| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284 |
- # The centralized bucket for ELB Logging
- data "aws_elb_service_account" "main" {} # ELB logs use a single aws account to place logs
- module "elb_logging_logging_bucket" {
- source = "../../thirdparty/terraform-aws-s3logging-bucket"
- bucket_name = "xdr-elb-${var.environment}-access-logs"
- lifecycle_rules = [
- {
- id = "expire-old-logs"
- enabled = true
- prefix = ""
- expiration = 30
- noncurrent_version_expiration = 30
- abort_incomplete_multipart_upload_days = 7
- }
- ]
- tags = merge(local.standard_tags, var.tags, { "Note" = "ELB Logging Does Not Support SSE-KMS. Only SSE-S3 is supported." })
- versioning_enabled = true
- }
- resource "aws_s3_bucket" "elb_logging_bucket" {
- bucket = "xdr-elb-${var.environment}"
- tags = merge(local.standard_tags, var.tags)
- }
- resource "aws_s3_bucket_acl" "s3_acl_elb_logging_bucket" {
- bucket = aws_s3_bucket.elb_logging_bucket.id
- acl = "private"
- }
- resource "aws_s3_bucket_versioning" "s3_version_elb_logging_bucket" {
- bucket = aws_s3_bucket.elb_logging_bucket.id
- versioning_configuration {
- status = "Enabled"
- }
- }
- resource "aws_s3_bucket_logging" "elb_logging_bucket" {
- bucket = aws_s3_bucket.elb_logging_bucket.id
- target_bucket = module.elb_logging_logging_bucket.s3_bucket_name
- target_prefix = "${var.aws_account_id}-${var.aws_region}-elblogs/"
- }
- # tfsec:ignore:aws-s3-encryption-customer-key Risk is low for AES-256 encryption
- resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_elb_logging_bucket" {
- bucket = aws_s3_bucket.elb_logging_bucket.id
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "AES256" # ELB logging only supports SSE-S3
- }
- }
- }
- resource "aws_s3_bucket_public_access_block" "aws_elb_bucket_block_public_access" {
- block_public_acls = true
- block_public_policy = true
- bucket = aws_s3_bucket.elb_logging_bucket.id
- ignore_public_acls = true
- restrict_public_buckets = true
- }
- data "aws_iam_policy_document" "aws_elb_bucket_policy" {
- statement {
- effect = "Allow"
- actions = ["s3:PutObject"]
- # principals {
- # type = "AWS"
- # identifiers = [ for a in local.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
- #}
- principals {
- type = "AWS"
- identifiers = [data.aws_elb_service_account.main.arn]
- }
- resources = ["arn:${var.aws_partition}:s3:::${aws_s3_bucket.elb_logging_bucket.bucket}/*"]
- }
- statement {
- effect = "Allow"
- actions = ["s3:PutObject"]
- principals {
- type = "Service"
- identifiers = ["delivery.logs.amazonaws.com"]
- }
- resources = ["arn:${var.aws_partition}:s3:::${aws_s3_bucket.elb_logging_bucket.bucket}/*"]
- condition {
- test = "StringEquals"
- variable = "s3:x-amz-acl"
- values = ["bucket-owner-full-control"]
- }
- }
- statement {
- effect = "Allow"
- actions = ["s3:GetBucketAcl"]
- principals {
- type = "Service"
- identifiers = ["delivery.logs.amazonaws.com"]
- }
- resources = ["arn:${var.aws_partition}:s3:::${aws_s3_bucket.elb_logging_bucket.bucket}"]
- }
- }
- resource "aws_s3_bucket_policy" "aws_elb_bucket_policy" {
- bucket = aws_s3_bucket.elb_logging_bucket.id
- policy = data.aws_iam_policy_document.aws_elb_bucket_policy.json
- # Ordering bug, see https://github.com/terraform-providers/terraform-provider-aws/issues/7628
- depends_on = [aws_s3_bucket_public_access_block.aws_elb_bucket_block_public_access]
- }
- #### SQS Queue for Splunk
- resource "aws_s3_bucket_notification" "on_new_elb_log" {
- bucket = aws_s3_bucket.elb_logging_bucket.bucket
- topic {
