* This allows setting up Flow Logs on the Infrastructure VPC, with either or both of the S3 and CloudWatch Logs destinations. If the S3 destination is deployed, a compatible Glue database/table for Athena is also created so the logs can be queried easily. An Athena workgroup has also been created, in which useful stored queries can be defined (the Athena query output goes to the logging bucket).
Showing
12 changed files
with
299 additions
and
0 deletions.
@@ -0,0 +1,13 @@ | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Sid": "", | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Service": ${services} | ||
}, | ||
"Action": "sts:AssumeRole" | ||
} | ||
] | ||
} |
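Review bot: The trust statement grants `sts:AssumeRole` to every service in `${services}` with no `aws:SourceAccount`/`aws:SourceArn` condition, so the role can be assumed on behalf of a flow log in any AWS account (the only caller visible in this commit passes `vpc-flow-logs.amazonaws.com`, L170). AWS recommends both conditions for the flow-logs service principal to close the confused-deputy case. Because this template is shared, the least disruptive form is an optional variable: add `%{ if source_account != "" },"Condition": {"StringEquals": {"aws:SourceAccount": "${source_account}"}}%{ endif }` after the `"Action"` line and have callers pass `source_account = local.aws_account_id` (or `""` to keep today's behaviour). Also, the file name says `service-principle` where IAM calls this a principal; worth renaming before other modules depend on the path.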
@@ -0,0 +1,16 @@ | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Action": [ | ||
"logs:CreateLogGroup", | ||
"logs:CreateLogStream", | ||
"logs:PutLogEvents", | ||
"logs:DescribeLogGroups", | ||
"logs:DescribeLogStreams" | ||
], | ||
"Effect": "Allow", | ||
"Resource": "*" | ||
} | ||
] | ||
} |
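Review bot: `"Resource": "*"` lets whoever holds this policy create and write to every log group in the account, not just the flow-log group created in this commit; the template currently takes no variables (`templatefile(..., {})` at L181), so nothing narrows it. Give it a `log_group_arn` variable and scope the statement with `"Resource": ["${log_group_arn}", "${log_group_arn}:*"]`, passing `log_group_arn = aws_cloudwatch_log_group.infrastructure_vpc_flow_logs[0].arn` from the role policy. `logs:CreateLogGroup` is then also unnecessary for this caller because Terraform creates the group itself (L153); if the template must stay generic for other callers, a note in the file saying it is intentionally account-wide would at least make the choice visible.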
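--- /dev/null
+++ b/policies/kms-key-policy-statements/cloudwatch-logs-allow.json.tpl
@@ -0,0 +1,19 @@
+%{if log_group_arn != ""}{
+"Effect": "Allow",
+"Principal": {
+"Service": "logs.amazonaws.com"
+},
+"Action": [
+"kms:Encrypt*",
+"kms:Decrypt*",
+"kms:ReEncrypt*",
+"kms:GenerateDataKey*",
+"kms:Describe*"
+],
+"Resource": "*",
+"Condition": {
+"ArnEquals": {
+"kms:EncryptionContext:aws:logs:arn": "${log_group_arn}"
+}
+}
+}%{endif}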
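Review bot: The `ArnEquals` condition only passes when `${log_group_arn}` is byte-for-byte the log-group ARN that CloudWatch Logs puts in the encryption context, which carries no trailing `:*`; AWS provider versions whose `aws_cloudwatch_log_group.arn` still ends in `:*` would make this statement never match and the key unusable for the group. Where this template is rendered is not in this commit, so I cannot tell which value is passed, but building the ARN from the name, `"arn:aws:logs:${region}:${account_id}:log-group:${log_group_name}"`, sidesteps both that and a likely dependency cycle, since the log group itself references the key (`kms_key_id`, L159). A comment on the `%{if}` line saying the statement is omitted entirely when no group is configured would help whoever assembles the key policy from these fragments.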
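--- /dev/null
+++ b/policies/kms-key-policy-statements/log-delivery-allow.json.tpl
@@ -0,0 +1,22 @@
+%{if account_id != ""}{
+"Effect": "Allow",
+"Principal": {
+"Service": [ "delivery.logs.amazonaws.com" ]
+},
+"Action": [
+"kms:Encrypt",
+"kms:Decrypt",
+"kms:ReEncrypt*",
+"kms:GenerateDataKey*",
+"kms:DescribeKey"
+],
+"Resource": "*",
+"Condition": {
+"StringEquals": {
+"aws:SourceAccount": ["${account_id}"]
+},
+"ArnLike": {
+"aws:SourceArn": ["arn:aws:logs:${region}:${account_id}:*"]
+}
+}
+}%{endif}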
@@ -0,0 +1,19 @@ | ||
resource "aws_athena_workgroup" "infrastructure_vpc_flow_logs" { | ||
count = local.infrastructure_vpc_flow_logs_s3_with_athena ? 1 : 0 | ||
|
||
name = "${local.resource_prefix}-infrastructure-vpc-flow-logs" | ||
|
||
configuration { | ||
enforce_workgroup_configuration = true | ||
publish_cloudwatch_metrics_enabled = true | ||
|
||
result_configuration { | ||
output_location = "s3://${aws_s3_bucket.infrastructure_logs[0].bucket}/${local.infrastructure_vpc_flow_logs_s3_key_prefix}-athena-output" | ||
|
||
encryption_configuration { | ||
encryption_option = local.infrastructure_kms_encryption ? "SSE_KMS" : "SSE_S3" | ||
kms_key_arn = local.infrastructure_kms_encryption ? aws_kms_key.infrastructure[0].arn : null | ||
} | ||
} | ||
} | ||
} |
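Review bot: The `result_configuration` block pins the output bucket by name only; adding `expected_bucket_owner = local.aws_account_id` (the local is already used at L238; check your provider version supports the argument) makes Athena refuse to write results if that bucket name is ever owned by another account. Query results are written into the same logging bucket as the raw flow logs, so read access to the `-athena-output` prefix is effectively read access to the flow data — worth a comment on `output_location` so the bucket's access policy is reviewed with that in mind. Since the table below uses partition projection over an open-ended date range, `bytes_scanned_cutoff_per_query` in the `configuration` block would bound the cost of an unconstrained query.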
@@ -0,0 +1,34 @@ | ||
resource "aws_cloudwatch_log_group" "infrastructure_vpc_flow_logs" { | ||
count = local.infrastructure_vpc_flow_logs_cloudwatch_logs ? 1 : 0 | ||
|
||
name = "${local.resource_prefix}-infrastructure-vpc-flow-logs" | ||
retention_in_days = local.infrastructure_vpc_flow_logs_retention | ||
kms_key_id = local.infrastructure_kms_encryption ? aws_kms_key.infrastructure[0].arn : null | ||
skip_destroy = true | ||
} | ||
|
||
resource "aws_iam_role" "infrastructure_vpc_flow_logs" { | ||
count = local.infrastructure_vpc_flow_logs_cloudwatch_logs ? 1 : 0 | ||
|
||
name = "${local.resource_prefix}-infrastructure-vpc-flow-logs" | ||
assume_role_policy = templatefile("${path.root}/policies/assume-roles/service-principle-standard.json.tpl", { | ||
services = jsonencode(["vpc-flow-logs.amazonaws.com"]) | ||
}) | ||
} | ||
|
||
resource "aws_iam_role_policy" "infrastructure_vpc_flow_logs_allow_cloudwatch_rw" { | ||
count = local.infrastructure_vpc_flow_logs_cloudwatch_logs ? 1 : 0 | ||
|
||
name = "${local.resource_prefix}-ecs-vpc-flow-logs-cloudwatch-logs-rw" | ||
role = aws_iam_role.infrastructure_vpc_flow_logs[0].id | ||
policy = templatefile("${path.root}/policies/cloudwatch-logs-rw.json.tpl", {}) | ||
} | ||
|
||
resource "aws_flow_log" "infrastructure_vpc_flow_logs_cloudwatch" { | ||
count = local.infrastructure_vpc_flow_logs_cloudwatch_logs ? 1 : 0 | ||
|
||
iam_role_arn = aws_iam_role.infrastructure_vpc_flow_logs[0].id | ||
log_destination = aws_cloudwatch_log_group.infrastructure_vpc_flow_logs[0].arn | ||
traffic_type = local.infrastructure_vpc_flow_logs_traffic_type | ||
vpc_id = aws_vpc.infrastructure[0].id | ||
} |
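Review bot: `iam_role_arn` is given `aws_iam_role.infrastructure_vpc_flow_logs[0].id`, but the `id` of an `aws_iam_role` is the role name, not its ARN, so the flow log would be created with an invalid delivery role; it should be `iam_role_arn = aws_iam_role.infrastructure_vpc_flow_logs[0].arn`. The inline policy name `"${local.resource_prefix}-ecs-vpc-flow-logs-cloudwatch-logs-rw"` also looks like a copy-paste from an ECS module — every other resource here is named `-infrastructure-vpc-flow-logs`, so `"${local.resource_prefix}-infrastructure-vpc-flow-logs-cloudwatch-logs-rw"` keeps the naming consistent. A comment on `skip_destroy = true` explaining that the group is kept on `terraform destroy` to retain audit history would spare the next reader a guess.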
@@ -0,0 +1,58 @@ | ||
resource "aws_glue_catalog_database" "infrastructure_vpc_flow_logs" { | ||
count = local.infrastructure_vpc_flow_logs_s3_with_athena ? 1 : 0 | ||
|
||
name = "${replace(local.resource_prefix, "-", "_")}_infrastructure_vpc_logs" | ||
description = "Database for ${local.resource_prefix} VPC flow log tables to be queried with Athena" | ||
} | ||
|
||
resource "aws_glue_catalog_table" "infrastructure_vpc_flow_logs" { | ||
count = local.infrastructure_vpc_flow_logs_s3_with_athena ? 1 : 0 | ||
|
||
name = "${replace(local.resource_prefix, "-", "_")}_infrastructure_vpc_logs" | ||
database_name = aws_glue_catalog_database.infrastructure_vpc_flow_logs[0].name | ||
|
||
dynamic "partition_keys" { | ||
for_each = local.infrastructure_vpc_flow_logs_glue_table_partition_keys | ||
content { | ||
name = partition_keys.key | ||
type = partition_keys.value | ||
} | ||
} | ||
|
||
parameters = { | ||
comment = "VPC Flow logs table for ${local.resource_prefix} infrastructure VPC" | ||
EXTERNAL = "TRUE" | ||
"skip.header.line.count" = "1" | ||
"projection.enabled" = "true" | ||
"projection.region.type" = "enum" | ||
"projection.region.values" = local.aws_region | ||
"projection.day.type" = "date" | ||
"projection.day.range" = "2023/01/01,NOW" | ||
"projection.day.format" = "yyyy/MM/dd" | ||
"projection.hour.type" = "integer" | ||
"projection.hour.range" = "00,23" | ||
"projection.hour.digits" = "2" | ||
"storage.location.template" = "s3://${aws_s3_bucket.infrastructure_logs[0].id}/${local.infrastructure_vpc_flow_logs_s3_key_prefix}/AWSLogs/${local.aws_account_id}/vpcflowlogs/$${region}/$${day}/$${hour}" | ||
} | ||
|
||
storage_descriptor { | ||
input_format = "org.apache.hadoop.hive.ql.io.parquet.MapredParquetInputFormat" | ||
output_format = "org.apache.hadoop.hive.ql.io.parquet.MapredParquetOutputFormat" | ||
location = "s3://${aws_s3_bucket.infrastructure_logs[0].id}/${local.infrastructure_vpc_flow_logs_s3_key_prefix}/AWSLogs/${local.aws_account_id}/vpcflowlogs" | ||
|
||
ser_de_info { | ||
parameters = { | ||
"serialization.format" = "1" | ||
} | ||
serialization_library = "org.apache.hadoop.hive.ql.io.parquet.serde.ParquetHiveSerDe" | ||
} | ||
|
||
dynamic "columns" { | ||
for_each = local.infrastructure_vpc_flow_logs_glue_table_columns | ||
content { | ||
name = columns.key | ||
type = columns.value | ||
} | ||
} | ||
} | ||
} |
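Review bot: `"skip.header.line.count" = "1"` is a text/CSV SerDe property and has no meaning for the Parquet SerDe configured in `ser_de_info`, so it should be dropped rather than left to suggest a header row exists. The projection start `"projection.day.range" = "2023/01/01,NOW"` is a hard-coded date; a comment saying it only needs to predate the first delivered log, or deriving it from a local, would stop it being cargo-culted into other templates. The partition keys and columns come from locals not in this commit, so I cannot confirm they match the default flow-log record format and the `region/day/hour` placeholders in `storage.location.template`; please double-check those names line up, since a mismatch yields empty results rather than an error.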
@@ -0,0 +1,13 @@ | ||
resource "aws_flow_log" "infrastructure_vpc_flow_logs_s3" { | ||
count = local.infrastructure_vpc_flow_logs_s3_with_athena ? 1 : 0 | ||
|
||
log_destination_type = "s3" | ||
log_destination = "${aws_s3_bucket.infrastructure_logs[0].arn}/${local.infrastructure_vpc_flow_logs_s3_key_prefix}" | ||
traffic_type = local.infrastructure_vpc_flow_logs_traffic_type | ||
vpc_id = aws_vpc.infrastructure[0].id | ||
|
||
destination_options { | ||
file_format = "parquet" | ||
per_hour_partition = true | ||
} | ||
} |
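Review bot: Nothing in this commit grants `delivery.logs.amazonaws.com` permission to write to `${aws_s3_bucket.infrastructure_logs[0].arn}/${local.infrastructure_vpc_flow_logs_s3_key_prefix}`; if the bucket policy is not managed elsewhere, AWS may auto-attach one at flow-log creation, and a Terraform-managed `aws_s3_bucket_policy` on the same bucket would then overwrite it on the next apply. I would make the grant explicit in the bucket policy (`s3:PutObject` on `.../AWSLogs/${local.aws_account_id}/*` with `aws:SourceAccount` and `s3:x-amz-acl = bucket-owner-full-control` conditions, plus `s3:GetBucketAcl` on the bucket) so it is visible and reviewable. A comment on `per_hour_partition = true` noting that the Glue table's `storage.location.template` depends on this layout would tie the two resources together for future maintainers.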