feat: Support aws_cloudwatch_log_account_policy #71

Merged
17 changes: 17 additions & 0 deletions README.md
Expand Up @@ -207,6 +207,22 @@ module "composite_alarm" {
}
```

### Log Account Policy

```hcl
module "log_account_policy" {
source = "../../modules/log-account-policy"

log_account_policy_name = "account-data-protection"
log_account_policy_type = "DATA_PROTECTION_POLICY"
create_log_data_protection_policy = true
log_data_protection_policy_name = "redact-addresses"

data_identifiers = ["arn:aws:dataprotection::aws:data-identifier/Address"]
findings_destination_cloudwatch_log_group = "my-cloudwatch-audit-log-group"
}
```

## Examples

- [Complete Cloudwatch log metric filter and alarm](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/complete-log-metric-filter-and-alarm)
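Review bot: the new "Log Account Policy" section hands `findings_destination_cloudwatch_log_group` a literal name (`"my-cloudwatch-audit-log-group"`) without saying that this group has to exist before the policy is applied, and it drops the caveat that the example's main.tf carries (custom data identifiers are not supported by the module's generated policy, so `policy_document` has to be used for those); both belong in the README next to the snippet, since this is the text most users will copy. Consider also showing the `SUBSCRIPTION_FILTER_POLICY` form with `policy_document` and `log_account_policy_selection_criteria`, because the snippet as written only documents the `DATA_PROTECTION_POLICY` path.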
Expand All @@ -217,6 +233,7 @@ module "composite_alarm" {
- [Cloudwatch query definition](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/query-definition)
- [Cloudwatch Metric Stream](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/metric-stream)
- [Cloudwatch Composite Alarm](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/composite-alarm)
- [Cloudwatch Log Account Policy](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/log-account-policy)

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
2 changes: 1 addition & 1 deletion examples/cis-alarms/README.md
Expand Up @@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.58 |

## Providers

2 changes: 1 addition & 1 deletion examples/cis-alarms/versions.tf
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.0"
version = ">= 5.58"
}
}
}
2 changes: 1 addition & 1 deletion examples/complete-log-metric-filter-and-alarm/README.md
Expand Up @@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.30 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.58 |

## Providers

2 changes: 1 addition & 1 deletion examples/complete-log-metric-filter-and-alarm/versions.tf
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.30"
version = ">= 5.58"
}
}
}
2 changes: 1 addition & 1 deletion examples/composite-alarm/README.md
Expand Up @@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.12 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.58 |

## Providers

2 changes: 1 addition & 1 deletion examples/composite-alarm/versions.tf
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.12"
version = ">= 5.58"
}
}
}
2 changes: 1 addition & 1 deletion examples/fixtures/aws_cloudwatch_log_group/versions.tf
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.0"
version = ">= 5.58"
}

random = {
2 changes: 1 addition & 1 deletion examples/fixtures/aws_kms_key/versions.tf
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.0"
version = ">= 5.58"
}

random = {
2 changes: 1 addition & 1 deletion examples/fixtures/aws_lambda_function/versions.tf
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.0"
version = ">= 5.58"
}

random = {
2 changes: 1 addition & 1 deletion examples/fixtures/aws_sns_topic/versions.tf
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.0"
version = ">= 5.58"
}

random = {
2 changes: 1 addition & 1 deletion examples/lambda-metric-alarm/README.md
Expand Up @@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.58 |

## Providers

2 changes: 1 addition & 1 deletion examples/lambda-metric-alarm/versions.tf
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.0"
version = ">= 5.58"
}
}
}
56 changes: 56 additions & 0 deletions examples/log-account-policy/README.md
@@ -0,0 +1,56 @@
# Complete Cloudwatch log account policy

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.58 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.5 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.58 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 3.5 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_audit_destination_group"></a> [audit\_destination\_group](#module\_audit\_destination\_group) | ../../modules/log-group | n/a |
| <a name="module_cw_logs_to_firehose"></a> [cw\_logs\_to\_firehose](#module\_cw\_logs\_to\_firehose) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~> 5.0 |
| <a name="module_cw_logs_to_firehose_policy"></a> [cw\_logs\_to\_firehose\_policy](#module\_cw\_logs\_to\_firehose\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | ~> 5.0 |
| <a name="module_excluded_log_group"></a> [excluded\_log\_group](#module\_excluded\_log\_group) | ../../modules/log-group | n/a |
| <a name="module_firehose_to_s3"></a> [firehose\_to\_s3](#module\_firehose\_to\_s3) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~> 5.0 |
| <a name="module_firehose_to_s3_policy"></a> [firehose\_to\_s3\_policy](#module\_firehose\_to\_s3\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | ~> 5.0 |
| <a name="module_log_account_data_retention_policy"></a> [log\_account\_data\_retention\_policy](#module\_log\_account\_data\_retention\_policy) | ../../modules/log-account-policy | n/a |
| <a name="module_log_account_subscription_filter_policy"></a> [log\_account\_subscription\_filter\_policy](#module\_log\_account\_subscription\_filter\_policy) | ../../modules/log-account-policy | n/a |
| <a name="module_log_group"></a> [log\_group](#module\_log\_group) | ../../modules/log-group | n/a |
| <a name="module_logs_bucket"></a> [logs\_bucket](#module\_logs\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 4.0 |

## Resources

| Name | Type |
|------|------|
| [aws_kinesis_firehose_delivery_stream.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.custom_trust_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.cw_logs_to_firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.firehose_to_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |

## Inputs

No inputs.

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_log_account_data_retention_policy_name"></a> [log\_account\_data\_retention\_policy\_name](#output\_log\_account\_data\_retention\_policy\_name) | Name of Cloudwatch log account policy |
| <a name="output_log_account_subscription_filter_retention_policy_name"></a> [log\_account\_subscription\_filter\_retention\_policy\_name](#output\_log\_account\_subscription\_filter\_retention\_policy\_name) | Name of Cloudwatch log account policy |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
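Review bot: the generated names in the Modules and Outputs tables are misleading: `log_account_data_retention_policy` and `log_account_data_retention_policy_name` describe a module call whose type is `DATA_PROTECTION_POLICY`, not a retention policy, and `log_account_subscription_filter_retention_policy_name` mixes "subscription filter" with "retention". Both outputs also share the identical description "Name of Cloudwatch log account policy". Rename the module blocks and outputs in main.tf/outputs.tf to `log_account_data_protection_policy` and `log_account_subscription_filter_policy`, give each output a description naming its policy type, and regenerate the README with the docs hook.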
202 changes: 202 additions & 0 deletions examples/log-account-policy/main.tf
@@ -0,0 +1,202 @@
provider "aws" {
region = "eu-west-1"
}

data "aws_region" "current" {}

data "aws_caller_identity" "current" {}

module "log_group" {
source = "../../modules/log-group"

name_prefix = "my-log-group-"
retention_in_days = 7
}

module "excluded_log_group" {
source = "../../modules/log-group"

name_prefix = "my-excluded-log-group-"
retention_in_days = 7
}

module "audit_destination_group" {
source = "../../modules/log-group"

name_prefix = "audit-destination-log-group-"
retention_in_days = 7
}

module "log_account_data_retention_policy" {
source = "../../modules/log-account-policy"

log_account_policy_name = "account-data-protection"
log_account_policy_type = "DATA_PROTECTION_POLICY"

# custom data identifier not yet supported by the data source for aws_cloudwatch_log_data_protection_policy within the module
# specify your own json policy document if this is needed using policy_document argument
create_log_data_protection_policy = true
log_data_protection_policy_name = "redact-addresses"

data_identifiers = ["arn:aws:dataprotection::aws:data-identifier/Address"]
findings_destination_cloudwatch_log_group = module.audit_destination_group.cloudwatch_log_group_name
}

# This example requires two terraform applies and will error on the first run due to firehose stream not in ACTIVE state even with depends_on set
# Related: https://github.com/hashicorp/terraform-provider-aws/issues/17049
module "log_account_subscription_filter_policy" {
source = "../../modules/log-account-policy"

log_account_policy_name = "account-subscription-filter"
log_account_policy_type = "SUBSCRIPTION_FILTER_POLICY"
policy_document = jsonencode(
{
DestinationArn = aws_kinesis_firehose_delivery_stream.logs.arn
FilterPattern = "%test%"
RoleArn = module.cw_logs_to_firehose.iam_role_arn
}
)
log_account_policy_selection_criteria = "LogGroupName NOT IN [\"${module.excluded_log_group.cloudwatch_log_group_name}\"]"

depends_on = [
aws_kinesis_firehose_delivery_stream.logs,
module.cw_logs_to_firehose,
module.cw_logs_to_firehose_policy
]
}

################################################################################
# Supporting Resources
################################################################################

resource "random_pet" "this" {
length = 2
}

module "logs_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "~> 4.0"

bucket_prefix = "${random_pet.this.id}-logs"

force_destroy = true
}

resource "aws_kinesis_firehose_delivery_stream" "logs" {
name = "${random_pet.this.id}-logs"
destination = "extended_s3"

extended_s3_configuration {
role_arn = module.firehose_to_s3.iam_role_arn
bucket_arn = module.logs_bucket.s3_bucket_arn
prefix = "from-firehose-logs/"
}
}

module "firehose_to_s3" {
source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
version = "~> 5.0"

trusted_role_services = [
"firehose.amazonaws.com"
]

create_role = true

role_name_prefix = "${random_pet.this.id}-firehose-to-s3-"
role_requires_mfa = false

custom_role_policy_arns = [
module.firehose_to_s3_policy.arn
]
}

module "firehose_to_s3_policy" {
source = "terraform-aws-modules/iam/aws//modules/iam-policy"
version = "~> 5.0"

name = "${random_pet.this.id}-firehose-to-s3"
path = "/"
description = "Pipes logging firehose to s3 policy"

policy = data.aws_iam_policy_document.firehose_to_s3.json
}

data "aws_iam_policy_document" "firehose_to_s3" {
statement {
effect = "Allow"

actions = [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutObject",
]

resources = [
module.logs_bucket.s3_bucket_arn,
"${module.logs_bucket.s3_bucket_arn}/*",
]
}
}

module "cw_logs_to_firehose" {
source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
version = "~> 5.0"

create_role = true

role_name_prefix = "${random_pet.this.id}-cw-logs-to-firehose-"
role_requires_mfa = false
create_custom_role_trust_policy = true
custom_role_trust_policy = data.aws_iam_policy_document.custom_trust_policy.json

custom_role_policy_arns = [
module.cw_logs_to_firehose_policy.arn
]
}

data "aws_iam_policy_document" "custom_trust_policy" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]

condition {
test = "StringLike"
variable = "aws:SourceArn"
values = ["arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*"]
}

principals {
identifiers = ["logs.amazonaws.com"]
type = "Service"
}
}
}

module "cw_logs_to_firehose_policy" {
source = "terraform-aws-modules/iam/aws//modules/iam-policy"
version = "~> 5.0"

name = "${random_pet.this.id}-cw-logs-to-firehose"
path = "/"
description = "Cloudwatch logs to firehose policy"

policy = data.aws_iam_policy_document.cw_logs_to_firehose.json
}

data "aws_iam_policy_document" "cw_logs_to_firehose" {
statement {
effect = "Allow"

actions = [
"firehose:PutRecord",
]

resources = [
aws_kinesis_firehose_delivery_stream.logs.arn,
]
}
}
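Review bot: the `firehose_to_s3` role trusts the Firehose service principal with no condition (`trusted_role_services = ["firehose.amazonaws.com"]`), whereas the logs role in the same file already scopes its trust with a `StringLike` on `aws:SourceArn` in `custom_trust_policy`. Left unconditioned, a service-principal trust is assumable on behalf of a Firehose stream in any account that learns the role ARN, which is the confused-deputy case the other role guards against; use `create_custom_role_trust_policy`/`custom_role_trust_policy` here too and add a condition on `aws:SourceAccount` (or `sts:ExternalId` set to `data.aws_caller_identity.current.account_id`, the mitigation the Firehose docs describe), reusing the `aws_caller_identity` data source already in the file. Two smaller points: the note that the example needs two `terraform apply` runs is only in a code comment; put it in examples/log-account-policy/README.md so users do not read the first failure as a bug. And the `log_account_policy_selection_criteria` only excludes `excluded_log_group`, so `audit_destination_group`, the findings destination of the data protection policy, is itself forwarded to Firehose by the subscription policy; if that is not intended, add it to the `NOT IN [...]` list.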