xpk/terraform.aws-baseline-infra
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
1c1c75d5e4
terraform.aws-baseline-infra/modules/ManagementGovernance/Cwl-firehose-s3/main.tf

161 lines
4.6 KiB
Terraform
Raw Normal View History

UPD: Added Cwl-firehose-s3 module and pulled a couple updates from upstream repo.
2024-01-13 00:25:30 +08:00
resource "aws_kinesis_firehose_delivery_stream" "cwl-s3-firehose-stream" {
name = var.stream-name
destination = "extended_s3"
extended_s3_configuration {
role_arn = aws_iam_role.firehose-stream-iam-role.arn
bucket_arn = var.dest-bucket-arn
prefix = trimprefix(var.dest-bucket-prefix, "/")
error_output_prefix = "FirehoseErrors/"
kms_key_arn = var.dest-bucket-kmskey-arn
cloudwatch_logging_options {
enabled = var.enable-firehose-errorlog
log_group_name = try(aws_cloudwatch_log_group.firehose-log[0].name, null)
log_stream_name = "DestinationDelivery"
}
}
server_side_encryption {
enabled = true
key_type = "CUSTOMER_MANAGED_CMK"
key_arn = var.firehose-kmskey-arn
}
}
resource "aws_cloudwatch_log_group" "firehose-log" {
count = var.enable-firehose-errorlog ? 1 : 0
name = "/aws/kinesisfirehose/${var.stream-name}"
retention_in_days = 365
}
resource "aws_cloudwatch_log_subscription_filter" "cwl-sub-filter" {
log_group_name = var.source-cwlgroup-name
name = "stream-to-s3"
role_arn = aws_iam_role.cwlog-stream-role.arn
filter_pattern = ""
destination_arn = aws_kinesis_firehose_delivery_stream.cwl-s3-firehose-stream.arn
}
resource "random_id" "rid" {
byte_length = 4
}
resource "aws_iam_role" "firehose-stream-iam-role" {
name = "firehose-stream-role-${var.stream-name}-${random_id.rid.dec}"
description = "Kinesis Firehose IAM role for streaming logs from CloudwatchLog to S3"
assume_role_policy = jsonencode(
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "FirehoseStreaming",
"Effect" : "Allow",
"Principal" : {
"Service" : "firehose.amazonaws.com"
},
"Action" : "sts:AssumeRole"
}
]
}
)
}
resource "aws_iam_role_policy_attachment" "firehose-role-policy-attachment" {
role = aws_iam_role.firehose-stream-iam-role.name
policy_arn = aws_iam_policy.firehose-role-policy.arn
}
resource "aws_iam_policy" "firehose-role-policy" {
name = "kinesis-firehose-log-stream-${var.stream-name}-${random_id.rid.dec}"
description = "Policy for Kinesis Firehose streaming logs to s3"
policy = jsonencode(
{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutObject"
],
"Resource" : [
var.dest-bucket-arn,
"${var.dest-bucket-arn}/*"
]
},
{
"Effect" : "Allow",
"Action" : [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource" : [
var.dest-bucket-kmskey-arn
]
},
{
"Effect" : "Allow",
"Action" : [
"logs:PutLogEvents",
"logs:PutLogEventsBatch",
"logs:CreateLogStream"
],
"Resource" : [
"arn:aws:logs:*:*:log-group:/aws/kinesisfirehose/${var.stream-name}/*"
]
}
]
}
)
}
resource "aws_iam_role" "cwlog-stream-role" {
name = "cloudwatchlog-stream-role-${var.stream-name}-${random_id.rid.dec}"
description = "CloudwatchLog role for streaming to firehose"
assume_role_policy = jsonencode(
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "CloudwatchLogStreaming",
"Effect" : "Allow",
"Principal" : {
"Service" : "logs.${var.cwl-region}.amazonaws.com"
},
"Action" : "sts:AssumeRole"
}
]
}
)
}
resource "aws_iam_role_policy_attachment" "cwlog-role-policy-attachment" {
role = aws_iam_role.cwlog-stream-role.name
policy_arn = aws_iam_policy.cwlog-role-policy.arn
}
resource "aws_iam_policy" "cwlog-role-policy" {
name = "cloudwatchlog-stream-${var.stream-name}-${random_id.rid.dec}"
description = "Policy for CloudWatch Logs streaming to Kinesis Firehose"
policy = jsonencode(
{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : ["firehose:PutRecord"],
"Resource" : [
"arn:aws:firehose:${var.cwl-region}:${data.aws_caller_identity.this.account_id}:deliverystream/${var.stream-name}"
]
}
]
}
)
}
data "aws_caller_identity" "this" {}
Reference in New Issue Copy Permalink