s [id=900980591242]
module.cloudtrail_api_alarms.data.aws_caller_identity.current: Read complete after 1s [id=900980591242]
data.aws_caller_identity.current: Read complete after 1s [id=900980591242]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_canonical_user_id.default[0]: Read complete after 1s [id=dec403a9fd9b9964897cc9b0b57c868533fcd0df80c5e8dc9d53db63842d9d36]
data.aws_iam_policy_document.cloudtrail_role_policy: Reading...
data.aws_iam_policy_document.cloudtrail_role_policy: Read complete after 0s [id=601136484]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["CloudTrailEventCount-security-account"]: Refreshing state... [id=CloudTrailEventCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["ConsoleSignInFailureCount-security-account"]: Refreshing state... [id=ConsoleSignInFailureCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["SecurityGroupEventCount-security-account"]: Refreshing state... [id=SecurityGroupEventCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["S3BucketActivityEventCount-security-account"]: Refreshing state... [id=S3BucketActivityEventCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["AWSConfigChangeCount-security-account"]: Refreshing state... [id=AWSConfigChangeCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["ConsoleSignInWithoutMfaCount-security-account"]: Refreshing state... [id=ConsoleSignInWithoutMfaCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["EC2LargeInstanceEventCount-security-account"]: Refreshing state... [id=EC2LargeInstanceEventCount]
module.cloudtrail_api_alarms.data.aws_caller_identity.default: Read complete after 2s [id=900980591242]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["EC2InstanceEventCount-security-account"]: Refreshing state... [id=EC2InstanceEventCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["RouteTableChangesCount-security-account"]: Refreshing state... [id=RouteTableChangesCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["VpcEventCount-security-account"]: Refreshing state... [id=VpcEventCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["NetworkAclEventCount-security-account"]: Refreshing state... [id=NetworkAclEventCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["AuthorizationFailureCount-security-account"]: Refreshing state... [id=AuthorizationFailureCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["GatewayEventCount-security-account"]: Refreshing state... [id=GatewayEventCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["KMSKeyPendingDeletionErrorCount-security-account"]: Refreshing state... [id=KMSKeyPendingDeletionErrorCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["RootAccountUsageCount-security-account"]: Refreshing state... [id=RootAccountUsageCount]
module.cloudtrail_api_alarms.aws_cloudwatch_log_metric_filter.default["IAMPolicyEventCount-security-account"]: Refreshing state... [id=IAMPolicyEventCount]
module.cloudtrail_api_alarms.aws_sns_topic.default[0]: Refreshing state... [id=arn:aws:sns:us-east-1:900980591242:cloudtrail-breach]
aws_iam_role_policy.cloudtrail_cloudwatch_events_policy: Refreshing state... [id=CloudtrailCloudwatchEvents:CloudtrailCloudwatchEvents]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["KMSKeyPendingDeletionErrorCount-security-account"]: Refreshing state... [id=KMSKeyPendingDeletionErrorCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["CloudTrailEventCount-security-account"]: Refreshing state... [id=CloudTrailEventCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["RootAccountUsageCount-security-account"]: Refreshing state... [id=RootAccountUsageCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["NetworkAclEventCount-security-account"]: Refreshing state... [id=NetworkAclEventCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["SecurityGroupEventCount-security-account"]: Refreshing state... [id=SecurityGroupEventCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["ConsoleSignInWithoutMfaCount-security-account"]: Refreshing state... [id=ConsoleSignInWithoutMfaCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["GatewayEventCount-security-account"]: Refreshing state... [id=GatewayEventCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["ConsoleSignInFailureCount-security-account"]: Refreshing state... [id=ConsoleSignInFailureCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["RouteTableChangesCount-security-account"]: Refreshing state... [id=RouteTableChangesCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["VpcEventCount-security-account"]: Refreshing state... [id=VpcEventCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["EC2LargeInstanceEventCount-security-account"]: Refreshing state... [id=EC2LargeInstanceEventCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["EC2InstanceEventCount-security-account"]: Refreshing state... [id=EC2InstanceEventCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["AuthorizationFailureCount-security-account"]: Refreshing state... [id=AuthorizationFailureCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["IAMPolicyEventCount-security-account"]: Refreshing state... [id=IAMPolicyEventCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["S3BucketActivityEventCount-security-account"]: Refreshing state... [id=S3BucketActivityEventCount-security-account-alarm]
module.cloudtrail_api_alarms.aws_cloudwatch_metric_alarm.default["AWSConfigChangeCount-security-account"]: Refreshing state... [id=AWSConfigChangeCount-security-account-alarm]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_versioning.default[0]: Refreshing state... [id=bb-security-cloudtrail-org]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_server_side_encryption_configuration.default[0]: Refreshing state... [id=bb-security-cloudtrail-org]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_public_access_block.default[0]: Refreshing state... [id=bb-security-cloudtrail-org]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_iam_policy_document.bucket_policy[0]: Reading...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_iam_policy_document.bucket_policy[0]: Read complete after 0s [id=725636890]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_iam_policy_document.aggregated_policy[0]: Reading...
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.data.aws_iam_policy_document.aggregated_policy[0]: Read complete after 0s [id=2663085791]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_policy.default[0]: Refreshing state... [id=bb-security-cloudtrail-org]
module.cloudtrail_api_alarms.data.aws_iam_policy_document.sns_topic_policy: Reading...
module.cloudtrail_api_alarms.data.aws_iam_policy_document.sns_topic_policy: Read complete after 0s [id=2568754306]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.time_sleep.wait_for_aws_s3_bucket_settings[0]: Refreshing state... [id=2021-11-02T20:45:02Z]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_ownership_controls.default[0]: Refreshing state... [id=bb-security-cloudtrail-org]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_acl.default[0]: Refreshing state... [id=bb-security-cloudtrail-org,private]
module.cloudtrail_s3_bucket.module.s3_bucket.module.aws_s3_bucket.aws_s3_bucket_lifecycle_configuration.default[0]: Refreshing state... [id=bb-security-cloudtrail-org]
module.cloudtrail.aws_cloudtrail.default[0]: Refreshing state... [id=bb-security-cloudtrail-org]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
Releasing state lock. This may take a few moments...