From 76a749280fc6c2b56866951924c23a875ffb9c7e Mon Sep 17 00:00:00 2001
From: Hana Lee
Date: Sun, 14 Nov 2021 13:02:38 -0600
Subject: [PATCH 1/2] Create encrypted logs module
---
 modules/encrypted_logs/CHANGELOG.md | 3 ++
 modules/encrypted_logs/README.md | 30 +++++++++++++++++
 modules/encrypted_logs/VERSION.txt | 1 +
 modules/encrypted_logs/main.tf | 51 +++++++++++++++++++++++++++++
 modules/encrypted_logs/outputs.tf | 7 ++++
 modules/encrypted_logs/variables.tf | 10 ++++++
 6 files changed, 102 insertions(+)
 create mode 100644 modules/encrypted_logs/CHANGELOG.md
 create mode 100644 modules/encrypted_logs/README.md
 create mode 100644 modules/encrypted_logs/VERSION.txt
 create mode 100644 modules/encrypted_logs/main.tf
 create mode 100644 modules/encrypted_logs/outputs.tf
 create mode 100644 modules/encrypted_logs/variables.tf
diff --git a/modules/encrypted_logs/CHANGELOG.md b/modules/encrypted_logs/CHANGELOG.md
new file mode 100644
index 0000000..3164188
--- /dev/null
+++ b/modules/encrypted_logs/CHANGELOG.md
@@ -0,0 +1,3 @@
+## [1.0] - 2021-11-14
+
+* Creates an encrypted log group module
diff --git a/modules/encrypted_logs/README.md b/modules/encrypted_logs/README.md
new file mode 100644
index 0000000..09d0b4c
--- /dev/null
+++ b/modules/encrypted_logs/README.md
@@ -0,0 +1,30 @@
+# Encrypted Logs
+
+This module provisions a CloudWatch log group encrypted with KMS.
+
+## Usage
+
+```terraform
+module "encrypted_logs" {
+ log_group_name = "encrypted-logs"
+ tags = {
+ environment = "staging"
+ }
+}
+
+resource "aws_sfn_state_machine" "step_function" {
+ name = "my-step-function"
+ role_arn = aws_iam_role.step_function.arn
+
+ logging_configuration {
+ logging_destination = "${module.encrypted_logs.log_group_arn}:*"
+ include_execution_data = true
+ level = "ALL"
+ }
+}
+
+resource "aws_iam_role_policy_attachment" "step_function" {
+ role = aws_iam_role.step_function.id
+ policy_arn = module.encrypted_logs.write_logs_policy_arn
+}
+```
diff --git a/modules/encrypted_logs/VERSION.txt b/modules/encrypted_logs/VERSION.txt
new file mode 100644
index 0000000..d3827e7
--- /dev/null
+++ b/modules/encrypted_logs/VERSION.txt
@@ -0,0 +1 @@
+1.0
diff --git a/modules/encrypted_logs/main.tf b/modules/encrypted_logs/main.tf
new file mode 100644
index 0000000..669016c
--- /dev/null
+++ b/modules/encrypted_logs/main.tf
@@ -0,0 +1,51 @@
+resource "aws_cloudwatch_log_group" "main" {
+ name = var.log_group_name
+ kms_key_id = aws_kms_key.main.arn
+ tags = var.tags
+}
+
+// Probably worth creating a KMS key module to use here instead
+resource "aws_kms_key" "main" {
+ description = "Encryption key for ${var.log_group_name} logs"
+ enable_key_rotation = true
+ tags = var.tags
+}
+
+resource "aws_kms_alias" "main" {
+ name = "alias/${log_group_name}-logs"
+ target_key_id = aws_kms_key.main.key_id
+}
+
+resource "aws_iam_policy" "write_logs" {
+ name = "write-${var.log_group_name}-logs"
+ policy = data.aws_iam_policy_document.write_logs.json
+}
+
+resource "aws_iam_policy_document" "write_logs" {
+ statement {
+ sid = "CreateLogStream"
+ actions = ["logs:CreateLogStream"]
+ resources = [
+ "${aws_cloudwatch_log_group.main.arn}:log-stream:*"
+ ]
+ }
+
+ statement {
+ sid = "WriteLogs"
+ actions = ["logs:PutLogEvents"]
+ resources = [
+ "${aws_cloudwatch_log_group.main.arn}:log-stream:*"
+ ]
+ }
+
+ statement {
+ sid = "UseLogEncryption"
+ actions = [
+ "kms:GenerateDataKey",
+ "kms:Decrypt",
+ ]
+ resources = [
+ aws_kms_key.main.arn,
+ ]
+ }
+}
diff --git a/modules/encrypted_logs/outputs.tf b/modules/encrypted_logs/outputs.tf
new file mode 100644
index 0000000..ec41e21
--- /dev/null
+++ b/modules/encrypted_logs/outputs.tf
@@ -0,0 +1,7 @@
+output "write_logs_policy_arn" {
+ value = aws_iam_policy.write_logs.arn
+}
+
+output "log_group_arn" {
+ value = aws_cloudwatch_log_group.main.arn
+}
diff --git a/modules/encrypted_logs/variables.tf b/modules/encrypted_logs/variables.tf
new file mode 100644
index 0000000..18ec1dd
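Review bot: The `write_logs` policy document in main.tf is declared as `resource "aws_iam_policy_document"` but is referenced as `data.aws_iam_policy_document.write_logs.json` from `aws_iam_policy.write_logs`, and the alias name interpolates `${log_group_name}` without the `var.` prefix, so this hunk does not plan as written; change them to `data "aws_iam_policy_document" "write_logs" {` and `name = "alias/${var.log_group_name}-logs"`. More important for the module's stated purpose, `aws_kms_key.main` sets no `policy`, so the key only gets the default root-access policy and the CloudWatch Logs service principal has no permission on it; AWS refuses to associate a CMK with a log group unless the key policy lets `logs.<region>.amazonaws.com` encrypt and decrypt with it, normally scoped with a `kms:EncryptionContext:aws:logs:arn` condition to this log group, so the key needs a policy along the lines of the sketch below (the root statement must be kept, because a custom policy replaces the default one entirely). The `:log-stream:*` suffix appended to `aws_cloudwatch_log_group.main.arn` (and the `:*` the README example appends to the output) should be checked against the AWS provider version in use, since older provider releases already return that ARN with a trailing `:*`, which would produce an invalid resource ARN here. Consider also exposing `retention_in_days` on the log group rather than retaining encrypted logs indefinitely by default.
```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

// Custom key policy: keep account-root access and let CloudWatch Logs use the key
// for this log group only; without this the kms_key_id association is rejected.
data "aws_iam_policy_document" "key_policy" {
  statement {
    sid       = "EnableRootAccess"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  statement {
    sid = "AllowCloudWatchLogs"
    actions = [
      "kms:Encrypt*",
      "kms:Decrypt*",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:Describe*",
    ]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
    }
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${var.log_group_name}"]
    }
  }
}

resource "aws_kms_key" "main" {
  description         = "Encryption key for ${var.log_group_name} logs"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.key_policy.json
  tags                = var.tags
}

resource "aws_kms_alias" "main" {
  name          = "alias/${var.log_group_name}-logs"
  target_key_id = aws_kms_key.main.key_id
}

// … unchanged: aws_cloudwatch_log_group.main, aws_iam_policy.write_logs …

data "aws_iam_policy_document" "write_logs" {
  // … unchanged: CreateLogStream, WriteLogs and UseLogEncryption statements …
}
```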
--- /dev/null
+++ b/modules/encrypted_logs/variables.tf
@@ -0,0 +1,10 @@
+variable "log_group_name" {
+ type = string
+ description = "Name for CloudWatch log group"
+}
+
+variable "tags" {
+ type = map(string)
+ description = "Tags to add to CloudWatch log group and associated KMS key"
+ default = {}
+}
From f983befab833abb0a3b76c3c62fdd4f8d6df6c9f Mon Sep 17 00:00:00 2001
From: Hana Lee
Date: Mon, 15 Nov 2021 09:52:05 -0600
Subject: [PATCH 2/2] Put in source for module usage example in README
---
 modules/encrypted_logs/README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/modules/encrypted_logs/README.md b/modules/encrypted_logs/README.md
index 09d0b4c..9721220 100644
--- a/modules/encrypted_logs/README.md
+++ b/modules/encrypted_logs/README.md
@@ -6,6 +6,8 @@ This module provisions a CloudWatch log group encrypted with KMS.
 
 ```terraform
 module "encrypted_logs" {
+ source = "modules/encrypted_logs" // update when we've figured out how/if we will publish
+
 log_group_name = "encrypted-logs"
 tags = {
 environment = "staging"