From e4cad021576962b1622661a5fe0062990e242a7b Mon Sep 17 00:00:00 2001 From: Jahir Date: Wed, 31 Jan 2024 13:44:22 +0000 Subject: [PATCH 01/13] firehose module for xsiam logs ingestion --- modules/kinesis_firehose_xsiam/data.tf | 7 ++ modules/kinesis_firehose_xsiam/main.tf | 89 +++++++++++++++++++ .../required_providers.tf | 6 ++ modules/kinesis_firehose_xsiam/s3.tf | 5 ++ modules/kinesis_firehose_xsiam/variable.tf | 12 +++ 5 files changed, 119 insertions(+) create mode 100644 modules/kinesis_firehose_xsiam/data.tf create mode 100644 modules/kinesis_firehose_xsiam/main.tf create mode 100644 modules/kinesis_firehose_xsiam/required_providers.tf create mode 100644 modules/kinesis_firehose_xsiam/s3.tf create mode 100644 modules/kinesis_firehose_xsiam/variable.tf diff --git a/modules/kinesis_firehose_xsiam/data.tf b/modules/kinesis_firehose_xsiam/data.tf new file mode 100644 index 0000000..e6f42e8 --- /dev/null +++ b/modules/kinesis_firehose_xsiam/data.tf @@ -0,0 +1,7 @@ +#data "aws_ssm_parameter" "http_endpoint" { +# name = "/service_name/$ENV/xsiam_http_endpoint" +# provider = +#} +#output "http_endpoint" { +# value=data.aws_ssm_parameter.http_endpoint.value +#} diff --git a/modules/kinesis_firehose_xsiam/main.tf b/modules/kinesis_firehose_xsiam/main.tf new file mode 100644 index 0000000..a741c8f --- /dev/null +++ b/modules/kinesis_firehose_xsiam/main.tf 
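Review bot: The commented-out template in modules/kinesis_firehose_xsiam/data.tf will not work if it is simply uncommented — `$ENV` in the parameter name is shell syntax rather than HCL interpolation and the `provider =` line is empty. If it is meant to stay as a template, write it as `name = "/service_name/${var.env}/xsiam_http_endpoint"` and, since the accompanying `output` would print the SSM value in plan/apply output, give that output `sensitive = true`. Otherwise it is better dropped than left as dead code that looks like a working example.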
@@ -0,0 +1,89 @@
+resource "aws_kinesis_firehose_delivery_stream" "xsiam_delivery_stream" {
+ name = "xsiam-delivery-stream-${var.prefix}"
+ destination = "http_endpoint"
+
+ http_endpoint_configuration {
+ url = var.http_endpoint
+ name = var.prefix
+ access_key = var.access_key
+ buffering_size = 5
+ buffering_interval = 300
+ role_arn = aws_iam_role.xsiam_kinesis_firehose_role.arn
+ s3_backup_mode = "FailedDataOnly"
+
+ s3_configuration {
+ role_arn = aws_iam_role.xsiam_kinesis_firehose_role.arn
+ bucket_arn = aws_s3_bucket.xsiam_firehose_bucket.arn
+ buffering_size = 10
+ buffering_interval = 400
+ compression_format = "GZIP"
+ }
+
+ request_configuration {
+ content_encoding = "GZIP"
+
+ # common_attributes {
+ # name = "testname"
+ # value = "testvalue"
+ # }
+ #
+ # common_attributes {
+ # name = "testname2"
+ # value = "testvalue2"
+ # }
+ }
+ }
+}
+
+resource "aws_iam_role" "xsiam_kinesis_firehose_role" {
+
+ //name = "kinesis-firehose-role-xsiam"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Action = "sts:AssumeRole",
+ Effect = "Allow",
+ Principal = {
+ Service = "firehose.amazonaws.com"
+ }
+ },
+ {
+ Action = [
+ "logs:DescribeLogGroups",
+ "logs:DescribeLogStreams",
+ "logs:GetLogEvents"
+ ],
+ Effect = "Allow",
+ resource = "*"
+ }
+ ]
+ })
+}
+resource "aws_iam_role_policy_attachment" "kinesis_role_attachment" {
+ policy_arn = ""
+ role = aws_iam_role.xsiam_kinesis_firehose_role.name
+
+}
+
+resource "aws_iam_policy" "s3_kinesis_xsiam_policy" {
+
+ # Terraform's "jsonencode" function converts a
+ # Terraform expression result to valid JSON syntax.
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "s3:*",
+ ]
+ Effect = "Allow"
+ Resource = [
+ aws_s3_bucket.xsiam_firehose_bucket.arn,
+ "${aws_s3_bucket.xsiam_firehose_bucket.arn}/*"
+ ]
+ },
+ ]
+ })
+}
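Review bot: The trust policy on `xsiam_kinesis_firehose_role` lets `firehose.amazonaws.com` assume the role with no condition, which is the cross-service confused-deputy shape AWS documents for Firehose service roles, and nothing later in this series adds one. Add a condition to the `sts:AssumeRole` statement, `Condition = { StringEquals = { "sts:ExternalId" = data.aws_caller_identity.current.account_id } }`, since Firehose presents the owning account id as the external id; this needs a `data "aws_caller_identity" "current" {}` in the module, which it does not have yet. The same trust document also carries a permissions statement (`logs:*` reads with a lowercase `resource` key) that does not belong in an assume-role policy — later patches relocate it, so I only flag the condition here.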
diff --git a/modules/kinesis_firehose_xsiam/required_providers.tf b/modules/kinesis_firehose_xsiam/required_providers.tf new file mode 100644 index 0000000..445199f --- /dev/null +++ b/modules/kinesis_firehose_xsiam/required_providers.tf @@ -0,0 +1,6 @@ +terraform { + required_providers { + aws = { + } + } +} diff --git a/modules/kinesis_firehose_xsiam/s3.tf b/modules/kinesis_firehose_xsiam/s3.tf new file mode 100644 index 0000000..db9ecaf --- /dev/null +++ b/modules/kinesis_firehose_xsiam/s3.tf @@ -0,0 +1,5 @@ +resource "aws_s3_bucket" "xsiam_firehose_bucket" { + bucket = "xsiam-firehose-${var.prefix}" + + tags = var.tags +} diff --git a/modules/kinesis_firehose_xsiam/variable.tf b/modules/kinesis_firehose_xsiam/variable.tf new file mode 100644 index 0000000..958dede --- /dev/null +++ b/modules/kinesis_firehose_xsiam/variable.tf @@ -0,0 +1,12 @@ +variable "http_endpoint" { + type = string +} +variable "prefix" { + type = string +} +variable "access_key" { + type = string +} +variable "tags" { + type = map(string) +} From 4011d3197599d321d3b342fcc50b694dbbf18adf Mon Sep 17 00:00:00 2001 From: James Green Date: Thu, 1 Feb 2024 10:27:50 +0000 Subject: [PATCH 02/13] Added terraform force unlock --- Makefile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Makefile b/Makefile index 926d870..eacd0bc 100644 --- a/Makefile +++ b/Makefile @@ -75,6 +75,10 @@ init-reconfigure: ## terraform init --reconfigure init-upgrade: ## terraform init -upgrade $(DOCKER_RUN) /bin/bash -c "terraform init -upgrade --backend-config=\"key=terraform.${ENV}.state\"" +.PHONY: unlock +unlock: ## Terraform unblock (make force-unlock ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) + $(DOCKER_RUN) /bin/bash -c "terraform force-unlock ${ID}" + .PHONY: import import: ## terraform import e.g. (make import IMPORT_ARGUMENT=module.foo.bar some_resource) $(DOCKER_RUN) /bin/bash -c "terraform import ${IMPORT_ARGUMENT}" From 34462d38aeb769de43a6ff6282869c22242ba6eb Mon Sep 17 00:00:00 2001 
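Review bot: `required_providers` declares `aws = {}` with no `source` and no `version`, so nothing records which provider major the module's attribute names target; the series then flips `s3_configuration` between `buffering_size` and `buffer_size`, which appears to be the v5 vs pre-v5 naming of the same argument and is exactly the drift a constraint would catch at `terraform init`. Declare it explicitly, e.g. `aws = { source = "hashicorp/aws", version = ">= 5.0" }`, matching whatever the root module already pins, so the module and root cannot silently disagree.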
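Review bot: `aws_s3_bucket.xsiam_firehose_bucket` is created with only a name and tags, yet it is the `FailedDataOnly` backup target, i.e. it will hold raw log records the endpoint rejected, and nothing in the series adds a public access block, server-side encryption or a lifecycle rule. At minimum add an `aws_s3_bucket_public_access_block` with all four flags set and an `aws_s3_bucket_server_side_encryption_configuration` (SSE-S3 or a KMS key), and consider an expiration rule so failed records are not retained indefinitely. Also note `bucket = "xsiam-firehose-${var.prefix}"` must be globally unique and at most 63 characters, which is worth checking once `prefix` is `"${module.label.id}-xsiam"`.
```terraform
# … unchanged: aws_s3_bucket.xsiam_firehose_bucket …

resource "aws_s3_bucket_public_access_block" "xsiam_firehose_bucket" {
  bucket                  = aws_s3_bucket.xsiam_firehose_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "xsiam_firehose_bucket" {
  bucket = aws_s3_bucket.xsiam_firehose_bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
```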
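Review bot: `variable "access_key"` carries the HTTP endpoint credential but is not marked sensitive, so its value is printed in clear in `terraform plan` output and in any CI log that captures it; the same will apply to `http_endpoint` once it comes from Secrets Manager later in the series. Add `sensitive = true` to both variables (state still holds them in clear — that is a backend-encryption matter, not something this fixes). A `description` on each would also help, in particular for `prefix`, which is used both as the stream-name suffix and as `http_endpoint_configuration.name`.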
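Review bot: The help text on the new target advertises `make force-unlock ID=…` but the target is named `unlock`, and "unblock" reads as a typo; change the line to `unlock: ## terraform force-unlock (make unlock ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)`. Running with an empty `ID` will start the container only for terraform to print usage, so a guard such as `$(if $(ID),,$(error ID is required))` as the first recipe line fails faster. `terraform force-unlock` also prompts for confirmation unless `-force` is given, which is fine only if `$(DOCKER_RUN)` allocates a TTY — worth confirming.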
From: James Green Date: Thu, 1 Feb 2024 10:34:59 +0000 Subject: [PATCH 03/13] adjusted iam polcies, and module to main.tf --- main.tf | 12 +++++ modules/kinesis_firehose_xsiam/main.tf | 64 +++++++++++++++----------- 2 files changed, 50 insertions(+), 26 deletions(-) diff --git a/main.tf b/main.tf index b734dfd..4751d2b 100644 --- a/main.tf +++ b/main.tf @@ -310,3 +310,15 @@ module "performance_testing" { aws = aws.env } } + +module "kinesis_firehose_xsiam" { + source = "./modules/kinesis_firehose_xsiam" + access_key = "bar" + http_endpoint = "https://moj.gov.uk" + prefix = "${module.label.id}-xsiam" + tags = module.label.tags + + providers = { + aws = aws.env + } +} diff --git a/modules/kinesis_firehose_xsiam/main.tf b/modules/kinesis_firehose_xsiam/main.tf index a741c8f..bd28303 100644 --- a/modules/kinesis_firehose_xsiam/main.tf +++ b/modules/kinesis_firehose_xsiam/main.tf 
@@ -10,59 +10,71 @@ resource "aws_kinesis_firehose_delivery_stream" "xsiam_delivery_stream" { buffering_interval = 300 role_arn = aws_iam_role.xsiam_kinesis_firehose_role.arn s3_backup_mode = "FailedDataOnly" + } s3_configuration { role_arn = aws_iam_role.xsiam_kinesis_firehose_role.arn bucket_arn = aws_s3_bucket.xsiam_firehose_bucket.arn - buffering_size = 10 - buffering_interval = 400 + buffer_size = 10 + buffer_interval = 400 compression_format = "GZIP" } - request_configuration { - content_encoding = "GZIP" - - # common_attributes { - # name = "testname" - # value = "testvalue" - # } - # - # common_attributes { - # name = "testname2" - # value = "testvalue2" - # } - } +# request_configuration { +# content_encoding = "GZIP" +# +# common_attributes { +# name = "testname" +# value = "testvalue" +# } +# +# common_attributes { +# name = "testname2" +# value = "testvalue2" +# } +# } } -} resource "aws_iam_role" "xsiam_kinesis_firehose_role" { //name = "kinesis-firehose-role-xsiam" assume_role_policy = jsonencode({ - Version = "2012-10-17", + Version = "2012-10-17" Statement = [ { - Action = "sts:AssumeRole", - Effect = "Allow", + Action = "sts:AssumeRole" + Effect = "Allow" Principal = { Service = "firehose.amazonaws.com" } - }, + } + ] + }) +} + +resource "aws_iam_role_policy" "xsiam_kinesis_firehose_role_policy" { + role = aws_iam_role.xsiam_kinesis_firehose_role.id + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ { Action = [ "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:GetLogEvents" - ], - Effect = "Allow", - resource = "*" + ] + Effect = "Allow" + Resource = "*" } ] }) } + + resource "aws_iam_role_policy_attachment" "kinesis_role_attachment" { - policy_arn = "" + policy_arn = aws_iam_policy.s3_kinesis_xsiam_policy.arn role = aws_iam_role.xsiam_kinesis_firehose_role.name } 
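Review bot: The new inline `aws_iam_role_policy.xsiam_kinesis_firehose_role_policy` grants `logs:DescribeLogGroups`, `logs:DescribeLogStreams` and `logs:GetLogEvents` on `Resource = "*"` to the Firehose delivery role, which lets that role read every log group in the account; the delivery role has no need to read CloudWatch Logs at all (it only needs `logs:PutLogEvents` to its own error group, which a later patch adds separately), and the final "locked down permissive permissions" patch touches only S3. Remove this policy, or if something relies on it, scope it to the specific log group ARN rather than `*`. The role's trust policy is now clean, but still has no `sts:ExternalId` condition.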
@@ -76,14 +88,14 @@ resource "aws_iam_policy" "s3_kinesis_xsiam_policy" { Statement = [ { Action = [ - "s3:*", + "s3:*" ] Effect = "Allow" Resource = [ aws_s3_bucket.xsiam_firehose_bucket.arn, "${aws_s3_bucket.xsiam_firehose_bucket.arn}/*" ] - }, + } ] }) } From 15cecfbcd79314d7f43b3e6d53e39e8f109e39ff Mon Sep 17 00:00:00 2001 From: James Green Date: Thu, 1 Feb 2024 10:35:41 +0000 Subject: [PATCH 04/13] Added Cloudwatch error logging Added config so we can view Cloudwatch logging errors via cloudwatch --- modules/kinesis_firehose_xsiam/main.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/kinesis_firehose_xsiam/main.tf b/modules/kinesis_firehose_xsiam/main.tf index bd28303..a2d6e3a 100644 --- a/modules/kinesis_firehose_xsiam/main.tf +++ b/modules/kinesis_firehose_xsiam/main.tf @@ -10,6 +10,12 @@ resource "aws_kinesis_firehose_delivery_stream" "xsiam_delivery_stream" { buffering_interval = 300 role_arn = aws_iam_role.xsiam_kinesis_firehose_role.arn s3_backup_mode = "FailedDataOnly" + + cloudwatch_logging_options { + enabled = true + log_group_name = "xsiam-delivery-stream-${var.prefix}" + log_stream_name = "errors" + } } s3_configuration { From 3ea4d701fd46b11f58ea805dee48e8c91cc4e0c5 Mon Sep 17 00:00:00 2001 From: James Green Date: Thu, 1 Feb 2024 12:09:49 +0000 Subject: [PATCH 05/13] updated module to use secrets manager via data AWS secrets mananger now store the http endpoint and access_key for the firehose http endpoint. --- data.tf | 15 +++++++++ main.tf | 10 +++--- modules/kinesis_firehose_xsiam/data.tf | 7 ---- modules/kinesis_firehose_xsiam/main.tf | 46 +++++++++++++------------- 4 files changed, 43 insertions(+), 35 deletions(-) delete mode 100644 modules/kinesis_firehose_xsiam/data.tf diff --git a/data.tf b/data.tf index 1938662..5df7a63 100644 --- a/data.tf +++ b/data.tf 
@@ -1,3 +1,9 @@ +locals { + xaiam_secrets_version_development = "2f39a1d3-b363-4d24-8749-f0ae737c2824" + xaiam_secrets_version_pre_production = "" + xaiam_secrets_version_production = "" +} + #----------------------------------------------------------------- ### Getting the staff-device-shared-services-infrastructure state #----------------------------------------------------------------- @@ -10,3 +16,12 @@ data "terraform_remote_state" "staff-device-shared-services-infrastructure" { region = "eu-west-2" } } + +data "aws_secretsmanager_secret" "xsiam_endpoint_secrets" { + name = "/nac-server/${terraform.workspace}/xsiam_endpoint_secrets" +} + +data "aws_secretsmanager_secret_version" "xaiam_secrets_version" { + secret_id = data.aws_secretsmanager_secret.xsiam_endpoint_secrets.id + version_id = terraform.workspace == "pre_production" ? local.xaiam_secrets_version_pre_production : terraform.workspace == "production" ? local.xaiam_secrets_version_production : local.xaiam_secrets_version_development +} diff --git a/main.tf b/main.tf index 4751d2b..914d1f5 100644 --- a/main.tf +++ b/main.tf @@ -312,11 +312,11 @@ module "performance_testing" { } module "kinesis_firehose_xsiam" { - source = "./modules/kinesis_firehose_xsiam" - access_key = "bar" - http_endpoint = "https://moj.gov.uk" - prefix = "${module.label.id}-xsiam" - tags = module.label.tags + source = "./modules/kinesis_firehose_xsiam" + http_endpoint = jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string)["http_endpoint"] + access_key = jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string)["access_key"] + prefix = "${module.label.id}-xsiam" + tags = module.label.tags providers = { aws = aws.env diff --git a/modules/kinesis_firehose_xsiam/data.tf b/modules/kinesis_firehose_xsiam/data.tf deleted file mode 100644 index e6f42e8..0000000 --- a/modules/kinesis_firehose_xsiam/data.tf +++ /dev/null 
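Review bot: `data.aws_secretsmanager_secret_version.xaiam_secrets_version` pins the secret by hard-coded `version_id` UUIDs in `locals`, with the pre-production and production pins empty, so every rotation of the XSIAM access key needs a code change and deploy — the series already bumps them three times in two days. Unless freezing a version is deliberate, use `version_stage = "AWSCURRENT"` and drop `version_id` and the `locals` block; if the pin must stay, fail explicitly on an empty value rather than relying on how the provider treats `""`. The nested conditional also falls through to the development pin for any workspace other than the two named ones, so a misspelled workspace silently ships logs with the development endpoint and key; a `lookup()` on a map keyed by workspace with no default fails loudly instead. `xaiam` in the local and data-source names looks like a typo for `xsiam`.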
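Review bot: The secret string is decoded twice in `module "kinesis_firehose_xsiam"`, once per key; decode it once into a local, `xsiam_secrets = jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string)`, and pass `local.xsiam_secrets["http_endpoint"]` and `local.xsiam_secrets["access_key"]`. A secret missing one of those keys currently surfaces only as an index error at plan time, so a `validation` block on the module variables (for example requiring `http_endpoint` to start with `https://`) would report a mis-shaped secret in plain terms; do not wrap this in `try()`, a hard failure is the right outcome. Whether these values are redacted in plan output depends on the module variables being declared `sensitive`, which this hunk does not show.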
@@ -1,7 +0,0 @@ -#data "aws_ssm_parameter" "http_endpoint" { -# name = "/service_name/$ENV/xsiam_http_endpoint" -# provider = -#} -#output "http_endpoint" { -# value=data.aws_ssm_parameter.http_endpoint.value -#} diff --git a/modules/kinesis_firehose_xsiam/main.tf b/modules/kinesis_firehose_xsiam/main.tf index a2d6e3a..ecaff36 100644 --- a/modules/kinesis_firehose_xsiam/main.tf +++ b/modules/kinesis_firehose_xsiam/main.tf @@ -12,35 +12,35 @@ resource "aws_kinesis_firehose_delivery_stream" "xsiam_delivery_stream" { s3_backup_mode = "FailedDataOnly" cloudwatch_logging_options { - enabled = true - log_group_name = "xsiam-delivery-stream-${var.prefix}" + enabled = true + log_group_name = "xsiam-delivery-stream-${var.prefix}" log_stream_name = "errors" } } - s3_configuration { - role_arn = aws_iam_role.xsiam_kinesis_firehose_role.arn - bucket_arn = aws_s3_bucket.xsiam_firehose_bucket.arn - buffer_size = 10 - buffer_interval = 400 - compression_format = "GZIP" - } - -# request_configuration { -# content_encoding = "GZIP" -# -# common_attributes { -# name = "testname" -# value = "testvalue" -# } -# -# common_attributes { -# name = "testname2" -# value = "testvalue2" -# } -# } + s3_configuration { + role_arn = aws_iam_role.xsiam_kinesis_firehose_role.arn + bucket_arn = aws_s3_bucket.xsiam_firehose_bucket.arn + buffer_size = 10 + buffer_interval = 400 + compression_format = "GZIP" } + # request_configuration { + # content_encoding = "GZIP" + # + # common_attributes { + # name = "testname" + # value = "testvalue" + # } + # + # common_attributes { + # name = "testname2" + # value = "testvalue2" + # } + # } +} + resource "aws_iam_role" "xsiam_kinesis_firehose_role" { //name = "kinesis-firehose-role-xsiam" From 84c32f916a435e4d5e89775ff35d38ca82b9b00b Mon Sep 17 00:00:00 2001 
From: James Green Date: Thu, 1 Feb 2024 12:18:45 +0000 Subject: [PATCH 06/13] Added server_side_enrytion to firehose --- data.tf | 2 +- modules/kinesis_firehose_xsiam/main.tf | 18 ++++-------------- 2 files changed, 5 insertions(+), 15 deletions(-) diff --git a/data.tf b/data.tf index 5df7a63..85acceb 100644 --- a/data.tf +++ b/data.tf @@ -23,5 +23,5 @@ data "aws_secretsmanager_secret" "xsiam_endpoint_secrets" { data "aws_secretsmanager_secret_version" "xaiam_secrets_version" { secret_id = data.aws_secretsmanager_secret.xsiam_endpoint_secrets.id - version_id = terraform.workspace == "pre_production" ? local.xaiam_secrets_version_pre_production : terraform.workspace == "production" ? local.xaiam_secrets_version_production : local.xaiam_secrets_version_development + version_id = terraform.workspace == "pre-production" ? local.xaiam_secrets_version_pre_production : terraform.workspace == "production" ? local.xaiam_secrets_version_production : local.xaiam_secrets_version_development } diff --git a/modules/kinesis_firehose_xsiam/main.tf b/modules/kinesis_firehose_xsiam/main.tf index ecaff36..1004234 100644 --- a/modules/kinesis_firehose_xsiam/main.tf +++ b/modules/kinesis_firehose_xsiam/main.tf @@ -2,6 +2,10 @@ resource "aws_kinesis_firehose_delivery_stream" "xsiam_delivery_stream" { name = "xsiam-delivery-stream-${var.prefix}" destination = "http_endpoint" + server_side_encryption { + enabled = true + } + http_endpoint_configuration { url = var.http_endpoint name = var.prefix @@ -25,20 +29,6 @@ resource "aws_kinesis_firehose_delivery_stream" "xsiam_delivery_stream" { buffer_interval = 400 compression_format = "GZIP" } - - # request_configuration { - # content_encoding = "GZIP" - # - # common_attributes { - # name = "testname" - # value = "testvalue" - # } - # - # common_attributes { - # name = "testname2" - # value = "testvalue2" - # } - # } } resource "aws_iam_role" "xsiam_kinesis_firehose_role" { From d76a1c8b94b392ed2b01ead04c8e03b09a7fea44 Mon Sep 17 00:00:00 2001 
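Review bot: `server_side_encryption { enabled = true }` with no `key_type` defaults to an AWS-owned key, which encrypts at rest but gives no key policy, no CloudTrail key-usage trail and no revocation handle; for a stream carrying authentication-server logs to an external SIEM a customer-managed key is usually the expectation — `key_type = "CUSTOMER_MANAGED_CMK"` with `key_arn = var.kms_key_arn` (a new module variable). Firehose SSE only covers data buffered inside the service; the failed-record bucket and the CloudWatch error log group need their own encryption settings, which this series does not add.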
From: James Green Date: Thu, 1 Feb 2024 14:40:24 +0000 Subject: [PATCH 07/13] added logging group resource and permissions for firehose to log to it --- modules/kinesis_firehose_xsiam/main.tf | 38 ++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/modules/kinesis_firehose_xsiam/main.tf b/modules/kinesis_firehose_xsiam/main.tf index 1004234..29efcf3 100644 --- a/modules/kinesis_firehose_xsiam/main.tf +++ b/modules/kinesis_firehose_xsiam/main.tf @@ -17,8 +17,8 @@ resource "aws_kinesis_firehose_delivery_stream" "xsiam_delivery_stream" { cloudwatch_logging_options { enabled = true - log_group_name = "xsiam-delivery-stream-${var.prefix}" - log_stream_name = "errors" + log_group_name = aws_cloudwatch_log_group.xsiam_delivery_group.name + log_stream_name = aws_cloudwatch_log_stream.xsiam_delivery_stream.name } } @@ -31,6 +31,17 @@ resource "aws_kinesis_firehose_delivery_stream" "xsiam_delivery_stream" { } } +resource "aws_cloudwatch_log_group" "xsiam_delivery_group" { + name = "xsiam-delivery-stream-${var.prefix}" + + retention_in_days = 90 +} + +resource "aws_cloudwatch_log_stream" "xsiam_delivery_stream" { + name = "errors" + log_group_name = aws_cloudwatch_log_group.xsiam_delivery_group.name +} + resource "aws_iam_role" "xsiam_kinesis_firehose_role" { //name = "kinesis-firehose-role-xsiam" 
@@ -68,6 +79,29 @@ resource "aws_iam_role_policy" "xsiam_kinesis_firehose_role_policy" { }) } +resource "aws_iam_role_policy_attachment" "kinesis_firehose_error_log_role_attachment" { + policy_arn = aws_iam_policy.xsiam_kinesis_firehose_error_log_policy.arn + role = aws_iam_role.xsiam_kinesis_firehose_role.name + +} + +resource "aws_iam_policy" "xsiam_kinesis_firehose_error_log_policy" { + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "logs:PutLogEvents", + ] + Effect = "Allow" + Resource = [ + "${aws_cloudwatch_log_group.xsiam_delivery_group.arn}/*" + ] + } + ] + }) +} + resource "aws_iam_role_policy_attachment" "kinesis_role_attachment" { policy_arn = aws_iam_policy.s3_kinesis_xsiam_policy.arn From 30af061fa15db4957d78d0294e02c154b5b1d20a Mon Sep 17 00:00:00 2001 From: James Green Date: Thu, 1 Feb 2024 17:07:51 +0000 Subject: [PATCH 08/13] added cloudwatch subscription --- data.tf | 2 +- main.tf | 1 + .../log_group_subscription.tf | 53 +++++++++++++++++++ modules/kinesis_firehose_xsiam/main.tf | 2 - modules/kinesis_firehose_xsiam/variable.tf | 3 ++ 5 files changed, 58 insertions(+), 3 deletions(-) create mode 100644 modules/kinesis_firehose_xsiam/log_group_subscription.tf diff --git a/data.tf b/data.tf index 85acceb..f28037b 100644 --- a/data.tf +++ b/data.tf @@ -1,5 +1,5 @@ locals { - xaiam_secrets_version_development = "2f39a1d3-b363-4d24-8749-f0ae737c2824" + xaiam_secrets_version_development = "74b8d013-7096-415b-a8f4-20adc4624667" xaiam_secrets_version_pre_production = "" xaiam_secrets_version_production = "" } diff --git a/main.tf b/main.tf index 914d1f5..f389dee 100644 --- a/main.tf +++ b/main.tf 
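Review bot: `xsiam_kinesis_firehose_error_log_policy` grants `logs:PutLogEvents` on `"${aws_cloudwatch_log_group.xsiam_delivery_group.arn}/*"`, but CloudWatch Logs ARNs use `:` as the separator (`…:log-group:NAME:log-stream:STREAM`), not `/`, so as far as I can tell this pattern matches no log stream and the error logging that patches 04 and 07 set up would be denied — and an IAM deny here shows up only as an empty log group. Use `"${aws_cloudwatch_log_group.xsiam_delivery_group.arn}:*"` or, tighter, `aws_cloudwatch_log_stream.xsiam_delivery_stream.arn`, and verify after apply by forcing a delivery failure and checking the `errors` stream is written.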
@@ -317,6 +317,7 @@ module "kinesis_firehose_xsiam" { access_key = jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string)["access_key"] prefix = "${module.label.id}-xsiam" tags = module.label.tags + cloudwatch_log_group_for_subscription = module.radius.cloudwatch.server_log_group_name providers = { aws = aws.env diff --git a/modules/kinesis_firehose_xsiam/log_group_subscription.tf b/modules/kinesis_firehose_xsiam/log_group_subscription.tf new file mode 100644 index 0000000..6636332 --- /dev/null +++ b/modules/kinesis_firehose_xsiam/log_group_subscription.tf @@ -0,0 +1,53 @@ +resource "aws_cloudwatch_log_subscription_filter" "test_lambdafunction_logfilter" { + name = "xsiam-delivery-stream-${var.prefix}" + role_arn = aws_iam_role.this.arn + log_group_name = var.cloudwatch_log_group_for_subscription + filter_pattern = "" + destination_arn = aws_kinesis_firehose_delivery_stream.xsiam_delivery_stream.arn +} + +resource "aws_iam_role" "this" { + name_prefix = var.prefix + assume_role_policy = < Date: Thu, 1 Feb 2024 17:08:44 +0000 Subject: [PATCH 09/13] Commit changes made by code formatters --- main.tf | 10 +++++----- modules/kinesis_firehose_xsiam/main.tf | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/main.tf b/main.tf index f389dee..807a619 100644 --- a/main.tf +++ b/main.tf 
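Review bot: `cloudwatch_log_group_for_subscription = module.radius.cloudwatch.server_log_group_name` hands the RADIUS server's whole log group to the module, and the subscription filter it feeds (partly visible below, cut off in this view) uses `filter_pattern = ""`, so every line that server writes is forwarded to the external HTTP endpoint. Before this reaches production, confirm what the RADIUS server logs — if usernames, MAC addresses or shared-secret material can appear, decide whether all of it belongs in XSIAM, and if only some events do, set a `filter_pattern` in the module rather than forwarding everything. A comment on this line recording the data classification of the forwarded logs would help the next reviewer, e.g. `# forwards the full NAC RADIUS server log group to XSIAM; filter lives in the module`.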
@@ -312,11 +312,11 @@ module "performance_testing" { } module "kinesis_firehose_xsiam" { - source = "./modules/kinesis_firehose_xsiam" - http_endpoint = jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string)["http_endpoint"] - access_key = jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string)["access_key"] - prefix = "${module.label.id}-xsiam" - tags = module.label.tags + source = "./modules/kinesis_firehose_xsiam" + http_endpoint = jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string)["http_endpoint"] + access_key = jsondecode(data.aws_secretsmanager_secret_version.xaiam_secrets_version.secret_string)["access_key"] + prefix = "${module.label.id}-xsiam" + tags = module.label.tags cloudwatch_log_group_for_subscription = module.radius.cloudwatch.server_log_group_name providers = { diff --git a/modules/kinesis_firehose_xsiam/main.tf b/modules/kinesis_firehose_xsiam/main.tf index 2056b74..1215331 100644 --- a/modules/kinesis_firehose_xsiam/main.tf +++ b/modules/kinesis_firehose_xsiam/main.tf @@ -91,10 +91,10 @@ resource "aws_iam_policy" "xsiam_kinesis_firehose_error_log_policy" { Action = [ "logs:PutLogEvents", ] - Effect = "Allow" + Effect = "Allow" Resource = [ "${aws_cloudwatch_log_group.xsiam_delivery_group.arn}/*" - ] + ] } ] }) From 7e78e71d477e3d5f934d0b4862f5bbcea9f06d3f Mon Sep 17 00:00:00 2001 From: Jahir Date: Thu, 1 Feb 2024 17:36:24 +0000 Subject: [PATCH 10/13] renamed the logs subscription name to reflect nacs to xsiam --- modules/kinesis_firehose_xsiam/log_group_subscription.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/kinesis_firehose_xsiam/log_group_subscription.tf b/modules/kinesis_firehose_xsiam/log_group_subscription.tf index 6636332..52825a2 100644 --- a/modules/kinesis_firehose_xsiam/log_group_subscription.tf +++ b/modules/kinesis_firehose_xsiam/log_group_subscription.tf 
@@ -1,4 +1,4 @@ -resource "aws_cloudwatch_log_subscription_filter" "test_lambdafunction_logfilter" { +resource "aws_cloudwatch_log_subscription_filter" "nacs_server_xsiam_subscription" { name = "xsiam-delivery-stream-${var.prefix}" role_arn = aws_iam_role.this.arn log_group_name = var.cloudwatch_log_group_for_subscription From bd07090bae92f7bce6e94c0e3c6c57791871ba04 Mon Sep 17 00:00:00 2001 From: Jahir Date: Thu, 1 Feb 2024 17:55:14 +0000 Subject: [PATCH 11/13] updated secret version for xsiam endpoint in production and pre-production --- data.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data.tf b/data.tf index f28037b..b9dc050 100644 --- a/data.tf +++ b/data.tf @@ -1,7 +1,7 @@ locals { xaiam_secrets_version_development = "74b8d013-7096-415b-a8f4-20adc4624667" - xaiam_secrets_version_pre_production = "" - xaiam_secrets_version_production = "" + xaiam_secrets_version_pre_production = "f0bd19d9-9e31-478f-a483-6cb010ca58a0" + xaiam_secrets_version_production = "ee71326d-aa17-4035-98cb-19ac8bee3b47" } #----------------------------------------------------------------- From 8a6de2649b48b03fe08fae613314e7252f0217fb Mon Sep 17 00:00:00 2001 From: Jahir Date: Fri, 2 Feb 2024 09:54:38 +0000 Subject: [PATCH 12/13] updated secret version for xsiam endpoint in development,production and pre-production --- data.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/data.tf b/data.tf index b9dc050..b322f07 100644 --- a/data.tf +++ b/data.tf 
@@ -1,7 +1,7 @@ locals { - xaiam_secrets_version_development = "74b8d013-7096-415b-a8f4-20adc4624667" - xaiam_secrets_version_pre_production = "f0bd19d9-9e31-478f-a483-6cb010ca58a0" - xaiam_secrets_version_production = "ee71326d-aa17-4035-98cb-19ac8bee3b47" + xaiam_secrets_version_development = "2e73a1de-af34-4c1d-a8ce-759df5b7bf75" + xaiam_secrets_version_pre_production = "9a071db2-4ed2-4c3f-9568-5ef2d5299dc4" + xaiam_secrets_version_production = "a275ae6e-fc4c-4341-bb63-064f4e2fe209" } #----------------------------------------------------------------- From 5b1717b45bd1c8522bb149f03f5b3ad99c5affe7 Mon Sep 17 00:00:00 2001 From: James Green Date: Fri, 2 Feb 2024 15:08:10 +0000 Subject: [PATCH 13/13] locked down permissive permissions --- modules/kinesis_firehose_xsiam/main.tf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/modules/kinesis_firehose_xsiam/main.tf b/modules/kinesis_firehose_xsiam/main.tf index 1215331..c4b5ac3 100644 --- a/modules/kinesis_firehose_xsiam/main.tf +++ b/modules/kinesis_firehose_xsiam/main.tf @@ -116,7 +116,12 @@ resource "aws_iam_policy" "s3_kinesis_xsiam_policy" { Statement = [ { Action = [ - "s3:*" + "s3:AbortMultipartUpload", + "s3:GetBucketLocation", + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketMultipartUploads", + "s3:PutObject" ] Effect = "Allow" Resource = [