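# Streams a CloudWatch Logs group to S3 through a Kinesis Data Firehose
# delivery stream. Two service roles are created: one that Firehose assumes
# to write to the bucket, and one that CloudWatch Logs assumes to put records
# into the stream. Both trust policies are scoped to this account so another
# account cannot point the same service principal at these roles.

data "aws_caller_identity" "this" {}

resource "aws_kinesis_firehose_delivery_stream" "cwl-s3-firehose-stream" {
  name        = var.stream-name
  destination = "extended_s3"

  # Firehose validates bucket access when the stream is created, so the
  # role's policy must be attached before this resource is built.
  depends_on = [aws_iam_role_policy_attachment.firehose-role-policy-attachment]

  extended_s3_configuration {
    role_arn   = aws_iam_role.firehose-stream-iam-role.arn
    bucket_arn = var.dest-bucket-arn
    # S3 prefixes must not start with "/" or objects land under an empty
    # first path segment.
    prefix              = trimprefix(var.dest-bucket-prefix, "/")
    error_output_prefix = "FirehoseErrors/"
    kms_key_arn         = var.dest-bucket-kmskey-arn

    cloudwatch_logging_options {
      enabled = var.enable-firehose-errorlog
      # The log group only exists when error logging is enabled; try() yields
      # null instead of an index error when count is 0.
      log_group_name  = try(aws_cloudwatch_log_group.firehose-log[0].name, null)
      log_stream_name = "DestinationDelivery"
    }
  }

  # Encryption of records at rest inside Firehose. NOTE(review): the delivery
  # role below grants no kms:* permission on var.firehose-kmskey-arn, so access
  # for SSE is expected to be granted in that key's policy — confirm.
  server_side_encryption {
    enabled  = true
    key_type = "CUSTOMER_MANAGED_CMK"
    key_arn  = var.firehose-kmskey-arn
  }
}

# Optional destination for Firehose delivery error logs. Not encrypted with a
# customer-managed key; add kms_key_id if the log content requires it.
resource "aws_cloudwatch_log_group" "firehose-log" {
  count             = var.enable-firehose-errorlog ? 1 : 0
  name              = "/aws/kinesisfirehose/${var.stream-name}"
  retention_in_days = 365
}

# Forwards every event (empty filter pattern) from the source log group to the
# delivery stream.
resource "aws_cloudwatch_log_subscription_filter" "cwl-sub-filter" {
  log_group_name  = var.source-cwlgroup-name
  name            = "stream-to-s3"
  role_arn        = aws_iam_role.cwlog-stream-role.arn
  filter_pattern  = ""
  destination_arn = aws_kinesis_firehose_delivery_stream.cwl-s3-firehose-stream.arn

  # CloudWatch Logs sends a test record on creation; without the policy in
  # place that call is denied and the filter fails to create.
  depends_on = [aws_iam_role_policy_attachment.cwlog-role-policy-attachment]
}

# Suffix that keeps role/policy names unique when the module is instantiated
# more than once with the same stream name.
resource "random_id" "rid" {
  byte_length = 4
}

resource "aws_iam_role" "firehose-stream-iam-role" {
  name        = "firehose-stream-role-${var.stream-name}-${random_id.rid.dec}"
  description = "Kinesis Firehose IAM role for streaming logs from CloudwatchLog to S3"

  # Firehose presents the calling account id as sts:ExternalId; requiring it
  # prevents a stream in another account from assuming this role.
  assume_role_policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Sid" : "FirehoseStreaming",
          "Effect" : "Allow",
          "Principal" : {
            "Service" : "firehose.amazonaws.com"
          },
          "Action" : "sts:AssumeRole",
          "Condition" : {
            "StringEquals" : {
              "sts:ExternalId" : data.aws_caller_identity.this.account_id
            }
          }
        }
      ]
    }
  )
}

resource "aws_iam_role_policy_attachment" "firehose-role-policy-attachment" {
  role       = aws_iam_role.firehose-stream-iam-role.name
  policy_arn = aws_iam_policy.firehose-role-policy.arn
}

resource "aws_iam_policy" "firehose-role-policy" {
  name        = "kinesis-firehose-log-stream-${var.stream-name}-${random_id.rid.dec}"
  description = "Policy for Kinesis Firehose streaming logs to s3"

  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        # Write access to the destination bucket and its objects.
        {
          "Effect" : "Allow",
          "Action" : [
            "s3:AbortMultipartUpload",
            "s3:GetBucketLocation",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads",
            "s3:PutObject"
          ],
          "Resource" : [
            var.dest-bucket-arn,
            "${var.dest-bucket-arn}/*"
          ]
        },
        # Key used for SSE-KMS on the delivered objects. TODO(review): scope
        # with a kms:ViaService / kms:EncryptionContext condition once the
        # bucket's region is known to this module.
        {
          "Effect" : "Allow",
          "Action" : [
            "kms:Decrypt",
            "kms:GenerateDataKey"
          ],
          "Resource" : [
            var.dest-bucket-kmskey-arn
          ]
        },
        # Error logging into the firehose-log group. The log stream ARN has the
        # form log-group:<name>:log-stream:<stream>, so the resource pattern
        # must continue with ":" after the group name, not "/". Region and
        # account are pinned to the same values the stream itself uses.
        {
          "Effect" : "Allow",
          "Action" : [
            "logs:PutLogEvents",
            "logs:PutLogEventsBatch",
            "logs:CreateLogStream"
          ],
          "Resource" : [
            "arn:aws:logs:${var.cwl-region}:${data.aws_caller_identity.this.account_id}:log-group:/aws/kinesisfirehose/${var.stream-name}:log-stream:*"
          ]
        }
      ]
    }
  )
}

resource "aws_iam_role" "cwlog-stream-role" {
  name        = "cloudwatchlog-stream-role-${var.stream-name}-${random_id.rid.dec}"
  description = "CloudwatchLog role for streaming to firehose"

  # Restrict the regional Logs service principal to log groups in this account
  # (confused-deputy protection via aws:SourceArn).
  assume_role_policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Sid" : "CloudwatchLogStreaming",
          "Effect" : "Allow",
          "Principal" : {
            "Service" : "logs.${var.cwl-region}.amazonaws.com"
          },
          "Action" : "sts:AssumeRole",
          "Condition" : {
            "StringLike" : {
              "aws:SourceArn" : "arn:aws:logs:${var.cwl-region}:${data.aws_caller_identity.this.account_id}:*"
            }
          }
        }
      ]
    }
  )
}

resource "aws_iam_role_policy_attachment" "cwlog-role-policy-attachment" {
  role       = aws_iam_role.cwlog-stream-role.name
  policy_arn = aws_iam_policy.cwlog-role-policy.arn
}

# CloudWatch Logs may only put records into this one delivery stream.
resource "aws_iam_policy" "cwlog-role-policy" {
  name        = "cloudwatchlog-stream-${var.stream-name}-${random_id.rid.dec}"
  description = "Policy for CloudWatch Logs streaming to Kinesis Firehose"

  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : ["firehose:PutRecord"],
          "Resource" : [
            "arn:aws:firehose:${var.cwl-region}:${data.aws_caller_identity.this.account_id}:deliverystream/${var.stream-name}"
          ]
        }
      ]
    }
  )
}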