Эхлэл Бүгдийг харах Тусламж
Бүртгүүлэх Нэвтрэх
AFS
/
xdr-terraform-modules
2
0
Салаа 0
Файлууд Асуудлууд 0 Хуулах хүсэлтүүд 0 Мэдлэгийн сан
Мод: 370353c645
Салаанууд Тагууд
xdr-terraform-m...
/
base
/
kinesis_firehose_waf_logs
/
main.tf

main.tf 6.7 KB
Түүх Анхны өгөгдөл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245 
  1. resource "aws_kinesis_firehose_delivery_stream" "aws-waf-logs-splunk" {
    2. 

  2.   name        = "aws-waf-logs-splunk"
    3. 

  3.   destination = "splunk"
    4. 

  4. 

  5.   server_side_encryption {
    6. 

  6.     enabled = true
    7. 

  7.   }
    8. 

  8. 

  9.   s3_configuration {
    10. 

  10.     role_arn           = aws_iam_role.aws-waf-logs-splunk.arn
    11. 

  11.     bucket_arn         = aws_s3_bucket.aws-waf-logs-splunk.arn
    12. 

  12.     buffer_size        = 10
    13. 

  13.     buffer_interval    = 400
    14. 

  14.     compression_format = "GZIP"
    15. 

  15.     kms_key_arn        = aws_kms_key.aws-waf-logs-splunk.arn
    16. 

  16.   }
    17. 

  17. 

  18.   splunk_configuration {
    19. 

  19.     hec_endpoint               = "https://${local.hec_pub_ack}:8088"
    20. 

  20.     hec_token                  = local.aws_waf_logs_hec_token
    21. 

  21.     hec_acknowledgment_timeout = 600
    22. 

  22.     hec_endpoint_type          = "Raw"
    23. 

  23.     s3_backup_mode             = "FailedEventsOnly"
    24. 

  24.     cloudwatch_logging_options {
    25. 

  25.       enabled         = true
    26. 

  26.       log_group_name  = "kinesis"
    27. 

  27.       log_stream_name = "aws-waf-logs-splunk"
    28. 

  28.     }
    29. 

  29.   }
    30. 

  30. 

  31.   tags = merge(local.standard_tags, var.tags)
    32. 

  32. }
    33. 

  33. 

  34. resource "aws_cloudwatch_log_group" "kinesis" {
    35. 

  35.   name              = "kinesis"
    36. 

  36.   retention_in_days = 7
    37. 

  37.   kms_key_id        = var.cloudtrail_key_arn
    38. 

  38.   tags              = merge(local.standard_tags, var.tags)
    39. 

  39. }
    40. 

  40. 

  41. resource "aws_cloudwatch_log_stream" "kinesis" {
    42. 

  42.   name           = "aws-waf-logs-splunk"
    43. 

  43.   log_group_name = aws_cloudwatch_log_group.kinesis.name
    44. 

  44. }
    45. 

  45. 

  46. # tfsec:ignore:aws-s3-enable-bucket-logging Don't log the logs
    47. 

  47. resource "aws_s3_bucket" "aws-waf-logs-splunk" {
    48. 

  48.   bucket = "aws-waf-logs-splunk-${var.environment}-${var.account_name}"
    49. 

  49. 

  50.   tags = merge(local.standard_tags, var.tags, { "Purpose" = "Failed events from AWS Kinesis" })
    51. 

  51. }
    52. 

  52. 

  53. resource "aws_s3_bucket_acl" "s3_acl_aws-waf-logs-splunk" {
    54. 

  54.   bucket = aws_s3_bucket.aws-waf-logs-splunk.id
    55. 

  55.   acl    = "private"
    56. 

  56. }
    57. 

  57. 

  58. # tfsec:ignore:aws-s3-enable-versioning No versioning on logging buckets
    59. 

  59. resource "aws_s3_bucket_versioning" "s3_version_aws-waf-logs-splunk" {
    60. 

  60.   bucket = aws_s3_bucket.aws-waf-logs-splunk.id
    61. 

  61. 

  62.   versioning_configuration {
    63. 

  63.     status = "Suspended"
    64. 

  64.   }
    65. 

  65. }
    66. 

  66. 

  67. resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_aws-waf-logs-splunk" {
    68. 