- topic_arn = aws_sns_topic.new_elb_log_event.arn
- events = [
- "s3:ObjectCreated:*",
- ]
- filter_suffix = ""
- }
- }
- resource "aws_sns_topic" "new_elb_log_event" {
- name = "s3-notification-topic-${aws_s3_bucket.elb_logging_bucket.bucket}"
- kms_master_key_id = aws_kms_key.new_object_key.id
- }
- resource "aws_sns_topic_policy" "elb_log" {
- arn = aws_sns_topic.new_elb_log_event.arn
- policy = data.aws_iam_policy_document.elblog_bucket_can_publish.json
- }
- data "aws_iam_policy_document" "elblog_bucket_can_publish" {
- statement {
- actions = [
- "SNS:Publish",
- ]
- effect = "Allow"
- condition {
- test = "ArnLike"
- variable = "aws:SourceArn"
- values = [
- aws_s3_bucket.elb_logging_bucket.arn
- ]
- }
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
- resources = [
- aws_sns_topic.new_elb_log_event.arn
- ]
- sid = "allowpublish"
- }
- statement {
- actions = [
- "SNS:Subscribe",
- "SNS:Receive",
- ]
- effect = "Allow"
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
- condition {
- test = "ArnEquals"
- values = [aws_sqs_queue.new_elblog.arn]
- variable = "aws:SourceArn"
- }
- resources = [
- aws_sns_topic.new_elb_log_event.arn
- ]
- sid = "sid_allow_subscribe"
- }
- }
- resource "aws_sqs_queue" "new_elblog" {
- name = "new-objects-for-${aws_s3_bucket.elb_logging_bucket.bucket}"
- visibility_timeout_seconds = 300 # wait 5 minutes before allowing a different splunk instance to process the same message
- message_retention_seconds = 604800 # Keep a message in the queue for 7 days
- receive_wait_time_seconds = 0 # how long to wait for a message before returning
- redrive_policy = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.elblog-dlg.arn}\",\"maxReceiveCount\":4}"
- tags = merge(local.standard_tags, var.tags)
- kms_master_key_id = aws_kms_key.new_object_key.id
- kms_data_key_reuse_period_seconds = 3600
- }
- data "aws_iam_policy_document" "sns_topic_elblog_can_publish" {
- statement {
- effect = "Allow"
- principals {
- identifiers = [
- "*",
- ]
- type = "AWS"
- }
- actions = [
- "SQS:SendMessage",
- ]
- resources = [
- aws_sqs_queue.new_elblog.arn
- ]
- condition {
- test = "ArnEquals"
- values = [
- aws_sns_topic.new_elb_log_event.arn
- ]
- variable = "aws:SourceArn"
- }
- }
- }
- // Dead Letter queue, use same parameters as main queue
- resource "aws_sqs_queue" "elblog-dlg" {
- name = "new-objects-for-${aws_s3_bucket.elb_logging_bucket.bucket}-dlq"
- message_retention_seconds = 300
- receive_wait_time_seconds = 0
- tags = merge(local.standard_tags, var.tags)
- kms_master_key_id = aws_kms_key.new_object_key.id
- kms_data_key_reuse_period_seconds = 3600
- }
- resource "aws_sqs_queue_policy" "elblog_bucket_can_publish" {
- policy = data.aws_iam_policy_document.sns_topic_elblog_can_publish.json
- queue_url = aws_sqs_queue.new_elblog.id
- }
- resource "aws_sns_topic_subscription" "elblog_bucket_change_notification_to_queue" {
- topic_arn = aws_sns_topic.new_elb_log_event.arn
- protocol = "sqs"
- endpoint = aws_sqs_queue.new_elblog.arn
- }
- //AWS Provider outdated arguments <4.4.0
- /*resource "aws_s3_bucket" "elb_logging_bucket" {
- bucket = "xdr-elb-${var.environment}"
- acl = "private"
- tags = merge(local.standard_tags, var.tags)
- versioning {
- enabled = true
- }
- logging {
- target_bucket = module.elb_logging_logging_bucket.s3_bucket_name
- target_prefix = "${var.aws_account_id}-${var.aws_region}-elblogs/"
- }
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "AES256" # ELB logging only supports SSE-S3
- }
- }
- }
- }
- */
|
