feat: Log Subscription Filter

examples/log-subscription-filter/main.tf

@@ -0,0 +1,170 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+data "aws_region" "current" {}
+
+data "aws_caller_identity" "current" {}
+
+module "log_group" {
+  source = "../../modules/log-group"
+
+  name_prefix       = "my-log-group-"
+  retention_in_days = 7
+}
+
+module "log_subscription_filter" {
+  source = "../../modules/log-subscription-filter"
+
+  name            = "my-filter"
+  destination_arn = aws_kinesis_firehose_delivery_stream.logs.arn
+  filter_pattern  = "%test%"
+  log_group_name  = module.log_group.cloudwatch_log_group_name
+  role_arn        = module.cw_logs_to_firehose.iam_role_arn
+}
+
+################################################################################
+# Disabled
+################################################################################
+
+module "disabled" {
+  source = "../../modules/log-subscription-filter"
+
+  create = false
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+resource "random_pet" "this" {
+  length = 2
+}
+
+module "logs_bucket" {
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = "~> 4.0"
+
+  bucket_prefix = "${random_pet.this.id}-logs"
+
+  force_destroy = true
+}
+
+resource "aws_kinesis_firehose_delivery_stream" "logs" {
+  name        = "${random_pet.this.id}-logs"
+  destination = "extended_s3"
+
+  extended_s3_configuration {
+    role_arn   = module.firehose_to_s3.iam_role_arn
+    bucket_arn = module.logs_bucket.s3_bucket_arn
+    prefix     = "from-firehose-logs/"
+  }
+}
+
+module "firehose_to_s3" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = "~> 5.0"
+
+  trusted_role_services = [
+    "firehose.amazonaws.com"
+  ]
+
+  create_role = true
+
+  role_name_prefix  = "${random_pet.this.id}-firehose-to-s3-"
+  role_requires_mfa = false
+
+  custom_role_policy_arns = [
+    module.firehose_to_s3_policy.arn
+  ]
+}
+
+module "firehose_to_s3_policy" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = "~> 5.0"
+
+  name        = "${random_pet.this.id}-firehose-to-s3"
+  path        = "/"
+  description = "Pipes logging firehose to s3 policy"
+
+  policy = data.aws_iam_policy_document.firehose_to_s3.json
+}
+
+data "aws_iam_policy_document" "firehose_to_s3" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "s3:AbortMultipartUpload",
+      "s3:GetBucketLocation",
+      "s3:GetObject",
+      "s3:ListBucket",
+      "s3:ListBucketMultipartUploads",
+      "s3:PutObject",
+    ]
+
+    resources = [
+      module.logs_bucket.s3_bucket_arn,
+      "${module.logs_bucket.s3_bucket_arn}/*",
+    ]
+  }
+}
+
+module "cw_logs_to_firehose" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = "~> 5.0"
+
+  create_role = true
+
+  role_name_prefix                = "${random_pet.this.id}-cw-logs-to-firehose-"
+  role_requires_mfa               = false
+  create_custom_role_trust_policy = true
+  custom_role_trust_policy        = data.aws_iam_policy_document.custom_trust_policy.json
+
+  custom_role_policy_arns = [
+    module.cw_logs_to_firehose_policy.arn
+  ]
+}
+
+data "aws_iam_policy_document" "custom_trust_policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:SourceArn"
+      values   = ["arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*"]
+    }
+
+    principals {
+      identifiers = ["logs.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+module "cw_logs_to_firehose_policy" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = "~> 5.0"
+
+  name        = "${random_pet.this.id}-cw-logs-to-firehose"
+  path        = "/"
+  description = "Cloudwatch logs to firehose policy"
+
+  policy = data.aws_iam_policy_document.cw_logs_to_firehose.json
+}
+
+data "aws_iam_policy_document" "cw_logs_to_firehose" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "firehose:PutRecord",
+    ]
+
+    resources = [
+      aws_kinesis_firehose_delivery_stream.logs.arn,
+    ]
+  }
+}

