From f393fd94fe97463d037206823e1c1415abcc177c Mon Sep 17 00:00:00 2001 From: franklinpashok Date: Tue, 20 Feb 2024 23:42:14 +0800 Subject: [PATCH 1/9] Add logging configuration for ava --- modules/logging_configuration/README.md | 49 ++++++++++ modules/logging_configuration/kms.tf | 5 + modules/logging_configuration/main.tf | 39 ++++++++ modules/logging_configuration/outputs.tf | 9 ++ modules/logging_configuration/variables.tf | 101 +++++++++++++++++++++ modules/logging_configuration/versions.tf | 10 ++ 6 files changed, 213 insertions(+) create mode 100644 modules/logging_configuration/README.md create mode 100644 modules/logging_configuration/kms.tf create mode 100644 modules/logging_configuration/main.tf create mode 100644 modules/logging_configuration/outputs.tf create mode 100644 modules/logging_configuration/variables.tf create mode 100644 modules/logging_configuration/versions.tf diff --git a/modules/logging_configuration/README.md b/modules/logging_configuration/README.md new file mode 100644 index 0000000..53f6528 --- /dev/null +++ b/modules/logging_configuration/README.md 
@@ -0,0 +1,49 @@ +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 5.24 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 5.24 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_log_group.cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_kms_key.log_encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_verifiedaccess_instance_logging_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/verifiedaccess_instance_logging_configuration) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_verifiedaccess\_instance](#input\_aws\_verifiedaccess\_instance) | Verified access Instance to be associated with logging | `string` | `""` | no | +| [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | The name of the CloudWatch Log Group for AWS Verified Access logging. | `string` | `""` | no | +| [cloudwatch\_logs](#input\_cloudwatch\_logs) | Configuration for CloudWatch logs |
object({
enable = bool
log_group = string
})
|
{
"enable": false,
"log_group": ""
}
| no | +| [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Whether to create a new CloudWatch Log Group, if false provide existing group | `bool` | `true` | no | +| [enable\_kms\_key\_rotation](#input\_enable\_kms\_key\_rotation) | Whether to enable automatic rotation of the KMS key used for encrypting CloudWatch logs. | `bool` | `true` | no | +| [enable\_logging](#input\_enable\_logging) | Enable or disable logging configurations entirely. | `bool` | `false` | no | +| [include\_trust\_context](#input\_include\_trust\_context) | Include claims from trust providers in Verified Access logs | `bool` | `false` | no | +| [kinesis\_data\_firehose](#input\_kinesis\_data\_firehose) | Configuration for Kinesis Data Firehose logs |
object({
enable = bool
delivery_stream = string
})
|
{
"delivery_stream": "",
"enable": false
}
| no | +| [kms\_key\_deletion\_window\_in\_days](#input\_kms\_key\_deletion\_window\_in\_days) | The waiting period, in days, before the KMS key is deleted after it is scheduled for deletion. | `number` | `10` | no | +| [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The number of days to retain logs in the CloudWatch Log Group. | `number` | `90` | no | +| [log\_version](#input\_log\_version) | Log version for Verified Access logs | `string` | `""` | no | +| [override\_cloudwatch\_log\_group\_name](#input\_override\_cloudwatch\_log\_group\_name) | To use a different cloudwatch log group (optional) | `string` | `""` | no | +| [s3\_logs](#input\_s3\_logs) | Configuration for S3 logs |
object({
enable = bool
bucket_name = string
bucket_owner = optional(number)
prefix = string
})
|
{
"bucket_name": "",
"enable": false,
"prefix": ""
}
| no | + +## Outputs + +| Name | Description | +|------|-------------| +| [cloudwatch\_log\_group\_name](#output\_cloudwatch\_log\_group\_name) | The name of the CloudWatch Log Group used for AWS Verified Access logging. | +| [kms\_key\_arn](#output\_kms\_key\_arn) | The ARN of the KMS key used for encrypting the CloudWatch logs. | diff --git a/modules/logging_configuration/kms.tf b/modules/logging_configuration/kms.tf new file mode 100644 index 0000000..963fe23 --- /dev/null +++ b/modules/logging_configuration/kms.tf @@ -0,0 +1,5 @@ +resource "aws_kms_key" "log_encryption_key" { + description = "KMS key for encrypting CloudWatch logs of AWS Verified Access." + deletion_window_in_days = var.kms_key_deletion_window_in_days + enable_key_rotation = var.enable_kms_key_rotation +} diff --git a/modules/logging_configuration/main.tf b/modules/logging_configuration/main.tf new file mode 100644 index 0000000..2ff6269 --- /dev/null +++ b/modules/logging_configuration/main.tf 
@@ -0,0 +1,39 @@
+locals {
+ cloudwatch_log_group_name = var.override_cloudwatch_log_group_name != "" ? var.override_cloudwatch_log_group_name : var.cloudwatch_logs.log_group
+}
+
+resource "aws_verifiedaccess_instance_logging_configuration" "this" {
+
+ count = var.enable_logging ? 1 : 0
+
+ access_logs {
+ cloudwatch_logs {
+ enabled = var.cloudwatch_logs.enable
+ log_group = var.cloudwatch_logs.log_group
+ }
+
+ kinesis_data_firehose {
+ enabled = var.kinesis_data_firehose.enable
+ delivery_stream = var.kinesis_data_firehose.delivery_stream
+ }
+
+ s3 {
+ enabled = var.s3_logs.enable
+ bucket_name = var.s3_logs.bucket_name
+ bucket_owner = var.s3_logs.bucket_owner
+ prefix = var.s3_logs.prefix
+ }
+
+ log_version = var.log_version
+ include_trust_context = var.include_trust_context
+ }
+
+ verifiedaccess_instance_id = var.aws_verifiedaccess_instance
+
+}
+resource "aws_cloudwatch_log_group" "cloudwatch_log_group" {
+ count = var.create_cloudwatch_log_group ? 1 : 0
+ name = var.cloudwatch_log_group_name
+ kms_key_id = aws_kms_key.log_encryption_key.arn
+ retention_in_days = var.log_retention_in_days
+}
diff --git a/modules/logging_configuration/outputs.tf b/modules/logging_configuration/outputs.tf
new file mode 100644
index 0000000..980ea73
--- /dev/null
+++ b/modules/logging_configuration/outputs.tf
@@ -0,0 +1,9 @@
+output "kms_key_arn" {
+ value = aws_kms_key.log_encryption_key.arn
+ description = "The ARN of the KMS key used for encrypting the CloudWatch logs."
+}
+
+output "cloudwatch_log_group_name" {
+ value = aws_cloudwatch_log_group.cloudwatch_log_group[0].name
+ description = "The name of the CloudWatch Log Group used for AWS Verified Access logging."
+}
diff --git a/modules/logging_configuration/variables.tf b/modules/logging_configuration/variables.tf
new file mode 100644
index 0000000..b78cce0
--- /dev/null
+++ b/modules/logging_configuration/variables.tf
@@ -0,0 +1,101 @@ +#Logging +variable "enable_logging" { + description = "Enable or disable logging configurations entirely." + type = bool + default = false +} + +variable "aws_verifiedaccess_instance" { + description = "Verified access Instance to be associated with logging" + type = string + default = "" +} + +variable "cloudwatch_logs" { + description = "Configuration for CloudWatch logs" + type = object({ + enable = bool + log_group = string + }) + default = { + enable = false + log_group = "" + } +} + +variable "kinesis_data_firehose" { + description = "Configuration for Kinesis Data Firehose logs" + type = object({ + enable = bool + delivery_stream = string + }) + default = { + enable = false + delivery_stream = "" + } +} + +variable "s3_logs" { + description = "Configuration for S3 logs" + type = object({ + enable = bool + bucket_name = string + bucket_owner = optional(number) + prefix = string + }) + default = { + enable = false + bucket_name = "" + prefix = "" + } +} + +variable "log_version" { + description = "Log version for Verified Access logs" + type = string + default = "" +} + +variable "include_trust_context" { + description = "Include claims from trust providers in Verified Access logs" + type = bool + default = false +} + +#Cloudwatch Log group +variable "create_cloudwatch_log_group" { + description = "Whether to create a new CloudWatch Log Group, if false provide existing group" + type = bool + default = true +} + +variable "cloudwatch_log_group_name" { + description = "The name of the CloudWatch Log Group for AWS Verified Access logging." + type = string + default = "" +} + +variable "override_cloudwatch_log_group_name" { + type = string + description = "To use a different cloudwatch log group (optional)" + default = "" +} + + +variable "log_retention_in_days" { + description = "The number of days to retain logs in the CloudWatch Log Group." 
+ type = number + default = 90 +} + +variable "enable_kms_key_rotation" { + description = "Whether to enable automatic rotation of the KMS key used for encrypting CloudWatch logs." + type = bool + default = true +} + +variable "kms_key_deletion_window_in_days" { + description = "The waiting period, in days, before the KMS key is deleted after it is scheduled for deletion." + type = number + default = 10 +} diff --git a/modules/logging_configuration/versions.tf b/modules/logging_configuration/versions.tf new file mode 100644 index 0000000..aa088bb --- /dev/null +++ b/modules/logging_configuration/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = ">= 1.3" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 5.24" + } + } +} From 1727eaaf878d7ec0471817f1286a287be1b6464c Mon Sep 17 00:00:00 2001 From: franklinpashok Date: Tue, 20 Feb 2024 23:42:47 +0800 Subject: [PATCH 2/9] Add logging configuration for ava --- modules/logging_configuration/main.tf | 2 +- modules/logging_configuration/outputs.tf | 4 ++-- modules/logging_configuration/variables.tf | 8 ++++---- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/logging_configuration/main.tf b/modules/logging_configuration/main.tf index 2ff6269..dceb1aa 100644 --- a/modules/logging_configuration/main.tf +++ b/modules/logging_configuration/main.tf @@ -32,7 +32,7 @@ resource "aws_verifiedaccess_instance_logging_configuration" "this" { } resource "aws_cloudwatch_log_group" "cloudwatch_log_group" { - count = var.create_cloudwatch_log_group ? 1 : 0 + count = var.create_cloudwatch_log_group ? 1 : 0 name = var.cloudwatch_log_group_name kms_key_id = aws_kms_key.log_encryption_key.arn retention_in_days = var.log_retention_in_days diff --git a/modules/logging_configuration/outputs.tf b/modules/logging_configuration/outputs.tf index 980ea73..a2e6a5a 100644 --- a/modules/logging_configuration/outputs.tf +++ b/modules/logging_configuration/outputs.tf 
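Review bot: `bucket_owner = optional(number)` in the `s3_logs` object type silently corrupts AWS account IDs that begin with a zero, because HCL parses a literal such as `012345678901` as the number 12345678901 before main.tf forwards it to the provider's `bucket_owner` argument, which takes the account ID as a string. Declare it as `bucket_owner = optional(string)` so callers pass the twelve-digit ID quoted and verbatim; callers that already pass a quoted value are unaffected, and an unquoted number still converts implicitly. The same `bucket_owner` is consumed in the `s3` block of `aws_verifiedaccess_instance_logging_configuration.this` in this commit's main.tf hunk, which needs no change once the type is corrected.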
@@ -1,9 +1,9 @@ output "kms_key_arn" { - value = aws_kms_key.log_encryption_key.arn + value = aws_kms_key.log_encryption_key.arn description = "The ARN of the KMS key used for encrypting the CloudWatch logs." } output "cloudwatch_log_group_name" { - value = aws_cloudwatch_log_group.cloudwatch_log_group[0].name + value = aws_cloudwatch_log_group.cloudwatch_log_group[0].name description = "The name of the CloudWatch Log Group used for AWS Verified Access logging." } diff --git a/modules/logging_configuration/variables.tf b/modules/logging_configuration/variables.tf index b78cce0..bc70754 100644 --- a/modules/logging_configuration/variables.tf +++ b/modules/logging_configuration/variables.tf @@ -44,9 +44,9 @@ variable "s3_logs" { prefix = string }) default = { - enable = false - bucket_name = "" - prefix = "" + enable = false + bucket_name = "" + prefix = "" } } @@ -72,7 +72,7 @@ variable "create_cloudwatch_log_group" { variable "cloudwatch_log_group_name" { description = "The name of the CloudWatch Log Group for AWS Verified Access logging." type = string - default = "" + default = "" } variable "override_cloudwatch_log_group_name" { From d4813c0816463d8bd5d09148b1fc73ea4cdc4220 Mon Sep 17 00:00:00 2001 From: franklinpashok Date: Tue, 20 Feb 2024 23:50:37 +0800 Subject: [PATCH 3/9] Add logging configuration for ava --- modules/logging_configuration/README.md | 22 +++++++++++----------- modules/logging_configuration/main.tf | 1 + modules/logging_configuration/outputs.tf | 4 ++-- modules/logging_configuration/variables.tf | 19 +++++++++---------- 4 files changed, 23 insertions(+), 23 deletions(-) diff --git a/modules/logging_configuration/README.md b/modules/logging_configuration/README.md index 53f6528..fd18a75 100644 --- a/modules/logging_configuration/README.md +++ b/modules/logging_configuration/README.md 
@@ -28,22 +28,22 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [aws\_verifiedaccess\_instance](#input\_aws\_verifiedaccess\_instance) | Verified access Instance to be associated with logging | `string` | `""` | no | -| [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | The name of the CloudWatch Log Group for AWS Verified Access logging. | `string` | `""` | no | +| [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | CW Log Group for AVA logging. | `string` | `""` | no | | [cloudwatch\_logs](#input\_cloudwatch\_logs) | Configuration for CloudWatch logs |
object({
enable = bool
log_group = string
})
|
{
"enable": false,
"log_group": ""
}
| no | -| [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Whether to create a new CloudWatch Log Group, if false provide existing group | `bool` | `true` | no | -| [enable\_kms\_key\_rotation](#input\_enable\_kms\_key\_rotation) | Whether to enable automatic rotation of the KMS key used for encrypting CloudWatch logs. | `bool` | `true` | no | -| [enable\_logging](#input\_enable\_logging) | Enable or disable logging configurations entirely. | `bool` | `false` | no | -| [include\_trust\_context](#input\_include\_trust\_context) | Include claims from trust providers in Verified Access logs | `bool` | `false` | no | +| [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Enable/disable CloudWatch Log Group, if false provide existing group | `bool` | `true` | no | +| [enable\_kms\_key\_rotation](#input\_enable\_kms\_key\_rotation) | enable/disable automatic rotation of the KMS key | `bool` | `true` | no | +| [enable\_logging](#input\_enable\_logging) | Enable/disable logging config | `bool` | `false` | no | +| [include\_trust\_context](#input\_include\_trust\_context) | Trust providers in AVA logs | `bool` | `false` | no | | [kinesis\_data\_firehose](#input\_kinesis\_data\_firehose) | Configuration for Kinesis Data Firehose logs |
object({
enable = bool
delivery_stream = string
})
|
{
"delivery_stream": "",
"enable": false
}
| no | -| [kms\_key\_deletion\_window\_in\_days](#input\_kms\_key\_deletion\_window\_in\_days) | The waiting period, in days, before the KMS key is deleted after it is scheduled for deletion. | `number` | `10` | no | -| [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The number of days to retain logs in the CloudWatch Log Group. | `number` | `90` | no | -| [log\_version](#input\_log\_version) | Log version for Verified Access logs | `string` | `""` | no | -| [override\_cloudwatch\_log\_group\_name](#input\_override\_cloudwatch\_log\_group\_name) | To use a different cloudwatch log group (optional) | `string` | `""` | no | +| [kms\_key\_deletion\_window\_in\_days](#input\_kms\_key\_deletion\_window\_in\_days) | The wait period(days) before rotating | `number` | `10` | no | +| [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | Retain logs in the CW Log Group. | `number` | `90` | no | +| [log\_version](#input\_log\_version) | Log version for AVA logs | `string` | `""` | no | +| [override\_cloudwatch\_log\_group\_name](#input\_override\_cloudwatch\_log\_group\_name) | Existing CW log group name (optional) | `string` | `""` | no | | [s3\_logs](#input\_s3\_logs) | Configuration for S3 logs |
object({
enable = bool
bucket_name = string
bucket_owner = optional(number)
prefix = string
})
|
{
"bucket_name": "",
"enable": false,
"prefix": ""
}
| no | ## Outputs | Name | Description | |------|-------------| -| [cloudwatch\_log\_group\_name](#output\_cloudwatch\_log\_group\_name) | The name of the CloudWatch Log Group used for AWS Verified Access logging. | -| [kms\_key\_arn](#output\_kms\_key\_arn) | The ARN of the KMS key used for encrypting the CloudWatch logs. | +| [cloudwatch\_log\_group\_name](#output\_cloudwatch\_log\_group\_name) | CloudWatch Log Group for AVA logging. | +| [kms\_key\_arn](#output\_kms\_key\_arn) | KMS key ARN for encryption | diff --git a/modules/logging_configuration/main.tf b/modules/logging_configuration/main.tf index dceb1aa..edefe4b 100644 --- a/modules/logging_configuration/main.tf +++ b/modules/logging_configuration/main.tf @@ -31,6 +31,7 @@ resource "aws_verifiedaccess_instance_logging_configuration" "this" { verifiedaccess_instance_id = var.aws_verifiedaccess_instance } + resource "aws_cloudwatch_log_group" "cloudwatch_log_group" { count = var.create_cloudwatch_log_group ? 1 : 0 name = var.cloudwatch_log_group_name diff --git a/modules/logging_configuration/outputs.tf b/modules/logging_configuration/outputs.tf index a2e6a5a..606bb77 100644 --- a/modules/logging_configuration/outputs.tf +++ b/modules/logging_configuration/outputs.tf @@ -1,9 +1,9 @@ output "kms_key_arn" { value = aws_kms_key.log_encryption_key.arn - description = "The ARN of the KMS key used for encrypting the CloudWatch logs." + description = "KMS key ARN for encryption" } output "cloudwatch_log_group_name" { value = aws_cloudwatch_log_group.cloudwatch_log_group[0].name - description = "The name of the CloudWatch Log Group used for AWS Verified Access logging." + description = "CloudWatch Log Group for AVA logging." } diff --git a/modules/logging_configuration/variables.tf b/modules/logging_configuration/variables.tf index bc70754..0121531 100644 --- a/modules/logging_configuration/variables.tf +++ b/modules/logging_configuration/variables.tf 
@@ -1,6 +1,6 @@ #Logging variable "enable_logging" { - description = "Enable or disable logging configurations entirely." + description = "Enable/disable logging config" type = bool default = false } @@ -51,51 +51,50 @@ variable "s3_logs" { } variable "log_version" { - description = "Log version for Verified Access logs" + description = "Log version for AVA logs" type = string default = "" } variable "include_trust_context" { - description = "Include claims from trust providers in Verified Access logs" + description = "Trust providers in AVA logs" type = bool default = false } #Cloudwatch Log group variable "create_cloudwatch_log_group" { - description = "Whether to create a new CloudWatch Log Group, if false provide existing group" + description = "Enable/disable CloudWatch Log Group, if false provide existing group" type = bool default = true } variable "cloudwatch_log_group_name" { - description = "The name of the CloudWatch Log Group for AWS Verified Access logging." + description = "CW Log Group for AVA logging." type = string default = "" } variable "override_cloudwatch_log_group_name" { type = string - description = "To use a different cloudwatch log group (optional)" + description = "Existing CW log group name (optional)" default = "" } - variable "log_retention_in_days" { - description = "The number of days to retain logs in the CloudWatch Log Group." + description = "Retain logs in the CW Log Group." type = number default = 90 } variable "enable_kms_key_rotation" { - description = "Whether to enable automatic rotation of the KMS key used for encrypting CloudWatch logs." + description = "enable/disable automatic rotation of the KMS key" type = bool default = true } variable "kms_key_deletion_window_in_days" { - description = "The waiting period, in days, before the KMS key is deleted after it is scheduled for deletion." + description = "The wait period(days) before rotating" type = number default = 10 } 
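Review bot: The new description of `kms_key_deletion_window_in_days`, `"The wait period(days) before rotating"`, describes the wrong control: this variable feeds `deletion_window_in_days` on `aws_kms_key.log_encryption_key`, i.e. the waiting period before a scheduled key deletion completes, while rotation is governed separately by `enable_kms_key_rotation`. A reader tuning the rotation schedule would set this value and instead shorten the recovery window for an accidentally deleted log-encryption key. Suggest `description = "Waiting period, in days, before the KMS key is deleted after deletion is scheduled."`; the README row for this input in the same commit carries the same wording and should match. `"Trust providers in AVA logs"` for `include_trust_context` likewise drops that it is the claims from trust providers that get included in the log entries; the previous wording was accurate.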
From b0f3a3eb091ca29ea055fb1236adc3319cfa6566 Mon Sep 17 00:00:00 2001 From: franklinpashok Date: Wed, 21 Feb 2024 11:27:24 +0800 Subject: [PATCH 4/9] Fix lint error --- modules/logging_configuration/main.tf | 7 ++++--- modules/logging_configuration/variables.tf | 6 ------ 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/modules/logging_configuration/main.tf b/modules/logging_configuration/main.tf index edefe4b..af4f252 100644 --- a/modules/logging_configuration/main.tf +++ b/modules/logging_configuration/main.tf @@ -1,5 +1,6 @@ +# tflint-ignore: terraform_unused_declarations locals { - cloudwatch_log_group_name = var.override_cloudwatch_log_group_name != "" ? var.override_cloudwatch_log_group_name : var.cloudwatch_logs.log_group + cloudwatch_log_group_name = var.override_cloudwatch_log_group_name != "" ? var.override_cloudwatch_log_group_name : aws_cloudwatch_log_group.cloudwatch_log_group.arn } resource "aws_verifiedaccess_instance_logging_configuration" "this" { @@ -9,7 +10,7 @@ resource "aws_verifiedaccess_instance_logging_configuration" "this" { access_logs { cloudwatch_logs { enabled = var.cloudwatch_logs.enable - log_group = var.cloudwatch_logs.log_group + log_group = aws_cloudwatch_log_group.cloudwatch_log_group.arn } kinesis_data_firehose { @@ -34,7 +35,7 @@ resource "aws_verifiedaccess_instance_logging_configuration" "this" { resource "aws_cloudwatch_log_group" "cloudwatch_log_group" { count = var.create_cloudwatch_log_group ? 1 : 0 - name = var.cloudwatch_log_group_name + name = "ava-default-log-group" kms_key_id = aws_kms_key.log_encryption_key.arn retention_in_days = var.log_retention_in_days } diff --git a/modules/logging_configuration/variables.tf b/modules/logging_configuration/variables.tf index 0121531..816cf18 100644 --- a/modules/logging_configuration/variables.tf +++ b/modules/logging_configuration/variables.tf 
@@ -69,12 +69,6 @@ variable "create_cloudwatch_log_group" { default = true } -variable "cloudwatch_log_group_name" { - description = "CW Log Group for AVA logging." - type = string - default = "" -} - variable "override_cloudwatch_log_group_name" { type = string description = "Existing CW log group name (optional)" From c9d3b5d3a51f7367bbca472350de53fc8e9c91ab Mon Sep 17 00:00:00 2001 From: franklinpashok Date: Wed, 21 Feb 2024 12:58:05 +0800 Subject: [PATCH 5/9] Add KMS-CMK and KMS policy --- examples/main.tf | 8 ++++ modules/logging_configuration/README.md | 9 ++++- modules/logging_configuration/data.tf | 3 ++ modules/logging_configuration/kms.tf | 43 ++++++++++++++++++++++ modules/logging_configuration/local.tf | 10 +++++ modules/logging_configuration/main.tf | 11 ++---- modules/logging_configuration/outputs.tf | 2 +- modules/logging_configuration/variables.tf | 14 ++++++- outputs.tf | 5 +++ 9 files changed, 93 insertions(+), 12 deletions(-) create mode 100644 modules/logging_configuration/data.tf create mode 100644 modules/logging_configuration/local.tf diff --git a/examples/main.tf b/examples/main.tf index 596e87e..e504c6d 100644 --- a/examples/main.tf +++ b/examples/main.tf @@ -178,3 +178,11 @@ module "alb" { Project = "Example" } } + +module "verified_access_logging" { + source = "../modules/logging_configuration" + + enable_logging = true + create_cloudwatch_log_group = true + aws_verifiedaccess_instance = module.verified_access_oidc.verifiedaccess_instance_id +} diff --git a/modules/logging_configuration/README.md b/modules/logging_configuration/README.md index fd18a75..6beb8e2 100644 --- a/modules/logging_configuration/README.md +++ b/modules/logging_configuration/README.md 
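Review bot: The `verified_access_logging` example sets `create_cloudwatch_log_group = true` but leaves `cloudwatch_logs` at the module default (`enable = false`), so it provisions a KMS key and an encrypted log group that Verified Access never delivers to, which is an easy way for a copy-paste user to believe access logging is on when it is not. If the example is meant to demonstrate CloudWatch delivery, add `cloudwatch_logs = { enable = true, log_group = "" }` (both attributes are required by the object type). The `module.verified_access_oidc.verifiedaccess_instance_id` reference depends on the root `outputs.tf` hunk in this same commit.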
@@ -20,17 +20,22 @@ No modules. | Name | Type | |------|------| | [aws_cloudwatch_log_group.cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_kms_alias.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | | [aws_kms_key.log_encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | | [aws_verifiedaccess_instance_logging_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/verifiedaccess_instance_logging_configuration) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [alias](#input\_alias) | Alias for kms key | `string` | `"alias/ava/loggroup"` | no | | [aws\_verifiedaccess\_instance](#input\_aws\_verifiedaccess\_instance) | Verified access Instance to be associated with logging | `string` | `""` | no | -| [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | CW Log Group for AVA logging. | `string` | `""` | no | +| [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | New CW log group name if creating a new group | `string` | `"default-ava-cloudwatch-loggroup"` | no | | [cloudwatch\_logs](#input\_cloudwatch\_logs) | Configuration for CloudWatch logs |
object({
enable = bool
log_group = string
})
|
{
"enable": false,
"log_group": ""
}
| no | -| [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Enable/disable CloudWatch Log Group, if false provide existing group | `bool` | `true` | no | +| [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Enable/disable CloudWatch Log Group, if false provide existing group | `bool` | `false` | no | | [enable\_kms\_key\_rotation](#input\_enable\_kms\_key\_rotation) | enable/disable automatic rotation of the KMS key | `bool` | `true` | no | | [enable\_logging](#input\_enable\_logging) | Enable/disable logging config | `bool` | `false` | no | | [include\_trust\_context](#input\_include\_trust\_context) | Trust providers in AVA logs | `bool` | `false` | no | diff --git a/modules/logging_configuration/data.tf b/modules/logging_configuration/data.tf new file mode 100644 index 0000000..f4693af --- /dev/null +++ b/modules/logging_configuration/data.tf @@ -0,0 +1,3 @@ +data "aws_caller_identity" "current" {} + +data "aws_region" "current" {} diff --git a/modules/logging_configuration/kms.tf b/modules/logging_configuration/kms.tf index 963fe23..abdd3c4 100644 --- a/modules/logging_configuration/kms.tf +++ b/modules/logging_configuration/kms.tf 
@@ -2,4 +2,47 @@ resource "aws_kms_key" "log_encryption_key" {
 description = "KMS key for encrypting CloudWatch logs of AWS Verified Access."
 deletion_window_in_days = var.kms_key_deletion_window_in_days
 enable_key_rotation = var.enable_kms_key_rotation
+
+ policy = data.aws_iam_policy_document.cloudwatch_log_group.json
+}
+
+resource "aws_kms_alias" "key" {
+ count = var.alias != null && var.alias != "" ? 1 : 0
+
+ name = var.alias
+ target_key_id = aws_kms_key.log_encryption_key.key_id
+}
+
+
+################
+# KMS policy to allow cloudwatch log groups
+################
+data "aws_iam_policy_document" "cloudwatch_log_group" {
+ #checkov:skip=CKV_AWS_283=Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource
+ #checkov:skip=CKV_AWS_111=Ensure IAM policies does not allow write access without constraints
+ #checkov:skip=CKV_AWS_109: "Ensure IAM policies does not allow permissions management (only give for describe key)"
+ #checkov:skip=CKV_AWS_356:Ensure IAM policies limit resource access
+ statement {
+ sid = "Add permission to cw to access KMS key"
+
+ principals {
+ type = "AWS"
+ identifiers = [
+ "*"
+ ]
+ }
+ actions = [
+ "kms:Encrypt*",
+ "kms:Decrypt*",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Describe*"
+ ]
+ resources = ["*"]
+ condition {
+ test = "ArnLike"
+ variable = "kms:EncryptionContext:aws:logs:arn"
+ values = ["arn:aws:logs:${local.aws_region}:${local.account_id}:log-group:*"]
+ }
+ }
 }
diff --git a/modules/logging_configuration/local.tf b/modules/logging_configuration/local.tf
new file mode 100644
index 0000000..f2fa12a
--- /dev/null
+++ b/modules/logging_configuration/local.tf
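Review bot: The single statement in `data.aws_iam_policy_document.cloudwatch_log_group` grants `kms:Encrypt*`, `kms:Decrypt*`, `kms:ReEncrypt*` and `kms:GenerateDataKey*` to principal `*`, and the `kms:EncryptionContext:aws:logs:arn` condition does not narrow that to the CloudWatch Logs service, because the encryption context is chosen by whoever calls KMS rather than proving who the caller is; the principal should be `type = "Service"` with `logs.${local.aws_region}.amazonaws.com`, which is the form AWS documents for log-group CMKs and makes the `CKV_AWS_283` skip unnecessary. The document also contains no statement giving the account root (or anyone) `kms:PutKeyPolicy`, so once applied the key could not be administered through IAM, and with `bypass_policy_lockout_safety_check` left at its default the `CreateKey` call is likely to be rejected by the key-policy lockout safety check; `local.account_id` is already available for such a statement. Rewritten statements below; the actions, resources and condition block of the Logs statement are unchanged.
```hcl
data "aws_iam_policy_document" "cloudwatch_log_group" {
  # Keeps key administration with the account; without a statement that can
  # reach kms:PutKeyPolicy the key policy locks everyone out.
  statement {
    sid       = "EnableKeyAdministrationByAccount"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:root"]
    }
  }

  statement {
    sid = "AllowCloudWatchLogsUseOfTheKey"

    # Only the CloudWatch Logs service in this region, not any AWS principal.
    principals {
      type        = "Service"
      identifiers = ["logs.${local.aws_region}.amazonaws.com"]
    }
    # … unchanged: actions, resources, condition on kms:EncryptionContext:aws:logs:arn …
  }
}
```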
@@ -0,0 +1,10 @@ +# tflint-ignore: terraform_unused_declarations +locals { + + cloudwatch_log_group_name = var.enable_logging ? (var.override_cloudwatch_log_group_name != "" ? var.override_cloudwatch_log_group_name : aws_cloudwatch_log_group.cloudwatch_log_group[0].arn) : "" + + + account_id = data.aws_caller_identity.current.account_id + + aws_region = data.aws_region.current.name +} diff --git a/modules/logging_configuration/main.tf b/modules/logging_configuration/main.tf index af4f252..3fa7c39 100644 --- a/modules/logging_configuration/main.tf +++ b/modules/logging_configuration/main.tf @@ -1,8 +1,3 @@ -# tflint-ignore: terraform_unused_declarations -locals { - cloudwatch_log_group_name = var.override_cloudwatch_log_group_name != "" ? var.override_cloudwatch_log_group_name : aws_cloudwatch_log_group.cloudwatch_log_group.arn -} - resource "aws_verifiedaccess_instance_logging_configuration" "this" { count = var.enable_logging ? 1 : 0 @@ -10,7 +5,7 @@ resource "aws_verifiedaccess_instance_logging_configuration" "this" { access_logs { cloudwatch_logs { enabled = var.cloudwatch_logs.enable - log_group = aws_cloudwatch_log_group.cloudwatch_log_group.arn + log_group = aws_cloudwatch_log_group.cloudwatch_log_group[0].arn } kinesis_data_firehose { @@ -34,8 +29,8 @@ resource "aws_verifiedaccess_instance_logging_configuration" "this" { } resource "aws_cloudwatch_log_group" "cloudwatch_log_group" { - count = var.create_cloudwatch_log_group ? 1 : 0 - name = "ava-default-log-group" + count = var.create_cloudwatch_log_group && var.enable_logging ? 1 : 0 + name = var.cloudwatch_log_group_name kms_key_id = aws_kms_key.log_encryption_key.arn retention_in_days = var.log_retention_in_days } diff --git a/modules/logging_configuration/outputs.tf b/modules/logging_configuration/outputs.tf index 606bb77..c9f5048 100644 --- a/modules/logging_configuration/outputs.tf +++ b/modules/logging_configuration/outputs.tf 
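Review bot: `log_group = aws_cloudwatch_log_group.cloudwatch_log_group[0].arn` in the `cloudwatch_logs` block is evaluated whenever the logging configuration is created, and with this commit's new default `create_cloudwatch_log_group = false` that list is empty, so `enable_logging = true` fails at plan time with an invalid-index error unless the caller also opts into creating the group; `var.override_cloudwatch_log_group_name` is never consulted here either, so an existing group cannot be used at all. Suggested line: `log_group = var.override_cloudwatch_log_group_name != "" ? var.override_cloudwatch_log_group_name : one(aws_cloudwatch_log_group.cloudwatch_log_group[*].arn)`, which evaluates to null rather than erroring when neither is set — confirm the provider accepts an unset `log_group` while `enabled = false`. After this change `var.cloudwatch_logs.log_group` is no longer read anywhere in the module although it remains a required attribute of the `cloudwatch_logs` object, and `local.cloudwatch_log_group_name` in the local.tf hunk is declared only to be silenced with `tflint-ignore`; both should either feed this expression or be dropped. The `cloudwatch_logs` block's enclosing resource starts before and ends after that hunk.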
@@ -4,6 +4,6 @@ output "kms_key_arn" {
 }
 output "cloudwatch_log_group_name" {
- value = aws_cloudwatch_log_group.cloudwatch_log_group[0].name
+ value = var.cloudwatch_log_group_name
 description = "CloudWatch Log Group for AVA logging."
 }
diff --git a/modules/logging_configuration/variables.tf b/modules/logging_configuration/variables.tf
index 816cf18..3d78928 100644
--- a/modules/logging_configuration/variables.tf
+++ b/modules/logging_configuration/variables.tf
@@ -66,7 +66,13 @@ variable "include_trust_context" {
 variable "create_cloudwatch_log_group" {
 description = "Enable/disable CloudWatch Log Group, if false provide existing group"
 type = bool
- default = true
+ default = false
+}
+
+variable "cloudwatch_log_group_name" {
+ type = string
+ description = "New CW log group name if creating a new group"
+ default = "default-ava-cloudwatch-loggroup"
 }
 variable "override_cloudwatch_log_group_name" {
@@ -87,6 +93,12 @@ variable "enable_kms_key_rotation" {
 default = true
 }
+variable "alias" {
+ description = "Alias for kms key"
+ type = string
+ default = "alias/ava/loggroup"
+}
+
 variable "kms_key_deletion_window_in_days" {
 description = "The wait period(days) before rotating"
 type = number
diff --git a/outputs.tf b/outputs.tf
index 365316b..e610ac5 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -2,3 +2,8 @@ output "verifiedaccess_group_id" {
 description = "The ID of the Verified Access group to associate the endpoint with."
 value = aws_verifiedaccess_group.this.id
 }
+
+output "verifiedaccess_instance_id" {
+ description = "The ID of the Verified Access instance to associate the logging configuration."
+ value = aws_verifiedaccess_instance.this.id
+}
From 5dcaff1abb6c33db5731d3f1ae6b38fa72deb429 Mon Sep 17 00:00:00 2001
From: franklinpashok
Date: Wed, 21 Feb 2024 13:23:02 +0800
Subject: [PATCH 6/9] Add KMS-CMK and KMS policy
---
 modules/logging_configuration/local.tf | 4 ----
 1 file changed, 4 deletions(-)
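Review bot: `output "cloudwatch_log_group_name"` now returns `var.cloudwatch_log_group_name` unconditionally, but with `create_cloudwatch_log_group` defaulting to `false` in this same series that variable may name a group that was never created, and when `override_cloudwatch_log_group_name` is set the actual destination is a different group. A consumer wiring metric filters, alarms or retention policies to this output would then point at the wrong group. Prefer deriving it from what was actually used, e.g. `value = var.create_cloudwatch_log_group && var.enable_logging ? aws_cloudwatch_log_group.cloudwatch_log_group[0].name : var.override_cloudwatch_log_group_name`.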
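Review bot: `variable "alias"` in the `@@ -87,6 +93,12 @@` hunk defaults to the fixed string `alias/ava/loggroup`, and `aws_kms_alias.key` in kms.tf creates that alias whenever the value is non-empty; KMS alias names are unique per account and region, so a second instantiation of this module in the same account will likely fail on apply with an alias conflict. Defaulting to `null` — the `count` expression on the alias resource already handles that case — or documenting that callers must override it per instance avoids the collision, and the description `"Alias for kms key"` could state that the `alias/` prefix is required. The surrounding variable definitions continue outside the hunk.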
diff --git a/modules/logging_configuration/local.tf b/modules/logging_configuration/local.tf index f2fa12a..f9915e3 100644 --- a/modules/logging_configuration/local.tf +++ b/modules/logging_configuration/local.tf @@ -1,10 +1,6 @@ # tflint-ignore: terraform_unused_declarations locals { - cloudwatch_log_group_name = var.enable_logging ? (var.override_cloudwatch_log_group_name != "" ? var.override_cloudwatch_log_group_name : aws_cloudwatch_log_group.cloudwatch_log_group[0].arn) : "" - - account_id = data.aws_caller_identity.current.account_id - aws_region = data.aws_region.current.name } From 8cf79b1b06f43a78bdcf21f4452836e2856cf961 Mon Sep 17 00:00:00 2001 From: franklinpashok Date: Wed, 21 Feb 2024 13:32:35 +0800 Subject: [PATCH 7/9] Add KMS-CMK and KMS policy --- modules/logging_configuration/local.tf | 4 ++-- modules/logging_configuration/main.tf | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/logging_configuration/local.tf b/modules/logging_configuration/local.tf index f9915e3..5752185 100644 --- a/modules/logging_configuration/local.tf +++ b/modules/logging_configuration/local.tf @@ -1,6 +1,6 @@ # tflint-ignore: terraform_unused_declarations locals { cloudwatch_log_group_name = var.enable_logging ? (var.override_cloudwatch_log_group_name != "" ? var.override_cloudwatch_log_group_name : aws_cloudwatch_log_group.cloudwatch_log_group[0].arn) : "" - account_id = data.aws_caller_identity.current.account_id - aws_region = data.aws_region.current.name + account_id = data.aws_caller_identity.current.account_id + aws_region = data.aws_region.current.name } diff --git a/modules/logging_configuration/main.tf b/modules/logging_configuration/main.tf index 3fa7c39..05f54a0 100644 --- a/modules/logging_configuration/main.tf +++ b/modules/logging_configuration/main.tf 
@@ -28,6 +28,7 @@ resource "aws_verifiedaccess_instance_logging_configuration" "this" {
 }
+#checkov:skip=CKV_AWS_338:Ensure CloudWatch log groups retains logs for at least 1 year
 resource "aws_cloudwatch_log_group" "cloudwatch_log_group" {
 count = var.create_cloudwatch_log_group && var.enable_logging ? 1 : 0
 name = var.cloudwatch_log_group_name
From bd8a81d3d1f9dfb30585563a08091e0967f94dcd Mon Sep 17 00:00:00 2001
From: franklinpashok
Date: Wed, 21 Feb 2024 13:35:34 +0800
Subject: [PATCH 8/9] fix lint and security error
---
 modules/logging_configuration/local.tf | 2 +-
 modules/logging_configuration/main.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/logging_configuration/local.tf b/modules/logging_configuration/local.tf
index 5752185..89ddcc0 100644
--- a/modules/logging_configuration/local.tf
+++ b/modules/logging_configuration/local.tf
@@ -1,5 +1,5 @@
-# tflint-ignore: terraform_unused_declarations
 locals {
+# tflint-ignore: terraform_unused_declarations
 cloudwatch_log_group_name = var.enable_logging ? (var.override_cloudwatch_log_group_name != "" ? var.override_cloudwatch_log_group_name : aws_cloudwatch_log_group.cloudwatch_log_group[0].arn) : ""
 account_id = data.aws_caller_identity.current.account_id
 aws_region = data.aws_region.current.name
diff --git a/modules/logging_configuration/main.tf b/modules/logging_configuration/main.tf
index 05f54a0..b6bbef9 100644
--- a/modules/logging_configuration/main.tf
+++ b/modules/logging_configuration/main.tf
@@ -28,8 +28,8 @@ resource "aws_verifiedaccess_instance_logging_configuration" "this" {
 }
-#checkov:skip=CKV_AWS_338:Ensure CloudWatch log groups retains logs for at least 1 year
 resource "aws_cloudwatch_log_group" "cloudwatch_log_group" {
+#checkov:skip=CKV_AWS_338:Ensure CloudWatch log groups retains logs for at least 1 year
 count = var.create_cloudwatch_log_group && var.enable_logging ? 1 : 0
 name = var.cloudwatch_log_group_name
 kms_key_id = aws_kms_key.log_encryption_key.arn
From 52f0e818f88ef0f4170d4b8a0dd0bcdcb7860a6e Mon Sep 17 00:00:00 2001
From: franklinpashok
Date: Wed, 21 Feb 2024 13:41:36 +0800
Subject: [PATCH 9/9] fix fmt error
---
 modules/logging_configuration/local.tf | 2 +-
 modules/logging_configuration/main.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/logging_configuration/local.tf b/modules/logging_configuration/local.tf
index 89ddcc0..b9b4147 100644
--- a/modules/logging_configuration/local.tf
+++ b/modules/logging_configuration/local.tf
@@ -1,5 +1,5 @@
 locals {
-# tflint-ignore: terraform_unused_declarations
+ # tflint-ignore: terraform_unused_declarations
 cloudwatch_log_group_name = var.enable_logging ? (var.override_cloudwatch_log_group_name != "" ? var.override_cloudwatch_log_group_name : aws_cloudwatch_log_group.cloudwatch_log_group[0].arn) : ""
 account_id = data.aws_caller_identity.current.account_id
 aws_region = data.aws_region.current.name
diff --git a/modules/logging_configuration/main.tf b/modules/logging_configuration/main.tf
index b6bbef9..84ad47f 100644
--- a/modules/logging_configuration/main.tf
+++ b/modules/logging_configuration/main.tf
@@ -29,7 +29,7 @@ resource "aws_verifiedaccess_instance_logging_configuration" "this" {
 }
 resource "aws_cloudwatch_log_group" "cloudwatch_log_group" {
-#checkov:skip=CKV_AWS_338:Ensure CloudWatch log groups retains logs for at least 1 year
+ #checkov:skip=CKV_AWS_338:Ensure CloudWatch log groups retains logs for at least 1 year
 count = var.create_cloudwatch_log_group && var.enable_logging ? 1 : 0
 name = var.cloudwatch_log_group_name
 kms_key_id = aws_kms_key.log_encryption_key.arn