---
AWSTemplateFormatVersion: '2010-09-09'
Description: A template that creates an audit log and associated logs and buckets

Parameters:
  KeyAccessTrailName:
    Type: String
    Description: The name of the CloudWatch Trail that stores the audit logs
    Default: key-access-trail
  KeyAccessAuditLogGroupName:
    Type: String
    Description: The name of the log group to push audit logs to
    Default: key-access-logs
  LogGroupRetentionPeriodInDays:
    Type: Number
    Description: The number of days to retain cloudwatch logs
    Default: 180
    AllowedValues:
      - 1
      - 3
      - 5
      - 7
      - 14
      - 30
      - 60
      - 90
      - 120
      - 150
      - 180
      - 365
      - 400
      - 545
      - 731
      - 1827
      - 3653

Resources:
  KeyAccessAuditLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Ref KeyAccessAuditLogGroupName
      RetentionInDays: !Ref LogGroupRetentionPeriodInDays

  AuditLogsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub 'audit-logs-bucket-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled

  AuditLogsBucketPolicy:
    DependsOn: AuditLogsBucket
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Sub 'audit-logs-bucket-${AWS::AccountId}'
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: AWSCloudTrailAclCheck20150319
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !Sub 'arn:aws:s3:::audit-logs-bucket-${AWS::AccountId}'
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub 'arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/${KeyAccessTrailName}'
          - Sid: AWSCloudTrailWrite20150319
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub 'arn:aws:s3:::audit-logs-bucket-${AWS::AccountId}/AWSLogs/${AWS::AccountId}/*'
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
                AWS:SourceArn: !Sub 'arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/${KeyAccessTrailName}'

  KeyAccessCloudTrailCloudWatchLogsRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'key-access-cloudtrail-service-role-${AWS::Region}'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          Effect: Allow
          Principal:
            Service: cloudtrail.amazonaws.com
          Action: sts:AssumeRole
      Policies:
        - PolicyName: cloudtail-audit-log-base-policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: CloudTrailLogStreamAccess
                Effect: Allow
                Action:
                  - logs:CreateLogStream
                Resource:
                  - !GetAtt KeyAccessAuditLogGroup.Arn
                  - !Sub '${KeyAccessAuditLogGroup.Arn}:*'
              - Sid: CloudTrailLogStreamEventAccess
                Effect: Allow
                Action:
                  - logs:PutLogEvents
                Resource:
                  - !GetAtt KeyAccessAuditLogGroup.Arn
                  - !Sub '${KeyAccessAuditLogGroup.Arn}:*'

  KeyAccessCloudTrailAuditLog:
    DependsOn:
      - AuditLogsBucketPolicy
      - AuditLogsBucket
    Type: AWS::CloudTrail::Trail
    Properties:
      CloudWatchLogsLogGroupArn: !GetAtt KeyAccessAuditLogGroup.Arn
      CloudWatchLogsRoleArn: !GetAtt KeyAccessCloudTrailCloudWatchLogsRole.Arn
      EnableLogFileValidation: true
      IncludeGlobalServiceEvents: true
      IsLogging: true
      IsMultiRegionTrail: true
      TrailName: !Ref KeyAccessTrailName
      S3BucketName: !Sub 'audit-logs-bucket-${AWS::AccountId}'