-
Notifications
You must be signed in to change notification settings - Fork 1
/
cloudwatch_for_cdm.tf
92 lines (83 loc) · 2.84 KB
/
cloudwatch_for_cdm.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
# ------------------------------------------------------------------------------
# Provision the IAM policy that allows access to the CDM CloudWatch data
# and attach it to the existing IAM role that the CDM user can already
# assume to access the CDM CloudTrail data.
# ------------------------------------------------------------------------------
# Policy document that assigns the necessary permissions to access the
# CDM CloudWatch data.
data "aws_iam_policy_document" "allow_access_to_selected_cloudwatch_logs" {
statement {
actions = [
"logs:DescribeLogStreams",
]
effect = "Allow"
resources = [
for group in var.cloudwatch_policy_log_groups :
format("arn:aws:logs:%s:%d:log-group:%s", var.aws_region, local.sharedservices_account_id, group)
]
}
statement {
actions = [
"logs:GetLogEvents",
]
effect = "Allow"
resources = [
# setproduct() allows us to iterate through every possible pair
# where one member is selected from
# var.cloudwatch_policy_log_groups and the other is selected
# from var.cloudwatch_policy_instances.
for group_and_stream in setproduct(var.cloudwatch_policy_log_groups, var.cloudwatch_policy_instances) :
format("arn:aws:logs:%s:%d:log-group:%s:log-stream:%s", var.aws_region, local.sharedservices_account_id, group_and_stream[0], group_and_stream[1])
]
}
# The following statements provide permissions needed by the Splunk Add-on
# for AWS to access the SQS queue and S3 bucket where the CDM CloudWatch log
# data is stored. For more information, see:
# https://docs.splunk.com/Documentation/AddOns/released/AWS/SQS-basedS3
statement {
actions = [
"kms:Decrypt",
"sqs:ListQueues",
]
effect = "Allow"
resources = ["*"]
}
statement {
actions = [
"s3:GetObject",
"s3:GetObjectVersion",
]
effect = "Allow"
resources = [
"${aws_s3_bucket.cloudwatch.arn}/*",
]
}
statement {
actions = [
"sqs:ChangeMessageVisibility",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ReceiveMessage",
"sqs:SendMessage",
]
effect = "Allow"
resources = [
aws_sqs_queue.cloudwatch_logs.arn,
]
}
}
# Policy with the necessary permissions to access the CDM CloudWatch
# data.
resource "aws_iam_policy" "cloudwatch" {
provider = aws.sharedservicesprovisionaccount
description = var.cloudwatch_policy_description
name = var.cloudwatch_policy_name
policy = data.aws_iam_policy_document.allow_access_to_selected_cloudwatch_logs.json
}
# Attach the policy to the role that already exists
resource "aws_iam_role_policy_attachment" "cloudwatch" {
provider = aws.sharedservicesprovisionaccount
policy_arn = aws_iam_policy.cloudwatch.arn
role = module.cdm_cloudtrail.access_role.name
}