GL-28 make var.cloudwatch_logs_to_ship not manadatory; update IAM (#31)

* Fix #28 - ARN of log group to ship should be derived and made optional for input * Handle IAM permissions for list of LogGroups * Add newline at end of data.tf * Update README * Undo order changing in IAM policy * Update CHANGELOG.md * Remove broken badge * Add statement in IAM policy to derive ARN of var.name_cloudwatch_logs_to_ship
disney · Sep 24, 2023 · 2938cf5 · 2938cf5
1 parent f21440d
commit 2938cf5
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 14 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,8 +1,10 @@
 # Change Log for Terraform AWS Kinesis Firehose Splunk
 
 ## v8.1.0
- * Making var.name\_cloudwatch\_logs\_to\_ship non-mandatory. The var will now default to `null` and the subscription filter will not be created in such case.
- * Adding var.cloudwatch\_log\_group\_names\_to\_ship to allow creating subscription filters to multiple log groups.
+ * Change `var.name_cloudwatch_logs_to_ship` to be non-mandatory. It will now default to `null` and the subscription filter will not be created if it is `null`. See `var.cloudwatch_log_group_names_to_ship` to create subscription filters to multiple log groups.
+ * Fix [#27](https://github.com/disney/terraform-aws-kinesis-firehose-splunk/issues/27) - Add `var.cloudwatch_log_group_names_to_ship` to allow creating subscription filters to multiple log groups.
+ * Fix [#28](https://github.com/disney/terraform-aws-kinesis-firehose-splunk/issues/28) - Change `var.arn_cloudwatch_logs_to_ship` to be non-mandatory. The ARN will now be derived automatically if `var.name_cloudwatch_logs_to_ship` is used (not `null`).
+ * Update README.md with variable changes, and a new description for `var.cloudwatch_logs_to_ship`.
 
 ## v8.0.0 - **Breaking Changes**
  * Requires `>= 5.0.0, < 6.0.0` of the terraform aws [provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)

diff --git a/README.md b/README.md
@@ -1,5 +1,3 @@
-[![pre-commit.ci status](https://results.pre-commit.ci/badge/github/disney/terraform-aws-kinesis-firehose-splunk/master.svg)](https://results.pre-commit.ci/latest/github/disney/terraform-aws-kinesis-firehose-splunk/master)
-
 # Send CloudWatch Logs to Splunk via Kinesis Firehose
 
 This module configures a Kinesis Firehose, sets up a subscription for a desired CloudWatch Log Group to the Firehose, and sends the log data to Splunk.  A Lambda function is required to transform the CloudWatch Log data from "CloudWatch compressed format" to a format compatible with Splunk.  This module takes care of configuring this Lambda function.
@@ -89,18 +87,20 @@ As of v7.0.0, there are two additional options available to pass in the HEC toke
 | [aws_s3_bucket_server_side_encryption_configuration.kinesis_firehose_s3_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_versioning.kinesis_firehose_s3_bucket_versioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [archive_file.lambda_function](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.cloudwatch_to_fh_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kinesis_firehose_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lambda_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_arn_cloudwatch_logs_to_ship"></a> [arn\_cloudwatch\_logs\_to\_ship](#input\_arn\_cloudwatch\_logs\_to\_ship) | arn of the CloudWatch Log Group that you want to ship to Splunk. | `string` | n/a | yes |
 | <a name="input_hec_url"></a> [hec\_url](#input\_hec\_url) | Splunk Kinesis URL for submitting CloudWatch logs to splunk | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The region of AWS you want to work in, such as us-west-2 or us-east-1 | `string` | n/a | yes |
 | <a name="input_s3_bucket_name"></a> [s3\_bucket\_name](#input\_s3\_bucket\_name) | Name of the s3 bucket Kinesis Firehose uses for backups | `string` | n/a | yes |
+| <a name="input_arn_cloudwatch_logs_to_ship"></a> [arn\_cloudwatch\_logs\_to\_ship](#input\_arn\_cloudwatch\_logs\_to\_ship) | arn of the CloudWatch Log Group that you want to ship to Splunk. | `string` | `null` | no |
 | <a name="input_aws_s3_bucket_versioning"></a> [aws\_s3\_bucket\_versioning](#input\_aws\_s3\_bucket\_versioning) | Versioning state of the bucket. Valid values: Enabled, Suspended, or Disabled. Disabled should only be used when creating or importing resources that correspond to unversioned S3 buckets. | `string` | `null` | no |
 | <a name="input_cloudwach_log_group_kms_key_id"></a> [cloudwach\_log\_group\_kms\_key\_id](#input\_cloudwach\_log\_group\_kms\_key\_id) | KMS key ID of the key to use to encrypt the Cloudwatch log group | `string` | `null` | no |
 | <a name="input_cloudwatch_log_filter_name"></a> [cloudwatch\_log\_filter\_name](#input\_cloudwatch\_log\_filter\_name) | Name of Log Filter for CloudWatch Log subscription to Kinesis Firehose | `string` | `"KinesisSubscriptionFilter"` | no |

diff --git a/data.tf b/data.tf
@@ -0,0 +1,3 @@
+data "aws_region" "current" {}
+
+data "aws_caller_identity" "current" {}
diff --git a/main.tf b/main.tf
@@ -193,17 +193,49 @@ POLICY
 }
 
 data "aws_iam_policy_document" "lambda_policy_doc" {
-  #checkov:skip=CKV_AWS_356:Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions
-  statement {
-    actions = [
-      "logs:GetLogEvents",
-    ]
+  dynamic "statement" {
+    for_each = var.arn_cloudwatch_logs_to_ship != null ? [var.arn_cloudwatch_logs_to_ship] : []
+    content {
+      actions = [
+        "logs:GetLogEvents",
+      ]
 
-    resources = [
-      var.arn_cloudwatch_logs_to_ship,
-    ]
+      resources = [
+        var.arn_cloudwatch_logs_to_ship,
+      ]
 
-    effect = "Allow"
+      effect = "Allow"
+    }
+  }
+
+  dynamic "statement" {
+    for_each = toset(var.cloudwatch_log_group_names_to_ship) != null ? toset(var.cloudwatch_log_group_names_to_ship) : []
+    content {
+      actions = [
+        "logs:GetLogEvents",
+      ]
+
+      resources = [
+        "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${statement.value}:*"
+      ]
+
+      effect = "Allow"
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.name_cloudwatch_logs_to_ship != null ? [var.name_cloudwatch_logs_to_ship] : []
+    content {
+      actions = [
+        "logs:GetLogEvents",
+      ]
+
+      resources = [
+        "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${statement.value}:*"
+      ]
+
+      effect = "Allow"
+    }
   }
 
   statement {

diff --git a/variables.tf b/variables.tf
@@ -124,6 +124,7 @@ variable "kinesis_firehose_role_name" {
 variable "arn_cloudwatch_logs_to_ship" {
   description = "arn of the CloudWatch Log Group that you want to ship to Splunk."
   type        = string
+  default     = null
 }
 
 variable "name_cloudwatch_logs_to_ship" {