  68.   bucket = aws_s3_bucket.aws-waf-logs-splunk.id
    69. 

  69. 

  70.   rule {
    71. 

  71.     apply_server_side_encryption_by_default {
    72. 

  72.       kms_master_key_id = aws_kms_key.aws-waf-logs-splunk.arn
    73. 

  73.       sse_algorithm     = "aws:kms"
    74. 

  74.     }
    75. 

  75.   }
    76. 

  76. }
    77. 

  77. 

  78. resource "aws_s3_bucket_public_access_block" "aws-waf-logs-splunk" {
    79. 

  79.   bucket = aws_s3_bucket.aws-waf-logs-splunk.id
    80. 

  80. 

  81.   block_public_acls       = true
    82. 

  82.   block_public_policy     = true
    83. 

  83.   ignore_public_acls      = true
    84. 

  84.   restrict_public_buckets = true
    85. 

  85. }
    86. 

  86. 

  87. resource "aws_kms_key" "aws-waf-logs-splunk" {
    88. 

  88.   description             = "KMS Key for Failed AWS Kinesis Transmission to the HEC"
    89. 

  89.   deletion_window_in_days = 10
    90. 

  90.   enable_key_rotation     = true
    91. 

  91.   policy                  = data.aws_iam_policy_document.aws-waf-logs-splunk.json
    92. 

  92. 

  93.   tags = merge(local.standard_tags, var.tags, { "Purpose" = "Failed events from AWS Kinesis" })
    94. 

  94. }
    95. 

  95. 

  96. data "aws_iam_policy_document" "aws-waf-logs-splunk" {
    97. 

  97.   statement {
    98. 

  98.     sid    = "AllowThisAccount"
    99. 

  99.     effect = "Allow"
    100. 

  100.     principals {
    101. 

  101.       identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
    102. 

  102.       type        = "AWS"
    103. 

  103.     }
    104. 

  104.     actions = [
    105. 

  105.       "kms:*"
    106. 

  106.     ]
    107. 

  107.     resources = ["*"]
    108. 

  108.   }
    109. 

  109.   statement {
    110. 

  110.     sid    = "AllowKinesis"
    111. 

  111.     effect = "Allow"
    112. 

  112.     principals {
    113. 

  113.       identifiers = ["firehose.amazonaws.com"]
    114. 

  114.       type        = "Service"
    115. 

  115.     }
    116. 

  116.     actions = [
    117. 

  117.       "kms:GenerateDataKey",
    118. 

  118.       "kms:Decrypt"
    119. 

  119.     ]
    120. 

  120.     resources = ["*"]
    121. 

  121.   }
    122. 

  122. }
    123. 

  123. 

  124. 

  125. resource "aws_iam_role" "aws-waf-logs-splunk" {
    126. 

  126.   name = "aws-waf-logs-splunk"
    127. 

  127.   path = "/aws_services/"
    128. 

  128. 

  129.   assume_role_policy = <<EOF
    130. 

  130. {
    131. 

  131.   "Version": "2012-10-17",
    132. 

  132.   "Statement": [
    133. 

  133.     {
    134. 

  134.       "Sid": "",
    135. 

  135.       "Effect": "Allow",
    136. 

  136.       "Principal": {
    137. 

  137.         "Service": "firehose.amazonaws.com"
    138. 

  138.       },
    139. 

  139.       "Action": "sts:AssumeRole"
    140. 

  140.     }
    141. 

  141.   ]
    142. 

  142. }
    143. 

  143. EOF
    144. 

  144. 

  145.   tags = merge(local.standard_tags, var.tags)
    146. 

  146. }
    147. 

  147. 

  148. resource "aws_iam_role_policy" "aws-waf-logs-splunk" {
    149. 

  149.   name = "aws-waf-logs-splunk"
    150. 

  150.   role = aws_iam_role.aws-waf-logs-splunk.id
    151. 

  151. 

  152.   # From https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-splunk
    153. 

  153.   policy = <<-EOF
    154. 

  154. {
    155. 

  155.     "Version": "2012-10-17",
    156. 

  156.     "Statement":
    157. 

  157.     [
    158. 

  158.         {
    159. 

  159.             "Effect": "Allow",
    160. 

  160.             "Action": [
    161. 

