fix: DBTP-1089 Move to shared log resource policy (#166)

Co-authored-by: Kate Sugden <[email protected]>
uktrade · Jun 27, 2024 · 9527e75 · 9527e75
1 parent 81c7bd7
commit 9527e75
Show file tree

Hide file tree

Showing 8 changed files with 31 additions and 48 deletions.
diff --git a/extensions/main.tf b/extensions/main.tf
@@ -96,10 +96,3 @@ resource "aws_ssm_parameter" "addons" {
   value = jsonencode(var.args.services)
   tags  = local.tags
 }
-
-module "logs" {
-  source = "../logs"
-
-  application = var.args.application
-  environment = var.environment
-}
diff --git a/logs/main.tf b/logs/main.tf
@@ -10,7 +10,7 @@ data "aws_iam_policy_document" "log-resource-policy" {
       "logs:PutLogEvents",
     ]
 
-    resources = ["arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/copilot/${var.application}-${var.environment}-*:log-stream:*"]
+    resources = ["arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/copilot/*:log-stream:*"]
 
     condition {
       test     = "StringEquals"
@@ -36,7 +36,7 @@ data "aws_iam_policy_document" "log-resource-policy" {
       "logs:PutLogEvents",
     ]
 
-    resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/elasticache/${var.application}/${var.environment}/*"]
+    resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/elasticache/*"]
 
     condition {
       test     = "ArnLike"
@@ -62,7 +62,7 @@ data "aws_iam_policy_document" "log-resource-policy" {
       "logs:PutLogEvents",
     ]
 
-    resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/opensearch/${var.application}/${var.environment}/*"]
+    resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/opensearch/*/*"]
 
     condition {
       test     = "StringEquals"
@@ -79,5 +79,5 @@ data "aws_iam_policy_document" "log-resource-policy" {
 
 resource "aws_cloudwatch_log_resource_policy" "log-resource-policy" {
   policy_document = data.aws_iam_policy_document.log-resource-policy.json
-  policy_name     = "${var.application}-${var.environment}-LogResourcePolicy"
+  policy_name     = "${var.name_prefix}-LogResourcePolicy"
 }
diff --git a/logs/outputs.tf b/logs/outputs.tf
@@ -0,0 +1,3 @@
+output "log-resource-policy" {
+  value = aws_cloudwatch_log_resource_policy.log-resource-policy.policy_name
+}
diff --git a/logs/tests/unit.tftest.hcl b/logs/tests/unit.tftest.hcl
@@ -1,6 +1,5 @@
 variables {
-  application = "log-test-application"
-  environment = "log-test-environment"
+  name_prefix = "test-name"
 }
 
 run "log_resource_policy_unit_test" {
@@ -22,8 +21,8 @@ run "log_resource_policy_unit_test" {
   }
 
   assert {
-    condition     = strcontains(jsondecode(data.aws_iam_policy_document.log-resource-policy.json).Statement[0].Resource, "log-group:/copilot/log-test-application-log-test-environment-*:log-stream:*")
-    error_message = "Invalid value for aws_iam_policy_document log_resource_policy statement resource should contain log-group:/copilot/log-test-application-log-test-environment-*:log-stream:*"
+    condition     = strcontains(jsondecode(data.aws_iam_policy_document.log-resource-policy.json).Statement[0].Resource, "log-group:/copilot/*:log-stream:*")
+    error_message = "Invalid value for aws_iam_policy_document log_resource_policy statement resource should contain log-group:/copilot/*:log-stream:*"
   }
 
   assert {
@@ -42,8 +41,8 @@ run "log_resource_policy_unit_test" {
   }
 
   assert {
-    condition     = strcontains(jsondecode(data.aws_iam_policy_document.log-resource-policy.json).Statement[1].Resource, "log-group:/aws/elasticache/log-test-application/log-test-environment/*")
-    error_message = "Invalid value for aws_iam_policy_document log_resource_policy statement resource should contain log-group:/aws/elasticache/log-test-application/log-test-environment/*"
+    condition     = strcontains(jsondecode(data.aws_iam_policy_document.log-resource-policy.json).Statement[1].Resource, "log-group:/aws/elasticache/*")
+    error_message = "Invalid value for aws_iam_policy_document log_resource_policy statement resource should contain log-group:/aws/elasticache/*"
   }
 
   assert {
@@ -57,7 +56,7 @@ run "log_resource_policy_unit_test" {
   }
 
   assert {
-    condition     = strcontains(jsondecode(data.aws_iam_policy_document.log-resource-policy.json).Statement[2].Resource, "log-group:/aws/opensearch/log-test-application/log-test-environment/*")
-    error_message = "Invalid value for aws_iam_policy_document log_resource_policy statement resource should contain log-group:/aws/opensearch/log-test-application/log-test-environment/*"
+    condition     = strcontains(jsondecode(data.aws_iam_policy_document.log-resource-policy.json).Statement[2].Resource, "log-group:/aws/opensearch/*")
+    error_message = "Invalid value for aws_iam_policy_document log_resource_policy statement resource should contain log-group:/aws/opensearch/*"
   }
 }
diff --git a/logs/variables.tf b/logs/variables.tf
@@ -1,7 +1,4 @@
-variable "application" {
-  type = string
-}
-
-variable "environment" {
-  type = string
+variable "name_prefix" {
+  default = null
+  type    = string
 }
diff --git a/opensearch/main.tf b/opensearch/main.tf
@@ -21,29 +21,6 @@ resource "aws_cloudwatch_log_group" "opensearch_log_group_audit_logs" {
   retention_in_days = coalesce(var.config.audit_log_retention_in_days, 7)
 }
 
-resource "aws_cloudwatch_log_resource_policy" "opensearch_log_group_policy" {
-  policy_name     = "opensearch_log_group_policy"
-  policy_document = <<CONFIG
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "es.amazonaws.com"
-      },
-      "Action": [
-        "logs:PutLogEvents",
-        "logs:PutLogEventsBatch",
-        "logs:CreateLogStream"
-      ],
-      "Resource": "arn:aws:logs:*"
-    }
-  ]
-}
-CONFIG
-}
-
 resource "aws_security_group" "opensearch-security-group" {
   name        = local.domain_name
   vpc_id      = data.aws_vpc.vpc.id

diff --git a/vpc/main.tf b/vpc/main.tf
@@ -306,3 +306,8 @@ data "aws_subnets" "private-subnets" {
     values = ["${var.arg_name}-private-*"]
   }
 }
+
+module "logs" {
+  source      = "../logs"
+  name_prefix = var.arg_name
+}
diff --git a/vpc/tests/unit.tftest.hcl b/vpc/tests/unit.tftest.hcl
@@ -191,3 +191,12 @@ run "aws_default_network_acl_unit_test" {
     error_message = "Invalid default network ACL"
   }
 }
+
+run "log_resource_policy_unit_test" {
+  command = plan
+
+  assert {
+    condition     = module.logs.log-resource-policy == "vpc-test-name-LogResourcePolicy"
+    error_message = "Should be: vpc-test-name-LogResourcePolicy"
+  }
+}