diff --git a/modules/aws/logging/cw-logs-destination/README.md b/modules/aws/logging/cw-logs-destination/README.md
new file mode 100644
index 0000000..d0e2322
--- /dev/null
+++ b/modules/aws/logging/cw-logs-destination/README.md
@@ -0,0 +1,45 @@ + + # Terraform Module for - creating cw-logs-destination + # Example terragrunt.hcl inputs + ```hcl +inputs = { + destination_name = "cc-centralized-logs-destination" + source_account_id = "example-account-id" # the account from which the logs originate + firehose_arn = "arn:aws:firehose:eu-west-2::deliverystream/splunk-firehose-fh-cw2splunk" +} + ``` + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_log_destination.cw_logs_destination](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_destination) | resource | +| [aws_cloudwatch_log_destination_policy.cw_logs_destination_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_destination_policy) | resource | +| [aws_iam_role.logs_destination_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.logs_destination_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_region](#input\_aws\_region) | AWS Region | `string` | `"eu-west-2"` | no | +| [destination\_name](#input\_destination\_name) | Name of the CloudWatch Logs destination | `string` | n/a | yes | +| [firehose\_arn](#input\_firehose\_arn) | ARN of the existing Firehose delivery stream | `string` | n/a | yes | +| [source\_account\_id](#input\_source\_account\_id) | AWS Account ID of the source (management account X) | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [cw\_logs\_destination\_arn](#output\_cw\_logs\_destination\_arn) | The ARN of the CloudWatch Logs Destination | + \ No newline at end of file 
diff --git a/modules/aws/logging/cw-logs-destination/main.tf b/modules/aws/logging/cw-logs-destination/main.tf
new file mode 100644
index 0000000..521372a
--- /dev/null
+++ b/modules/aws/logging/cw-logs-destination/main.tf
@@ -0,0 +1,57 @@
+resource "aws_cloudwatch_log_destination" "cw_logs_destination" {
+ name = var.destination_name
+ role_arn = aws_iam_role.logs_destination_role.arn
+ target_arn = var.firehose_arn
+}
+
+resource "aws_cloudwatch_log_destination_policy" "cw_logs_destination_policy" {
+ destination_name = aws_cloudwatch_log_destination.cw_logs_destination.name
+ access_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Principal = {
+ AWS = var.source_account_id
+ }
+ Action = "logs:PutSubscriptionFilter"
+ Resource = aws_cloudwatch_log_destination.cw_logs_destination.arn
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role" "logs_destination_role" {
+ name = "CloudWatchLogsDestinationRole"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Principal = {
+ Service = "logs.${var.aws_region}.amazonaws.com"
+ }
+ Action = "sts:AssumeRole"
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy" "logs_destination_policy" {
+ role = aws_iam_role.logs_destination_role.id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "firehose:PutRecord",
+ "firehose:PutRecordBatch"
+ ]
+ Resource = var.firehose_arn
+ }
+ ]
+ })
+}
diff --git a/modules/aws/logging/cw-logs-destination/outputs.tf b/modules/aws/logging/cw-logs-destination/outputs.tf
new file mode 100644
index 0000000..3aa8730
--- /dev/null
+++ b/modules/aws/logging/cw-logs-destination/outputs.tf
@@ -0,0 +1,4 @@
+output "cw_logs_destination_arn" {
+ description = "The ARN of the CloudWatch Logs Destination"
+ value = aws_cloudwatch_log_destination.cw_logs_destination.arn
+}
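Review bot: The trust policy on `logs_destination_role` lets the CloudWatch Logs service assume the role on behalf of any AWS account, because the statement with `Service = "logs.${var.aws_region}.amazonaws.com"` carries no `aws:SourceArn` / `aws:SourceAccount` condition; that is the cross-service confused-deputy case, and AWS's documented trust policy for cross-account log destinations scopes the assumption with `aws:SourceArn` to the sender and recipient accounts. The sender is already available as `var.source_account_id`; the recipient account needs an `aws_caller_identity` data source, which the module does not yet declare. Separately, `name = "CloudWatchLogsDestinationRole"` is a fixed role name, so a second instance of this module in the same account will fail on a name clash — deriving it from `var.destination_name` (e.g. `name = "${var.destination_name}-role"`) avoids that, at the cost of a role recreation for existing deployments.
```hcl
data "aws_caller_identity" "current" {}

resource "aws_iam_role" "logs_destination_role" {
  # … unchanged: name …

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "logs.${var.aws_region}.amazonaws.com"
        }
        Action = "sts:AssumeRole"
        # Confused-deputy guard: only CloudWatch Logs acting for the sender account
        # or this (recipient) account may assume the role.
        Condition = {
          StringLike = {
            "aws:SourceArn" = [
              "arn:aws:logs:${var.aws_region}:${var.source_account_id}:*",
              "arn:aws:logs:${var.aws_region}:${data.aws_caller_identity.current.account_id}:*"
            ]
          }
        }
      }
    ]
  })
}
# … unchanged: aws_cloudwatch_log_destination, cw_logs_destination_policy, logs_destination_policy …
```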
diff --git a/modules/aws/logging/cw-logs-destination/variables.tf b/modules/aws/logging/cw-logs-destination/variables.tf
new file mode 100644
index 0000000..3f437a2
--- /dev/null
+++ b/modules/aws/logging/cw-logs-destination/variables.tf
@@ -0,0 +1,20 @@
+variable "aws_region" {
+ description = "AWS Region"
+ type = string
+ default = "eu-west-2"
+}
+
+variable "destination_name" {
+ description = "Name of the CloudWatch Logs destination"
+ type = string
+}
+
+variable "source_account_id" {
+ description = "AWS Account ID of the source (management account X)"
+ type = string
+}
+
+variable "firehose_arn" {
+ description = "ARN of the existing Firehose delivery stream"
+ type = string
+}
diff --git a/modules/aws/secrets/fetch-secret/README.md b/modules/aws/secrets/fetch-secret/README.md
new file mode 100644
index 0000000..b70714c
--- /dev/null
+++ b/modules/aws/secrets/fetch-secret/README.md
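Review bot: `source_account_id` is interpolated straight into the destination policy's `Principal.AWS` in main.tf and has no validation, so a value like the README's placeholder `"example-account-id"` is presumably only rejected by the API at apply time, likely after the destination resource itself has already been created. A validation block catches this at plan time: `validation { condition = can(regex("^[0-9]{12}$", var.source_account_id)) error_message = "source_account_id must be a 12-digit AWS account ID." }`. The same treatment suits `firehose_arn`, which becomes the `Resource` of the role policy and could be checked with `can(regex("^arn:aws[a-z-]*:firehose:", var.firehose_arn))` so the role cannot be granted `PutRecord` on an unrelated ARN by mistake.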
@@ -0,0 +1,38 @@ + + # Terraform Module for - fetching secrets from secrets manager + # Example terragrunt.hcl inputs + ```hcl + inputs = { + secret_name = "dev/splunk/hec-token" # example secret-name to fetch its secret value + } + ``` +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + + +## Resources + +| Name | Type | +|------|------| +| [aws_secretsmanager_secret.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | +| [aws_secretsmanager_secret_version.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [secret\_name](#input\_secret\_name) | name of the secret to be fetched | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [hec\_token](#output\_hec\_token) | n/a | + \ No newline at end of file