From aad7356cfd6b29061afa46312cd4b2d3b853ec18 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Thu, 11 Aug 2022 02:27:47 +0900 Subject: [PATCH 1/3] Add cloudwatch-log-policy module --- modules/cloudwatch-log-policy/README.md | 49 ++++++++++++++++ modules/cloudwatch-log-policy/main.tf | 19 +++++++ modules/cloudwatch-log-policy/outputs.tf | 22 ++++++++ modules/cloudwatch-log-policy/policies.tf | 65 ++++++++++++++++++++++ modules/cloudwatch-log-policy/variables.tf | 27 +++++++++ modules/cloudwatch-log-policy/versions.tf | 10 ++++ 6 files changed, 192 insertions(+) create mode 100644 modules/cloudwatch-log-policy/README.md create mode 100644 modules/cloudwatch-log-policy/main.tf create mode 100644 modules/cloudwatch-log-policy/outputs.tf create mode 100644 modules/cloudwatch-log-policy/policies.tf create mode 100644 modules/cloudwatch-log-policy/variables.tf create mode 100644 modules/cloudwatch-log-policy/versions.tf diff --git a/modules/cloudwatch-log-policy/README.md b/modules/cloudwatch-log-policy/README.md new file mode 100644 index 0000000..7a7e5a4 --- /dev/null +++ b/modules/cloudwatch-log-policy/README.md 
@@ -0,0 +1,49 @@ +# cloudwatch-log-policy + +This module creates following resources. + +- `aws_cloudwatch_log_policy` + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.2 | +| [aws](#requirement\_aws) | >= 4.22 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.25.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_log_resource_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_resource_policy) | resource | +| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [name](#input\_name) | (Required) The name of the CloudWatch Logs resource policy. | `string` | n/a | yes | +| [service](#input\_service) | (Required) Specify the identity of the AWS service principal to allow delivering logs to this account. Valid values are `es.amazonaws.com`, `route53.amazonaws.com`. | `string` | n/a | yes | +| [statements](#input\_statements) | (Required) A list of statements for CloudWatch Logs resource policy. Each item of `statements` as defined below.
(Required) `log_groups` - A list of Log group patterns that the resource policy applies to. Whildcard is supported. Configure `*` to allow all log groups.
(Optional) `account_whiteilst` - A whitelist of AWS Account IDs making the call to CloudWatch Logs.
(Optional) `resource_whiteilst` - A whitelist of the ARN of AWS resources making the call to CloudWatch Logs. | `list(map(set(string)))` | `[]` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [name](#output\_name) | The name of CloudWatch Logs resource policy. | +| [service](#output\_service) | The identity of the AWS service principal which is allowed to delivery logs to this account. | +| [statements](#output\_statements) | The list of statements for CloudWatch Logs resource policy. | + diff --git a/modules/cloudwatch-log-policy/main.tf b/modules/cloudwatch-log-policy/main.tf new file mode 100644 index 0000000..36331c6 --- /dev/null +++ b/modules/cloudwatch-log-policy/main.tf @@ -0,0 +1,19 @@ +locals { + metadata = { + package = "terraform-aws-observability" + version = trimspace(file("${path.module}/../../VERSION")) + module = basename(path.module) + name = var.name + } +} + + +################################################### +# Resource Policy of CloudWatch Logs +################################################### + +resource "aws_cloudwatch_log_resource_policy" "this" { + policy_name = var.name + + policy_document = data.aws_iam_policy_document.this.json +} diff --git a/modules/cloudwatch-log-policy/outputs.tf b/modules/cloudwatch-log-policy/outputs.tf new file mode 100644 index 0000000..09c4239 --- /dev/null +++ b/modules/cloudwatch-log-policy/outputs.tf 
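Review bot: `local.metadata` in main.tf (package, the version read via `file("${path.module}/../../VERSION")`, module, name) is not referenced anywhere in this hunk, and `aws_cloudwatch_log_resource_policy` takes only `policy_name` and `policy_document`, so there is no `tags` argument to attach it to. Either drop the block or leave a comment such as `# Not consumed here: this resource has no tags argument; kept for parity with sibling modules.` so the next reader does not go looking for a consumer. The `file()` call also makes every plan depend on `VERSION` existing two directories above the module, which presumably holds for the registry package as well as the in-repo path — worth confirming before this is published under the commented `tedilabs/observability/aws` source.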
@@ -0,0 +1,22 @@
+output "name" {
+ description = "The name of CloudWatch Logs resource policy."
+ value = aws_cloudwatch_log_resource_policy.this.policy_name
+}
+
+output "service" {
+ description = "The identity of the AWS service principal which is allowed to delivery logs to this account."
+ value = var.service
+}
+
+output "statements" {
+ description = "The list of statements for CloudWatch Logs resource policy."
+ value = {
+ for idx, statement in var.statements :
+ "${var.name}-${idx}" => {
+ log_groups = statement.log_groups
+
+ account_whitelist = try(statement.account_whitelist, null)
+ resource_whitelist = try(statement.resource_whitelist, null)
+ }
+ }
+}
diff --git a/modules/cloudwatch-log-policy/policies.tf b/modules/cloudwatch-log-policy/policies.tf
new file mode 100644
index 0000000..3787f55
--- /dev/null
+++ b/modules/cloudwatch-log-policy/policies.tf
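Review bot: The `service` output description reads "allowed to delivery logs"; change it to `description = "The identity of the AWS service principal which is allowed to deliver logs to this account."`. The same wording is copied into the Outputs table of the README hunk above, so both strings should move together. The `statements` output keys entries as `"${var.name}-${idx}"`, which matches the `sid` built in policies.tf — a short comment `# Key mirrors the statement sid in policies.tf` would make that coupling explicit for whoever edits one side later.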
@@ -0,0 +1,65 @@
+data "aws_caller_identity" "this" {}
+data "aws_region" "this" {}
+
+locals {
+ account_id = data.aws_caller_identity.this.account_id
+ region = data.aws_region.this.name
+
+ service_actions = {
+ "es.amazonaws.com" = [
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ "logs:PutLogEventsBatch",
+ ]
+ "route53.amazonaws.com" = [
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ ]
+ }
+}
+
+###################################################
+# Resource Policy
+###################################################
+
+data "aws_iam_policy_document" "this" {
+ dynamic "statement" {
+ for_each = var.statements
+
+ content {
+ sid = "${var.name}-${statement.key}"
+
+ actions = local.service_actions[var.service]
+
+ resources = [
+ for log_group in statement.value.log_groups :
+ "arn:aws:logs:${local.region}:${local.account_id}:log-group:${log_group}"
+ ]
+
+ principals {
+ identifiers = [var.service]
+ type = "Service"
+ }
+
+ dynamic "condition" {
+ for_each = try([statement.value.account_whitelist], [])
+
+ content {
+ test = "StringEquals"
+ variable = "aws:SourceAccount"
+ values = condition.value
+ }
+ }
+
+ dynamic "condition" {
+ for_each = try([statement.value.resource_whitelist], [])
+
+ content {
+ test = "ArnLike"
+ variable = "aws:SourceArn"
+ values = condition.value
+ }
+ }
+ }
+ }
+}
diff --git a/modules/cloudwatch-log-policy/variables.tf b/modules/cloudwatch-log-policy/variables.tf
new file mode 100644
index 0000000..3d88d51
--- /dev/null
+++ b/modules/cloudwatch-log-policy/variables.tf
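Review bot: When a statement sets neither `account_whitelist` nor `resource_whitelist`, both `dynamic "condition"` blocks in `data.aws_iam_policy_document.this` iterate over `[]` and the statement allows the service principal to write to the matching log groups with no `aws:SourceAccount` or `aws:SourceArn` restriction, i.e. from any AWS account that can drive that service; the examples avoid this by passing the caller's account id, but the module's default should be the safe one. Default the first condition's `for_each` to the caller's own account so that opening the policy cross-account requires listing accounts explicitly, and state that behaviour in the `statements` variable description (variables.tf is a separate hunk, and the declared type of the whitelist attributes is inferred here only from the `try()` calls). Separately, the `resources` list hard-codes the `aws` partition in `arn:aws:logs:…`, which yields wrong ARNs in GovCloud and China regions; take the partition from `data "aws_partition"` instead. If explicitly passing `account_whitelist = null` is meant to be supported, the `try()` fallback will not catch it and `values = null` will fail at apply — worth a validation rule or a `coalesce`.

```hcl
data "aws_caller_identity" "this" {}
data "aws_partition" "this" {}
data "aws_region" "this" {}

locals {
  account_id = data.aws_caller_identity.this.account_id
  partition  = data.aws_partition.this.partition
  region     = data.aws_region.this.name
  # … unchanged: service_actions …
}

# … unchanged: policy document header, sid, actions …
      resources = [
        for log_group in statement.value.log_groups :
        "arn:${local.partition}:logs:${local.region}:${local.account_id}:log-group:${log_group}"
      ]
# … unchanged: principals …
      dynamic "condition" {
        # Pin to the calling account unless the caller lists accounts explicitly.
        for_each = [try(statement.value.account_whitelist, [local.account_id])]
# … unchanged: StringEquals content, resource_whitelist condition …
```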
@@ -0,0 +1,27 @@ +variable "name" { + description = "(Required) The name of the CloudWatch Logs resource policy." + type = string +} + +variable "service" { + description = "(Required) Specify the identity of the AWS service principal to allow delivering logs to this account. Valid values are `es.amazonaws.com`, `route53.amazonaws.com`." + type = string + nullable = false + + validation { + condition = contains(["es.amazonaws.com", "route53.amazonaws.com"], var.service) + error_message = "Valid values for `service` are `es.amazonaws.com`, `route53.amazonaws.com`." + } +} + +variable "statements" { + description = < Date: Thu, 11 Aug 2022 02:33:04 +0900 Subject: [PATCH 2/3] Add examples for cloudwatch-log-policy module --- examples/cloudwatch-log-policy-es/main.tf | 25 +++++++++++++++++++ examples/cloudwatch-log-policy-es/outputs.tf | 3 +++ examples/cloudwatch-log-policy-es/versions.tf | 10 ++++++++ .../cloudwatch-log-policy-route53/main.tf | 25 +++++++++++++++++++ .../cloudwatch-log-policy-route53/outputs.tf | 3 +++ .../cloudwatch-log-policy-route53/versions.tf | 10 ++++++++ 6 files changed, 76 insertions(+) create mode 100644 examples/cloudwatch-log-policy-es/main.tf create mode 100644 examples/cloudwatch-log-policy-es/outputs.tf create mode 100644 examples/cloudwatch-log-policy-es/versions.tf create mode 100644 examples/cloudwatch-log-policy-route53/main.tf create mode 100644 examples/cloudwatch-log-policy-route53/outputs.tf create mode 100644 examples/cloudwatch-log-policy-route53/versions.tf diff --git a/examples/cloudwatch-log-policy-es/main.tf b/examples/cloudwatch-log-policy-es/main.tf new file mode 100644 index 0000000..0713e49 --- /dev/null +++ b/examples/cloudwatch-log-policy-es/main.tf 
@@ -0,0 +1,25 @@
+provider "aws" {
+ region = "us-east-1"
+}
+
+data "aws_caller_identity" "this" {}
+
+###################################################
+# Resource Policy for CloudWatch Logs
+###################################################
+
+module "log_policy" {
+ source = "../../modules/cloudwatch-log-policy"
+ # source = "tedilabs/observability/aws//modules/cloudwatch-log-policy"
+ # version = "~> 0.1.0"
+
+ name = "es"
+ service = "es.amazonaws.com"
+
+ statements = [
+ {
+ log_groups = ["/aws/es/*"]
+ account_whitelist = [data.aws_caller_identity.this.account_id]
+ }
+ ]
+}
diff --git a/examples/cloudwatch-log-policy-es/outputs.tf b/examples/cloudwatch-log-policy-es/outputs.tf
new file mode 100644
index 0000000..2de85fc
--- /dev/null
+++ b/examples/cloudwatch-log-policy-es/outputs.tf
@@ -0,0 +1,3 @@
+output "log_policy" {
+ value = module.log_policy
+}
diff --git a/examples/cloudwatch-log-policy-es/versions.tf b/examples/cloudwatch-log-policy-es/versions.tf
new file mode 100644
index 0000000..a93b011
--- /dev/null
+++ b/examples/cloudwatch-log-policy-es/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = "~> 1.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0"
+ }
+ }
+}
diff --git a/examples/cloudwatch-log-policy-route53/main.tf b/examples/cloudwatch-log-policy-route53/main.tf
new file mode 100644
index 0000000..1f8ed93
--- /dev/null
+++ b/examples/cloudwatch-log-policy-route53/main.tf
@@ -0,0 +1,25 @@ +provider "aws" { + region = "us-east-1" +} + +data "aws_caller_identity" "this" {} + +################################################### +# Resource Policy for CloudWatch Logs +################################################### + +module "log_policy" { + source = "../../modules/cloudwatch-log-policy" + # source = "tedilabs/observability/aws//modules/cloudwatch-log-policy" + # version = "~> 0.1.0" + + name = "route53" + service = "route53.amazonaws.com" + + statements = [ + { + log_groups = ["/aws/route53/*"] + account_whitelist = [data.aws_caller_identity.this.account_id] + } + ] +} diff --git a/examples/cloudwatch-log-policy-route53/outputs.tf b/examples/cloudwatch-log-policy-route53/outputs.tf new file mode 100644 index 0000000..2de85fc --- /dev/null +++ b/examples/cloudwatch-log-policy-route53/outputs.tf @@ -0,0 +1,3 @@ +output "log_policy" { + value = module.log_policy +} diff --git a/examples/cloudwatch-log-policy-route53/versions.tf b/examples/cloudwatch-log-policy-route53/versions.tf new file mode 100644 index 0000000..a93b011 --- /dev/null +++ b/examples/cloudwatch-log-policy-route53/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = "~> 1.1" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4.0" + } + } +} From 7a13bf2dfa42149a42e1b7f4e88e171e706b8ab3 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Thu, 11 Aug 2022 02:33:38 +0900 Subject: [PATCH 3/3] Add github labels --- .github/labeler.yaml | 2 ++ .github/labels.yaml | 3 +++ 2 files changed, 5 insertions(+) diff --git a/.github/labeler.yaml b/.github/labeler.yaml index 3936aa0..288b780 100644 --- a/.github/labeler.yaml +++ b/.github/labeler.yaml @@ -1,3 +1,5 @@ # Modules ":floppy_disk: cloudwatch-log-group": - modules/cloudwatch-log-group/**/* +":floppy_disk: cloudwatch-log-policy": +- modules/cloudwatch-log-policy/**/* diff --git a/.github/labels.yaml b/.github/labels.yaml index 5612863..6864eae 100644 --- a/.github/labels.yaml 
+++ b/.github/labels.yaml @@ -43,3 +43,6 @@ - color: "fbca04" description: "This issue or pull request is related to cloudwatch-log-group module." name: ":floppy_disk: cloudwatch-log-group" +- color: "fbca04" + description: "This issue or pull request is related to cloudwatch-log-policy module." + name: ":floppy_disk: cloudwatch-log-policy"