Inicio Explorar Axuda
Rexistro Iniciar sesión
AFS
/
xdr-terraform-modules
2
0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Explorar o código

Fixes Snapshots and Filters out NODATA flowlogs

* volume_tags applied to all instances
* NODATA entries filtered from vpc flow logs
* lifecycle for EBS snapshots added

Note: This will install the 'Snapshot: Daily' tag everywhere, even in
places that are not appropriate. However, the opposite scenario (when
the tag is _not_ present when it should be) seems much worse, and is
where we ended up in TF11 (which clearly had intended to have separate
ebs_vol_tags), so this seems cleaner.
Fred Damstra %!s(int64=4) %!d(string=hai) anos
pai
5e191dc5dc
achega
d20e02f051
Modificáronse 5 ficheiros con 48 adicións e 0 borrados
Dividir vista Mostrar estatísticas de Diff
  1. 36 0
      base/account_standards/ebs_backups.tf
  2. 1 0
      base/bastion/main.tf
  3. 7 0
      base/interconnects/main.tf
  4. 1 0
      base/salt_master/main.tf
  5. 3 0
      thirdparty/terraform-aws-kinesis-firehose-splunk/files/kinesis-firehose-cloudwatch-logs-processor.js

+ 36 - 0
base/account_standards/ebs_backups.tf
Ver ficheiro 

@@ -0,0 +1,36 @@
 
+# To keep in line with FedRAMP we are setting up a lifecycle on the EBS vol to create "backups"
 
+# It will target the tag "Snapshot" based on the value depends on what policy is assigned (see comments bellow)
 
+resource "aws_dlm_lifecycle_policy" "daily" {
 
+  description        = "daily DLM lifecycle policy"
 
+  execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
 
+  state              = "ENABLED"
 
+
 
+  policy_details {
 
+    resource_types = ["VOLUME"]
 
+
 
+    schedule {
 
+      name = "daily snapshots retain 2"
 
+
 
+      create_rule {
 
+        interval      = 24
 
+        interval_unit = "HOURS"
 
+        times         = ["23:45"]
 
+      }
 
+
 
+      retain_rule {
 
+        count = 2
 
+      }
 
+
 
+      tags_to_add = {
 
+        SnapshotCreator = "DLM"
 
+        SnapshotPolicy = "Daily"
 
+      }
 
+
 
+      copy_tags = true
 
+    }
 
+
 
+    target_tags = {
 
+      Snapshot = "Daily"
 
+    }
 
+  }
 
+}

+ 1 - 0
base/bastion/main.tf
Ver ficheiro 

@@ -130,6 +130,7 @@ resource "aws_instance" "instance" {
 
 
   user_data = data.template_cloudinit_config.cloud-init.rendered
 
   tags = merge( var.standard_tags, var.tags, { Name = var.instance_name })
 
+  volume_tags = merge( var.standard_tags, var.tags, { Name = var.instance_name })
 
 }
 
 
 module "private_dns_record" {

+ 7 - 0
base/interconnects/main.tf
Ver ficheiro 

@@ -62,6 +62,13 @@ resource "aws_instance" "interconnects" {
 
       Name = "interconnect-${count.index}"
 
     }
 
   )
 
+  volume_tags = merge(
 
+    var.standard_tags,
 
+    var.tags,
 
+    { 
+      Name = "interconnect-${count.index}"
 
+    }
 
+  )
 
 
   root_block_device {
 
       volume_type = "gp2"

+ 1 - 0
base/salt_master/main.tf
Ver ficheiro 

@@ -130,6 +130,7 @@ resource "aws_instance" "instance" {
 
 
   user_data = data.template_cloudinit_config.salt_master_cloud_init_config.rendered
 
   tags = merge( var.standard_tags, var.tags, { Name = var.instance_name })
 
+  volume_tags = merge( var.standard_tags, var.tags, { Name = var.instance_name })
 
 }
 
 
 #Uncommnet this when we are ready to make the change.

+ 3 - 0
thirdparty/terraform-aws-kinesis-firehose-splunk/files/kinesis-firehose-cloudwatch-logs-processor.js
Ver ficheiro 

@@ -60,6 +60,9 @@ const AWS = require('aws-sdk');
 
  * The result must be returned in a Promise.
 
  */
 
 function transformLogEvent(logEvent) {
 
+    if (logEvent.message.includes('NODATA')) {
 
+        return Promise.resolve(``);
 
+    }
 
     return Promise.resolve(`${logEvent.message}\n`);
 
 }