feat: Support aws_cloudwatch_log_account_policy (#71)

Co-authored-by: Anton Babenko <[email protected]>

README.md

@@ -207,6 +207,23 @@ module "composite_alarm" {
 }
 ```
 
+### Log Account Policy
+
+```hcl
+module "log_account_policy" {
+  source  = "terraform-aws-modules/cloudwatch/aws//modules/log-account-policy"
+  version = "~> 4.0"
+
+  log_account_policy_name           = "account-data-protection"
+  log_account_policy_type           = "DATA_PROTECTION_POLICY"
+  create_log_data_protection_policy = true
+  log_data_protection_policy_name   = "redact-addresses"
+
+  data_identifiers                          = ["arn:aws:dataprotection::aws:data-identifier/Address"]
+  findings_destination_cloudwatch_log_group = "my-cloudwatch-audit-log-group"
+}
+```
+
 ## Examples
 
 - [Complete Cloudwatch log metric filter and alarm](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/complete-log-metric-filter-and-alarm)
@@ -217,6 +234,7 @@ module "composite_alarm" {
 - [Cloudwatch query definition](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/query-definition)
 - [Cloudwatch Metric Stream](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/metric-stream)
 - [Cloudwatch Composite Alarm](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/composite-alarm)
+- [Cloudwatch Log Account Policy](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/log-account-policy)
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/cis-alarms/README.md

@@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.58 |
 
 ## Providers
 

examples/cis-alarms/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 5.58"
     }
   }
 }

examples/complete-log-metric-filter-and-alarm/README.md

@@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.30 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.58 |
 
 ## Providers
 

examples/complete-log-metric-filter-and-alarm/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.30"
+      version = ">= 5.58"
     }
   }
 }

examples/composite-alarm/README.md

@@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.12 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.58 |
 
 ## Providers
 

examples/composite-alarm/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.12"
+      version = ">= 5.58"
     }
   }
 }

examples/fixtures/aws_cloudwatch_log_group/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 5.58"
     }
 
     random = {

examples/fixtures/aws_kms_key/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 5.58"
     }
 
     random = {

examples/fixtures/aws_lambda_function/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 5.58"
     }
 
     random = {

examples/fixtures/aws_sns_topic/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 5.58"
     }
 
     random = {

examples/lambda-metric-alarm/README.md

@@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.58 |
 
 ## Providers
 

examples/lambda-metric-alarm/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 5.58"
     }
   }
 }

examples/log-account-policy/README.md

@@ -0,0 +1,56 @@
+# Complete Cloudwatch log account policy
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.58 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.5 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.58 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.5 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_audit_destination_group"></a> [audit\_destination\_group](#module\_audit\_destination\_group) | ../../modules/log-group | n/a |
+| <a name="module_cw_logs_to_firehose"></a> [cw\_logs\_to\_firehose](#module\_cw\_logs\_to\_firehose) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~> 5.0 |
+| <a name="module_cw_logs_to_firehose_policy"></a> [cw\_logs\_to\_firehose\_policy](#module\_cw\_logs\_to\_firehose\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | ~> 5.0 |
+| <a name="module_excluded_log_group"></a> [excluded\_log\_group](#module\_excluded\_log\_group) | ../../modules/log-group | n/a |
+| <a name="module_firehose_to_s3"></a> [firehose\_to\_s3](#module\_firehose\_to\_s3) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~> 5.0 |
+| <a name="module_firehose_to_s3_policy"></a> [firehose\_to\_s3\_policy](#module\_firehose\_to\_s3\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | ~> 5.0 |
+| <a name="module_log_account_data_retention_policy"></a> [log\_account\_data\_retention\_policy](#module\_log\_account\_data\_retention\_policy) | ../../modules/log-account-policy | n/a |
+| <a name="module_log_account_subscription_filter_policy"></a> [log\_account\_subscription\_filter\_policy](#module\_log\_account\_subscription\_filter\_policy) | ../../modules/log-account-policy | n/a |
+| <a name="module_log_group"></a> [log\_group](#module\_log\_group) | ../../modules/log-group | n/a |
+| <a name="module_logs_bucket"></a> [logs\_bucket](#module\_logs\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 4.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kinesis_firehose_delivery_stream.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
+| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.custom_trust_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cw_logs_to_firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.firehose_to_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_log_account_data_retention_policy_name"></a> [log\_account\_data\_retention\_policy\_name](#output\_log\_account\_data\_retention\_policy\_name) | Name of Cloudwatch log account policy |
