From c2ce7fa126012ed02c03ecf5f76a1ebd38ecd904 Mon Sep 17 00:00:00 2001
From: jamesgreen-moj <144033531+jamesgreen-moj@users.noreply.github.com>
Date: Fri, 2 Feb 2024 16:00:10 +0000
Subject: [PATCH] Xsiam firehose (#259)
* firehose module for xsiam logs ingestion
* Added terraform force unlock
* adjusted iam polcies, and module to main.tf
* Added Cloudwatch error logging Added config so we can view Cloudwatch logging errors via cloudwatch
* updated module to use secrets manager via data AWS secrets mananger now store the http endpoint and access_key for the firehose http endpoint.
* Added server_side_enrytion to firehose
* added logging group resource and permissions for firehose to log to it
* added cloudwatch subscription
* Commit changes made by code formatters
* renamed the logs subscription name to reflect nacs to xsiam
* updated secret version for xsiam endpoint in production and pre-production
* updated secret version for xsiam endpoint in development,production and pre-production
* locked down permissive permissions
---------
Co-authored-by: Jahir
Co-authored-by: github-actions[bot]
---
 Makefile | 4 +
 data.tf | 15 ++
 main.tf | 13 ++
 .../log_group_subscription.tf | 53 +++++++
 modules/kinesis_firehose_xsiam/main.tf | 134 ++++++++++++++++++
 .../required_providers.tf | 6 +
 modules/kinesis_firehose_xsiam/s3.tf | 5 +
 modules/kinesis_firehose_xsiam/variable.tf | 15 ++
 8 files changed, 245 insertions(+)
 create mode 100644 modules/kinesis_firehose_xsiam/log_group_subscription.tf
 create mode 100644 modules/kinesis_firehose_xsiam/main.tf
 create mode 100644 modules/kinesis_firehose_xsiam/required_providers.tf
 create mode 100644 modules/kinesis_firehose_xsiam/s3.tf
 create mode 100644 modules/kinesis_firehose_xsiam/variable.tf
diff --git a/Makefile b/Makefile
index 926d870..eacd0bc 100644
--- a/Makefile
+++ b/Makefile
@@ -75,6 +75,10 @@ init-reconfigure: ## terraform init --reconfigure
 init-upgrade: ## terraform init -upgrade
 $(DOCKER_RUN) /bin/bash -c "terraform init -upgrade --backend-config=\"key=terraform.${ENV}.state\""
 
+.PHONY: unlock
+unlock: ## Terraform unblock (make force-unlock ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
+ $(DOCKER_RUN) /bin/bash -c "terraform force-unlock ${ID}"
+
 .PHONY: import
 import: ## terraform import e.g. (make import IMPORT_ARGUMENT=module.foo.bar some_resource)
 $(DOCKER_RUN) /bin/bash -c "terraform import ${IMPORT_ARGUMENT}"
diff --git a/data.tf b/data.tf
index 1938662..b322f07 100644
--- a/data.tf
+++ b/data.tf
@@ -1,3 +1,9 @@
+locals {
+ xaiam_secrets_version_development = "2e73a1de-af34-4c1d-a8ce-759df5b7bf75"
+ xaiam_secrets_version_pre_production = "9a071db2-4ed2-4c3f-9568-5ef2d5299dc4"
+ xaiam_secrets_version_production = "a275ae6e-fc4c-4341-bb63-064f4e2fe209"
+}
+
 #-----------------------------------------------------------------
 ### Getting the staff-device-shared-services-infrastructure state
 #-----------------------------------------------------------------
@@ -10,3 +16,12 @@ data "terraform_remote_state" "staff-device-shared-services-infrastructure" {
 region = "eu-west-2"
 }
 }
+
+data "aws_secretsmanager_secret" "xsiam_endpoint_secrets" {
+ name = "/nac-server/${terraform.workspace}/xsiam_endpoint_secrets"
+}
+
+data "aws_secretsmanager_secret_version" "xaiam_secrets_version" {
+ secret_id = data.aws_secretsmanager_secret.xsiam_endpoint_secrets.id
+ version_id = terraform.workspace == "pre-production" ? local.xaiam_secrets_version_pre_production : terraform.workspace == "production" ? local.xaiam_secrets_version_production : local.xaiam_secrets_version_development
+}
diff --git a/main.tf b/main.tf
index b734dfd..807a619 100644
--- a/main.tf
+++ b/main.tf
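Review bot: The help text on the new `unlock` target points users at `make force-unlock`, which is not a target in this file, and "unblock" reads as a typo for "unlock"; suggest `unlock: ## terraform force-unlock (make unlock ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)`. The recipe also expands `${ID}` unchecked, so a bare `make unlock` runs `terraform force-unlock` with an empty argument and the only diagnostic is terraform's usage message from inside the container. A first recipe line `@$(if $(strip $(ID)),,$(error ID is required: make unlock ID=LOCK_ID))` fails early in make with a clear message, in the same style as the existing `${ENV}` and `${IMPORT_ARGUMENT}` rules around it.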
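Review bot: The `version_id` ternary in the second data.tf hunk maps every workspace other than `pre-production` and `production` onto `local.xaiam_secrets_version_development`, while `secret_id` is derived from `terraform.workspace`, so any other workspace would request a version id that belongs to a different secret and the data source read would fail. A map keyed by workspace, `xaiam_secrets_version = { development = "<dev-version-id>", pre-production = "<pre-prod-version-id>", production = "<prod-version-id>" }` with `version_id = local.xaiam_secrets_version[terraform.workspace]`, turns an unsupported workspace into an explicit lookup error and removes the nested ternary. Pinning version ids in the first hunk also means every rotation of the XSIAM access key requires a code change here; if that is a deliberate change-control choice, a one-line comment above the `locals` block saying so would save the next maintainer from "fixing" it, otherwise `version_stage` is the alternative. The `xaiam_` prefix used in both hunks looks like a typo for `xsiam_`, which the secret name and the module name already use.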
@@ -310,3 +310,16 @@ module "performance_testing" {
 aws = aws.env
 }
 }
+
+module "kinesis_firehose_xsiam" {
+ source = "./modules/kinesis_firehose_xsiam"
+ http_endpoint = jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string)["http_endpoint"]
+ access_key = jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string)["access_key"]
+ prefix = "${module.label.id}-xsiam"
+ tags = module.label.tags
+ cloudwatch_log_group_for_subscription = module.radius.cloudwatch.server_log_group_name
+
+ providers = {
+ aws = aws.env
+ }
+}
diff --git a/modules/kinesis_firehose_xsiam/log_group_subscription.tf b/modules/kinesis_firehose_xsiam/log_group_subscription.tf
new file mode 100644
index 0000000..52825a2
--- /dev/null
+++ b/modules/kinesis_firehose_xsiam/log_group_subscription.tf
@@ -0,0 +1,53 @@
+resource "aws_cloudwatch_log_subscription_filter" "nacs_server_xsiam_subscription" {
+ name = "xsiam-delivery-stream-${var.prefix}"
+ role_arn = aws_iam_role.this.arn
+ log_group_name = var.cloudwatch_log_group_for_subscription
+ filter_pattern = ""
+ destination_arn = aws_kinesis_firehose_delivery_stream.xsiam_delivery_stream.arn
+}
+
+resource "aws_iam_role" "this" {
+ name_prefix = var.prefix
+ assume_role_policy = <
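Review bot: `access_key` is taken from the decoded secret and handed to the module as a plain input; unless `variable "access_key"` in `modules/kinesis_firehose_xsiam/variable.tf` (listed in the diffstat but not in this view) is declared `sensitive = true`, nothing on the module side records that this value must stay out of plan output and logs. Terraform carries the sensitivity of `secret_string` through `jsondecode` where the provider marks it, but the one-line variable attribute is the explicit guard and does not depend on provider behaviour. The `jsondecode(...)` call is also repeated for the two keys; a local such as `xsiam_endpoint = jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string)` lets both lines read `local.xsiam_endpoint["http_endpoint"]` and `local.xsiam_endpoint["access_key"]`.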