initial copy, edit
badra001 committed Jan 27, 2023
1 parent eac3329 commit 544b4d9
Showing 20 changed files with 1,214 additions and 0 deletions.
212 changes: 212 additions & 0 deletions org-logging/README.md
@@ -0,0 +1,212 @@
# aws-inf-setup :: logging

This set up the needed components for logging in a region: S3, KMS key, SNS, SQS, logging,
cloudwatch log groups, and associated permissions. It also generates a splunk configuration to be used
for pulling logging events.

* S3 bucket
* SNS Topic
* SQS Queue (and Deadletter queue)
* Cloudwatch Log
* setup/*.conf files for Splunk
* inputs.{name}.{account}.{region}.conf

Once setup, the gnerated Splunk configuration files can be provided to the Splunk team for ingesting
as Logging.

## Usage: Simple

This siomple configuration is how it will typically be deployed.

```hcl
module "logging_key" {
source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//logging-key"
tags = local.common_tags
}
module "logging" {
source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//logging"
account_alias = var.account_alias
access_log_bucket = module.logs.bucket_id
kms_key_arn = module.logging_key.kms_key_arn
enable_sns = true
enable_sqs = true
tags = local.common_tags
}
```

## Usage: Extended

This shows the creation of a key with additional variables, along with a policy for key access (currently
just a placholder), and the logging with more variables offered.

```hcl
module "logging_key" {
source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//logging-key"
name = "mylogging"
kms_admin_roles = ["arn:aws:iam::079788916859:role/r-inf-cloud-admin"]
kms_policy_document = data.aws_iam_policy_document.myct_policy.json
tags = {
Environment = "csvd:infrastructure"
}
component_tags = {
"kms" = {
"SpecialTag1" = "something"
"SpecialTag2" = "somethingElse"
}
}
}
data "aws_iam_policy_document" "myct_policy" {}
module "logging" {
source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//logging"
name = "mylogging"
account_alias = var.account_alias
access_log_bucket = module.logs.bucket_id
kms_key_arn = module.logging_key.kms_key_arn
enable_organization = false
enable_sns = true
enable_sqs = true
tags = merge(
local.common_tags,
tomap({ Environment = "csvd:infrastructure" }),
)
}
```hcl
## Usage: Organization Cloudtrail
This can be used for creation of an organization cloud trail. It is only applicable to the master
account of the organization, so you won't see this one used very often.
```hcl
data "aws_organizations_organization" "org" {}
module "org_logging_key" {
source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//logging-key"
name = "org-logging"
tags = local.common_tags
}
module "org_logging" {
source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//logging"
account_alias = var.account_alias
enable_organization = true
access_log_bucket = module.logs.bucket_id
kms_key_arn = module.org_logging_key.kms_key_arn
organization_id = data.aws_organizations_organization.org.id
enable_sns = true
enable_sqs = true
tags = local.common_tags
}
```

## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.66.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
| <a name="provider_local"></a> [local](#provider\_local) | n/a |
| <a name="provider_null"></a> [null](#provider\_null) | n/a |
| <a name="provider_template"></a> [template](#provider\_template) | n/a |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [aws_iam_policy.logging_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
| [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
| [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
| [aws_sns_topic.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
| [aws_sns_topic_policy.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
| [aws_sns_topic_subscription.additional_logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
| [aws_sns_topic_subscription.logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
| [aws_sqs_queue.additional_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
| [aws_sqs_queue.additional_logging_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
| [aws_sqs_queue.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
| [aws_sqs_queue.logging_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
| [aws_sqs_queue_policy.additional_logging_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
| [aws_sqs_queue_policy.additional_logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
| [aws_sqs_queue_policy.logging_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
| [aws_sqs_queue_policy.logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
| [local_file.splunk_logging](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
| [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [null_resource.splunk_logging](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.additional_logging_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.additional_logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.logging_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.logging_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.logging_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.logging_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.logging_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
| [template_file.splunk_logging](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_access_log_bucket"></a> [access\_log\_bucket](#input\_access\_log\_bucket) | Server Access Logging Bucket ID | `string` | n/a | yes |
| <a name="input_access_log_bucket_prefix"></a> [access\_log\_bucket\_prefix](#input\_access\_log\_bucket\_prefix) | Server Access Log bucket prefix, to which the Object Logging bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no |
| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
| <a name="input_additional_sqs_names"></a> [additional\_sqs\_names](#input\_additional\_sqs\_names) | List of additional SQS queues to create and subscribe to the SNS topic (if enabled) | `list(string)` | `[]` | no |
| <a name="input_cloudtrail_bucket_prefix"></a> [cloudtrail\_bucket\_prefix](#input\_cloudtrail\_bucket\_prefix) | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"cloudtrail"` | no |
| <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | <pre>{<br> "ddb": {},<br> "kms": {},<br> "s3": {}<br>}</pre> | no |
| <a name="input_enable_organization"></a> [enable\_organization](#input\_enable\_organization) | Enable Logging as an organization trail. This will only work in the organization master account | `bool` | `false` | no |
| <a name="input_enable_sns"></a> [enable\_sns](#input\_enable\_sns) | Flag to enable or disable the creation of SNS for Cloudtrail (TBD) | `bool` | `false` | no |
| <a name="input_enable_sqs"></a> [enable\_sqs](#input\_enable\_sqs) | Flag to enable or disable the creation of SQS attached to SNS for Cloudtrail, used for Splunk ingestion (TBD) | `bool` | `false` | no |
| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | AWS Logging KMS ARN to be used for encrypting the ClouldTrail, S3 Bucket, and SQS | `string` | n/a | yes |
| <a name="input_kms_key_management_identifiers"></a> [kms\_key\_management\_identifiers](#input\_kms\_key\_management\_identifiers) | AWS IAM ARNs (roles, groups, users) for full access to the created KMS Key for this bucket | `list(string)` | `[]` | no |
| <a name="input_name"></a> [name](#input\_name) | Name to apply to Cloudtrail, S3, SNS and SQS | `string` | `null` | no |
| <a name="input_organization_id"></a> [organization\_id](#input\_organization\_id) | AWS Organization ID | `string` | `""` | no |
| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_additional_sqs_info"></a> [additional\_sqs\_info](#output\_additional\_sqs\_info) | Additional SQS ARNs and IDs (main, deadletter) |
| <a name="output_s3_bucket_arn"></a> [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | Created S3 Bucket ARN |
| <a name="output_s3_bucket_id"></a> [s3\_bucket\_id](#output\_s3\_bucket\_id) | Created S3 Bucket ID |
| <a name="output_sns_arn"></a> [sns\_arn](#output\_sns\_arn) | SNS ARN |
| <a name="output_sqs_info"></a> [sqs\_info](#output\_sqs\_info) | Main SQS ARNs and IDs (main, deadletter) |
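--- a/org-logging/additional-sqs.tf
+++ b/org-logging/additional-sqs.tf
@@ -0,0 +1,103 @@
+locals {
+additional_sqs_names = var.enable_sqs ? toset(var.additional_sqs_names) : toset([])
+}
+
+resource "aws_sqs_queue" "additional_logging_deadletter" {
+for_each = local.additional_sqs_names
+name = format("%v-deadletter", each.key)
+delay_seconds = 0
+max_message_size = 262144
+message_retention_seconds = lookup(local._defaults["sqs_deadletter"], "message_retention_seconds", 1 * 86400)
+receive_wait_time_seconds = 15
+visibility_timeout_seconds = 3600
+
+kms_master_key_id = data.aws_kms_key.incoming_key.id
+kms_data_key_reuse_period_seconds = 300
+
+tags = merge(
+local.base_tags,
+var.tags,
+tomap({ Name = format("%v-deadletter", each.key) }),
+)
+}
+
+resource "aws_sqs_queue_policy" "additional_logging_deadletter" {
+for_each = local.additional_sqs_names
+queue_url = var.enable_sqs ? aws_sqs_queue.additional_logging_deadletter[each.key].id : null
+policy = data.aws_iam_policy_document.additional_logging_deadletter[each.key].json
+}
+
+data "aws_iam_policy_document" "additional_logging_deadletter" {
+for_each = local.additional_sqs_names
+statement {
+sid = "AllowSNSSendMessage"
+effect = "Allow"
+actions = ["sqs:SendMessage"]
+resources = [var.enable_sqs ? aws_sqs_queue.additional_logging_deadletter[each.key].arn : ""]
+principals {
+type = "AWS"
+identifiers = ["*"]
+}
+condition {
+test = "ArnEquals"
+variable = "aws:SourceArn"
+values = [var.enable_sns ? aws_sns_topic.logging[0].arn : ""]
+}
+}
+}
+
+resource "aws_sqs_queue" "additional_logging" {
+for_each = local.additional_sqs_names
+name = each.key
+delay_seconds = 0
+max_message_size = 262144
+message_retention_seconds = lookup(local._defaults["sqs_deadletter"], "message_retention_seconds", 7 * 86400)
+receive_wait_time_seconds = 15
+visibility_timeout_seconds = 7200
+
+redrive_policy = jsonencode({
+deadLetterTargetArn = var.enable_sqs ? aws_sqs_queue.additional_logging_deadletter[each.key].arn : null
+maxReceiveCount = 100
+})
+
+kms_master_key_id = data.aws_kms_key.incoming_key.id
+kms_data_key_reuse_period_seconds = 300
+
+tags = merge(
+local.base_tags,
+var.tags,
+tomap({ Name = each.key }),
+)
+}
+
+resource "aws_sqs_queue_policy" "additional_logging_sqs" {
+for_each = local.additional_sqs_names
+queue_url = var.enable_sqs ? aws_sqs_queue.additional_logging[each.key].id : null
+policy = data.aws_iam_policy_document.additional_logging_sqs[each.key].json
+}
+
+data "aws_iam_policy_document" "additional_logging_sqs" {
+for_each = local.additional_sqs_names
+statement {
+sid = "AllowSNSSendMessage"
+effect = "Allow"
+actions = ["sqs:SendMessage"]
+resources = [var.enable_sqs ? aws_sqs_queue.additional_logging[each.key].arn : ""]
+principals {
+type = "AWS"
+identifiers = ["*"]
+}
+condition {
+test = "ArnEquals"
+variable = "aws:SourceArn"
+values = [var.enable_sns ? aws_sns_topic.logging[0].arn : ""]
+}
+}
+}
+
+resource "aws_sns_topic_subscription" "additional_logging_sqs" {
+for_each = var.enable_sns ? local.additional_sqs_names : toset([])
+protocol = "sqs"
+topic_arn = var.enable_sns ? aws_sns_topic.logging[0].arn : null
+endpoint = var.enable_sqs ? aws_sqs_queue.additional_logging[each.key].arn : null
+}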
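Review bot: The deadletter queue policy (`data.aws_iam_policy_document.additional_logging_deadletter`) grants `sqs:SendMessage` to any principal whose `aws:SourceArn` is the SNS topic, yet nothing in this file subscribes the DLQ to the topic — it only receives redrives from the main queue, which SQS performs without a queue-policy grant — so that statement is surplus permission and can be dropped, or the DLQ policy omitted entirely. On the main queue policy the `AWS`/`*` principal can be narrowed to the service that actually publishes, `type = "Service"` with `identifiers = ["sns.amazonaws.com"]`, keeping the `aws:SourceArn` condition as the second factor. When `enable_sns` is false the condition value collapses to `""`, an `ArnEquals` against an empty string that matches nothing but reads as a mistake; gating the statement on `var.enable_sns` would make the intent explicit. Separately, the main queue's `message_retention_seconds` reads `local._defaults["sqs_deadletter"]`, the same key the DLQ uses, which looks like a copy-paste and would make the 7-day fallback unreachable whenever the deadletter default is set; `local._defaults` and `aws_sns_topic.logging` are defined outside this file, so this is inferred rather than confirmed.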
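--- a/org-logging/base_tags.tf
+++ b/org-logging/base_tags.tf
@@ -0,0 +1,6 @@
+locals {
+base_tags = {
+"boc:tf_module_version" = local._module_version
+"boc:created_by" = "terraform"
+}
+}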
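--- a/org-logging/cloudtrail.tf
+++ b/org-logging/cloudtrail.tf
@@ -0,0 +1,49 @@
+resource "aws_iam_role" "logging" {
+name = local.role_name
+assume_role_policy = data.aws_iam_policy_document.logging_assume.json
+description = "AWS Logging Role for ${local.name}"
+force_detach_policies = false
+max_session_duration = 3600
+# add deny billing
+managed_policy_arns = [aws_iam_policy.logging_policy.arn]
+path = "/"
+
+tags = merge(
+local.base_tags,
+var.tags,
+tomap({ Name = local.role_name }),
+)
+}
+
+data "aws_iam_policy_document" "logging_assume" {
+statement {
+sid = "AWSLoggingServiceAssumeRole"
+effect = "Allow"
+actions = ["sts:AssumeRole"]
+principals {
+type = "Service"
+identifiers = ["logging.amazonaws.com"]
+}
+}
+}
+
+resource "aws_iam_policy" "logging_policy" {
+name = local.policy_name
+policy = data.aws_iam_policy_document.logging_cloudwatch.json
+}
+
+
+data "aws_iam_policy_document" "logging_cloudwatch" {
+statement {
+sid = "AWSLoggingCreateLogStream"
+effect = "Allow"
+actions = ["logs:CreateLogStream"]
+resources = local.resources
+}
+statement {
+sid = "AWSLoggingPutLogEvents"
+effect = "Allow"
+actions = ["logs:PutLogEvents"]
+resources = local.resources
+}
+}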
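Review bot: The trust policy's `identifiers = ["logging.amazonaws.com"]` does not look like a real AWS service principal; given the file name and the `logs:CreateLogStream`/`logs:PutLogEvents` grants, this reads as the CloudTrail-to-CloudWatch-Logs delivery role, whose trusted service is `cloudtrail.amazonaws.com` (the commit is titled "initial copy, edit", and a global cloudtrail-to-logging rename would produce exactly this string, so please confirm against the original module). With a bare service principal and no condition, a trail in any account could in principle assume this role, so the trust statement should carry a confused-deputy guard: `aws:SourceAccount` from `data.aws_caller_identity.current` (listed in this module's README resources) is the minimal form, and an `aws:SourceArn` of the trail is tighter once the trail resource exists. The `# add deny billing` line is a TODO left inside the role body and should become either a policy statement or a tracked issue, and `local.resources`, which scopes the log permissions, is defined outside this file, so how narrowly it is scoped could not be checked here.
```hcl
data "aws_iam_policy_document" "logging_assume" {
  statement {
    # … unchanged: sid, effect, actions …
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    # Confused-deputy guard: only trails owned by this account may assume the role.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
```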