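# Firehose delivery stream that forwards AWS WAF logs to a Splunk HEC.
# The name must keep the "aws-waf-logs-" prefix: WAF only accepts a logging
# destination whose delivery stream name starts with it.
resource "aws_kinesis_firehose_delivery_stream" "aws-waf-logs-splunk" {
  name        = "aws-waf-logs-splunk"
  destination = "splunk"

  # Encryption at rest for records while they are buffered inside Firehose.
  # No key is named here, so the provider's default key type (AWS-owned) is
  # used; the customer-managed key below only protects the S3 backup copies.
  server_side_encryption {
    enabled = true
  }

  # Backup location for records Splunk did not acknowledge (s3_backup_mode
  # below). Objects are compressed and written with the dedicated CMK.
  s3_configuration {
    role_arn           = aws_iam_role.aws-waf-logs-splunk.arn
    bucket_arn         = aws_s3_bucket.aws-waf-logs-splunk.arn
    buffer_size        = 10
    buffer_interval    = 400
    compression_format = "GZIP"
    kms_key_arn        = aws_kms_key.aws-waf-logs-splunk.arn
  }

  splunk_configuration {
    # HEC is reached over TLS on the standard HEC port.
    hec_endpoint = "https://${local.hec_pub_ack}:8088"
    # NOTE(security): the HEC token is a bearer credential and Terraform
    # persists it in state in clear text; state storage must be encrypted and
    # access-controlled, and the local must be fed from a secrets store, never
    # a literal in the repository.
    hec_token                  = local.aws_waf_logs_hec_token
    hec_acknowledgment_timeout = 600
    hec_endpoint_type          = "Raw"
    s3_backup_mode             = "FailedEventsOnly"

    cloudwatch_logging_options {
      enabled = true
      # Reference the managed resources instead of repeating their literal
      # names: Terraform then creates the group and stream before the delivery
      # stream, and a later rename cannot silently point error logging at a
      # group that does not exist.
      log_group_name  = aws_cloudwatch_log_group.kinesis.name
      log_stream_name = aws_cloudwatch_log_stream.kinesis.name
    }
  }

  tags = merge(local.standard_tags, var.tags)
}

# Error/delivery log group for the Firehose stream. Encrypted with the
# CloudTrail key handed in by the caller (var.cloudtrail_key_arn); that key's
# policy must therefore allow the CloudWatch Logs service principal.
resource "aws_cloudwatch_log_group" "kinesis" {
  name              = "kinesis"
  retention_in_days = 7
  kms_key_id        = var.cloudtrail_key_arn
  tags              = merge(local.standard_tags, var.tags)
}

# Log stream inside the group above, named after the delivery stream so
# Firehose delivery errors are easy to locate.
resource "aws_cloudwatch_log_stream" "kinesis" {
  name           = "aws-waf-logs-splunk"
  log_group_name = aws_cloudwatch_log_group.kinesis.name
}

# Backup bucket for records Splunk failed to acknowledge. Server access
# logging is deliberately off: this bucket is itself a log sink.
# tfsec:ignore:aws-s3-enable-bucket-logging Don't log the logs
resource "aws_s3_bucket" "aws-waf-logs-splunk" {
  bucket = "aws-waf-logs-splunk-${var.environment}-${var.account_name}"
  tags = merge(local.standard_tags, var.tags, {
    "Purpose" = "Failed events from AWS Kinesis"
  })
}

# NOTE(review): buckets whose object ownership is BucketOwnerEnforced (the
# S3 default since April 2023) reject ACL writes with
# AccessControlListNotSupported. If the provider version in use creates
# buckets that way, this resource needs an aws_s3_bucket_ownership_controls
# dependency or can be dropped; the public access block already makes the
# bucket private. Confirm before removing.
resource "aws_s3_bucket_acl" "s3_acl_aws-waf-logs-splunk" {
  bucket = aws_s3_bucket.aws-waf-logs-splunk.id
  acl    = "private"
}

# Versioning stays off: the bucket only holds transient failed-event backups.
# tfsec:ignore:aws-s3-enable-versioning No versioning on logging buckets
resource "aws_s3_bucket_versioning" "s3_version_aws-waf-logs-splunk" {
  bucket = aws_s3_bucket.aws-waf-logs-splunk.id
  versioning_configuration {
    status = "Suspended"
  }
}

# Default encryption for the backup bucket: SSE-KMS with the dedicated key,
# matching the kms_key_arn Firehose uses when it writes failed events.
resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_aws-waf-logs-splunk" {
  bucket = aws_s3_bucket.aws-waf-logs-splunk.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.aws-waf-logs-splunk.arn
    }
  }
}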
# Lock the backup bucket down: neither an ACL nor a bucket policy can ever
# expose failed WAF log records publicly.
resource "aws_s3_bucket_public_access_block" "aws-waf-logs-splunk" {
  bucket                  = aws_s3_bucket.aws-waf-logs-splunk.id
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}

# Customer-managed key protecting the failed-event backup objects.
# Automatic yearly rotation is on; a 10-day deletion window leaves time to
# cancel an accidental scheduled deletion before the backups become
# unreadable.
resource "aws_kms_key" "aws-waf-logs-splunk" {
  description             = "KMS Key for Failed AWS Kinesis Transmission to the HEC"
  policy                  = data.aws_iam_policy_document.aws-waf-logs-splunk.json
  enable_key_rotation     = true
  deletion_window_in_days = 10
  tags = merge(local.standard_tags, var.tags, {
    "Purpose" = "Failed events from AWS Kinesis"
  })
}

# Key policy: the account root keeps full control (so IAM policies in this
# account can grant key usage to the delivery role), and the Firehose
# service principal may wrap/unwrap data keys with it.
data "aws_iam_policy_document" "aws-waf-logs-splunk" {
  # Delegates key administration to this account's IAM. Without this the key
  # becomes unmanageable; fine-grained scoping is done in IAM, not here.
  statement {
    sid       = "AllowThisAccount"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
    }
  }

  # NOTE(review): this statement carries no Condition, so in principle any
  # Firehose stream able to name this key ARN could use it (confused-deputy
  # exposure). If the delivery role (defined below, body not shown here) is
  # what actually encrypts the S3 objects, the statement may be unnecessary;
  # otherwise consider a kms:CallerAccount / kms:ViaService condition —
  # verify against the Firehose SSE documentation before tightening.
  statement {
    sid       = "AllowKinesis"
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["firehose.amazonaws.com"]
    }
  }
}

# Delivery role assumed by Firehose. Its trust policy is a heredoc that
# continues beyond this chunk.
resource "aws_iam_role" "aws-waf-logs-splunk" {
  name               = "aws-waf-logs-splunk"
  path               = "/aws_services/"
  assume_role_policy = <