+| <a name="output_log_account_subscription_filter_retention_policy_name"></a> [log\_account\_subscription\_filter\_retention\_policy\_name](#output\_log\_account\_subscription\_filter\_retention\_policy\_name) | Name of Cloudwatch log account policy |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/log-account-policy/main.tf

@@ -0,0 +1,202 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+data "aws_region" "current" {}
+
+data "aws_caller_identity" "current" {}
+
+module "log_group" {
+  source = "../../modules/log-group"
+
+  name_prefix       = "my-log-group-"
+  retention_in_days = 7
+}
+
+module "excluded_log_group" {
+  source = "../../modules/log-group"
+
+  name_prefix       = "my-excluded-log-group-"
+  retention_in_days = 7
+}
+
+module "audit_destination_group" {
+  source = "../../modules/log-group"
+
+  name_prefix       = "audit-destination-log-group-"
+  retention_in_days = 7
+}
+
+module "log_account_data_retention_policy" {
+  source = "../../modules/log-account-policy"
+
+  log_account_policy_name = "account-data-protection"
+  log_account_policy_type = "DATA_PROTECTION_POLICY"
+
+  # custom data identifier not yet supported by the data source for aws_cloudwatch_log_data_protection_policy within the module
+  # specify your own json policy document if this is needed using policy_document argument
+  create_log_data_protection_policy = true
+  log_data_protection_policy_name   = "redact-addresses"
+
+  data_identifiers                          = ["arn:aws:dataprotection::aws:data-identifier/Address"]
+  findings_destination_cloudwatch_log_group = module.audit_destination_group.cloudwatch_log_group_name
+}
+
+# This example requires two terraform applies and will error on the first run due to firehose stream not in ACTIVE state even with depends_on set
+# Related: https://github.com/hashicorp/terraform-provider-aws/issues/17049
+module "log_account_subscription_filter_policy" {
+  source = "../../modules/log-account-policy"
+
+  log_account_policy_name = "account-subscription-filter"
+  log_account_policy_type = "SUBSCRIPTION_FILTER_POLICY"
+  policy_document = jsonencode(
+    {
+      DestinationArn = aws_kinesis_firehose_delivery_stream.logs.arn
+      FilterPattern  = "%test%"
+      RoleArn        = module.cw_logs_to_firehose.iam_role_arn
+    }
+  )
+  log_account_policy_selection_criteria = "LogGroupName NOT IN [\"${module.excluded_log_group.cloudwatch_log_group_name}\"]"
+
+  depends_on = [
+    aws_kinesis_firehose_delivery_stream.logs,
+    module.cw_logs_to_firehose,
+    module.cw_logs_to_firehose_policy
+  ]
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+resource "random_pet" "this" {
+  length = 2
+}
+
+module "logs_bucket" {
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = "~> 4.0"
+
+  bucket_prefix = "${random_pet.this.id}-logs"
+
+  force_destroy = true
+}
+
+resource "aws_kinesis_firehose_delivery_stream" "logs" {
+  name        = "${random_pet.this.id}-logs"
+  destination = "extended_s3"
+
+  extended_s3_configuration {
+    role_arn   = module.firehose_to_s3.iam_role_arn
+    bucket_arn = module.logs_bucket.s3_bucket_arn
+    prefix     = "from-firehose-logs/"
+  }
+}
+
+module "firehose_to_s3" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = "~> 5.0"
+
+  trusted_role_services = [
+    "firehose.amazonaws.com"
+  ]
+
+  create_role = true
+
+  role_name_prefix  = "${random_pet.this.id}-firehose-to-s3-"
+  role_requires_mfa = false
+
+  custom_role_policy_arns = [
+    module.firehose_to_s3_policy.arn
+  ]
+}
+
+module "firehose_to_s3_policy" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = "~> 5.0"
+
+  name        = "${random_pet.this.id}-firehose-to-s3"
+  path        = "/"
+  description = "Pipes logging firehose to s3 policy"
+
+  policy = data.aws_iam_policy_document.firehose_to_s3.json
+}
+
+data "aws_iam_policy_document" "firehose_to_s3" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "s3:AbortMultipartUpload",
+      "s3:GetBucketLocation",
+      "s3:GetObject",
+      "s3:ListBucket",
+      "s3:ListBucketMultipartUploads",
+      "s3:PutObject",
+    ]
+
+    resources = [
+      module.logs_bucket.s3_bucket_arn,
+      "${module.logs_bucket.s3_bucket_arn}/*",
+    ]
+  }
+}
+
+module "cw_logs_to_firehose" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = "~> 5.0"
+
+  create_role = true
+
+  role_name_prefix                = "${random_pet.this.id}-cw-logs-to-firehose-"
+  role_requires_mfa               = false
+  create_custom_role_trust_policy = true
+  custom_role_trust_policy        = data.aws_iam_policy_document.custom_trust_policy.json
+
+  custom_role_policy_arns = [
+    module.cw_logs_to_firehose_policy.arn
+  ]
+}
+
+data "aws_iam_policy_document" "custom_trust_policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:SourceArn"
+      values   = ["arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*"]
+    }
+
+    principals {
+      identifiers = ["logs.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+module "cw_logs_to_firehose_policy" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = "~> 5.0"
+
+  name        = "${random_pet.this.id}-cw-logs-to-firehose"
+  path        = "/"
+  description = "Cloudwatch logs to firehose policy"
+
+  policy = data.aws_iam_policy_document.cw_logs_to_firehose.json
+}
+
+data "aws_iam_policy_document" "cw_logs_to_firehose" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "firehose:PutRecord",
+    ]
+
+    resources = [
+      aws_kinesis_firehose_delivery_stream.logs.arn,
+    ]
+  }
+}