  161.                 "s3:AbortMultipartUpload",
    162. 

  162.                 "s3:GetBucketLocation",
    163. 

  163.                 "s3:GetObject",
    164. 

  164.                 "s3:ListBucket",
    165. 

  165.                 "s3:ListBucketMultipartUploads",
    166. 

  166.                 "s3:PutObject"
    167. 

  167.             ],
    168. 

  168.             "Resource": [
    169. 

  169.                 "${aws_s3_bucket.aws-waf-logs-splunk.arn}",
    170. 

  170.                 "${aws_s3_bucket.aws-waf-logs-splunk.arn}/*"
    171. 

  171.             ]
    172. 

  172.         },
    173. 

  173.         {
    174. 

  174.            "Effect": "Allow",
    175. 

  175.            "Action": [
    176. 

  176.                "kms:Decrypt",
    177. 

  177.                "kms:GenerateDataKey"
    178. 

  178.            ],
    179. 

  179.            "Resource": [
    180. 

  180.                "${aws_kms_key.aws-waf-logs-splunk.arn}"
    181. 

  181.            ],
    182. 

  182.            "Condition": {
    183. 

  183.                "StringEquals": {
    184. 

  184.                    "kms:ViaService": "s3.${var.aws_region}.amazonaws.com"
    185. 

  185.                },
    186. 

  186.                "StringLike": {
    187. 

  187.                    "kms:EncryptionContext:aws:s3:arn": "${aws_s3_bucket.aws-waf-logs-splunk.arn}/*"
    188. 

  188.                }
    189. 

  189.            }
    190. 

  190.         },
    191. 

  191.         {
    192. 

  192.            "Effect": "Allow",
    193. 

  193.            "Action": [
    194. 

  194.                "kinesis:DescribeStream",
    195. 

  195.                "kinesis:GetShardIterator",
    196. 

  196.                "kinesis:GetRecords",
    197. 

  197.                "kinesis:ListShards"
    198. 

  198.            ],
    199. 

  199.            "Resource": "${aws_kinesis_firehose_delivery_stream.aws-waf-logs-splunk.arn}"
    200. 

  200.         },
    201. 

  201.         {
    202. 

  202.            "Effect": "Allow",
    203. 

  203.            "Action": [
    204. 

  204.                "logs:PutLogEvents"
    205. 

  205.            ],
    206. 

  206.            "Resource": [
    207. 

  207.              "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:kinesis:*"
    208. 

  208.            ]
    209. 

  209.         }
    210. 

  210.     ]
    211. 

  211. }
    212. 

  212. EOF
    213. 

  213.   # Removed from above policy as I think it's unneeded
    214. 

  214.   #        ,
    215. 

  215.   #        {
    216. 

  216.   #           "Effect": "Allow",
    217. 

  217.   #           "Action": [
    218. 

  218.   #               "lambda:InvokeFunction",
    219. 

  219.   #               "lambda:GetFunctionConfiguration"
    220. 

  220.   #           ],
    221. 

  221.   #           "Resource": [
    222. 

  222.   #               "arn:aws:lambda:region:account-id:function:function-name:function-version"
    223. 

  223.   #           ]
    224. 

  224.   #        }
    225. 

  225. }
    226. 

  226. 

  227. //AWS Provider outdated arguments <4.4.0
    228. 

  228. /*resource "aws_s3_bucket" "aws-waf-logs-splunk" {
    229. 

  229.   bucket = "aws-waf-logs-splunk-${var.environment}-${var.account_name}"
    230. 

  230.   acl    = "private"
    231. 

  231. 

  232.   versioning { enabled = false }
    233. 

  233. 

  234.   server_side_encryption_configuration {
    235. 

  235.     rule {
    236. 

  236.       apply_server_side_encryption_by_default {
    237. 

  237.         kms_master_key_id = aws_kms_key.aws-waf-logs-splunk.arn
    238. 

  238.         sse_algorithm     = "aws:kms"
    239. 

  239.       }
    240. 

  240.     }
    241. 

  241.   }
    242. 

  242. 

  243.   tags   = merge(local.standard_tags, var.tags, { "Purpose" = "Failed events from AWS Kinesis" })
    244. 

  244. }
    245. 

  245. */
    246.