added variable and resourses for logging

storage/s3/main.tf

@@ -1,3 +1,90 @@
+resource "aws_cloudwatch_log_group" "s3_cloudtrail_logs" {
+  count = var.s3_cloudwatch_logging_enabled ? 1 : 0
+  name  = "s3-cloudtrail-logs-${var.s3_bucket_name}"
+}
+
+data "aws_iam_policy_document" "cloudtrail-assume-role-policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+  }
+}
+
+
+
+resource "aws_s3_bucket" "s3_cloudtrail_logs" {
+
+  count  = var.s3_cloudwatch_logging_enabled ? 1 : 0
+  bucket = "s3-cloudtrail-logs-${var.s3_bucket_name}"
+  tags   = var.tags
+
+  policy = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AWSCloudTrailAclCheck",
+            "Effect": "Allow",
+            "Principal": {
+              "Service": "cloudtrail.amazonaws.com"
+            },
+            "Action": "s3:GetBucketAcl",
+            "Resource": "arn:aws:s3:::s3-cloudtrail-logs-${var.s3_bucket_name}"
+        },
+        {
+            "Sid": "AWSCloudTrailWrite",
+            "Effect": "Allow",
+            "Principal": {
+              "Service": "cloudtrail.amazonaws.com"
+            },
+            "Action": "s3:PutObject",
+            "Resource": "arn:aws:s3:::s3-cloudtrail-logs-${var.s3_bucket_name}/*",
+            "Condition": {
+                "StringEquals": {
+                    "s3:x-amz-acl": "bucket-owner-full-control"
+                }
+            }
+        }
+    ]
+}
+POLICY
+}
+
+
+resource "aws_iam_role" "cloudtrail_to_cloudwatch" {
+  count = var.s3_cloudwatch_logging_enabled ? 1 : 0
+  name  = "CloudWatchWriteForCloudTrail"
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  assume_role_policy = data.aws_iam_policy_document.cloudtrail-assume-role-policy.json
+  inline_policy {
+    name = "cloudwatch_write_permissions"
+
+    policy = jsonencode({
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Action = [
+            "cloudwatch:PutMetricData",
+            "logs:PutLogEvents",
+            "logs:DescribeLogStreams",
+            "logs:DescribeLogGroups",
+            "logs:CreateLogStream",
+            "logs:CreateLogGroup"
+          ]
+          Effect   = "Allow"
+          Resource = "*"
+        },
+      ]
+    })
+  }
+}
+
 resource "aws_s3_bucket" "kubeflow" {
 
   bucket = var.s3_bucket_name
@@ -16,6 +103,28 @@ resource "aws_s3_bucket" "kubeflow" {
   }
 }
 
+resource "aws_cloudtrail" "s3" {
+  count                         = var.s3_cloudwatch_logging_enabled ? 1 : 0
+  name                          = "s3-bucket-trail"
+  s3_bucket_name                = aws_s3_bucket.s3_cloudtrail_logs[0].id
+  s3_key_prefix                 = "trail"
+  include_global_service_events = false
+
+
+  event_selector {
+    read_write_type           = "All"
+    include_management_events = false
+
+    data_resource {
+      type   = "AWS::S3::Object"
+      values = ["${aws_s3_bucket.kubeflow.arn}/"]
+    }
+  }
+
+  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.s3_cloudtrail_logs[0].arn}:*" # CloudTrail requires the Log Stream wildcard
+  cloud_watch_logs_role_arn  = aws_iam_role.cloudtrail_to_cloudwatch[0].arn
+}
+
 
 // create read-write user for S3 bucket
 resource "aws_iam_user" "s3_user" {

storage/s3/variables.tf

@@ -24,3 +24,10 @@ variable "trusted_role_arns" {
   description = "ARNs of roles that are allowed to assume the role for read/write access to the S3 bucket"
   default     = []
 }
+
+
+variable "s3_cloudwatch_logging_enabled" {
+  type        = bool
+  default     = false
+  description = "By making it true, logs will be stored to cloudwatch with help of cloudtrail"
+}