
Updates to Kinesis Logs to Block Public Access

Going to celebrate the move to govcloud by labeling this v2.0.0
Fred Damstra [afs macbook] 4 gadi atpakaļ
vecāks
revīzija
8d5383f13e

+ 3 - 0
base/account_standards/flowlogs.tf

@@ -65,5 +65,8 @@ module "kinesis_firehose" {
   cloudwatch_log_retention = 30 # keep kinesis logs this long
   log_stream_name = "SplunkDelivery_VPCFlowLogs"
   s3_bucket_name = "kinesis-flowlogs-${var.aws_account_id}-${var.aws_region}"
+  s3_bucket_block_public_access_enabled = 1
+  s3_backup_mode = "FailedEventsOnly"
+  s3_expiration = 30
 }
 

+ 25 - 5
thirdparty/terraform-aws-kinesis-firehose-splunk/main.tf

@@ -15,7 +15,6 @@ resource "aws_kinesis_firehose_delivery_stream" "kinesis_firehose" {
 
   splunk_configuration {
     hec_endpoint               = var.hec_url
-    #hec_token                  = data.aws_kms_secrets.splunk_hec_token.plaintext["hec_token"]
     hec_token                  = var.hec_token
     hec_acknowledgment_timeout = var.hec_acknowledgment_timeout
     hec_endpoint_type          = var.hec_endpoint_type
@@ -51,8 +50,6 @@ resource "aws_kinesis_firehose_delivery_stream" "kinesis_firehose" {
 # S3 Bucket for Kinesis Firehose s3_backup_mode
 resource "aws_s3_bucket" "kinesis_firehose_s3_bucket" {
   bucket = var.s3_bucket_name
-  # new version of aws doesn't let you specify the region
-  #region = var.region
   acl    = "private"
 
   server_side_encryption_configuration {
@@ -63,9 +60,32 @@ resource "aws_s3_bucket" "kinesis_firehose_s3_bucket" {
     }
   }
 
+  lifecycle_rule {
+    id                            = "expire-old-logs"
+    enabled                       = true
+    prefix                        = ""
+    expiration {
+      days = var.s3_expiration
+    }
+    noncurrent_version_expiration {
+      days = var.s3_expiration
+    }
+    abort_incomplete_multipart_upload_days = 7
+  }
+
   tags = var.tags
 }
 
+resource "aws_s3_bucket_public_access_block" "kinesis_firehose_s3_bucket" {
+  count  = var.s3_bucket_block_public_access_enabled
+  bucket = aws_s3_bucket.kinesis_firehose_s3_bucket.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
 # Cloudwatch logging group for Kinesis Firehose
 resource "aws_cloudwatch_log_group" "kinesis_logs" {
   name              = "/aws/kinesisfirehose/${var.firehose_name}"
@@ -284,15 +304,15 @@ resource "aws_iam_policy" "kinesis_firehose_iam_policy" {
   policy = data.aws_iam_policy_document.kinesis_firehose_policy_document.json
 }
 
-resource "aws_iam_role_policy_attachment" "kenisis_fh_role_attachment" {
+resource "aws_iam_role_policy_attachment" "kinesis_fh_role_attachment" {
   role       = aws_iam_role.kinesis_firehose.name
   policy_arn = aws_iam_policy.kinesis_firehose_iam_policy.arn
 }
 
 resource "aws_iam_role" "cloudwatch_to_firehose_trust" {
   name        = var.cloudwatch_to_firehose_trust_iam_role_name
-  description = "Role for CloudWatch Log Group subscription"
   path        = "/aws_services/"
+  description = "Role for CloudWatch Log Group subscription"
   force_detach_policies = true
 
   assume_role_policy = <<ROLE
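Review bot: Renaming `kenisis_fh_role_attachment` to `kinesis_fh_role_attachment` in the last hunk changes the resource address, so a plan against existing state destroys the old `aws_iam_role_policy_attachment` and creates a new one instead of updating in place, leaving the Firehose role without its policy for the duration of the apply. With terraform.tf pinning only `>= 0.13.0`, a `moved` block is not available, so the state should be migrated before apply with `terraform state mv aws_iam_role_policy_attachment.kenisis_fh_role_attachment aws_iam_role_policy_attachment.kinesis_fh_role_attachment`, or the step documented for module consumers. The `splunk_configuration` block in the first hunk and the `aws_iam_role "cloudwatch_to_firehose_trust"` block in the last hunk continue outside the lines shown.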

+ 9 - 0
thirdparty/terraform-aws-kinesis-firehose-splunk/outputs.tf

@@ -0,0 +1,9 @@
+output "cloudwatch_to_firehose_trust_arn" {
+  description = "cloudwatch log subscription filter role_arn"
+  value       = aws_iam_role.cloudwatch_to_firehose_trust.arn
+}
+
+output "destination_firehose_arn" {
+  description = "cloudwatch log subscription filter - Firehose destination arn"
+  value       = aws_kinesis_firehose_delivery_stream.kinesis_firehose.arn
+}

+ 3 - 10
thirdparty/terraform-aws-kinesis-firehose-splunk/terraform.tf

@@ -1,10 +1,3 @@
-#terraform {
-#  required_version = "~> 0.12.0"
-#}
-#
-#provider "aws" {
-#  version = "~> 2.7"
-#
-#  region = var.region
-#}
-
+terraform {
+  required_version = ">= 0.13.0"
+}
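Review bot: The new `terraform` block pins only the core version and drops the provider constraint that the removed comment carried (`version = "~> 2.7"`), so `terraform init` may select any aws provider release, including later major versions in which the inline `acl`, `lifecycle_rule` and `server_side_encryption_configuration` arguments of `aws_s3_bucket` used in main.tf are deprecated. Since `required_version = ">= 0.13.0"` already permits the 0.13 `required_providers` syntax, add a `required_providers` entry with an explicit source and a version range the module has been validated against.
```hcl
terraform {
  required_version = ">= 0.13.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0" # constructed example; use the range this module is tested with
    }
  }
}
```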

+ 16 - 6
thirdparty/terraform-aws-kinesis-firehose-splunk/variables.tf

@@ -1,3 +1,9 @@
+variable "s3_expiration" {
+  description = "How many days to retain objects in s3"
+  type = number
+  default = 30
+}
+
 variable "region" {
   description = "The region of AWS you want to work in, such as us-west-2 or us-east-1"
 }
@@ -78,14 +84,18 @@ variable "log_stream_name" {
 
 variable "s3_bucket_name" {
   description = "Name of the s3 bucket Kinesis Firehose uses for backups"
-  default     = "kinesis-firehose-to-splunk"
 }
 
-#variable "encryption_context" {
-#  description = "aws_kms_secrets encryption context"
-#  type        = map(string)
-#  default     = {}
-#}
+variable "s3_bucket_block_public_access_enabled" {
+  description = "Set to 1 if you would like to add block public access settings for the s3 bucket Kinesis Firehose uses for backups"
+  default     = 0
+}
+
+variable "encryption_context" {
+  description = "aws_kms_secrets encryption context"
+  type        = map(string)
+  default     = {}
+}
 
 variable "kinesis_firehose_lambda_role_name" {
   description = "Name of IAM Role for Lambda function that transforms CloudWatch data for Kinesis Firehose into Splunk compatible format"
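Review bot: `s3_bucket_block_public_access_enabled` defaults to `0`, so the `aws_s3_bucket_public_access_block` resource it gates through `count` in main.tf is not created unless a caller opts in; only base/account_standards/flowlogs.tf sets it to 1 in this commit, and every other consumer keeps a backup bucket with no public access block. Making the secure setting the baseline with `default = 1` and declaring `type = number` (the value feeds `count` directly, which rejects non-numeric input such as `true`) would match the commit's stated intent. The re-enabled `encryption_context` variable appears unused after this change, since the only `data.aws_kms_secrets` reference visible in main.tf is the commented-out line this commit deletes — confirm it is still consumed before keeping it. The `variable "kinesis_firehose_lambda_role_name"` block at the end of the last hunk continues outside the lines shown.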