examples/log-subscription-filter/outputs.tf

@@ -0,0 +1,14 @@
+output "cloudwatch_log_group_name" {
+  description = "Name of Cloudwatch log group"
+  value       = module.log_group.cloudwatch_log_group_name
+}
+
+output "cloudwatch_log_group_arn" {
+  description = "ARN of Cloudwatch log group"
+  value       = module.log_group.cloudwatch_log_group_arn
+}
+
+output "cloudwatch_log_subscription_filter_name" {
+  description = "Log subscription filter name"
+  value       = module.log_subscription_filter.cloudwatch_log_subscription_filter_name
+}

examples/log-subscription-filter/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.5"
+    }
+  }
+}

modules/log-subscription-filter/README.md

@@ -0,0 +1,44 @@
+# log-stream
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_subscription_filter.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_subscription_filter) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_create"></a> [create](#input\_create) | Whether to create the Cloudwatch log stream | `bool` | `true` | no |
+| <a name="input_destination_arn"></a> [destination\_arn](#input\_destination\_arn) | The ARN of the destination to deliver matching log events to. Kinesis stream or Lambda function ARN | `string` | `null` | no |
+| <a name="input_distribution"></a> [distribution](#input\_distribution) | The method used to distribute log data to the destination. By default log data is grouped by log stream, but the grouping can be set to random for a more even distribution | `string` | `null` | no |
+| <a name="input_filter_pattern"></a> [filter\_pattern](#input\_filter\_pattern) | A valid CloudWatch Logs filter pattern for subscribing to a filtered stream of log events. Use empty string to match everything | `string` | `""` | no |
+| <a name="input_log_group_name"></a> [log\_group\_name](#input\_log\_group\_name) | The name of the log group to associate the subscription filter with | `string` | `null` | no |
+| <a name="input_name"></a> [name](#input\_name) | A name for the log stream | `string` | `null` | no |
+| <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn) | The ARN of an IAM role that grants Amazon CloudWatch Logs permissions to deliver ingested log events to the destination | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_cloudwatch_log_subscription_filter_name"></a> [cloudwatch\_log\_subscription\_filter\_name](#output\_cloudwatch\_log\_subscription\_filter\_name) | Log subscription filter name |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/log-subscription-filter/main.tf

@@ -0,0 +1,10 @@
+resource "aws_cloudwatch_log_subscription_filter" "this" {
+  count = var.create ? 1 : 0
+
+  name            = var.name
+  destination_arn = var.destination_arn
+  filter_pattern  = var.filter_pattern
+  log_group_name  = var.log_group_name
+  role_arn        = var.role_arn
+  distribution    = var.distribution
+}

modules/log-subscription-filter/outputs.tf

@@ -0,0 +1,4 @@
+output "cloudwatch_log_subscription_filter_name" {
+  description = "Log subscription filter name"
+  value       = try(var.name, null)
+}

modules/log-subscription-filter/variables.tf

@@ -0,0 +1,41 @@
+variable "create" {
+  description = "Whether to create the Cloudwatch log stream"
+  type        = bool
+  default     = true
+}
+
+variable "name" {
+  description = "A name for the log stream"
+  type        = string
+  default     = null
+}
+
+variable "destination_arn" {
+  description = "The ARN of the destination to deliver matching log events to. Kinesis stream or Lambda function ARN"
+  type        = string
+  default     = null
+}
+
+variable "filter_pattern" {
+  description = "A valid CloudWatch Logs filter pattern for subscribing to a filtered stream of log events. Use empty string to match everything"
+  type        = string
+  default     = ""
+}
+
+variable "log_group_name" {
+  description = "The name of the log group to associate the subscription filter with"
+  type        = string
+  default     = null
+}
+
+variable "role_arn" {
+  description = "The ARN of an IAM role that grants Amazon CloudWatch Logs permissions to deliver ingested log events to the destination"
+  type        = string
+  default     = null
+}
+
+variable "distribution" {
+  description = "The method used to distribute log data to the destination. By default log data is grouped by log stream, but the grouping can be set to random for a more even distribution"
+  type        = string
+  default     = null
+}

modules/log-subscription-filter/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+  }
+}