From e30679ca78e02fda292e2187c0dfc9acb8b261c0 Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 14 May 2021 12:05:10 -0400
Subject: [PATCH] create flowlogs-role
---
flowlogs-role/data.tf | 1 +
flowlogs-role/defaults.tf | 1 +
flowlogs-role/main.tf | 104 ++++++++++++++++++++++++++++++
flowlogs-role/outputs.tf | 10 +++
flowlogs-role/prefixes.tf | 1 +
flowlogs-role/variables.common.tf | 1 +
flowlogs-role/variables.tf | 11 ++++
flowlogs-role/version.tf | 1 +
8 files changed, 130 insertions(+)
create mode 120000 flowlogs-role/data.tf
create mode 120000 flowlogs-role/defaults.tf
create mode 100644 flowlogs-role/main.tf
create mode 100644 flowlogs-role/outputs.tf
create mode 120000 flowlogs-role/prefixes.tf
create mode 120000 flowlogs-role/variables.common.tf
create mode 100644 flowlogs-role/variables.tf
create mode 120000 flowlogs-role/version.tf
diff --git a/flowlogs-role/data.tf b/flowlogs-role/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/flowlogs-role/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/flowlogs-role/defaults.tf b/flowlogs-role/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/flowlogs-role/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/flowlogs-role/main.tf b/flowlogs-role/main.tf
new file mode 100644
index 0000000..7a8d48d
--- /dev/null
+++ b/flowlogs-role/main.tf
@@ -0,0 +1,104 @@
+/*
+* # aws-vpc-setup :: flowlogs-role
+*
+* This sets up the default flowlogs role and policies, allowign for kinesis streams to be used in all regions
+* selected. The role and policy created are `inf-flowlogs` with the appropriate prefix.
+*
+* # Usage
+* ```hcl
+* module "role_flowlogs" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//flowlogs-role"
+* regions = values(var.region_map)
+* attached_policies = [ module.general.custom_policies_arn["deny_billing"]]
+* tags = { }
+* }
+* ```
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+locals {
+ flowlogs_regions = var.regions
+ flowlogs_streams = [for r in local.flowlogs_regions :
+ format("arn:%v:kinesis:%v:%v:stream/%vvpc*", data.aws_arn.current.partition, r, data.aws_caller_identity.current.account_id, local._prefixes["log-stream"])]
+}
+
+module "flowlogs" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+
+ role_name = "inf-flowlogs"
+ enable_ldap_creation = false
+ assume_policy_document = data.aws_iam_policy_document.flowlogs_assume.json
+ attached_policies = var.attached_policies
+
+ tags = merge(
+ local.base_tags,
+ local.tags
+ )
+}
+
+#---
+# setup policy for flowlogs
+# attach after creation of the role. This is because the policy references the role ARN
+# and it cannot be added before it exists
+#---
+resource "aws_iam_policy" "flowlogs" {
+ name = "p-inf-flowlog"
+ path = "/"
+ description = "Policy for INF Flowlogs"
+ policy = data.aws_iam_policy_document.flowlogs.json
+}
+
+resource "aws_iam_role_policy_attachment" "flowlogs" {
+ role = module.flowlogs.role_name
+ policy_arn = aws_iam_policy.flowlogs.arn
+}
+
+data "aws_iam_policy_document" "flowlogs" {
+ statement {
+ sid = "VPCFlowLogs"
+ effect = "Allow"
+ resources = ["*"]
+ actions = [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ "logs:DescribeLogGroups",
+ "logs:DescribeLogStreams",
+ "logs:CreateLogDelivery",
+ "logs:DeleteLogDelivery",
+ ]
+ }
+ statement {
+ sid = "VPCFlowLogsKinesisPassRole"
+ effect = "Allow"
+ actions = ["iam:PassRole"]
+ resources = [module.flowlogs.role_arn]
+ }
+ statement {
+ sid = "VPCFlowLogsKinesis"
+ effect = "Allow"
+ actions = ["kinesis:PutRecord"]
+ resources = [local.flowlogs_streams]
+ }
+}
+
+data "aws_iam_policy_document" "flowlogs_assume" {
+ statement {
+ sid = "VPCFlowLogsAssumeRole"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "Service"
+ identifiers = concat(list("vpc-flow-logs.amazonaws.com"), formatlist("logs.%v.amazonaws.com", local.flowlogs_regions))
+ }
+ }
+}
diff --git a/flowlogs-role/outputs.tf b/flowlogs-role/outputs.tf
new file mode 100644
index 0000000..e82b991
--- /dev/null
+++ b/flowlogs-role/outputs.tf
@@ -0,0 +1,10 @@
+output "role_arn" {
+ description = "Created flowlogs role ARN"
+ value = module.flowlogs.role_arn
+}
+
+output "role_name" {
+ description = "Created flowlogs role name"
+ value = module.flowlogs.role_name
+}
+
diff --git a/flowlogs-role/prefixes.tf b/flowlogs-role/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/flowlogs-role/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
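Review bot: The `VPCFlowLogsKinesis` statement in `data "aws_iam_policy_document" "flowlogs"` sets `resources = [local.flowlogs_streams]`, but `flowlogs_streams` is already a list built by the `for` expression, so this is a list of lists and the provider will reject it as a type error; it should read `resources = local.flowlogs_streams`. In `flowlogs_assume`, `list("vpc-flow-logs.amazonaws.com")` uses the `list()` function that Terraform deprecated in 0.12 and removed in 0.15, so a literal `["vpc-flow-logs.amazonaws.com"]` is the drop-in replacement. That same trust policy lets the flow-logs and regional `logs.*` service principals assume the role on behalf of any account; adding an `aws:SourceAccount` condition on `local.account_id` (as the AWS trust-policy examples for both services do) closes that confused-deputy gap, shown below. The stream ARNs in `flowlogs_streams` read `data.aws_caller_identity.current.account_id` directly while `local.account_id` exists precisely so `var.account_id` can override it, so the `format()` call should probably use `local.account_id` for consistency. Finally, the `VPCFlowLogs` statement grants all seven `logs:*` actions against `*`; only `CreateLogDelivery`/`DeleteLogDelivery` appear to need the wildcard, so the log-group and log-stream actions could be split into a statement scoped to this account's log groups using the partition and account id already computed in `locals`.
```hcl
data "aws_iam_policy_document" "flowlogs" {
  # … unchanged: VPCFlowLogs and VPCFlowLogsKinesisPassRole statements …
  statement {
    sid       = "VPCFlowLogsKinesis"
    # … unchanged: effect, actions …
    resources = local.flowlogs_streams
  }
}

data "aws_iam_policy_document" "flowlogs_assume" {
  statement {
    # … unchanged: sid, effect, actions …
    principals {
      type        = "Service"
      identifiers = concat(["vpc-flow-logs.amazonaws.com"], formatlist("logs.%v.amazonaws.com", local.flowlogs_regions))
    }
    # Only resources in this account may use the role (confused-deputy guard).
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account_id]
    }
  }
}
```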
diff --git a/flowlogs-role/variables.common.tf b/flowlogs-role/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/flowlogs-role/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/flowlogs-role/variables.tf b/flowlogs-role/variables.tf
new file mode 100644
index 0000000..c419c06
--- /dev/null
+++ b/flowlogs-role/variables.tf
@@ -0,0 +1,11 @@
+variable "attached_policies" {
+ description = "List of IAM Policy ARNs to attach to this role"
+ type = list(string)
+ default = []
+}
+
+variable "regions" {
+ description = "List of AWS Regions for which to grant Kinesis stream access"
+ type = list(string)
+ default = []
+}
diff --git a/flowlogs-role/version.tf b/flowlogs-role/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/flowlogs-role/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
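Review bot: `variable "regions"` defaults to `[]`, yet main.tf derives both the Kinesis stream ARNs and the regional `logs.*` trust principals from it, so the default produces a `kinesis:PutRecord` statement with no resources and a role that no regional Logs principal can assume. Either drop the `default` so callers must supply the list, or keep it and add a guard such as `validation { condition = length(var.regions) > 0; error_message = "At least one region is required." }` (Terraform 0.13+). The `attached_policies` description could also state that the module attaches its own `p-inf-flowlog` policy in addition to these ARNs, since that is not obvious from the variable alone.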