* firehose module for xsiam logs ingestion * Added terraform force unlock * adjusted iam policies, and added module to main.tf * Added Cloudwatch error logging; added config so we can view Cloudwatch logging errors via cloudwatch * updated module to use secrets manager via data; AWS Secrets Manager now stores the http endpoint and access_key for the firehose http endpoint. * Added server_side_encryption to firehose * added logging group resource and permissions for firehose to log to it * added cloudwatch subscription * Commit changes made by code formatters * renamed the logs subscription name to reflect nacs to xsiam * updated secret version for xsiam endpoint in production and pre-production * updated secret version for xsiam endpoint in development, production and pre-production * locked down permissive permissions --------- Co-authored-by: Jahir <[email protected]> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
1 parent
3211560
commit c2ce7fa
Showing
8 changed files
with
245 additions
and
0 deletions.
@@ -0,0 +1,53 @@ | ||
resource "aws_cloudwatch_log_subscription_filter" "nacs_server_xsiam_subscription" { | ||
name = "xsiam-delivery-stream-${var.prefix}" | ||
role_arn = aws_iam_role.this.arn | ||
log_group_name = var.cloudwatch_log_group_for_subscription | ||
filter_pattern = "" | ||
destination_arn = aws_kinesis_firehose_delivery_stream.xsiam_delivery_stream.arn | ||
} | ||
|
||
resource "aws_iam_role" "this" { | ||
name_prefix = var.prefix | ||
assume_role_policy = <<EOF | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Action": "sts:AssumeRole", | ||
"Principal": { | ||
"Service": "logs.amazonaws.com" | ||
}, | ||
"Effect": "Allow", | ||
"Sid": "" | ||
} | ||
] | ||
} | ||
EOF | ||
} | ||
|
||
resource "aws_iam_policy" "put_record" { | ||
name_prefix = var.prefix | ||
tags = var.tags | ||
policy = <<-EOF | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Action": [ | ||
"firehose:PutRecord", | ||
"firehose:PutRecordBatch" | ||
], | ||
"Resource": [ | ||
"${aws_kinesis_firehose_delivery_stream.xsiam_delivery_stream.arn}" | ||
] | ||
} | ||
] | ||
} | ||
EOF | ||
} | ||
|
||
resource "aws_iam_role_policy_attachment" "this" { | ||
role = aws_iam_role.this.name | ||
policy_arn = aws_iam_policy.put_record.arn | ||
} |
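Review bot: The trust policy of `aws_iam_role.this` lets `logs.amazonaws.com` assume the role with no `Condition`, so in principle a CloudWatch Logs subscription created in another account that learns the role ARN could use it to write into the delivery stream (the cross-service confused-deputy case); add a condition such as `"Condition": { "StringEquals": { "aws:SourceAccount": "<account id>" } }` — or `aws:SourceArn` scoped to the `arn:aws:logs:…:log-group:` prefix of `var.cloudwatch_log_group_for_subscription` — with the account id taken from an `aws_caller_identity` data source rather than hard-coded. `filter_pattern = ""` forwards every event in the group; that is presumably intended for XSIAM ingestion, but a one-line comment saying so would save the next reader a question. The role carries no `tags = var.tags` while `aws_iam_policy.put_record` does. This file writes its policy documents as heredocs where the delivery-stream file uses `jsonencode`; either works, but one style would be easier to lint.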
@@ -0,0 +1,134 @@ | ||
resource "aws_kinesis_firehose_delivery_stream" "xsiam_delivery_stream" { | ||
name = "xsiam-delivery-stream-${var.prefix}" | ||
destination = "http_endpoint" | ||
|
||
server_side_encryption { | ||
enabled = true | ||
} | ||
|
||
http_endpoint_configuration { | ||
url = var.http_endpoint | ||
name = var.prefix | ||
access_key = var.access_key | ||
buffering_size = 5 | ||
buffering_interval = 300 | ||
role_arn = aws_iam_role.xsiam_kinesis_firehose_role.arn | ||
s3_backup_mode = "FailedDataOnly" | ||
|
||
cloudwatch_logging_options { | ||
enabled = true | ||
log_group_name = aws_cloudwatch_log_group.xsiam_delivery_group.name | ||
log_stream_name = aws_cloudwatch_log_stream.xsiam_delivery_stream.name | ||
} | ||
} | ||
|
||
s3_configuration { | ||
role_arn = aws_iam_role.xsiam_kinesis_firehose_role.arn | ||
bucket_arn = aws_s3_bucket.xsiam_firehose_bucket.arn | ||
buffer_size = 10 | ||
buffer_interval = 400 | ||
compression_format = "GZIP" | ||
} | ||
} | ||
|
||
resource "aws_cloudwatch_log_group" "xsiam_delivery_group" { | ||
name = "xsiam-delivery-stream-${var.prefix}" | ||
|
||
retention_in_days = 90 | ||
} | ||
|
||
resource "aws_cloudwatch_log_stream" "xsiam_delivery_stream" { | ||
name = "errors" | ||
log_group_name = aws_cloudwatch_log_group.xsiam_delivery_group.name | ||
} | ||
|
||
resource "aws_iam_role" "xsiam_kinesis_firehose_role" { | ||
|
||
assume_role_policy = jsonencode({ | ||
Version = "2012-10-17" | ||
Statement = [ | ||
{ | ||
Action = "sts:AssumeRole" | ||
Effect = "Allow" | ||
Principal = { | ||
Service = "firehose.amazonaws.com" | ||
} | ||
} | ||
] | ||
}) | ||
} | ||
|
||
resource "aws_iam_role_policy" "xsiam_kinesis_firehose_role_policy" { | ||
role = aws_iam_role.xsiam_kinesis_firehose_role.id | ||
|
||
policy = jsonencode({ | ||
Version = "2012-10-17" | ||
Statement = [ | ||
{ | ||
Action = [ | ||
"logs:DescribeLogGroups", | ||
"logs:DescribeLogStreams", | ||
"logs:GetLogEvents" | ||
] | ||
Effect = "Allow" | ||
Resource = "*" | ||
} | ||
] | ||
}) | ||
} | ||
|
||
resource "aws_iam_role_policy_attachment" "kinesis_firehose_error_log_role_attachment" { | ||
policy_arn = aws_iam_policy.xsiam_kinesis_firehose_error_log_policy.arn | ||
role = aws_iam_role.xsiam_kinesis_firehose_role.name | ||
|
||
} | ||
|
||
resource "aws_iam_policy" "xsiam_kinesis_firehose_error_log_policy" { | ||
policy = jsonencode({ | ||
Version = "2012-10-17" | ||
Statement = [ | ||
{ | ||
Action = [ | ||
"logs:PutLogEvents", | ||
] | ||
Effect = "Allow" | ||
Resource = [ | ||
"${aws_cloudwatch_log_group.xsiam_delivery_group.arn}/*" | ||
] | ||
} | ||
] | ||
}) | ||
} | ||
|
||
|
||
resource "aws_iam_role_policy_attachment" "kinesis_role_attachment" { | ||
policy_arn = aws_iam_policy.s3_kinesis_xsiam_policy.arn | ||
role = aws_iam_role.xsiam_kinesis_firehose_role.name | ||
|
||
} | ||
|
||
resource "aws_iam_policy" "s3_kinesis_xsiam_policy" { | ||
|
||
# Terraform's "jsonencode" function converts a | ||
# Terraform expression result to valid JSON syntax. | ||
policy = jsonencode({ | ||
Version = "2012-10-17" | ||
Statement = [ | ||
{ | ||
Action = [ | ||
"s3:AbortMultipartUpload", | ||
"s3:GetBucketLocation", | ||
"s3:GetObject", | ||
"s3:ListBucket", | ||
"s3:ListBucketMultipartUploads", | ||
"s3:PutObject" | ||
] | ||
Effect = "Allow" | ||
Resource = [ | ||
aws_s3_bucket.xsiam_firehose_bucket.arn, | ||
"${aws_s3_bucket.xsiam_firehose_bucket.arn}/*" | ||
] | ||
} | ||
] | ||
}) | ||
} |
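Review bot: The inline `aws_iam_role_policy` grants `logs:DescribeLogGroups`, `logs:DescribeLogStreams` and `logs:GetLogEvents` on `Resource = "*"`, which lets the Firehose role read events from every log group in the account, and none of the three appears to be needed for the stream's error logging (that is covered by the separate `logs:PutLogEvents` grant), so the block can be removed or at least scoped to `aws_cloudwatch_log_group.xsiam_delivery_group.arn` — the description's "locked down permissive permissions" does not seem to have reached this statement. That `PutLogEvents` grant also looks mis-scoped: log stream ARNs take the form `…:log-group:NAME:log-stream:STREAM`, so `"${aws_cloudwatch_log_group.xsiam_delivery_group.arn}/*"` is unlikely to match the `errors` stream and the delivery stream's error writes may be denied; `"${aws_cloudwatch_log_group.xsiam_delivery_group.arn}:log-stream:*"` would match (check whether the provider's `arn` attribute already carries a trailing `:*`). `server_side_encryption { enabled = true }` without `key_type` uses the AWS-owned key, which is fine unless the forwarded logs require a customer-managed KMS key, in which case set `key_type = "CUSTOMER_MANAGED_CMK"` and `key_arn`. The delivery stream, log group and the IAM resources here are untagged while the bucket and `put_record` policy take `tags = var.tags`.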
@@ -0,0 +1,6 @@ | ||
terraform { | ||
required_providers { | ||
aws = { | ||
} | ||
} | ||
} |
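Review bot: `aws = {}` in `required_providers` declares the provider without a `source` or `version` constraint, so the module accepts whatever provider build the root configuration resolves and a future major release can change resource behaviour underneath it — for a log-forwarding pipeline that is a quiet way to lose data; pin it, e.g. `aws = { source = "hashicorp/aws", version = "~> 5.0" }`, with the major version matching what the root module already uses. A `required_version` for Terraform itself is also absent. If the root module already constrains the provider version, only the `source` line is missing here.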
@@ -0,0 +1,5 @@ | ||
resource "aws_s3_bucket" "xsiam_firehose_bucket" { | ||
bucket = "xsiam-firehose-${var.prefix}" | ||
|
||
tags = var.tags | ||
} |
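Review bot: This bucket receives the records the stream fails to deliver (`s3_backup_mode = "FailedDataOnly"` elsewhere in this commit), i.e. raw copies of the forwarded logs, yet nothing here blocks public access, sets default encryption, or expires the objects, so failed batches accumulate indefinitely and the bucket's posture depends entirely on account-level defaults. With AWS provider 4 or later the companion resources below make that explicit; the 90-day expiry mirrors the retention already chosen for the error log group. Versioning is a separate decision (it would keep deleted failed batches around) and is left out.
```hcl
resource "aws_s3_bucket" "xsiam_firehose_bucket" {
  # … unchanged: bucket name and tags …
}

resource "aws_s3_bucket_public_access_block" "xsiam_firehose_bucket" {
  bucket                  = aws_s3_bucket.xsiam_firehose_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "xsiam_firehose_bucket" {
  bucket = aws_s3_bucket.xsiam_firehose_bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

resource "aws_s3_bucket_lifecycle_configuration" "xsiam_firehose_bucket" {
  bucket = aws_s3_bucket.xsiam_firehose_bucket.id

  rule {
    id     = "expire-failed-deliveries"
    status = "Enabled"
    filter {}

    expiration {
      days = 90
    }
  }
}
```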
@@ -0,0 +1,15 @@ | ||
variable "http_endpoint" { | ||
type = string | ||
} | ||
variable "prefix" { | ||
type = string | ||
} | ||
variable "access_key" { | ||
type = string | ||
} | ||
variable "tags" { | ||
type = map(string) | ||
} | ||
variable "cloudwatch_log_group_for_subscription" { | ||
type = string | ||
} |
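Review bot: `variable "access_key"` (and arguably `http_endpoint`, which the description says is also held in Secrets Manager) is not marked `sensitive = true`, so the XSIAM API key is printed in `terraform plan`/`apply` output and CI logs whenever the delivery stream changes; adding `sensitive = true` suppresses that (it still lands in state, which must be treated as secret). None of the variables carries a `description`, e.g. `description = "Name of the CloudWatch log group whose events are forwarded to XSIAM"` for `cloudwatch_log_group_for_subscription`. A `validation` block on `http_endpoint` requiring an `https://` prefix would surface a misconfigured endpoint at plan time rather than at apply time.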