From b83d89be306765a83427bf8dd883707e97e39e05 Mon Sep 17 00:00:00 2001 
From: mattJsonar Date: Thu, 25 Jul 2024 15:56:55 -0700 Subject: [PATCH 1/4] add dynamodb modules --- examples/dsfhub-aws-cloud-account/README.md | 13 + .../onboard-aws-dynamodb-cloudwatch/README.md | 39 +++ .../onboard-aws-dynamodb-cloudwatch/main.tf | 132 ++++++++++ examples/onboard-aws-dynamodb-s3/README.md | 38 +++ examples/onboard-aws-dynamodb-s3/main.tf | 148 +++++++++++ modules/aws-cloudtrail/README.md | 32 +++ modules/aws-cloudtrail/main.tf | 26 ++ modules/aws-cloudtrail/outputs.tf | 4 + modules/aws-cloudtrail/variables.tf | 49 ++++ modules/aws-cloudwatch-event-rule/README.md | 31 +++ modules/aws-cloudwatch-event-rule/main.tf | 7 + modules/aws-cloudwatch-event-rule/outputs.tf | 4 + .../aws-cloudwatch-event-rule/variables.tf | 33 +++ modules/aws-cloudwatch-event-target/README.md | 29 +++ modules/aws-cloudwatch-event-target/main.tf | 5 + .../aws-cloudwatch-event-target/outputs.tf | 4 + .../aws-cloudwatch-event-target/variables.tf | 15 ++ .../README.md | 28 ++ .../main.tf | 4 + .../outputs.tf | 4 + .../variables.tf | 9 + modules/aws-iam-role/README.md | 3 +- modules/aws-iam-role/main.tf | 10 + modules/aws-iam-role/variables.tf | 35 ++- .../README.md | 30 +++ .../main.tf | 38 +++ .../outputs.tf | 4 + .../variables.tf | 48 ++++ modules/aws-s3-bucket/variables.tf | 1 + modules/dsfhub-aws-cloud-account/README.md | 8 +- modules/dsfhub-aws-dynamodb/README.md | 42 +++ modules/dsfhub-aws-dynamodb/main.tf | 39 +++ modules/dsfhub-aws-dynamodb/outputs.tf | 4 + modules/dsfhub-aws-dynamodb/variables.tf | 95 +++++++ .../onboard-aws-dynamodb-cloudwatch/README.md | 86 +++++++ .../onboard-aws-dynamodb-cloudwatch/main.tf | 187 ++++++++++++++ .../outputs.tf | 44 ++++ .../variables.tf | 193 ++++++++++++++ modules/onboard-aws-dynamodb-s3/README.md | 98 +++++++ modules/onboard-aws-dynamodb-s3/main.tf | 233 +++++++++++++++++ modules/onboard-aws-dynamodb-s3/outputs.tf | 49 ++++ modules/onboard-aws-dynamodb-s3/variables.tf | 239 ++++++++++++++++++ 42 files changed, 2125 insertions(+), 
15 deletions(-) create mode 100644 examples/onboard-aws-dynamodb-cloudwatch/README.md create mode 100644 examples/onboard-aws-dynamodb-cloudwatch/main.tf create mode 100644 examples/onboard-aws-dynamodb-s3/README.md create mode 100644 examples/onboard-aws-dynamodb-s3/main.tf create mode 100644 modules/aws-cloudtrail/README.md create mode 100644 modules/aws-cloudtrail/main.tf create mode 100644 modules/aws-cloudtrail/outputs.tf create mode 100644 modules/aws-cloudtrail/variables.tf create mode 100644 modules/aws-cloudwatch-event-rule/README.md create mode 100644 modules/aws-cloudwatch-event-rule/main.tf create mode 100644 modules/aws-cloudwatch-event-rule/outputs.tf create mode 100644 modules/aws-cloudwatch-event-rule/variables.tf create mode 100644 modules/aws-cloudwatch-event-target/README.md create mode 100644 modules/aws-cloudwatch-event-target/main.tf create mode 100644 modules/aws-cloudwatch-event-target/outputs.tf create mode 100644 modules/aws-cloudwatch-event-target/variables.tf create mode 100644 modules/aws-cloudwatch-log-resource-policy/README.md create mode 100644 modules/aws-cloudwatch-log-resource-policy/main.tf create mode 100644 modules/aws-cloudwatch-log-resource-policy/outputs.tf create mode 100644 modules/aws-cloudwatch-log-resource-policy/variables.tf create mode 100644 modules/aws-kinesis-firehose-delivery-stream/README.md create mode 100644 modules/aws-kinesis-firehose-delivery-stream/main.tf create mode 100644 modules/aws-kinesis-firehose-delivery-stream/outputs.tf create mode 100644 modules/aws-kinesis-firehose-delivery-stream/variables.tf create mode 100644 modules/dsfhub-aws-dynamodb/README.md create mode 100644 modules/dsfhub-aws-dynamodb/main.tf create mode 100644 modules/dsfhub-aws-dynamodb/outputs.tf create mode 100644 modules/dsfhub-aws-dynamodb/variables.tf create mode 100644 modules/onboard-aws-dynamodb-cloudwatch/README.md create mode 100644 modules/onboard-aws-dynamodb-cloudwatch/main.tf create mode 100644 
modules/onboard-aws-dynamodb-cloudwatch/outputs.tf create mode 100644 modules/onboard-aws-dynamodb-cloudwatch/variables.tf create mode 100644 modules/onboard-aws-dynamodb-s3/README.md create mode 100644 modules/onboard-aws-dynamodb-s3/main.tf create mode 100644 modules/onboard-aws-dynamodb-s3/outputs.tf create mode 100644 modules/onboard-aws-dynamodb-s3/variables.tf diff --git a/examples/dsfhub-aws-cloud-account/README.md b/examples/dsfhub-aws-cloud-account/README.md index 4027028..0b9768c 100644 --- a/examples/dsfhub-aws-cloud-account/README.md +++ b/examples/dsfhub-aws-cloud-account/README.md @@ -1,3 +1,16 @@ +# AWS Cloud Account Asset + +This example covers the various authentication mechanisms that are supported for AWS cloud account assets. This includes the following: + +| Auth Mechanism | Notes | +|----------------|-------| +| default | DSF uses the IAM role attached to the EC2 instance metadata. If there is no IAM role attached, DSF will look for a profile name called ``default`` in the AWS credentials file located at ``${JSONAR_LOCALDIR}/credentials/.aws/credentials``. | +| iam_role | The DSF machine (either Hub or Agentless Gateway) will assume the role specified in the ``arn`` field. Only supported for DSF machines that are EC2 instances. | +| key | Uses ``aws_access_key`` and ``aws_secret_key`` to authenticate with the given IAM user access keys. | +| profile | Uses an AWS profile specified in the ``profile_name`` field and defined in the AWS credentials file located at ``${JSONAR_LOCALDIR}/credentials/.aws/credentials``. | + +More information can be found in the [AWS Asset Specifications](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/AWS-Asset-Specifications_35815635.html). + ## Requirements diff --git a/examples/onboard-aws-dynamodb-cloudwatch/README.md b/examples/onboard-aws-dynamodb-cloudwatch/README.md new file mode 100644 index 0000000..e85861a --- /dev/null 
+++ b/examples/onboard-aws-dynamodb-cloudwatch/README.md 
@@ -0,0 +1,39 @@ +# Onboard Amazon DynamoDB via CloudWatch +This example will cover the ways to onboard Amazon DynamoDB via CloudWatch, including the various authentication mechanisms that are supported to authenticate to AWS and access the audit logs. This includes the following: + +| Auth Mechanism | Notes | +|----------------|-------| +| default | DSF uses the IAM role attached to the EC2 instance metadata. If there is no IAM role attached, DSF will look for a profile name called ``default`` in the AWS credentials file located at ``${JSONAR_LOCALDIR}/credentials/.aws/credentials``. | +| iam_role | The DSF machine (either Hub or Agentless Gateway) will assume the role specified in the ``aws_dynamodb_iam_role_name`` field. Only supported for DSF machines that are EC2 instances. | +| key | Uses ``aws_dynamodb_access_id`` and ``aws_secret_key`` to authenticate with the given IAM user access keys. | +| profile | Uses an AWS profile specified in the ``aws_dynamodb_profile_name`` field and defined in the AWS credentials file located at ``${JSONAR_LOCALDIR}/credentials/.aws/credentials``. | + + +More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-DynamoDB-Onboarding-Steps_48366959.html). + +This example creates both 'aws' and 'dsfhub' resources. 
More information regarding authentication to each can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + + + + + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [dynamodb-1](#module\_dynamodb-1) | ../../modules/onboard-aws-dynamodb-cloudwatch | n/a | +| [dynamodb-2](#module\_dynamodb-2) | ../../modules/onboard-aws-dynamodb-cloudwatch | n/a | +| [dynamodb-3](#module\_dynamodb-3) | ../../modules/onboard-aws-dynamodb-cloudwatch | n/a | +| [dynamodb-4](#module\_dynamodb-4) | ../../modules/onboard-aws-dynamodb-cloudwatch | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_dynamodb\_access\_id](#input\_aws\_dynamodb\_access\_id) | n/a | `any` | n/a | yes | +| [aws\_dynamodb\_secret\_key](#input\_aws\_dynamodb\_secret\_key) | n/a | `any` | n/a | yes | +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + \ No newline at end of file diff --git a/examples/onboard-aws-dynamodb-cloudwatch/main.tf b/examples/onboard-aws-dynamodb-cloudwatch/main.tf new file mode 100644 index 0000000..0829da9 --- /dev/null +++ b/examples/onboard-aws-dynamodb-cloudwatch/main.tf 
@@ -0,0 +1,132 @@
+locals {
+ aws_region = "us-east-2"
+ admin_email = "person@example.com"
+ gateway_id = "a1b2c3d4-1234-5678-9123-cd1edcef7642"
+}
+
+################################################################################
+# Providers
+################################################################################
+terraform {
+ required_providers {
+ dsfhub = {
+ source = "imperva/dsfhub"
+ }
+ }
+}
+
+provider "aws" {
+ region = local.aws_region
+}
+
+variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable
+variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable
+
+provider "dsfhub" {
+ dsfhub_host = var.dsfhub_host
+ dsfhub_token = var.dsfhub_token
+}
+
+################################################################################
+# AWS DynamoDB - default auth_mechanism
+################################################################################
+module "dynamodb-1" {
+ source = "../../modules/onboard-aws-dynamodb-cloudwatch"
+
+ aws_dynamodb_admin_email = local.admin_email
+ aws_dynamodb_auth_mechanism = "default"
+ aws_dynamodb_gateway_id = local.gateway_id
+
+ aws_log_group_admin_email = local.admin_email
+ aws_log_group_audit_pull_enabled = true
+ aws_log_group_gateway_id = local.gateway_id
+ aws_log_group_reason = "default"
+
+ cloudtrail_name = "tf-dynamodb-cloudtrail"
+
+ eventbridge_rule_name = "tf-dynamodb-eventbridge-rule"
+
+ log_group_name = "tf-dynamodb-log-group"
+
+ s3_bucket_name = "tf-dynamodb-bucket"
+}
+
+################################################################################
+# AWS DynamoDB - iam_role auth_mechanism
+################################################################################
+module "dynamodb-2" {
+ source = "../../modules/onboard-aws-dynamodb-cloudwatch"
+
+ aws_dynamodb_admin_email = local.admin_email
+ aws_dynamodb_auth_mechanism = "iam_role"
+ aws_dynamodb_gateway_id = local.gateway_id
+ aws_dynamodb_iam_role_name = "arn:aws:iam::0123456789:role/my-example-role"
+
+ aws_log_group_admin_email = local.admin_email
+ aws_log_group_audit_pull_enabled = true
+ aws_log_group_gateway_id = local.gateway_id
+ aws_log_group_reason = "default"
+
+ cloudtrail_name = "tf-dynamodb-cloudtrail"
+
+ eventbridge_rule_name = "tf-dynamodb-eventbridge-rule"
+
+ log_group_name = "tf-dynamodb-log-group"
+
+ s3_bucket_name = "tf-dynamodb-bucket"
+}
+
+################################################################################
+# AWS DynamoDB - key auth_mechanism
+################################################################################
+# Source AWS key pair from environment variables
+variable "aws_dynamodb_access_id" {} # env var: TF_VAR_aws_dynamodb_access_id
+variable "aws_dynamodb_secret_key" {} # env var: TF_VAR_aws_dynamodb_secret_key
+
+module "dynamodb-3" {
+ source = "../../modules/onboard-aws-dynamodb-cloudwatch"
+
+ aws_dynamodb_admin_email = local.admin_email
+ aws_dynamodb_auth_mechanism = "key"
+ aws_dynamodb_gateway_id = local.gateway_id
+ aws_dynamodb_access_id = var.aws_dynamodb_access_id
+ aws_dynamodb_secret_key = var.aws_dynamodb_secret_key
+
+ aws_log_group_admin_email = local.admin_email
+ aws_log_group_audit_pull_enabled = true
+ aws_log_group_gateway_id = local.gateway_id
+ aws_log_group_reason = "default"
+
+ cloudtrail_name = "tf-dynamodb-cloudtrail"
+
+ eventbridge_rule_name = "tf-dynamodb-eventbridge-rule"
+
+ log_group_name = "tf-dynamodb-log-group"
+
+ s3_bucket_name = "tf-dynamodb-bucket"
+}
+
+################################################################################
+# AWS DynamoDB - profile auth_mechanism
+################################################################################
+module "dynamodb-4" {
+ source = "../../modules/onboard-aws-dynamodb-cloudwatch"
+
+ aws_dynamodb_admin_email = local.admin_email
+ aws_dynamodb_auth_mechanism = "profile"
+ aws_dynamodb_gateway_id = local.gateway_id
+ aws_dynamodb_profile_name = "my-profile"
+
+ aws_log_group_admin_email = local.admin_email
+ aws_log_group_audit_pull_enabled = true
+ aws_log_group_gateway_id = local.gateway_id
+ aws_log_group_reason = "default"
+
+ cloudtrail_name = "tf-dynamodb-cloudtrail"
+
+ eventbridge_rule_name = "tf-dynamodb-eventbridge-rule"
+
+ log_group_name = "tf-dynamodb-log-group"
+
+ s3_bucket_name = "tf-dynamodb-bucket"
+}
diff --git a/examples/onboard-aws-dynamodb-s3/README.md b/examples/onboard-aws-dynamodb-s3/README.md
new file mode 100644
index 0000000..371eb40
--- /dev/null
+++ b/examples/onboard-aws-dynamodb-s3/README.md
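Review bot: `variable "dsfhub_token" {}` and `variable "aws_dynamodb_secret_key" {}` are declared with neither a type nor `sensitive = true`, so the DSF token and the IAM secret key are echoed in plain text in every plan/apply output and in any CI log that captures it; the same four bare declarations appear in examples/onboard-aws-dynamodb-s3/main.tf. Adding `type = string` and `sensitive = true` to both secret variables (and `type = string` to `dsfhub_host` and `aws_dynamodb_access_id`) keeps the values redacted in CLI output and gives the inputs a schema instead of `any`. All four module instances also pass identical `cloudtrail_name`, `eventbridge_rule_name`, `log_group_name` and `s3_bucket_name` values; if the module creates those resources (its main.tf is outside this hunk), applying the example as written would collide on names, so a comment such as `# apply only one of the dynamodb-N blocks at a time` would make the intent explicit. Finally, `aws_dynamodb_iam_role_name` is given a full role ARN while its name says "role name"; a trailing `# full role ARN, not the bare role name` would spare the next reader a trip into the module.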
@@ -0,0 +1,38 @@ +# Onboard Amazon DynamoDB via S3 Bucket +This example will cover the ways to onboard Amazon DynamoDB via S3, including the various authentication mechanisms that are supported to authenticate to AWS and access the audit logs. This includes the following: + +| Auth Mechanism | Notes | +|----------------|-------| +| default | DSF uses the IAM role attached to the EC2 instance metadata. If there is no IAM role attached, DSF will look for a profile name called ``default`` in the AWS credentials file located at ``${JSONAR_LOCALDIR}/credentials/.aws/credentials``. | +| iam_role | The DSF machine (either Hub or Agentless Gateway) will assume the role specified in the ``aws_dynamodb_iam_role_name`` field. Only supported for DSF machines that are EC2 instances. | +| key | Uses ``aws_dynamodb_access_id`` and ``aws_secret_key`` to authenticate with the given IAM user access keys. | +| profile | Uses an AWS profile specified in the ``aws_dynamodb_profile_name`` field and defined in the AWS credentials file located at ``${JSONAR_LOCALDIR}/credentials/.aws/credentials``. | + + +More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-DynamoDB-via-S3-Onboarding-Steps_152764418.html). + +This example creates both 'aws' and 'dsfhub' resources. 
More information regarding authentication to each can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + + + + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [dynamodb-1](#module\_dynamodb-1) | ../../modules/onboard-aws-dynamodb-s3 | n/a | +| [dynamodb-2](#module\_dynamodb-2) | ../../modules/onboard-aws-dynamodb-s3 | n/a | +| [dynamodb-3](#module\_dynamodb-3) | ../../modules/onboard-aws-dynamodb-s3 | n/a | +| [dynamodb-4](#module\_dynamodb-4) | ../../modules/onboard-aws-dynamodb-s3 | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_dynamodb\_access\_id](#input\_aws\_dynamodb\_access\_id) | n/a | `any` | n/a | yes | +| [aws\_dynamodb\_secret\_key](#input\_aws\_dynamodb\_secret\_key) | n/a | `any` | n/a | yes | +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + \ No newline at end of file diff --git a/examples/onboard-aws-dynamodb-s3/main.tf b/examples/onboard-aws-dynamodb-s3/main.tf new file mode 100644 index 0000000..0bdc119 --- /dev/null +++ b/examples/onboard-aws-dynamodb-s3/main.tf 
@@ -0,0 +1,148 @@ +locals { + aws_region = "us-east-2" + admin_email = "person@example.com" + gateway_id = "a1b2c3d4-1234-5678-9123-cd1edcef7642" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# AWS DynamoDB - default auth_mechanism +################################################################################ +module "dynamodb-1" { + source = "../../modules/onboard-aws-dynamodb-s3" + + aws_dynamodb_admin_email = local.admin_email + aws_dynamodb_auth_mechanism = "default" + aws_dynamodb_gateway_id = local.gateway_id + + aws_s3_admin_email = local.admin_email + aws_s3_audit_pull_enabled = true + aws_s3_gateway_id = local.gateway_id + + cloudtrail_name = "tf-dynamodb-cloudtrail" + + eventbridge_iam_role_name = "tf-dynamodb-eventbridge-role" + + eventbridge_rule_name = "tf-dynamodb-eventbridge-rule" + + firehose_iam_role_name = "tf-dynamodb-firehose-role" + + firehose_name = "tf-dynamodb-firehose" + + s3_bucket = "tf-dynamodb-bucket" + s3_force_destroy = false +} + +################################################################################ +# AWS DynamoDB - iam_role auth_mechanism +################################################################################ +module "dynamodb-2" { + source = "../../modules/onboard-aws-dynamodb-s3" + + aws_dynamodb_admin_email = local.admin_email + aws_dynamodb_auth_mechanism = "iam_role" + aws_dynamodb_gateway_id = local.gateway_id + + aws_s3_admin_email = 
local.admin_email + aws_s3_audit_pull_enabled = true + aws_s3_gateway_id = local.gateway_id + aws_dynamodb_iam_role_name = "arn:aws:iam::0123456789:role/my-example-role" + + cloudtrail_name = "tf-dynamodb-cloudtrail" + + eventbridge_iam_role_name = "tf-dynamodb-eventbridge-role" + + eventbridge_rule_name = "tf-dynamodb-eventbridge-rule" + + firehose_iam_role_name = "tf-dynamodb-firehose-role" + + firehose_name = "tf-dynamodb-firehose" + + s3_bucket = "tf-dynamodb-bucket" + s3_force_destroy = false +} + +################################################################################ +# AWS DynamoDB - key auth_mechanism +################################################################################ +# Source AWS key pair from environment variables +variable "aws_dynamodb_access_id" {} # env var: TF_VAR_aws_dynamodb_access_id +variable "aws_dynamodb_secret_key" {} # env var: TF_VAR_aws_dynamodb_secret_key + +module "dynamodb-3" { + source = "../../modules/onboard-aws-dynamodb-s3" + + aws_dynamodb_access_id = var.aws_dynamodb_access_id + aws_dynamodb_admin_email = local.admin_email + aws_dynamodb_auth_mechanism = "key" + aws_dynamodb_gateway_id = local.gateway_id + aws_dynamodb_secret_key = var.aws_dynamodb_secret_key + + aws_s3_admin_email = local.admin_email + aws_s3_audit_pull_enabled = true + aws_s3_gateway_id = local.gateway_id + + cloudtrail_name = "tf-dynamodb-cloudtrail" + + eventbridge_iam_role_name = "tf-dynamodb-eventbridge-role" + + eventbridge_rule_name = "tf-dynamodb-eventbridge-rule" + + firehose_iam_role_name = "tf-dynamodb-firehose-role" + + firehose_name = "tf-dynamodb-firehose" + + s3_bucket = "tf-dynamodb-bucket" + s3_force_destroy = false +} + +################################################################################ +# AWS DynamoDB - profile auth_mechanism +################################################################################ +module "dynamodb-4" { + source = "../../modules/onboard-aws-dynamodb-s3" + + aws_dynamodb_admin_email 
= local.admin_email + aws_dynamodb_auth_mechanism = "profile" + aws_dynamodb_gateway_id = local.gateway_id + aws_dynamodb_profile_name = "my-profile" + + aws_s3_admin_email = local.admin_email + aws_s3_audit_pull_enabled = true + aws_s3_gateway_id = local.gateway_id + + cloudtrail_name = "tf-dynamodb-cloudtrail" + + eventbridge_iam_role_name = "tf-dynamodb-eventbridge-role" + + eventbridge_rule_name = "tf-dynamodb-eventbridge-rule" + + firehose_iam_role_name = "tf-dynamodb-firehose-role" + + firehose_name = "tf-dynamodb-firehose" + + s3_bucket = "tf-dynamodb-bucket" + s3_force_destroy = false +} diff --git a/modules/aws-cloudtrail/README.md b/modules/aws-cloudtrail/README.md new file mode 100644 index 0000000..1af90b9 --- /dev/null +++ b/modules/aws-cloudtrail/README.md @@ -0,0 +1,32 @@ + + + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudtrail.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [name](#input\_name) | Name of the trail. | `string` | n/a | yes | +| [s3\_bucket\_name](#input\_s3\_bucket\_name) | Name of the S3 bucket designated for publishing log files. | `string` | n/a | yes | +| [enable\_logging](#input\_enable\_logging) | Enables logging for the trail. Setting this to "false" will pause logging. | `bool` | `true` | no | +| [event\_selector](#input\_event\_selector) | Specifies an event selector for enabling data event logging. |
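Review bot: In module `dynamodb-2`, `aws_dynamodb_iam_role_name` sits inside the `aws_s3_*` argument group instead of with the other `aws_dynamodb_*` arguments, which is where `dynamodb-3` and `dynamodb-4` in this file (and all four blocks in the cloudwatch example) keep their auth-specific argument; moving it up one group keeps the four blocks parallel and makes the auth mechanism easy to compare by eye. The hunk also leaves `s3_force_destroy = false` uncommented in every block; a short `# keep the audit bucket and its logs on destroy` next to it would state the intent explicitly.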
list(
object(
{
data_resource = optional(
object(
{
type = string
values = list(string)
}
)
)
exclude_management_event_sources = optional(list(string))
include_management_events = optional(bool)
read_write_type = optional(string)
}
)
)
| `null` | no |
+| [include\_global\_service\_events](#input\_include\_global\_service\_events) | Whether the trail is publishing events from global services such as IAM to the log files. | `bool` | `true` | no |
+| [is\_multi\_region\_trail](#input\_is\_multi\_region\_trail) | Whether the trail is created in the current region or in all regions. | `bool` | `false` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS Cloudtrail |
+
\ No newline at end of file
diff --git a/modules/aws-cloudtrail/main.tf b/modules/aws-cloudtrail/main.tf
new file mode 100644
index 0000000..57ebaa9
--- /dev/null
+++ b/modules/aws-cloudtrail/main.tf
@@ -0,0 +1,26 @@
+resource "aws_cloudtrail" "this" {
+ enable_logging = var.enable_logging
+ include_global_service_events = var.include_global_service_events
+ is_multi_region_trail = var.is_multi_region_trail
+ name = var.name
+ s3_bucket_name = var.s3_bucket_name
+
+ dynamic "event_selector" {
+ # If event_selector is not defined, do not create
+ for_each = var.event_selector != null ? var.event_selector : []
+
+ content {
+ dynamic "data_resource" {
+ for_each = [event_selector.value.data_resource] != null ? [event_selector.value.data_resource] : []
+
+ content {
+ type = data_resource.value.type
+ values = data_resource.value.values
+ }
+ }
+ exclude_management_event_sources = event_selector.value.exclude_management_event_sources != null ? event_selector.value.exclude_management_event_sources : null
+ include_management_events = event_selector.value.include_management_events != null ? event_selector.value.include_management_events : null
+ read_write_type = event_selector.value.read_write_type != null ? event_selector.value.read_write_type : null
+ }
+ }
+}
diff --git a/modules/aws-cloudtrail/outputs.tf b/modules/aws-cloudtrail/outputs.tf
new file mode 100644
index 0000000..ef004b1
--- /dev/null
+++ b/modules/aws-cloudtrail/outputs.tf
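Review bot: The inner `dynamic "data_resource"` guard compares a one-element list with null (`[event_selector.value.data_resource] != null`), which is always true, so the block is emitted once even when the caller omits the optional `data_resource`; `data_resource.value.type` is then read from a null value and the plan fails. The test belongs on the value itself: `for_each = event_selector.value.data_resource != null ? [event_selector.value.data_resource] : []`. The three `x != null ? x : null` expressions below it are identities and can be reduced to the bare attribute reference, since a null argument is simply omitted. From a log-integrity standpoint the module also exposes neither `enable_log_file_validation` nor `kms_key_id` on the trail; surfacing them as optional variables would let the onboarding modules request digest-validated, KMS-encrypted trails without editing this module.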
@@ -0,0 +1,4 @@
+output "this" {
+ description = "AWS CloudTrail trail"
+ value = aws_cloudtrail.this
+}
diff --git a/modules/aws-cloudtrail/variables.tf b/modules/aws-cloudtrail/variables.tf
new file mode 100644
index 0000000..6e6c1cb
--- /dev/null
+++ b/modules/aws-cloudtrail/variables.tf
@@ -0,0 +1,49 @@
+variable "enable_logging" {
+ description = "Enables logging for the trail. Setting this to \"false\" will pause logging."
+ type = bool
+ default = true
+}
+
+variable "include_global_service_events" {
+ description = "Whether the trail is publishing events from global services such as IAM to the log files."
+ type = bool
+ default = true
+}
+
+variable "is_multi_region_trail" {
+ description = "Whether the trail is created in the current region or in all regions."
+ type = bool
+ default = false
+}
+
+variable "name" {
+ description = "Name of the trail."
+ type = string
+}
+
+variable "s3_bucket_name" {
+ description = "Name of the S3 bucket designated for publishing log files."
+ type = string
+}
+
+variable "event_selector" {
+ description = "Specifies an event selector for enabling data event logging."
+ type = list(
+ object(
+ {
+ data_resource = optional(
+ object(
+ {
+ type = string
+ values = list(string)
+ }
+ )
+ )
+ exclude_management_event_sources = optional(list(string))
+ include_management_events = optional(bool)
+ read_write_type = optional(string)
+ }
+ )
+ )
+ default = null
+}
diff --git a/modules/aws-cloudwatch-event-rule/README.md b/modules/aws-cloudwatch-event-rule/README.md
new file mode 100644
index 0000000..823c14b
--- /dev/null
+++ b/modules/aws-cloudwatch-event-rule/README.md
@@ -0,0 +1,31 @@
+
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_event_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [description](#input\_description) | The description of the rule. | `string` | `null` | no |
+| [event\_pattern](#input\_event\_pattern) | The event pattern described a JSON object. See full documentation of [Events and Event Patterns in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html) for details. | `any` | `null` | no |
+| [name](#input\_name) | The name of the rule. If omitted, Terraform will assign a random, unique name. | `string` | `null` | no |
+| [state](#input\_state) | State of the rule. Valid values are DISABLED, ENABLED, and ENABLED\_WITH\_ALL\_CLOUDTRAIL\_MANAGEMENT\_EVENTS. | `string` | `"ENABLED"` | no |
+| [tags](#input\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | EventBridge rule |
+
\ No newline at end of file
diff --git a/modules/aws-cloudwatch-event-rule/main.tf b/modules/aws-cloudwatch-event-rule/main.tf
new file mode 100644
index 0000000..a256eb2
--- /dev/null
+++ b/modules/aws-cloudwatch-event-rule/main.tf
@@ -0,0 +1,7 @@
+resource "aws_cloudwatch_event_rule" "this" {
+ description = var.description
+ name = var.name
+ event_pattern = var.event_pattern
+ state = var.state
+ tags = var.tags
+}
diff --git a/modules/aws-cloudwatch-event-rule/outputs.tf b/modules/aws-cloudwatch-event-rule/outputs.tf
new file mode 100644
index 0000000..7e3ff82
--- /dev/null
+++ b/modules/aws-cloudwatch-event-rule/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "EventBridge rule"
+ value = aws_cloudwatch_event_rule.this
+}
diff --git a/modules/aws-cloudwatch-event-rule/variables.tf b/modules/aws-cloudwatch-event-rule/variables.tf
new file mode 100644
index 0000000..d1342c9
--- /dev/null
+++ b/modules/aws-cloudwatch-event-rule/variables.tf
@@ -0,0 +1,33 @@
+variable "description" {
+ description = "The description of the rule."
+ type = string
+ default = null
+}
+
+variable "name" {
+ description = "The name of the rule. If omitted, Terraform will assign a random, unique name."
+ type = string
+ default = null
+}
+
+variable "event_pattern" {
+ description = "The event pattern described a JSON object. See full documentation of [Events and Event Patterns in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html) for details."
+ type = any
+ default = null
+}
+
+variable "state" {
+ description = "State of the rule. Valid values are DISABLED, ENABLED, and ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS."
+ type = string
+ default = "ENABLED"
+ validation {
+ condition = contains(["DISABLED", "ENABLED", "ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS"], var.state)
+ error_message = "Invalid state. Valid values are DISABLED, ENABLED, and ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS."
+ }
+}
+
+variable "tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
diff --git a/modules/aws-cloudwatch-event-target/README.md b/modules/aws-cloudwatch-event-target/README.md
new file mode 100644
index 0000000..83128e4
--- /dev/null
+++ b/modules/aws-cloudwatch-event-target/README.md
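Review bot: `event_pattern` is declared `type = any` while the resource argument it feeds (`event_pattern = var.event_pattern` in this module's main.tf) takes a JSON string, and its own description calls it "a JSON object"; an object value therefore passes variable validation and only fails inside the provider at plan time, with a less helpful message. Declaring `type = string` and noting in the description that callers pass `jsonencode(...)` moves that check to the variable, where the `state` variable in the same file already shows the pattern with its `validation` block. `policy_document` in modules/aws-cloudwatch-log-resource-policy/variables.tf has the same `any`-typed declaration for a JSON-string argument and would benefit from the same change.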
@@ -0,0 +1,29 @@
+
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_event_target.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [arn](#input\_arn) | The Amazon Resource Name (ARN) of the target. | `string` | n/a | yes |
+| [rule](#input\_rule) | The name of the rule you want to add targets to. | `string` | n/a | yes |
+| [role\_arn](#input\_role\_arn) | The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered. | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | EventBridge target |
+
\ No newline at end of file
diff --git a/modules/aws-cloudwatch-event-target/main.tf b/modules/aws-cloudwatch-event-target/main.tf
new file mode 100644
index 0000000..045af89
--- /dev/null
+++ b/modules/aws-cloudwatch-event-target/main.tf
@@ -0,0 +1,5 @@
+resource "aws_cloudwatch_event_target" "this" {
+ arn = var.arn
+ role_arn = var.role_arn
+ rule = var.rule
+}
diff --git a/modules/aws-cloudwatch-event-target/outputs.tf b/modules/aws-cloudwatch-event-target/outputs.tf
new file mode 100644
index 0000000..40cb003
--- /dev/null
+++ b/modules/aws-cloudwatch-event-target/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "EventBridge target"
+ value = aws_cloudwatch_event_target.this
+}
diff --git a/modules/aws-cloudwatch-event-target/variables.tf b/modules/aws-cloudwatch-event-target/variables.tf
new file mode 100644
index 0000000..93d3cd4
--- /dev/null
+++ b/modules/aws-cloudwatch-event-target/variables.tf
@@ -0,0 +1,15 @@ +variable "arn" { + description = "The Amazon Resource Name (ARN) of the target." + type = string +} + +variable "role_arn" { + description = "The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered." + type = string + default = null +} + +variable "rule" { + description = "The name of the rule you want to add targets to." + type = string +} diff --git a/modules/aws-cloudwatch-log-resource-policy/README.md b/modules/aws-cloudwatch-log-resource-policy/README.md new file mode 100644 index 0000000..57f7feb --- /dev/null +++ b/modules/aws-cloudwatch-log-resource-policy/README.md @@ -0,0 +1,28 @@ + + + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_log_resource_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_resource_policy) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [policy\_document](#input\_policy\_document) | Details of the resource policy, including the identity of the principal that is enabled to put logs to this account. This is formatted as a JSON string. Maximum length of 5120 characters. | `any` | n/a | yes | +| [policy\_name](#input\_policy\_name) | Name of the resource policy. | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | CloudWatch log resource policy. | + \ No newline at end of file diff --git a/modules/aws-cloudwatch-log-resource-policy/main.tf b/modules/aws-cloudwatch-log-resource-policy/main.tf new file mode 100644 index 0000000..bfce78d --- /dev/null +++ b/modules/aws-cloudwatch-log-resource-policy/main.tf @@ -0,0 +1,4 @@ +resource "aws_cloudwatch_log_resource_policy" "this" { + policy_document = var.policy_document + policy_name = var.policy_name +} 
diff --git a/modules/aws-cloudwatch-log-resource-policy/outputs.tf b/modules/aws-cloudwatch-log-resource-policy/outputs.tf
new file mode 100644
index 0000000..2f7ff6d
--- /dev/null
+++ b/modules/aws-cloudwatch-log-resource-policy/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "CloudWatch log resource policy."
+ value = aws_cloudwatch_log_resource_policy.this
+}
diff --git a/modules/aws-cloudwatch-log-resource-policy/variables.tf b/modules/aws-cloudwatch-log-resource-policy/variables.tf
new file mode 100644
index 0000000..e51ffa8
--- /dev/null
+++ b/modules/aws-cloudwatch-log-resource-policy/variables.tf
@@ -0,0 +1,9 @@
+variable "policy_document" {
+ description = "Details of the resource policy, including the identity of the principal that is enabled to put logs to this account. This is formatted as a JSON string. Maximum length of 5120 characters."
+ type = any
+}
+
+variable "policy_name" {
+ description = "Name of the resource policy."
+ type = string
+}
diff --git a/modules/aws-iam-role/README.md b/modules/aws-iam-role/README.md
index be8b754..17e6ebc 100644
--- a/modules/aws-iam-role/README.md
+++ b/modules/aws-iam-role/README.md
@@ -24,11 +24,12 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [assume\_role\_policy](#input\_assume\_role\_policy) | The policy that grants an entity permission to assume the role. | `string` | n/a | yes | +| [name](#input\_name) | Friendly name of the role. If omitted, Terraform will assign a random, unique name. Forces new resource. | `string` | n/a | yes | | [description](#input\_description) | The description of the IAM role. | `string` | `null` | no | | [force\_detach\_policies](#input\_force\_detach\_policies) | Specifies whether to force detaching any policies the role has before destroying it. Defaults to false. | `bool` | `false` | no | +| [inline\_policy](#input\_inline\_policy) | Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. |
list(
object(
{
name = string
policy = any
}
)
)
| `null` | no | | [managed\_policy\_arns](#input\_managed\_policy\_arns) | Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Terraform will ignore policy attachments to this resource. When configured, Terraform will align the role's managed policy attachments with this set by attaching or detaching managed policies. | `list(string)` | `null` | no | | [max\_session\_duration](#input\_max\_session\_duration) | The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours. | `number` | `3600` | no | -| [name](#input\_name) | Friendly name of the role. If omitted, Terraform will assign a random, unique name. Forces new resource. | `string` | n/a | yes | | [name\_prefix](#input\_name\_prefix) | Creates a unique friendly name beginning with the specified prefix. Conflicts with 'name'. Forces new resources. | `string` | `null` | no | | [path](#input\_path) | The path to the role. For more information about paths, see IAM Identifiers in the IAM User Guide. | `string` | `"/"` | no | | [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no | diff --git a/modules/aws-iam-role/main.tf b/modules/aws-iam-role/main.tf index f68d733..35282d9 100644 --- a/modules/aws-iam-role/main.tf +++ b/modules/aws-iam-role/main.tf @@ -9,4 +9,14 @@ resource "aws_iam_role" "this" { path = var.path permissions_boundary = var.permissions_boundary tags = var.tags + + dynamic "inline_policy" { + # If inline_policy is not defined, do not create + for_each = var.inline_policy != null ? var.inline_policy : [] + + content { + name = inline_policy.value.name + policy = inline_policy.value.policy + } + } } 
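Review bot: The `for_each` on the new `dynamic "inline_policy"` turns both `null` and an empty list into "no block", so a caller passing `inline_policy = []` leaves inline policies added outside Terraform untouched, while the variable's description promises an exclusive set; if I recall the provider docs correctly, only a literal empty `inline_policy {}` block makes Terraform remove out-of-band inline policies. Either document that `null` and `[]` both mean "unmanaged", or map `[]` to an empty block explicitly. The comment above `for_each` could read `# null leaves inline policies unmanaged; a non-null list becomes the exclusive set`. Recent AWS provider releases also mark `inline_policy` (and `managed_policy_arns`) as deprecated in favour of `aws_iam_role_policy` / `aws_iam_role_policy_attachment`, which callers of this module will see as warnings. The enclosing `resource "aws_iam_role" "this"` starts outside the hunk.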
diff --git a/modules/aws-iam-role/variables.tf b/modules/aws-iam-role/variables.tf index ef6bd2a..cba53dd 100644 --- a/modules/aws-iam-role/variables.tf +++ b/modules/aws-iam-role/variables.tf @@ -3,17 +3,6 @@ variable "assume_role_policy" { type = string } -variable "name" { - description = "Friendly name of the role. If omitted, Terraform will assign a random, unique name. Forces new resource." - type = string -} - -variable "name_prefix" { - description = "Creates a unique friendly name beginning with the specified prefix. Conflicts with 'name'. Forces new resources." - type = string - default = null -} - variable "description" { description = "The description of the IAM role." type = string @@ -26,6 +15,19 @@ variable "force_detach_policies" { default = false } +variable "inline_policy" { + description = "Configuration block defining an exclusive set of IAM inline policies associated with the IAM role." + type = list( + object( + { + name = string + policy = any + } + ) + ) + default = null +} + variable "managed_policy_arns" { description = "Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Terraform will ignore policy attachments to this resource. When configured, Terraform will align the role's managed policy attachments with this set by attaching or detaching managed policies." type = list(string) @@ -38,6 +40,17 @@ variable "max_session_duration" { default = 3600 } +variable "name" { + description = "Friendly name of the role. If omitted, Terraform will assign a random, unique name. Forces new resource." + type = string +} + +variable "name_prefix" { + description = "Creates a unique friendly name beginning with the specified prefix. Conflicts with 'name'. Forces new resources." + type = string + default = null +} + variable "path" { description = "The path to the role. For more information about paths, see IAM Identifiers in the IAM User Guide." type = string 
diff --git a/modules/aws-kinesis-firehose-delivery-stream/README.md b/modules/aws-kinesis-firehose-delivery-stream/README.md new file mode 100644 index 0000000..3b6c5d0 --- /dev/null +++ b/modules/aws-kinesis-firehose-delivery-stream/README.md @@ -0,0 +1,30 @@ + + + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_kinesis_firehose_delivery_stream.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [destination](#input\_destination) | This is the destination to where the data is delivered. Valid values: extended\_s3, redshift, elasticsearch, splunk, http\_endpoint, opensearch, opensearchserverless, snowflake. | `string` | n/a | yes | +| [name](#input\_name) | A name to identify the stream. This is unique to the AWS account and region the Stream is created in. | `string` | n/a | yes | +| [extended\_s3\_configuration](#input\_extended\_s3\_configuration) | Enhanced configuration options for the s3 destination. |
object(
{
bucket_arn = optional(string)
compression_format = optional(string)
error_output_prefix = optional(string)
file_extension = optional(string)
prefix = optional(string)
role_arn = optional(string)
processing_configuration = optional(
object(
{
enabled = string
processors = optional(
object(
{
type = string
# TODO: support 'parameters' block, see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream.html#parameters-block
}
)
)
}
)
)
}
)
| `null` | no |
+| [tags](#input\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | Kinesis firehose delivery stream |
+
\ No newline at end of file
diff --git a/modules/aws-kinesis-firehose-delivery-stream/main.tf b/modules/aws-kinesis-firehose-delivery-stream/main.tf
new file mode 100644
index 0000000..52aceca
--- /dev/null
+++ b/modules/aws-kinesis-firehose-delivery-stream/main.tf
@@ -0,0 +1,38 @@
+resource "aws_kinesis_firehose_delivery_stream" "this" {
+ destination = var.destination
+ name = var.name
+ tags = var.tags
+
+ dynamic "extended_s3_configuration" {
+ # If extended_s3_configuration is not defined, do not create
+ for_each = [var.extended_s3_configuration] != null ? [var.extended_s3_configuration] : []
+
+ content {
+ bucket_arn = extended_s3_configuration.value.bucket_arn
+ compression_format = extended_s3_configuration.value.compression_format
+ error_output_prefix = extended_s3_configuration.value.error_output_prefix
+ file_extension = extended_s3_configuration.value.file_extension
+ prefix = extended_s3_configuration.value.prefix
+ role_arn = extended_s3_configuration.value.role_arn
+
+ dynamic "processing_configuration" {
+ # If processing_configuration is not defined, do not create
+ for_each = [extended_s3_configuration.value.processing_configuration] != null ? [extended_s3_configuration.value.processing_configuration] : []
+
+ content {
+ enabled = processing_configuration.value.enabled
+
+ dynamic "processors" {
+ # If processors is not defined, do not create
+ for_each = [processing_configuration.value.processors] != null ? [processing_configuration.value.processors] : []
+
+ content {
+ type = processors.value.type
+ # TODO: support 'parameters' block, see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream.html#parameters-block
+ }
+ }
+ }
+ }
+ }
+ }
+}
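Review bot: All three `for_each` guards in the new `aws_kinesis_firehose_delivery_stream` resource compare a list literal with `null` (`[var.extended_s3_configuration] != null`), which is always true, so with the variable's default of `null` the `extended_s3_configuration` block is still generated and `extended_s3_configuration.value.bucket_arn` is evaluated against a null object; the nested `processing_configuration` and `processors` guards have the same defect. The outer line should be `for_each = var.extended_s3_configuration != null ? [var.extended_s3_configuration] : []`, with the two nested guards changed the same way. Since `processors` is a repeatable block in the provider, its `for_each` should iterate over a list of processor objects rather than wrapping a single object, which also requires the variable type in this module's variables.tf to change. The comments `# If ... is not defined, do not create` describe the intent but not the current behaviour.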
diff --git a/modules/aws-kinesis-firehose-delivery-stream/outputs.tf b/modules/aws-kinesis-firehose-delivery-stream/outputs.tf new file mode 100644 index 0000000..a5b8330 --- /dev/null +++ b/modules/aws-kinesis-firehose-delivery-stream/outputs.tf @@ -0,0 +1,4 @@ +output "this" { + description = "Kinesis firehose delivery stream" + value = aws_kinesis_firehose_delivery_stream.this +} diff --git a/modules/aws-kinesis-firehose-delivery-stream/variables.tf b/modules/aws-kinesis-firehose-delivery-stream/variables.tf new file mode 100644 index 0000000..6ed0353 --- /dev/null +++ b/modules/aws-kinesis-firehose-delivery-stream/variables.tf 
@@ -0,0 +1,48 @@
+variable "destination" {
+ description = "This is the destination to where the data is delivered. Valid values: extended_s3, redshift, elasticsearch, splunk, http_endpoint, opensearch, opensearchserverless, snowflake."
+ type = string
+ validation {
+ condition = contains(["extended_s3", "redshift", "elasticsearch", "splunk", "http_endpoint", "opensearch", "opensearchserverless", "snowflake"], var.destination)
+ error_message = "Invalid destination. Valid values: extended_s3, redshift, elasticsearch, splunk, http_endpoint, opensearch, opensearchserverless, snowflake."
+ }
+}
+
+variable "extended_s3_configuration" {
+ description = "Enhanced configuration options for the s3 destination."
+ type = object(
+ {
+ bucket_arn = optional(string)
+ compression_format = optional(string)
+ error_output_prefix = optional(string)
+ file_extension = optional(string)
+ prefix = optional(string)
+ role_arn = optional(string)
+ processing_configuration = optional(
+ object(
+ {
+ enabled = string
+ processors = optional(
+ object(
+ {
+ type = string
+ }
+ )
+ )
+ }
+ )
+ )
+ }
+ )
+ default = null
+}
+
+variable "name" {
+ description = "A name to identify the stream. This is unique to the AWS account and region the Stream is created in."
+ type = string
+}
+
+variable "tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
diff --git a/modules/aws-s3-bucket/variables.tf b/modules/aws-s3-bucket/variables.tf
index e22c2f9..b3ab3dd 100644
--- a/modules/aws-s3-bucket/variables.tf
+++ b/modules/aws-s3-bucket/variables.tf
@@ -20,6 +20,7 @@ variable "object_lock_enabled" {
 type = bool
 default = false
 }
+
 variable "tags" {
 description = "A map of tags to assign to the resource."
 type = map(string)
diff --git a/modules/dsfhub-aws-cloud-account/README.md b/modules/dsfhub-aws-cloud-account/README.md
index 6bfa3fc..db717ae 100644
--- a/modules/dsfhub-aws-cloud-account/README.md
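Review bot: `processors` inside `extended_s3_configuration` is typed as a single `object`, but the provider's `processors` is a repeatable block, so callers cannot express more than one processor; `processors = optional(list(object({ type = string })))` matches the provider schema and lets main.tf iterate over it. `enabled` is typed `string` where the provider argument is a boolean, so `type = bool` would give plan-time validation instead of relying on string coercion. `bucket_arn` and `role_arn` are `optional(string)` although I believe the provider requires both whenever `extended_s3_configuration` is present, so omitting them only fails once the block is rendered; saying so in the description would help callers.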
+++ b/modules/dsfhub-aws-cloud-account/README.md @@ -1,3 +1,5 @@ +# dsfhub-aws-cloud-account + ## Requirements @@ -26,12 +28,12 @@ No modules. | [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | | [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes | | [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:iam::1234567890" | `string` | n/a | yes | +| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [region](#input\_region) | Default AWS region of the account | `string` | n/a | yes | | [auth\_mechanism](#input\_auth\_mechanism) | Specifies the auth mechanism used by the connection for the account asset | `string` | `"default"` | no | | [aws\_access\_key](#input\_aws\_access\_key) | AWS Access ID | `string` | `null` | no | | [aws\_secret\_key](#input\_aws\_secret\_key) | AWS secret key | `string` | `null` | no | -| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | -| [profile\_name](#input\_profile\_name) | The name of a profile in /install\_dir/jsonar/local/credentials/.aws/credentials to use for authentication | `string` | `null` | no | -| [region](#input\_region) | Default AWS region of the account | `string` | n/a | yes | +| [profile\_name](#input\_profile\_name) | The name of a profile in /install\_dir/jsonar/local/credentials/.aws/credentials to use for authenticating | `string` | `null` | no | ## Outputs diff --git a/modules/dsfhub-aws-dynamodb/README.md b/modules/dsfhub-aws-dynamodb/README.md new file mode 100644 index 0000000..4a268b8 --- /dev/null +++ b/modules/dsfhub-aws-dynamodb/README.md 
@@ -0,0 +1,42 @@ + + + +## Providers + +| Name | Version | +|------|---------| +| [dsfhub](#provider\_dsfhub) | n/a | + +## Resources + +| Name | Type | +|------|------| +| [dsfhub_data_source.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/data_source) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes | +| [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:dynamodb:123456789012" | `string` | n/a | yes | +| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [access\_id](#input\_access\_id) | AWS Access ID. Required for "key" auth\_mechanism. | `string` | `null` | no | +| [audit\_pull\_enabled](#input\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `null` | no | +| [audit\_type](#input\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `null` | no | +| [auth\_mechanism](#input\_auth\_mechanism) | Specifies the auth mechanism used by the connection for the db asset. Valid values: key, profile, default or iam\_role. | `string` | `"default"` | no | +| [available\_regions](#input\_available\_regions) | A list of regions to use when pulling region-specific audit logs | `list(string)` | `null` | no | +| [iam\_role\_name](#input\_iam\_role\_name) | AWS arn of the IAM role to be assumed. Required for "iam\_role" auth\_mechanism. 
| `string` | `null` | no | +| [parent\_asset\_id](#input\_parent\_asset\_id) | DSFHUB Cloud Account Asset ID | `string` | `null` | no | +| [region](#input\_region) | AWS region of the DynamoDB instance. | `string` | `null` | no | +| [secret\_key](#input\_secret\_key) | AWS secret key. Required for "key" auth\_mechanism. | `string` | `null` | no | +| [server\_host\_name](#input\_server\_host\_name) | AWS DynamoDB service endpoint | `string` | `"dynamodb.us-east-2.amazonaws.com"` | no | +| [server\_port](#input\_server\_port) | AWS DynamoDB service endpoint port | `string` | `"443"` | no | +| [username](#input\_username) | The name of a profile in /install\_dir/jsonar/local/credentials/.aws/credentials to use for authenticating | `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | AWS DynamoDB asset | + \ No newline at end of file diff --git a/modules/dsfhub-aws-dynamodb/main.tf b/modules/dsfhub-aws-dynamodb/main.tf new file mode 100644 index 0000000..aca7417 --- /dev/null +++ b/modules/dsfhub-aws-dynamodb/main.tf 
@@ -0,0 +1,39 @@
+terraform {
+ required_providers {
+ dsfhub = {
+ source = "imperva/dsfhub"
+ }
+ }
+}
+
+resource "dsfhub_data_source" "this" {
+ server_type = "AWS DYNAMODB"
+
+ admin_email = var.admin_email
+ asset_display_name = var.asset_display_name
+ asset_id = var.asset_id
+ arn = var.auth_mechanism == "iam_role" ? var.iam_role_name : var.asset_id
+ audit_pull_enabled = var.audit_pull_enabled
+ audit_type = var.audit_type
+ available_regions = var.available_regions
+ gateway_id = var.gateway_id
+ parent_asset_id = var.parent_asset_id
+ region = var.region
+ server_host_name = var.server_host_name
+ server_ip = var.server_host_name
+ server_port = var.server_port
+
+ dynamic "asset_connection" {
+ # If auth_mechanism is not defined, do not create a connection
+ for_each = var.auth_mechanism != null ? [0] : []
+
+ content {
+ auth_mechanism = var.auth_mechanism
+ username = var.auth_mechanism == "profile" ? var.username : null
+ access_id = var.auth_mechanism == "key" ? var.access_id : null
+ secret_key = var.auth_mechanism == "key" ? var.secret_key : null
+ reason = "default"
+ region = var.region
+ }
+ }
+}
diff --git a/modules/dsfhub-aws-dynamodb/outputs.tf b/modules/dsfhub-aws-dynamodb/outputs.tf
new file mode 100644
index 0000000..0e003af
--- /dev/null
+++ b/modules/dsfhub-aws-dynamodb/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "AWS DynamoDB asset"
+ value = dsfhub_data_source.this
+}
diff --git a/modules/dsfhub-aws-dynamodb/variables.tf b/modules/dsfhub-aws-dynamodb/variables.tf
new file mode 100644
index 0000000..e04723b
--- /dev/null
+++ b/modules/dsfhub-aws-dynamodb/variables.tf
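Review bot: The `for_each = var.auth_mechanism != null ? [0] : []` guard is dead code: the variable defaults to `"default"` and its `validation` calls `contains(...)` on the value, which rejects `null` at plan time, so the `asset_connection` block is always created and the comment `# If auth_mechanism is not defined, do not create a connection` is misleading. What is not checked is the cross-field requirement the variable descriptions state: with `auth_mechanism = "iam_role"` and `iam_role_name` unset, `arn` silently becomes `null`, and with `"key"` the `access_id`/`secret_key` pair can both be `null`. A `lifecycle { precondition { ... } }` on the resource with `condition = var.auth_mechanism != "iam_role" || var.iam_role_name != null` (and the equivalent pair check for `"key"`) would fail the plan with a clear message instead. `server_ip = var.server_host_name` assigns a hostname to an address-named field; if the provider treats `server_ip` as an IP address this should be confirmed.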
@@ -0,0 +1,95 @@
+variable "access_id" {
+ description = "AWS Access ID. Required for \"key\" auth_mechanism."
+ type = string
+ default = null
+}
+
+variable "admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "asset_display_name" {
+ description = "User-friendly name of the asset, defined by user"
+ type = string
+}
+
+variable "asset_id" {
+ description = "AWS ARN, e.g. \"arn:aws:dynamodb:123456789012\""
+ type = string
+}
+
+variable "audit_pull_enabled" {
+ description = "If true, sonargateway will collect the audit logs for this system if it can."
+ type = bool
+ default = null
+}
+
+variable "audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = null
+}
+
+variable "auth_mechanism" {
+ description = "Specifies the auth mechanism used by the connection for the db asset. Valid values: key, profile, default or iam_role."
+ type = string
+ default = "default"
+ validation {
+ condition = contains(["key", "profile", "default", "iam_role"], var.auth_mechanism)
+ error_message = "Invalid auth mechanism. Valid values: key, profile, default or iam_role."
+ }
+}
+
+variable "available_regions" {
+ description = "A list of regions to use when pulling region-specific audit logs"
+ type = list(string)
+ default = null
+}
+
+variable "gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "iam_role_name" {
+ description = "AWS arn of the IAM role to be assumed. Required for \"iam_role\" auth_mechanism."
+ type = string
+ default = null
+}
+
+variable "parent_asset_id" {
+ description = "DSFHUB Cloud Account Asset ID"
+ type = string
+ default = null
+}
+
+variable "region" {
+ description = "AWS region of the DynamoDB instance."
+ type = string
+ default = null
+}
+
+variable "secret_key" {
+ description = "AWS secret key. Required for \"key\" auth_mechanism."
+ type = string
+ default = null
+}
+
+variable "server_host_name" {
+ description = "AWS DynamoDB service endpoint"
+ type = string
+ default = "dynamodb.us-east-2.amazonaws.com"
+}
+
+variable "server_port" {
+ description = "AWS DynamoDB service endpoint port"
+ type = string
+ default = "443"
+}
+
+variable "username" {
+ description = "The name of a profile in /install_dir/jsonar/local/credentials/.aws/credentials to use for authenticating"
+ type = string
+ default = null
+}
diff --git a/modules/onboard-aws-dynamodb-cloudwatch/README.md b/modules/onboard-aws-dynamodb-cloudwatch/README.md
new file mode 100644
index 0000000..6ca470c
--- /dev/null
+++ b/modules/onboard-aws-dynamodb-cloudwatch/README.md
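Review bot: `secret_key` (and to a lesser degree `access_id`) is a credential but is not marked `sensitive = true`, so its value is printed in `terraform plan`/`apply` output and in CI logs whenever the connection block changes; adding `sensitive = true` to the `secret_key` variable keeps it redacted in output (it still lands in state, which needs its own protection). `iam_role_name` is described as "AWS arn of the IAM role" yet is named as if it took a role name, and `main.tf` passes it straight into `arn`, so either the name or the description should be aligned. The `username` variable's description says it is a profile name from the credentials file; renaming is out of scope, but the description could add that it is only used when `auth_mechanism = "profile"`.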
@@ -0,0 +1,86 @@ +# onboard-aws-dynamodb-cloudwatch +Onboard AWS DynamoDB via CloudWatch to DSF Hub. + +## Notes +The ``AWS DYNAMODB`` asset supports various authentication mechanisms (key, iam_role, profile, default) that can be used to authenticate to AWS and collect the audit logs from the CloudWatch log group. Ensure you have the necessary credentials/information for the chosen authentication mechanism, and that it has permissions to read from the newly created CloudWatch log group. + +See the corresponding example for more details. + + + + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-dynamodb-asset](#module\_aws-dynamodb-asset) | ../dsfhub-aws-dynamodb | n/a | +| [aws-log-group-asset](#module\_aws-log-group-asset) | ../dsfhub-aws-log-group | n/a | +| [cloudtrail](#module\_cloudtrail) | ../aws-cloudtrail | n/a | +| [cloudwatch-policy](#module\_cloudwatch-policy) | ../aws-cloudwatch-log-resource-policy | n/a | +| [dynamodb-log-group](#module\_dynamodb-log-group) | ../aws-cloudwatch-log-group | n/a | +| [eventbridge-rule](#module\_eventbridge-rule) | ../aws-cloudwatch-event-rule | n/a | +| [eventbridge-target](#module\_eventbridge-target) | ../aws-cloudwatch-event-target | n/a | +| [s3-bucket](#module\_s3-bucket) | ../aws-s3-bucket | n/a | +| [s3-bucket-policy](#module\_s3-bucket-policy) | ../aws-s3-bucket-policy | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.cloudtrail_to_s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.eventbridge_to_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data 
source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_dynamodb\_admin\_email](#input\_aws\_dynamodb\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [aws\_dynamodb\_gateway\_id](#input\_aws\_dynamodb\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [aws\_log\_group\_admin\_email](#input\_aws\_log\_group\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | +| [aws\_log\_group\_gateway\_id](#input\_aws\_log\_group\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes | +| [cloudtrail\_name](#input\_cloudtrail\_name) | Name of the trail. | `string` | n/a | yes | +| [log\_group\_name](#input\_log\_group\_name) | Name of AWS CloudWatch log group to contain DynamoDB logs. Will be prefixed with "/aws/events". | `string` | n/a | yes | +| [s3\_bucket\_name](#input\_s3\_bucket\_name) | The name of the bucket. Must be lowercase and less than or equal to 63 characters in length. | `string` | n/a | yes | +| [aws\_dynamodb\_access\_id](#input\_aws\_dynamodb\_access\_id) | AWS Access ID. Required for "key" auth\_mechanism. | `string` | `null` | no | +| [aws\_dynamodb\_auth\_mechanism](#input\_aws\_dynamodb\_auth\_mechanism) | Specifies the auth mechanism used by the connection for the db asset. Valid values: key, profile, default or iam\_role. | `string` | `"default"` | no | +| [aws\_dynamodb\_iam\_role\_name](#input\_aws\_dynamodb\_iam\_role\_name) | AWS arn of the IAM role to be assumed. 
Required for "iam\_role" auth\_mechanism. | `string` | `null` | no | +| [aws\_dynamodb\_profile\_name](#input\_aws\_dynamodb\_profile\_name) | The name of a profile in /install\_dir/jsonar/local/credentials/.aws/credentials to use for authentication. Required for "profile" auth\_mechanism. | `string` | `null` | no | +| [aws\_dynamodb\_secret\_key](#input\_aws\_dynamodb\_secret\_key) | AWS secret key. Required for "key" auth\_mechanism. | `string` | `null` | no | +| [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | +| [aws\_log\_group\_reason](#input\_aws\_log\_group\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no | +| [cloudtrail\_enable\_logging](#input\_cloudtrail\_enable\_logging) | Enables logging for the trail. Setting this to "false" will pause logging. | `bool` | `true` | no | +| [cloudtrail\_event\_selector](#input\_cloudtrail\_event\_selector) | Specifies an event selector for enabling data event logging. Note: exclude\_management\_event\_sources requires include\_management\_events set to true. If include\_management\_events is set to false, do not pass in exclude\_management\_event\_sources. |
list(
object(
{
data_resource = optional(
object(
{
type = string
values = list(string)
}
)
)
exclude_management_event_sources = optional(list(string))
include_management_events = optional(bool)
read_write_type = optional(string)
}
)
)
|
[
{
"data_resource": {
"type": "AWS::DynamoDB::Table",
"values": [
"arn:aws:dynamodb"
]
},
"exclude_management_event_sources": [
"kms.amazonaws.com",
"rdsdata.amazonaws.com"
],
"include_management_events": true,
"read_write_type": "All"
}
]
| no | +| [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | Whether the trail is created in the current region or in all regions. | `bool` | `false` | no | +| [cloudwatch\_policy\_policy\_name](#input\_cloudwatch\_policy\_policy\_name) | Name of the resource policy. | `string` | `"eventbridge-to-cloudwatch-policy"` | no | +| [eventbridge\_rule\_description](#input\_eventbridge\_rule\_description) | The description of the eventbridge rule. | `string` | `"Captures All DynamoDB events and sends to CloudWatch log group"` | no | +| [eventbridge\_rule\_event\_pattern](#input\_eventbridge\_rule\_event\_pattern) | The event pattern described a JSON object. See full documentation of [Events and Event Patterns in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html) for details. | `any` |
{
"detail": {
"eventSource": [
"dynamodb.amazonaws.com"
],
"sourceIPAddress": [
{
"anything-but": [
"replication.dynamodb.amazonaws.com",
"dynamodb.application-autoscaling.amazonaws.com",
"application-autoscaling.amazonaws.com"
]
}
]
},
"source": [
"aws.dynamodb"
]
}
| no | +| [eventbridge\_rule\_name](#input\_eventbridge\_rule\_name) | The name of the rule. If omitted, Terraform will assign a random, unique name. | `string` | `null` | no | +| [eventbridge\_rule\_state](#input\_eventbridge\_rule\_state) | State of the rule. Valid values are DISABLED, ENABLED, and ENABLED\_WITH\_ALL\_CLOUDTRAIL\_MANAGEMENT\_EVENTS. | `string` | `"ENABLED"` | no | +| [eventbridge\_rule\_tags](#input\_eventbridge\_rule\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | +| [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. | `number` | `7` | no | +| [s3\_bucket\_force\_destroy](#input\_s3\_bucket\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket when the bucket is destroyed so that the bucket can be destroyed without error. See more details in the [aws terraform documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#force_destroy). | `bool` | `false` | no | +| [s3\_bucket\_tags](#input\_s3\_bucket\_tags) | A map of tags to assign to the resource. 
| `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [aws-dynamodb-asset](#output\_aws-dynamodb-asset) | AWS DynamoDB asset | +| [aws-log-group-asset](#output\_aws-log-group-asset) | AWS Log Group asset | +| [cloudtrail](#output\_cloudtrail) | AWS CloudTrail | +| [cloudwatch-policy](#output\_cloudwatch-policy) | CloudWatch policy | +| [eventbridge-rule](#output\_eventbridge-rule) | EventBridge rule | +| [eventbridge-target](#output\_eventbridge-target) | EventBridge target | +| [log-group](#output\_log-group) | CloudWatch log group | +| [s3-bucket](#output\_s3-bucket) | S3 bucket | +| [s3-bucket-policy](#output\_s3-bucket-policy) | S3 bucket policy | + \ No newline at end of file diff --git a/modules/onboard-aws-dynamodb-cloudwatch/main.tf b/modules/onboard-aws-dynamodb-cloudwatch/main.tf new file mode 100644 index 0000000..293c7d4 --- /dev/null +++ b/modules/onboard-aws-dynamodb-cloudwatch/main.tf 
@@ -0,0 +1,187 @@ +# Collect AWS region & account info +data "aws_region" "current" {} +data "aws_caller_identity" "current" {} +data "aws_partition" "current" {} + +# Generates an IAM policy document in JSON format for use with resources +data "aws_iam_policy_document" "cloudtrail_to_s3_policy" { + statement { + sid = "AWSCloudTrailAclCheck" + effect = "Allow" + + principals { + type = "Service" + identifiers = ["cloudtrail.amazonaws.com"] + } + + actions = ["s3:GetBucketAcl"] + resources = [module.s3-bucket.this.arn] + condition { + test = "StringEquals" + variable = "aws:SourceArn" + values = ["arn:${data.aws_partition.current.partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"] + } + } + + statement { + sid = "AWSCloudTrailWrite" + effect = "Allow" + + principals { + type = "Service" + identifiers = ["cloudtrail.amazonaws.com"] + } + + actions = ["s3:PutObject"] + resources = ["${module.s3-bucket.this.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"] + + condition { + test = "StringEquals" + variable = "s3:x-amz-acl" + values = ["bucket-owner-full-control"] + } + condition { + test = "StringEquals" + variable = "aws:SourceArn" + values = ["arn:${data.aws_partition.current.partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"] + } + } +} + +module "s3-bucket" { + source = "../aws-s3-bucket" + + bucket = var.s3_bucket_name + force_destroy = var.s3_bucket_force_destroy + tags = var.s3_bucket_tags +} + +# Attaches a policy to an S3 bucket resource +module "s3-bucket-policy" { + source = "../aws-s3-bucket-policy" + + bucket = module.s3-bucket.this.id + policy = data.aws_iam_policy_document.cloudtrail_to_s3_policy.json +} + +module "cloudtrail" { + depends_on = [module.s3-bucket-policy] + source = "../aws-cloudtrail" + + enable_logging = var.cloudtrail_enable_logging + event_selector = 
var.cloudtrail_event_selector + include_global_service_events = false + is_multi_region_trail = var.cloudtrail_is_multi_region_trail + name = var.cloudtrail_name + s3_bucket_name = module.s3-bucket.this.id +} + +module "dynamodb-log-group" { + source = "../aws-cloudwatch-log-group" + + name = "/aws/events/${var.log_group_name}" + retention_in_days = var.log_group_retention_in_days +} + +data "aws_iam_policy_document" "eventbridge_to_cloudwatch" { + depends_on = [module.eventbridge-rule] + + statement { + effect = "Allow" + actions = [ + "logs:CreateLogStream" + ] + + resources = [ + "${module.dynamodb-log-group.this.arn}:*" + ] + + principals { + type = "Service" + identifiers = [ + "events.amazonaws.com", + "delivery.logs.amazonaws.com" + ] + } + } + statement { + effect = "Allow" + actions = [ + "logs:PutLogEvents" + ] + + resources = [ + "${module.dynamodb-log-group.this.arn}:*:*" + ] + + principals { + type = "Service" + identifiers = [ + "events.amazonaws.com", + "delivery.logs.amazonaws.com" + ] + } + + condition { + test = "ArnEquals" + values = [module.eventbridge-rule.this.arn] + variable = "aws:SourceArn" + } + } +} + +module "cloudwatch-policy" { + source = "../aws-cloudwatch-log-resource-policy" + + policy_document = data.aws_iam_policy_document.eventbridge_to_cloudwatch.json + policy_name = var.cloudwatch_policy_policy_name +} + +module "eventbridge-rule" { + source = "../aws-cloudwatch-event-rule" + + description = var.eventbridge_rule_description + event_pattern = jsonencode(var.eventbridge_rule_event_pattern) + name = var.eventbridge_rule_name + state = var.eventbridge_rule_state + tags = var.eventbridge_rule_tags +} + +module "eventbridge-target" { + source = "../aws-cloudwatch-event-target" + + arn = module.dynamodb-log-group.this.arn + rule = module.eventbridge-rule.this.name +} + +module "aws-dynamodb-asset" { + source = "../dsfhub-aws-dynamodb" + + access_id = var.aws_dynamodb_access_id + admin_email = var.aws_dynamodb_admin_email + 
asset_display_name = "arn:${data.aws_partition.current.partition}:dynamodb:${data.aws_caller_identity.current.account_id}" + asset_id = "arn:${data.aws_partition.current.partition}:dynamodb:${data.aws_caller_identity.current.account_id}" + audit_type = "LOG_GROUP" + auth_mechanism = var.aws_dynamodb_auth_mechanism + gateway_id = var.aws_dynamodb_gateway_id + iam_role_name = var.aws_dynamodb_iam_role_name + secret_key = var.aws_dynamodb_secret_key + username = var.aws_dynamodb_profile_name + + region = data.aws_region.current.name + server_host_name = "dynamodb.${data.aws_region.current.name}.amazonaws.com" + server_port = "443" +} + +module "aws-log-group-asset" { + source = "../dsfhub-aws-log-group" + + admin_email = var.aws_log_group_admin_email + asset_display_name = "${module.dynamodb-log-group.this.arn}:*" + asset_id = "${module.dynamodb-log-group.this.arn}:*" + audit_pull_enabled = var.aws_log_group_audit_pull_enabled + gateway_id = var.aws_log_group_gateway_id + parent_asset_id = module.aws-dynamodb-asset.this.asset_id + reason = var.aws_log_group_reason + region = data.aws_region.current.name +} diff --git a/modules/onboard-aws-dynamodb-cloudwatch/outputs.tf b/modules/onboard-aws-dynamodb-cloudwatch/outputs.tf new file mode 100644 index 0000000..553c79f --- /dev/null +++ b/modules/onboard-aws-dynamodb-cloudwatch/outputs.tf 
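Review bot: The `logs:CreateLogStream` statement in `eventbridge_to_cloudwatch` grants `events.amazonaws.com` and `delivery.logs.amazonaws.com` on `${module.dynamodb-log-group.this.arn}:*` with no source condition, while the `logs:PutLogEvents` statement next to it is correctly bound with `ArnEquals aws:SourceArn` to the rule; an EventBridge rule in any other account can therefore create streams in this group (the cross-service confused-deputy case). Reusing the same `condition` block on the first statement, or at least `condition { test = "StringEquals" variable = "aws:SourceAccount" values = [data.aws_caller_identity.current.account_id] }`, closes that gap. Separately, `depends_on = [module.eventbridge-rule]` on that data source is redundant because `values = [module.eventbridge-rule.this.arn]` already orders it, and `depends_on` on a data source defers the read to apply time on every run, so `cloudwatch-policy`'s `policy_document` is likely to show as known-after-apply in each plan; dropping the `depends_on` line avoids that.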
@@ -0,0 +1,44 @@
+output "s3-bucket" {
+ description = "S3 bucket"
+ value = module.s3-bucket.this
+}
+
+output "s3-bucket-policy" {
+ description = "S3 bucket policy"
+ value = module.s3-bucket-policy.this
+}
+
+output "cloudtrail" {
+ description = "AWS CloudTrail"
+ value = module.cloudtrail.this
+}
+
+output "log-group" {
+ description = "CloudWatch log group"
+ value = module.dynamodb-log-group.this
+}
+
+output "cloudwatch-policy" {
+ description = "CloudWatch policy"
+ value = module.cloudwatch-policy.this
+}
+
+output "eventbridge-rule" {
+ description = "EventBridge rule"
+ value = module.eventbridge-rule.this
+}
+
+output "eventbridge-target" {
+ description = "EventBridge target"
+ value = module.eventbridge-target.this
+}
+
+output "aws-dynamodb-asset" {
+ description = "AWS DynamoDB asset"
+ value = module.aws-dynamodb-asset.this
+}
+
+output "aws-log-group-asset" {
+ description = "AWS Log Group asset"
+ value = module.aws-log-group-asset.this
+}
diff --git a/modules/onboard-aws-dynamodb-cloudwatch/variables.tf b/modules/onboard-aws-dynamodb-cloudwatch/variables.tf
new file mode 100644
index 0000000..9e43963
--- /dev/null
+++ b/modules/onboard-aws-dynamodb-cloudwatch/variables.tf
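Review bot: `output "aws-dynamodb-asset"` exposes the whole `module.aws-dynamodb-asset.this` object, which is built from `var.aws_dynamodb_secret_key` and `var.aws_dynamodb_access_id`. If either the provider schema or the variable declaration marks that value sensitive, `terraform apply` rejects this output with "Output refers to sensitive values" unless it carries `sensitive = true`; if nothing marks it sensitive, the key material is echoed in plain text in the apply output of every caller. Adding `sensitive = true` to this output, and to the same-named output in modules/onboard-aws-dynamodb-s3/outputs.tf, covers both cases; non-secret attributes callers need can be exposed as separate outputs.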
@@ -0,0 +1,193 @@ +variable "aws_dynamodb_access_id" { + description = "AWS Access ID. Required for \"key\" auth_mechanism." + type = string + default = null +} + +variable "aws_dynamodb_admin_email" { + description = "The email address to notify about this asset" + type = string +} + +variable "aws_dynamodb_auth_mechanism" { + description = "Specifies the auth mechanism used by the connection for the db asset. Valid values: key, profile, default or iam_role." + type = string + default = "default" + validation { + condition = contains(["key", "profile", "default", "iam_role"], var.aws_dynamodb_auth_mechanism) + error_message = "Invalid auth mechanism. Valid values: key, profile, default or iam_role." + } +} + +variable "aws_dynamodb_gateway_id" { + description = "Unique identifier (UID) attached to the jSonar machine controlling the asset" + type = string +} + +variable "aws_dynamodb_iam_role_name" { + description = "AWS arn of the IAM role to be assumed. Required for \"iam_role\" auth_mechanism." + type = string + default = null +} + +variable "aws_dynamodb_secret_key" { + description = "AWS secret key. Required for \"key\" auth_mechanism." + type = string + default = null +} + +variable "aws_dynamodb_profile_name" { + description = "The name of a profile in /install_dir/jsonar/local/credentials/.aws/credentials to use for authentication. Required for \"profile\" auth_mechanism." + type = string + default = null +} + +variable "aws_log_group_admin_email" { + description = "The email address to notify about the asset." + type = string +} + +variable "aws_log_group_audit_pull_enabled" { + description = "If true, sonargateway will collect the audit logs for this system if it can." + type = bool + default = false +} + +variable "aws_log_group_gateway_id" { + description = "The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'." 
+ type = string +} + +variable "aws_log_group_reason" { + description = "Used to differentiate connections that belong to the same asset" + type = string + default = "default" +} + +variable "cloudtrail_enable_logging" { + description = "Enables logging for the trail. Setting this to \"false\" will pause logging." + type = bool + default = true +} + +variable "cloudtrail_is_multi_region_trail" { + description = "Whether the trail is created in the current region or in all regions." + type = bool + default = false +} + +variable "cloudtrail_name" { + description = "Name of the trail." + type = string +} + +variable "cloudtrail_event_selector" { + description = "Specifies an event selector for enabling data event logging. Note: exclude_management_event_sources requires include_management_events set to true. If include_management_events is set to false, do not pass in exclude_management_event_sources." + type = list( + object( + { + data_resource = optional( + object( + { + type = string + values = list(string) + } + ) + ) + exclude_management_event_sources = optional(list(string)) + include_management_events = optional(bool) + read_write_type = optional(string) + } + ) + ) + default = [ + { + data_resource = { + type = "AWS::DynamoDB::Table" + values = ["arn:aws:dynamodb"] + } + exclude_management_event_sources = [ + "kms.amazonaws.com", + "rdsdata.amazonaws.com" + ] + include_management_events = true + read_write_type = "All" + } + ] +} + +variable "cloudwatch_policy_policy_name" { + description = "Name of the resource policy." + type = string + default = "eventbridge-to-cloudwatch-policy" +} + +variable "eventbridge_rule_description" { + description = "The description of the EventBridge rule." + type = string + default = "Captures All DynamoDB events and sends to CloudWatch log group" +} + +variable "eventbridge_rule_name" { + description = "The name of the rule. If omitted, Terraform will assign a random, unique name." 
+ type = string + default = null +} + +variable "eventbridge_rule_event_pattern" { + description = "The event pattern described a JSON object. See full documentation of [Events and Event Patterns in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html) for details." + type = any + default = { + "source" : ["aws.dynamodb"], + "detail" : { + "eventSource" : ["dynamodb.amazonaws.com"], + "sourceIPAddress" : [{ + "anything-but" : ["replication.dynamodb.amazonaws.com", "dynamodb.application-autoscaling.amazonaws.com", "application-autoscaling.amazonaws.com"] + }] + } + } +} + +variable "eventbridge_rule_state" { + description = "State of the rule. Valid values are DISABLED, ENABLED, and ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS." + type = string + default = "ENABLED" + validation { + condition = contains(["DISABLED", "ENABLED", "ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS"], var.eventbridge_rule_state) + error_message = "Invalid state. Valid values are DISABLED, ENABLED, and ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS." + } +} + +variable "eventbridge_rule_tags" { + description = "A map of tags to assign to the resource." + type = map(string) + default = null +} + +variable "log_group_name" { + description = "Name of AWS CloudWatch log group to contain DynamoDB logs. Will be prefixed with \"/aws/events\"." + type = string +} + +variable "log_group_retention_in_days" { + description = "Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire." + type = number + default = 7 +} + +variable "s3_bucket_name" { + description = "The name of the bucket. Must be lowercase and less than or equal to 63 characters in length." 
+ type = string +} + +variable "s3_bucket_force_destroy" { + description = "A boolean that indicates all objects should be deleted from the bucket when the bucket is destroyed so that the bucket can be destroyed without error. See more details in the [aws terraform documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#force_destroy)." + type = bool + default = false +} + +variable "s3_bucket_tags" { + description = "A map of tags to assign to the resource." + type = map(string) + default = null +} diff --git a/modules/onboard-aws-dynamodb-s3/README.md b/modules/onboard-aws-dynamodb-s3/README.md new file mode 100644 index 0000000..b9d6bd3 --- /dev/null +++ b/modules/onboard-aws-dynamodb-s3/README.md 
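Review bot: `variable "aws_dynamodb_secret_key"` is declared without `sensitive = true`, so unless the provider schema already marks the attribute sensitive, the secret appears in plain text in every plan and in any output that consumes the asset; `sensitive = true` should be added to it (and arguably to `aws_dynamodb_access_id`). The same declarations are repeated in modules/onboard-aws-dynamodb-s3/variables.tf and need the same change. Separately, the default for `cloudtrail_event_selector` hard-codes `values = ["arn:aws:dynamodb"]` while main.tf derives every other ARN from `data.aws_partition.current.partition`; in a non-`aws` partition that data-resource selector would not match any table ARN, so either the description should state the limitation or main.tf should build the partition-aware default itself, since variable defaults cannot reference data sources.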
@@ -0,0 +1,98 @@ +# onboard-aws-dynamodb-s3 +Onboard AWS DynamoDB via S3 to DSF Hub. + +## Notes +The ``AWS DYNAMODB`` asset supports various authentication mechanisms (key, iam_role, profile, default) that can be used to authenticate to AWS and collect the audit logs from the S3 bucket. Ensure you have the necessary credentials/information for the chosen authentication mechanism, and that it has permissions to read from the newly created S3 bucket. + +See the corresponding example for more details. + + + + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-dynamodb-asset](#module\_aws-dynamodb-asset) | ../dsfhub-aws-dynamodb | n/a | +| [aws-s3-asset](#module\_aws-s3-asset) | ../dsfhub-aws-s3-bucket-la | n/a | +| [dynamodb-cloudtrail](#module\_dynamodb-cloudtrail) | ../aws-cloudtrail | n/a | +| [eventbridge-firehose-iam-role](#module\_eventbridge-firehose-iam-role) | ../aws-iam-role | n/a | +| [eventbridge-rule](#module\_eventbridge-rule) | ../aws-cloudwatch-event-rule | n/a | +| [eventbridge-target](#module\_eventbridge-target) | ../aws-cloudwatch-event-target | n/a | +| [firehose-s3-iam-role](#module\_firehose-s3-iam-role) | ../aws-iam-role | n/a | +| [kinesis-firehose-delivery-stream](#module\_kinesis-firehose-delivery-stream) | ../aws-kinesis-firehose-delivery-stream | n/a | +| [s3-bucket](#module\_s3-bucket) | ../aws-s3-bucket | n/a | +| [s3-bucket-policy](#module\_s3-bucket-policy) | ../aws-s3-bucket-policy | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.cloudtrail_to_s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| 
[aws_iam_policy_document.eventbridge_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.eventbridge_to_firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.firehose_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.firehose_to_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_dynamodb\_admin\_email](#input\_aws\_dynamodb\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [aws\_dynamodb\_gateway\_id](#input\_aws\_dynamodb\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [aws\_s3\_admin\_email](#input\_aws\_s3\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [aws\_s3\_gateway\_id](#input\_aws\_s3\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [cloudtrail\_name](#input\_cloudtrail\_name) | Name of the trail. | `string` | n/a | yes | +| [firehose\_name](#input\_firehose\_name) | A name to identify the stream. This is unique to the AWS account and region the Stream is created in. | `string` | n/a | yes | +| [s3\_bucket](#input\_s3\_bucket) | The name of the bucket. 
Must be lowercase and less than or equal to 63 characters in length. | `string` | n/a | yes | +| [aws\_dynamodb\_access\_id](#input\_aws\_dynamodb\_access\_id) | AWS Access ID. Required for "key" auth\_mechanism. | `string` | `null` | no | +| [aws\_dynamodb\_auth\_mechanism](#input\_aws\_dynamodb\_auth\_mechanism) | Specifies the auth mechanism used by the connection for the db asset. Valid values: key, profile, default or iam\_role. | `string` | `"default"` | no | +| [aws\_dynamodb\_iam\_role\_name](#input\_aws\_dynamodb\_iam\_role\_name) | AWS arn of the IAM role to be assumed. Required for "iam\_role" auth\_mechanism. | `string` | `null` | no | +| [aws\_dynamodb\_profile\_name](#input\_aws\_dynamodb\_profile\_name) | The name of a profile in /install\_dir/jsonar/local/credentials/.aws/credentials to use for authenticating | `string` | `null` | no | +| [aws\_dynamodb\_secret\_key](#input\_aws\_dynamodb\_secret\_key) | AWS secret key. Required for "key" auth\_mechanism. | `string` | `null` | no | +| [aws\_s3\_audit\_pull\_enabled](#input\_aws\_s3\_audit\_pull\_enabled) | Whether the DSFHUB should pull logs from the asset. | `bool` | `false` | no | +| [cloudtrail\_enable\_logging](#input\_cloudtrail\_enable\_logging) | Enables logging for the trail. Setting this to "false" will pause logging. | `bool` | `true` | no | +| [cloudtrail\_event\_selector](#input\_cloudtrail\_event\_selector) | Specifies an event selector for enabling data event logging. |
list(
object(
{
data_resource = optional(
object(
{
type = string
values = list(string)
}
)
)
exclude_management_event_sources = optional(list(string))
include_management_events = optional(bool)
read_write_type = optional(string)
}
)
)
|
[
{
"data_resource": {
"type": "AWS::DynamoDB::Table",
"values": [
"arn:aws:dynamodb"
]
},
"exclude_management_event_sources": [
"kms.amazonaws.com",
"rdsdata.amazonaws.com"
],
"include_management_events": true,
"read_write_type": "All"
}
]
| no | +| [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | Whether the trail is created in the current region or in all regions. | `bool` | `false` | no | +| [eventbridge\_iam\_role\_description](#input\_eventbridge\_iam\_role\_description) | The description of the IAM role. | `string` | `"IAM role for sending DynamoDB logs from EventBridge to Firehose."` | no | +| [eventbridge\_iam\_role\_name](#input\_eventbridge\_iam\_role\_name) | Friendly name of the role. If omitted, Terraform will assign a random, unique name. Forces new resource. | `string` | `"dynamodb_eventbridge_role"` | no | +| [eventbridge\_iam\_role\_name\_prefix](#input\_eventbridge\_iam\_role\_name\_prefix) | Creates a unique friendly name beginning with the specified prefix. Conflicts with 'name'. Forces new resources. | `string` | `null` | no | +| [eventbridge\_iam\_role\_tags](#input\_eventbridge\_iam\_role\_tags) | Key-value mapping of tags for the IAM role. | `map(string)` | `null` | no | +| [eventbridge\_rule\_description](#input\_eventbridge\_rule\_description) | The description of the rule. | `string` | `"Captures All DynamoDB events and sends to CloudWatch log group"` | no | +| [eventbridge\_rule\_event\_pattern](#input\_eventbridge\_rule\_event\_pattern) | The event pattern described a JSON object. See full documentation of [Events and Event Patterns in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html) for details. | `any` |
{
"detail": {
"eventCategory": [
"Management"
],
"eventSource": [
"dynamodb.amazonaws.com"
],
"sourceIPAddress": [
{
"anything-but": [
"replication.dynamodb.amazonaws.com",
"dynamodb.application-autoscaling.amazonaws.com",
"application-autoscaling.amazonaws.com"
]
}
]
},
"source": [
"aws.dynamodb"
]
}
| no | +| [eventbridge\_rule\_name](#input\_eventbridge\_rule\_name) | The name of the rule. If omitted, Terraform will assign a random, unique name. | `string` | `null` | no | +| [eventbridge\_rule\_state](#input\_eventbridge\_rule\_state) | State of the rule. Valid values are DISABLED, ENABLED, and ENABLED\_WITH\_ALL\_CLOUDTRAIL\_MANAGEMENT\_EVENTS. | `string` | `"ENABLED"` | no | +| [eventbridge\_rule\_tags](#input\_eventbridge\_rule\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | +| [firehose\_iam\_role\_description](#input\_firehose\_iam\_role\_description) | The description of the IAM role. | `string` | `"IAM role for sending DynamoDB logs from Firehose to S3."` | no | +| [firehose\_iam\_role\_name](#input\_firehose\_iam\_role\_name) | Friendly name of the role. If omitted, Terraform will assign a random, unique name. Forces new resource. | `string` | `"dynamodb_firehose_role"` | no | +| [firehose\_iam\_role\_name\_prefix](#input\_firehose\_iam\_role\_name\_prefix) | Creates a unique friendly name beginning with the specified prefix. Conflicts with 'name'. Forces new resources. | `string` | `null` | no | +| [firehose\_iam\_role\_tags](#input\_firehose\_iam\_role\_tags) | Key-value mapping of tags for the IAM role. | `map(string)` | `null` | no | +| [firehose\_tags](#input\_firehose\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | +| [s3\_bucket\_prefix](#input\_s3\_bucket\_prefix) | Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. Must be lowercase and less than or equal to 37 characters in length. | `string` | `null` | no | +| [s3\_force\_destroy](#input\_s3\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket when the bucket is destroyed so that the bucket can be destroyed without error. 
See more details in the [aws terraform documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#force_destroy). | `bool` | `false` | no | +| [s3\_tags](#input\_s3\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [aws-dynamodb-asset](#output\_aws-dynamodb-asset) | AWS DynamoDB asset | +| [aws-s3-bucket-asset](#output\_aws-s3-bucket-asset) | AWS S3 asset | +| [dynamodb-cloudtrail](#output\_dynamodb-cloudtrail) | DynamoDB CloudTrail | +| [eventbridge-firehose-iam-role](#output\_eventbridge-firehose-iam-role) | EventBridge to firehose IAM role | +| [eventbridge-rule](#output\_eventbridge-rule) | EventBridge rule | +| [eventbridge-target](#output\_eventbridge-target) | EventBridge target | +| [firehose-s3-iam-role](#output\_firehose-s3-iam-role) | Firehose to S3 IAM role | +| [kinesis-firehose-delivery-stream](#output\_kinesis-firehose-delivery-stream) | Firehose delivery stream to S3 | +| [s3-bucket](#output\_s3-bucket) | S3 bucket | +| [s3-bucket-policy](#output\_s3-bucket-policy) | S3 bucket policy | + \ No newline at end of file diff --git a/modules/onboard-aws-dynamodb-s3/main.tf b/modules/onboard-aws-dynamodb-s3/main.tf new file mode 100644 index 0000000..fadf2df --- /dev/null +++ b/modules/onboard-aws-dynamodb-s3/main.tf 
@@ -0,0 +1,233 @@ +# Collect AWS region & account info +data "aws_region" "current" {} +data "aws_caller_identity" "current" {} +data "aws_partition" "current" {} + +module "s3-bucket" { + source = "../aws-s3-bucket" + + bucket = var.s3_bucket + force_destroy = var.s3_force_destroy + tags = var.s3_tags +} + +data "aws_iam_policy_document" "cloudtrail_to_s3_policy" { + statement { + sid = "AWSCloudTrailAclCheck" + effect = "Allow" + + principals { + type = "Service" + identifiers = ["cloudtrail.amazonaws.com"] + } + + actions = ["s3:GetBucketAcl"] + resources = [module.s3-bucket.this.arn] + condition { + test = "StringEquals" + variable = "aws:SourceArn" + values = ["arn:${data.aws_partition.current.partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"] + } + } + + statement { + sid = "AWSCloudTrailWrite" + effect = "Allow" + + principals { + type = "Service" + identifiers = ["cloudtrail.amazonaws.com"] + } + + actions = ["s3:PutObject"] + resources = ["${module.s3-bucket.this.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"] + + condition { + test = "StringEquals" + variable = "s3:x-amz-acl" + values = ["bucket-owner-full-control"] + } + condition { + test = "StringEquals" + variable = "aws:SourceArn" + values = ["arn:${data.aws_partition.current.partition}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"] + } + } +} + +module "s3-bucket-policy" { + source = "../aws-s3-bucket-policy" + + bucket = module.s3-bucket.this.id + policy = data.aws_iam_policy_document.cloudtrail_to_s3_policy.json +} + +module "dynamodb-cloudtrail" { + depends_on = [module.s3-bucket-policy] + source = "../aws-cloudtrail" + + enable_logging = var.cloudtrail_enable_logging + event_selector = var.cloudtrail_event_selector + include_global_service_events = false + is_multi_region_trail = var.cloudtrail_is_multi_region_trail + name = 
var.cloudtrail_name + s3_bucket_name = module.s3-bucket.this.id +} + +data "aws_iam_policy_document" "eventbridge_to_firehose" { + statement { + effect = "Allow" + + actions = ["firehose:PutRecord", + "firehose:PutRecordBatch"] + resources = [module.kinesis-firehose-delivery-stream.this.arn] + } +} + +data "aws_iam_policy_document" "firehose_to_s3" { + statement { + effect = "Allow" + + actions = ["s3:AbortMultipartUpload", + "s3:GetBucketLocation", + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketMultipartUploads", + "s3:PutObject"] + resources = [module.s3-bucket.this.arn, "${module.s3-bucket.this.arn}/*"] + } +} + +data "aws_iam_policy_document" "firehose_assume_role" { + statement { + effect = "Allow" + + principals { + type = "Service" + identifiers = ["firehose.amazonaws.com"] + } + + actions = ["sts:AssumeRole"] + } +} + +data "aws_iam_policy_document" "eventbridge_assume_role" { + statement { + effect = "Allow" + + principals { + type = "Service" + identifiers = ["events.amazonaws.com"] + } + + actions = ["sts:AssumeRole"] + } +} + +module "eventbridge-firehose-iam-role" { + source = "../aws-iam-role" + + assume_role_policy = data.aws_iam_policy_document.eventbridge_assume_role.json + description = var.eventbridge_iam_role_description + inline_policy = [ + { + name = "eventbridge_to_firehose_policy" + policy = data.aws_iam_policy_document.eventbridge_to_firehose.json + } + ] + name = var.eventbridge_iam_role_name + name_prefix = var.eventbridge_iam_role_name_prefix + tags = var.eventbridge_iam_role_tags +} + +module "firehose-s3-iam-role" { + source = "../aws-iam-role" + + assume_role_policy = data.aws_iam_policy_document.firehose_assume_role.json + description = var.firehose_iam_role_description + inline_policy = [ + { + name = "firehose_to_s3_policy" + policy = data.aws_iam_policy_document.firehose_to_s3.json + } + ] + name = var.firehose_iam_role_name + name_prefix = var.firehose_iam_role_name_prefix + tags = var.firehose_iam_role_tags +} + +module 
"kinesis-firehose-delivery-stream" { + depends_on = [module.s3-bucket] + source = "../aws-kinesis-firehose-delivery-stream" + + destination = "extended_s3" + extended_s3_configuration = { + role_arn = module.firehose-s3-iam-role.this.arn + bucket_arn = module.s3-bucket.this.arn + file_extension = ".json.gz" + prefix = "AWSLogs/${data.aws_caller_identity.current.account_id}/CloudTrail/${data.aws_region.current.name}/!{timestamp:yyyy/MM/dd/}" + compression_format = "GZIP" + error_output_prefix = "FirehosetoS3Error/!{firehose:error-output-type}/!{timestamp:yyyy/MM/dd/}" + processing_configuration = { + enabled = "true" + processors = { + type = "AppendDelimiterToRecord" + } + } + } + name = var.firehose_name + tags = var.firehose_tags +} + +module "eventbridge-rule" { + source = "../aws-cloudwatch-event-rule" + + description = var.eventbridge_rule_description + event_pattern = jsonencode(var.eventbridge_rule_event_pattern) + name = var.eventbridge_rule_name + state = var.eventbridge_rule_state + tags = var.eventbridge_rule_tags +} + +module "eventbridge-target" { + source = "../aws-cloudwatch-event-target" + + arn = module.kinesis-firehose-delivery-stream.this.arn + role_arn = module.eventbridge-firehose-iam-role.this.arn + rule = module.eventbridge-rule.this.name +} + +module "aws-dynamodb-asset" { + source = "../dsfhub-aws-dynamodb" + + access_id = var.aws_dynamodb_access_id + admin_email = var.aws_dynamodb_admin_email + asset_display_name = "arn:${data.aws_partition.current.partition}:dynamodb:${data.aws_caller_identity.current.account_id}" + asset_id = "arn:${data.aws_partition.current.partition}:dynamodb:${data.aws_caller_identity.current.account_id}" + auth_mechanism = var.aws_dynamodb_auth_mechanism + gateway_id = var.aws_dynamodb_gateway_id + iam_role_name = var.aws_dynamodb_iam_role_name + secret_key = var.aws_dynamodb_secret_key + username = var.aws_dynamodb_profile_name + + region = data.aws_region.current.name + server_host_name = 
"dynamodb.${data.aws_region.current.name}.amazonaws.com" + server_port = "443" +} + +module "aws-s3-asset" { + source = "../dsfhub-aws-s3-bucket-la" + + admin_email = var.aws_s3_admin_email + asset_display_name = module.s3-bucket.this.id + asset_id = module.s3-bucket.this.arn + audit_pull_enabled = var.aws_s3_audit_pull_enabled + audit_type = "DYNAMODB" + bucket_account_id = data.aws_caller_identity.current.account_id + gateway_id = var.aws_s3_gateway_id + parent_asset_id = module.aws-dynamodb-asset.this.asset_id + region = data.aws_region.current.name + server_host_name = module.s3-bucket.this.id + server_ip = module.s3-bucket.this.arn + server_port = "443" +} diff --git a/modules/onboard-aws-dynamodb-s3/outputs.tf b/modules/onboard-aws-dynamodb-s3/outputs.tf new file mode 100644 index 0000000..588db06 --- /dev/null +++ b/modules/onboard-aws-dynamodb-s3/outputs.tf 
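Review bot: The `firehose_assume_role` and `eventbridge_assume_role` trust policies let `firehose.amazonaws.com` and `events.amazonaws.com` assume the two roles with no condition, so a delivery stream or rule in another account could in principle assume them — the confused-deputy case both services document. Firehose's documented trust policy binds the role with `sts:ExternalId` equal to the owning account id, and the EventBridge guidance uses `aws:SourceAccount` (or `aws:SourceArn` on the rule ARN); both conditions are added below using the `data.aws_caller_identity.current` already declared at the top of the file. Minor: `depends_on = [module.s3-bucket]` on `kinesis-firehose-delivery-stream` is redundant, since `bucket_arn = module.s3-bucket.this.arn` already orders the two.
```hcl
data "aws_iam_policy_document" "firehose_assume_role" {
  statement {
    # … unchanged: effect, principals, actions …
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

data "aws_iam_policy_document" "eventbridge_assume_role" {
  statement {
    # … unchanged: effect, principals, actions …
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
```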
@@ -0,0 +1,49 @@
+output "s3-bucket" {
+ description = "S3 bucket"
+ value = module.s3-bucket.this
+}
+
+output "s3-bucket-policy" {
+ description = "S3 bucket policy"
+ value = module.s3-bucket-policy.this
+}
+
+output "dynamodb-cloudtrail" {
+ description = "DynamoDB CloudTrail"
+ value = module.dynamodb-cloudtrail.this
+}
+
+output "eventbridge-firehose-iam-role" {
+ description = "EventBridge to firehose IAM role"
+ value = module.eventbridge-firehose-iam-role.this
+}
+
+output "firehose-s3-iam-role" {
+ description = "Firehose to S3 IAM role"
+ value = module.firehose-s3-iam-role.this
+}
+
+output "kinesis-firehose-delivery-stream" {
+ description = "Firehose delivery stream to S3"
+ value = module.kinesis-firehose-delivery-stream.this
+}
+
+output "eventbridge-rule" {
+ description = "EventBridge rule"
+ value = module.eventbridge-rule.this
+}
+
+output "eventbridge-target" {
+ description = "EventBridge target"
+ value = module.eventbridge-target.this
+}
+
+output "aws-dynamodb-asset" {
+ description = "AWS DynamoDB asset"
+ value = module.aws-dynamodb-asset.this
+}
+
+output "aws-s3-bucket-asset" {
+ description = "AWS S3 asset"
+ value = module.aws-s3-asset.this
+}
diff --git a/modules/onboard-aws-dynamodb-s3/variables.tf b/modules/onboard-aws-dynamodb-s3/variables.tf
new file mode 100644
index 0000000..d49ea97
--- /dev/null
+++ b/modules/onboard-aws-dynamodb-s3/variables.tf
@@ -0,0 +1,239 @@
+variable "aws_dynamodb_access_id" {
+ description = "AWS Access ID. Required for \"key\" auth_mechanism."
+ type = string
+ default = null
+}
+
+variable "aws_dynamodb_admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "aws_dynamodb_auth_mechanism" {
+ description = "Specifies the auth mechanism used by the connection for the db asset. Valid values: key, profile, default or iam_role."
+ type = string
+ default = "default"
+ validation {
+ condition = contains(["key", "profile", "default", "iam_role"], var.aws_dynamodb_auth_mechanism)
+ error_message = "Invalid auth mechanism. Valid values: key, profile, default or iam_role."
+ }
+}
+
+variable "aws_dynamodb_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "aws_dynamodb_iam_role_name" {
+ description = "AWS arn of the IAM role to be assumed. Required for \"iam_role\" auth_mechanism."
+ type = string
+ default = null
+}
+
+variable "aws_dynamodb_profile_name" {
+ description = "The name of a profile in /install_dir/jsonar/local/credentials/.aws/credentials to use for authenticating"
+ type = string
+ default = null
+}
+
+variable "aws_dynamodb_secret_key" {
+ description = "AWS secret key. Required for \"key\" auth_mechanism."
+ type = string
+ default = null
+}
+
+variable "aws_s3_admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "aws_s3_audit_pull_enabled" {
+ description = "Whether the DSFHUB should pull logs from the asset."
+ type = bool
+ default = false
+}
+
+variable "aws_s3_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+
+variable "cloudtrail_enable_logging" {
+ description = "Enables logging for the trail. Setting this to \"false\" will pause logging."
+ type = bool
+ default = true
+}
+
+variable "cloudtrail_is_multi_region_trail" {
+ description = "Whether the trail is created in the current region or in all regions."
+ type = bool
+ default = false
+}
+
+variable "cloudtrail_name" {
+ description = "Name of the trail."
+ type = string
+}
+
+variable "cloudtrail_event_selector" {
+ description = "Specifies an event selector for enabling data event logging."
+ type = list(
+ object(
+ {
+ data_resource = optional(
+ object(
+ {
+ type = string
+ values = list(string)
+ }
+ )
+ )
+ exclude_management_event_sources = optional(list(string))
+ include_management_events = optional(bool)
+ read_write_type = optional(string)
+ }
+ )
+ )
+ default = [
+ {
+ data_resource = {
+ type = "AWS::DynamoDB::Table"
+ values = ["arn:aws:dynamodb"]
+ }
+ exclude_management_event_sources = [
+ "kms.amazonaws.com",
+ "rdsdata.amazonaws.com"
+ ]
+ include_management_events = true
+ read_write_type = "All"
+ }
+ ]
+}
+
+variable "eventbridge_rule_description" {
+ description = "The description of the rule."
+ type = string
+ default = "Captures All DynamoDB events and sends to CloudWatch log group"
+}
+
+variable "eventbridge_rule_name" {
+ description = "The name of the rule. If omitted, Terraform will assign a random, unique name."
+ type = string
+ default = null
+}
+
+variable "eventbridge_rule_event_pattern" {
+ description = "The event pattern described a JSON object. See full documentation of [Events and Event Patterns in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html) for details."
+ type = any
+ default = {
+ "source" : ["aws.dynamodb"],
+ "detail" : {
+ "eventSource" : ["dynamodb.amazonaws.com"],
+ "eventCategory" : ["Management"],
+ "sourceIPAddress" : [{
+ "anything-but" : ["replication.dynamodb.amazonaws.com", "dynamodb.application-autoscaling.amazonaws.com", "application-autoscaling.amazonaws.com"]
+ }]
+ }
+ }
+}
+
+variable "eventbridge_rule_state" {
+ description = "State of the rule. Valid values are DISABLED, ENABLED, and ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS."
+ type = string
+ default = "ENABLED"
+ validation {
+ condition = contains(["DISABLED", "ENABLED", "ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS"], var.eventbridge_rule_state)
+ error_message = "Invalid state. Valid values are DISABLED, ENABLED, and ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS."
+ }
+}
+
+variable "eventbridge_rule_tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
+
+variable "eventbridge_iam_role_name" {
+ description = "Friendly name of the role. If omitted, Terraform will assign a random, unique name. Forces new resource."
+ type = string
+ default = "dynamodb_eventbridge_role"
+}
+
+variable "eventbridge_iam_role_name_prefix" {
+ description = "Creates a unique friendly name beginning with the specified prefix. Conflicts with 'name'. Forces new resources."
+ type = string
+ default = null
+}
+
+variable "eventbridge_iam_role_description" {
+ description = "The description of the IAM role."
+ type = string
+ default = "IAM role for sending DynamoDB logs from EventBridge to Firehose."
+}
+
+variable "eventbridge_iam_role_tags" {
+ description = "Key-value mapping of tags for the IAM role."
+ type = map(string)
+ default = null
+}
+
+variable "firehose_iam_role_description" {
+ description = "The description of the IAM role."
+ type = string
+ default = "IAM role for sending DynamoDB logs from Firehose to S3."
+}
+
+variable "firehose_iam_role_name" {
+ description = "Friendly name of the role. If omitted, Terraform will assign a random, unique name. Forces new resource."
+ type = string
+ default = "dynamodb_firehose_role"
+}
+
+variable "firehose_iam_role_name_prefix" {
+ description = "Creates a unique friendly name beginning with the specified prefix. Conflicts with 'name'. Forces new resources."
+ type = string
+ default = null
+}
+
+variable "firehose_iam_role_tags" {
+ description = "Key-value mapping of tags for the IAM role."
+ type = map(string)
+ default = null
+}
+
+variable "firehose_name" {
+ description = "A name to identify the stream. This is unique to the AWS account and region the Stream is created in."
+ type = string
+}
+
+variable "firehose_tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
+
+variable "s3_bucket" {
+ description = "The name of the bucket. Must be lowercase and less than or equal to 63 characters in length."
+ type = string
+}
+
+variable "s3_bucket_prefix" {
+ description = "Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. Must be lowercase and less than or equal to 37 characters in length."
+ type = string
+ default = null
+}
+
+variable "s3_force_destroy" {
+ description = "A boolean that indicates all objects should be deleted from the bucket when the bucket is destroyed so that the bucket can be destroyed without error. See more details in the [aws terraform documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#force_destroy)."
+ type = bool
+ default = false
+}
+
+variable "s3_tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
+
From 687376b1d2ee6a1a54e649a3f76655d1088f9279 Mon Sep 17 00:00:00 2001
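Review bot: `aws_dynamodb_secret_key` and `aws_dynamodb_access_id` are declared without `sensitive = true`, so the credential supplied for the `key` auth mechanism is rendered verbatim in plan/apply diffs and in any CI log that captures them; add `sensitive = true` to both declarations (the file already relies on `optional()` object attributes, so the Terraform version in use supports it). The fixed defaults `eventbridge_iam_role_name = "dynamodb_eventbridge_role"` and `firehose_iam_role_name = "dynamodb_firehose_role"` are account-wide IAM names, so a second instance of this module in the same account (the example README in the last patch instantiates it several times) collides on role creation unless every caller overrides them; a `null` default paired with the `*_name_prefix` inputs, or a name derived from `var.firehose_name`, avoids that. `s3_bucket` has no default and is therefore required, which makes `s3_bucket_prefix` ("Conflicts with bucket") impossible to use; give `s3_bucket` `default = null` if the prefix path is meant to work, or drop the prefix variable.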
From: mattJsonar Date: Thu, 25 Jul 2024 15:59:57 -0700 Subject: [PATCH 2/4] update changelog, version compatability --- CHANGELOG.md | 6 ++++++ DSF_VERSION_COMPATABILITY.md | 8 ++++++++ 2 files changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4a25cd7..34993d9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Changelog +## 1.0.4 (2024-07-25) + +### Features +- Amazon DynamoDB via CloudWatch module +- Amazon DynamoDB via S3 Bucket module + ## 1.0.3 (2024-07-22) ### Features diff --git a/DSF_VERSION_COMPATABILITY.md b/DSF_VERSION_COMPATABILITY.md index daea41b..2724c10 100644 --- a/DSF_VERSION_COMPATABILITY.md +++ b/DSF_VERSION_COMPATABILITY.md @@ -11,6 +11,14 @@ The following table lists the DSF versions that each module is tested and mainta onboard-aws-docdb-cluster 4.17+ + + onboard-aws-dynamodb-cloudwatch + 4.16+ + + + onboard-aws-dynamodb-s3 + 4.17+ + onboard-aws-rds-neptune 4.17+ From 9d660d5d7684b9293eebfd8eb4a5bd5eadd254ac Mon Sep 17 00:00:00 2001 From: mattJsonar Date: Thu, 25 Jul 2024 23:01:14 +0000 Subject: [PATCH 3/4] Apply automatic changes --- .../aws-cloudwatch-event-rule/variables.tf | 22 +++++++++---------- modules/onboard-aws-dynamodb-s3/variables.tf | 20 ++++++++--------- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/modules/aws-cloudwatch-event-rule/variables.tf b/modules/aws-cloudwatch-event-rule/variables.tf index d1342c9..5215601 100644 --- a/modules/aws-cloudwatch-event-rule/variables.tf +++ b/modules/aws-cloudwatch-event-rule/variables.tf 
@@ -1,33 +1,33 @@ variable "description" { description = "The description of the rule." - type = string - default = null + type = string + default = null } variable "name" { description = "The name of the rule. If omitted, Terraform will assign a random, unique name." - type = string - default = null + type = string + default = null } variable "event_pattern" { description = "The event pattern described a JSON object. See full documentation of [Events and Event Patterns in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html) for details." - type = any - default = null + type = any + default = null } variable "state" { description = "State of the rule. Valid values are DISABLED, ENABLED, and ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS." - type = string - default = "ENABLED" + type = string + default = "ENABLED" validation { - condition = contains(["DISABLED", "ENABLED", "ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS"], var.state) + condition = contains(["DISABLED", "ENABLED", "ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS"], var.state) error_message = "Invalid state. Valid values are DISABLED, ENABLED, and ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS." } } variable "tags" { description = "A map of tags to assign to the resource." - type = map(string) - default = null + type = map(string) + default = null } diff --git a/modules/onboard-aws-dynamodb-s3/variables.tf b/modules/onboard-aws-dynamodb-s3/variables.tf index d49ea97..6df8db7 100644 --- a/modules/onboard-aws-dynamodb-s3/variables.tf +++ b/modules/onboard-aws-dynamodb-s3/variables.tf 
@@ -113,19 +113,19 @@ variable "cloudtrail_event_selector" { variable "eventbridge_rule_description" { description = "The description of the rule." - type = string - default = "Captures All DynamoDB events and sends to CloudWatch log group" + type = string + default = "Captures All DynamoDB events and sends to CloudWatch log group" } variable "eventbridge_rule_name" { description = "The name of the rule. If omitted, Terraform will assign a random, unique name." - type = string - default = null + type = string + default = null } variable "eventbridge_rule_event_pattern" { description = "The event pattern described a JSON object. See full documentation of [Events and Event Patterns in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html) for details." - type = any + type = any default = { "source" : ["aws.dynamodb"], "detail" : { @@ -140,18 +140,18 @@ variable "eventbridge_rule_event_pattern" { variable "eventbridge_rule_state" { description = "State of the rule. Valid values are DISABLED, ENABLED, and ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS." - type = string - default = "ENABLED" + type = string + default = "ENABLED" validation { - condition = contains(["DISABLED", "ENABLED", "ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS"], var.eventbridge_rule_state) + condition = contains(["DISABLED", "ENABLED", "ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS"], var.eventbridge_rule_state) error_message = "Invalid state. Valid values are DISABLED, ENABLED, and ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS." } } variable "eventbridge_rule_tags" { description = "A map of tags to assign to the resource." - type = map(string) - default = null + type = map(string) + default = null } variable "eventbridge_iam_role_name" { From 6c858a0b8cbfd6018aea0cb9b60513b029dd5d6f Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" Date: Thu, 25 Jul 2024 23:02:18 +0000 Subject: [PATCH 4/4] terraform-docs: automated action --- .../onboard-aws-dynamodb-cloudwatch/README.md | 14 ++++++++++++++ examples/onboard-aws-dynamodb-s3/README.md | 14 ++++++++++++++ modules/aws-cloudtrail/README.md | 12 +++++++++--- modules/aws-cloudwatch-event-rule/README.md | 6 ++++++ modules/aws-cloudwatch-event-target/README.md | 8 +++++++- .../README.md | 6 ++++++ modules/aws-iam-role/README.md | 2 +- .../README.md | 8 +++++++- modules/dsfhub-aws-cloud-account/README.md | 6 +++--- modules/dsfhub-aws-dynamodb/README.md | 10 ++++++++-- .../onboard-aws-dynamodb-cloudwatch/README.md | 18 ++++++++++-------- modules/onboard-aws-dynamodb-s3/README.md | 16 +++++++++------- 12 files changed, 94 insertions(+), 26 deletions(-) diff --git a/examples/onboard-aws-dynamodb-cloudwatch/README.md b/examples/onboard-aws-dynamodb-cloudwatch/README.md index e85861a..3504c1d 100644 --- a/examples/onboard-aws-dynamodb-cloudwatch/README.md +++ b/examples/onboard-aws-dynamodb-cloudwatch/README.md @@ -17,7 +17,13 @@ This example creates both 'aws' and 'dsfhub' resources. More information regardi +## Requirements +No requirements. + +## Providers + +No providers. ## Modules @@ -28,6 +34,10 @@ This example creates both 'aws' and 'dsfhub' resources. More information regardi | [dynamodb-3](#module\_dynamodb-3) | ../../modules/onboard-aws-dynamodb-cloudwatch | n/a | | [dynamodb-4](#module\_dynamodb-4) | ../../modules/onboard-aws-dynamodb-cloudwatch | n/a | +## Resources + +No resources. + ## Inputs | Name | Description | Type | Default | Required | 
@@ -36,4 +46,8 @@ This example creates both 'aws' and 'dsfhub' resources. More information regardi | [aws\_dynamodb\_secret\_key](#input\_aws\_dynamodb\_secret\_key) | n/a | `any` | n/a | yes | | [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | | [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + +## Outputs + +No outputs. \ No newline at end of file diff --git a/examples/onboard-aws-dynamodb-s3/README.md b/examples/onboard-aws-dynamodb-s3/README.md index 371eb40..fc2fa42 100644 --- a/examples/onboard-aws-dynamodb-s3/README.md +++ b/examples/onboard-aws-dynamodb-s3/README.md @@ -16,7 +16,13 @@ This example creates both 'aws' and 'dsfhub' resources. More information regardi - [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) +## Requirements +No requirements. + +## Providers + +No providers. ## Modules @@ -27,6 +33,10 @@ This example creates both 'aws' and 'dsfhub' resources. More information regardi | [dynamodb-3](#module\_dynamodb-3) | ../../modules/onboard-aws-dynamodb-s3 | n/a | | [dynamodb-4](#module\_dynamodb-4) | ../../modules/onboard-aws-dynamodb-s3 | n/a | +## Resources + +No resources. + ## Inputs | Name | Description | Type | Default | Required | @@ -35,4 +45,8 @@ This example creates both 'aws' and 'dsfhub' resources. More information regardi | [aws\_dynamodb\_secret\_key](#input\_aws\_dynamodb\_secret\_key) | n/a | `any` | n/a | yes | | [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | | [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + +## Outputs + +No outputs. \ No newline at end of file diff --git a/modules/aws-cloudtrail/README.md b/modules/aws-cloudtrail/README.md index 1af90b9..819c2e1 100644 --- a/modules/aws-cloudtrail/README.md +++ b/modules/aws-cloudtrail/README.md @@ -1,5 +1,7 @@ +## Requirements +No requirements. ## Providers 
@@ -7,6 +9,10 @@ |------|---------| | [aws](#provider\_aws) | n/a | +## Modules + +No modules. + ## Resources | Name | Type | @@ -17,16 +23,16 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [name](#input\_name) | Name of the trail. | `string` | n/a | yes | -| [s3\_bucket\_name](#input\_s3\_bucket\_name) | Name of the S3 bucket designated for publishing log files. | `string` | n/a | yes | | [enable\_logging](#input\_enable\_logging) | Enables logging for the trail. Setting this to "false" will pause logging. | `bool` | `true` | no | | [event\_selector](#input\_event\_selector) | Specifies an event selector for enabling data event logging. |
list(
object(
{
data_resource = optional(
object(
{
type = string
values = list(string)
}
)
)
exclude_management_event_sources = optional(list(string))
include_management_events = optional(bool)
read_write_type = optional(string)
}
)
)
| `null` | no | | [include\_global\_service\_events](#input\_include\_global\_service\_events) | Whether the trail is publishing events from global services such as IAM to the log files. | `bool` | `true` | no | | [is\_multi\_region\_trail](#input\_is\_multi\_region\_trail) | Whether the trail is created in the current region or in all regions. | `bool` | `false` | no | +| [name](#input\_name) | Name of the trail. | `string` | n/a | yes | +| [s3\_bucket\_name](#input\_s3\_bucket\_name) | Name of the S3 bucket designated for publishing log files. | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| -| [this](#output\_this) | AWS Cloudtrail | +| [this](#output\_this) | AWS CloudTrail trail | \ No newline at end of file diff --git a/modules/aws-cloudwatch-event-rule/README.md b/modules/aws-cloudwatch-event-rule/README.md index 823c14b..338d95c 100644 --- a/modules/aws-cloudwatch-event-rule/README.md +++ b/modules/aws-cloudwatch-event-rule/README.md @@ -1,5 +1,7 @@ +## Requirements +No requirements. ## Providers @@ -7,6 +9,10 @@ |------|---------| | [aws](#provider\_aws) | n/a | +## Modules + +No modules. + ## Resources | Name | Type | diff --git a/modules/aws-cloudwatch-event-target/README.md b/modules/aws-cloudwatch-event-target/README.md index 83128e4..0083530 100644 --- a/modules/aws-cloudwatch-event-target/README.md +++ b/modules/aws-cloudwatch-event-target/README.md @@ -1,5 +1,7 @@ +## Requirements +No requirements. ## Providers @@ -7,6 +9,10 @@ |------|---------| | [aws](#provider\_aws) | n/a | +## Modules + +No modules. + ## Resources | Name | Type | 
@@ -18,8 +24,8 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [arn](#input\_arn) | The Amazon Resource Name (ARN) of the target. | `string` | n/a | yes | -| [rule](#input\_rule) | The name of the rule you want to add targets to. | `string` | n/a | yes | | [role\_arn](#input\_role\_arn) | The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered. | `string` | `null` | no | +| [rule](#input\_rule) | The name of the rule you want to add targets to. | `string` | n/a | yes | ## Outputs diff --git a/modules/aws-cloudwatch-log-resource-policy/README.md b/modules/aws-cloudwatch-log-resource-policy/README.md index 57f7feb..bc89d9c 100644 --- a/modules/aws-cloudwatch-log-resource-policy/README.md +++ b/modules/aws-cloudwatch-log-resource-policy/README.md @@ -1,5 +1,7 @@ +## Requirements +No requirements. ## Providers @@ -7,6 +9,10 @@ |------|---------| | [aws](#provider\_aws) | n/a | +## Modules + +No modules. + ## Resources | Name | Type | diff --git a/modules/aws-iam-role/README.md b/modules/aws-iam-role/README.md index 17e6ebc..c766046 100644 --- a/modules/aws-iam-role/README.md +++ b/modules/aws-iam-role/README.md 
@@ -24,12 +24,12 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [assume\_role\_policy](#input\_assume\_role\_policy) | The policy that grants an entity permission to assume the role. | `string` | n/a | yes | -| [name](#input\_name) | Friendly name of the role. If omitted, Terraform will assign a random, unique name. Forces new resource. | `string` | n/a | yes | | [description](#input\_description) | The description of the IAM role. | `string` | `null` | no | | [force\_detach\_policies](#input\_force\_detach\_policies) | Specifies whether to force detaching any policies the role has before destroying it. Defaults to false. | `bool` | `false` | no | | [inline\_policy](#input\_inline\_policy) | Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. |
list(
object(
{
name = string
policy = any
}
)
)
| `null` | no | | [managed\_policy\_arns](#input\_managed\_policy\_arns) | Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Terraform will ignore policy attachments to this resource. When configured, Terraform will align the role's managed policy attachments with this set by attaching or detaching managed policies. | `list(string)` | `null` | no | | [max\_session\_duration](#input\_max\_session\_duration) | The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours. | `number` | `3600` | no | +| [name](#input\_name) | Friendly name of the role. If omitted, Terraform will assign a random, unique name. Forces new resource. | `string` | n/a | yes | | [name\_prefix](#input\_name\_prefix) | Creates a unique friendly name beginning with the specified prefix. Conflicts with 'name'. Forces new resources. | `string` | `null` | no | | [path](#input\_path) | The path to the role. For more information about paths, see IAM Identifiers in the IAM User Guide. | `string` | `"/"` | no | | [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no | diff --git a/modules/aws-kinesis-firehose-delivery-stream/README.md b/modules/aws-kinesis-firehose-delivery-stream/README.md index 3b6c5d0..490c0e8 100644 --- a/modules/aws-kinesis-firehose-delivery-stream/README.md +++ b/modules/aws-kinesis-firehose-delivery-stream/README.md @@ -1,5 +1,7 @@ +## Requirements +No requirements. ## Providers @@ -7,6 +9,10 @@ |------|---------| | [aws](#provider\_aws) | n/a | +## Modules + +No modules. + ## Resources | Name | Type | 
@@ -18,8 +24,8 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [destination](#input\_destination) | This is the destination to where the data is delivered. Valid values: extended\_s3, redshift, elasticsearch, splunk, http\_endpoint, opensearch, opensearchserverless, snowflake. | `string` | n/a | yes | +| [extended\_s3\_configuration](#input\_extended\_s3\_configuration) | Enhanced configuration options for the s3 destination. |
object(
{
bucket_arn = optional(string)
compression_format = optional(string)
error_output_prefix = optional(string)
file_extension = optional(string)
prefix = optional(string)
role_arn = optional(string)
processing_configuration = optional(
object(
{
enabled = string
processors = optional(
object(
{
type = string
}
)
)
}
)
)
}
)
| `null` | no | | [name](#input\_name) | A name to identify the stream. This is unique to the AWS account and region the Stream is created in. | `string` | n/a | yes | -| [extended\_s3\_configuration](#input\_extended\_s3\_configuration) | Enhanced configuration options for the s3 destination. |
object(
{
bucket_arn = optional(string)
compression_format = optional(string)
error_output_prefix = optional(string)
file_extension = optional(string)
prefix = optional(string)
role_arn = optional(string)
processing_configuration = optional(
object(
{
enabled = string
processors = optional(
object(
{
type = string
# TODO: support 'parameters' block, see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream.html#parameters-block
}
)
)
}
)
)
}
)
| `null` | no | | [tags](#input\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | ## Outputs diff --git a/modules/dsfhub-aws-cloud-account/README.md b/modules/dsfhub-aws-cloud-account/README.md index db717ae..24e6cb6 100644 --- a/modules/dsfhub-aws-cloud-account/README.md +++ b/modules/dsfhub-aws-cloud-account/README.md @@ -28,12 +28,12 @@ No modules. | [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | | [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes | | [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:iam::1234567890" | `string` | n/a | yes | -| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | -| [region](#input\_region) | Default AWS region of the account | `string` | n/a | yes | | [auth\_mechanism](#input\_auth\_mechanism) | Specifies the auth mechanism used by the connection for the account asset | `string` | `"default"` | no | | [aws\_access\_key](#input\_aws\_access\_key) | AWS Access ID | `string` | `null` | no | | [aws\_secret\_key](#input\_aws\_secret\_key) | AWS secret key | `string` | `null` | no | -| [profile\_name](#input\_profile\_name) | The name of a profile in /install\_dir/jsonar/local/credentials/.aws/credentials to use for authenticating | `string` | `null` | no | +| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [profile\_name](#input\_profile\_name) | The name of a profile in /install\_dir/jsonar/local/credentials/.aws/credentials to use for authentication | `string` | `null` | no | +| [region](#input\_region) | Default AWS region of the account | `string` | n/a | yes | ## Outputs 
diff --git a/modules/dsfhub-aws-dynamodb/README.md b/modules/dsfhub-aws-dynamodb/README.md index 4a268b8..4b0be8b 100644 --- a/modules/dsfhub-aws-dynamodb/README.md +++ b/modules/dsfhub-aws-dynamodb/README.md @@ -1,5 +1,7 @@ +## Requirements +No requirements. ## Providers @@ -7,6 +9,10 @@ |------|---------| | [dsfhub](#provider\_dsfhub) | n/a | +## Modules + +No modules. + ## Resources | Name | Type | 
@@ -17,15 +23,15 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [access\_id](#input\_access\_id) | AWS Access ID. Required for "key" auth\_mechanism. | `string` | `null` | no | | [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | | [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes | | [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:dynamodb:123456789012" | `string` | n/a | yes | -| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | -| [access\_id](#input\_access\_id) | AWS Access ID. Required for "key" auth\_mechanism. | `string` | `null` | no | | [audit\_pull\_enabled](#input\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `null` | no | | [audit\_type](#input\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `null` | no | | [auth\_mechanism](#input\_auth\_mechanism) | Specifies the auth mechanism used by the connection for the db asset. Valid values: key, profile, default or iam\_role. | `string` | `"default"` | no | | [available\_regions](#input\_available\_regions) | A list of regions to use when pulling region-specific audit logs | `list(string)` | `null` | no | +| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | | [iam\_role\_name](#input\_iam\_role\_name) | AWS arn of the IAM role to be assumed. Required for "iam\_role" auth\_mechanism. 
| `string` | `null` | no | | [parent\_asset\_id](#input\_parent\_asset\_id) | DSFHUB Cloud Account Asset ID | `string` | `null` | no | | [region](#input\_region) | AWS region of the DynamoDB instance. | `string` | `null` | no | diff --git a/modules/onboard-aws-dynamodb-cloudwatch/README.md b/modules/onboard-aws-dynamodb-cloudwatch/README.md index 6ca470c..8ce8a7b 100644 --- a/modules/onboard-aws-dynamodb-cloudwatch/README.md +++ b/modules/onboard-aws-dynamodb-cloudwatch/README.md @@ -7,7 +7,9 @@ The ``AWS DYNAMODB`` asset supports various authentication mechanisms (key, iam_ See the corresponding example for more details. +## Requirements +No requirements. ## Providers 
@@ -43,31 +45,31 @@ See the corresponding example for more details.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [aws\_dynamodb\_admin\_email](#input\_aws\_dynamodb\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
-| [aws\_dynamodb\_gateway\_id](#input\_aws\_dynamodb\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
-| [aws\_log\_group\_admin\_email](#input\_aws\_log\_group\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes |
-| [aws\_log\_group\_gateway\_id](#input\_aws\_log\_group\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes |
-| [cloudtrail\_name](#input\_cloudtrail\_name) | Name of the trail. | `string` | n/a | yes |
-| [log\_group\_name](#input\_log\_group\_name) | Name of AWS CloudWatch log group to contain DynamoDB logs. Will be prefixed with "/aws/events". | `string` | n/a | yes |
-| [s3\_bucket\_name](#input\_s3\_bucket\_name) | The name of the bucket. Must be lowercase and less than or equal to 63 characters in length. | `string` | n/a | yes |
 | [aws\_dynamodb\_access\_id](#input\_aws\_dynamodb\_access\_id) | AWS Access ID. Required for "key" auth\_mechanism. | `string` | `null` | no |
+| [aws\_dynamodb\_admin\_email](#input\_aws\_dynamodb\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
 | [aws\_dynamodb\_auth\_mechanism](#input\_aws\_dynamodb\_auth\_mechanism) | Specifies the auth mechanism used by the connection for the db asset. Valid values: key, profile, default or iam\_role. 
| `string` | `"default"` | no |
+| [aws\_dynamodb\_gateway\_id](#input\_aws\_dynamodb\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
 | [aws\_dynamodb\_iam\_role\_name](#input\_aws\_dynamodb\_iam\_role\_name) | AWS arn of the IAM role to be assumed. Required for "iam\_role" auth\_mechanism. | `string` | `null` | no |
 | [aws\_dynamodb\_profile\_name](#input\_aws\_dynamodb\_profile\_name) | The name of a profile in /install\_dir/jsonar/local/credentials/.aws/credentials to use for authentication. Required for "profile" auth\_mechanism. | `string` | `null` | no |
 | [aws\_dynamodb\_secret\_key](#input\_aws\_dynamodb\_secret\_key) | AWS secret key. Required for "key" auth\_mechanism. | `string` | `null` | no |
+| [aws\_log\_group\_admin\_email](#input\_aws\_log\_group\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes |
 | [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no |
+| [aws\_log\_group\_gateway\_id](#input\_aws\_log\_group\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes |
 | [aws\_log\_group\_reason](#input\_aws\_log\_group\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no |
 | [cloudtrail\_enable\_logging](#input\_cloudtrail\_enable\_logging) | Enables logging for the trail. Setting this to "false" will pause logging. | `bool` | `true` | no |
 | [cloudtrail\_event\_selector](#input\_cloudtrail\_event\_selector) | Specifies an event selector for enabling data event logging. Note: exclude\_management\_event\_sources requires include\_management\_events set to true. If include\_management\_events is set to false, do not pass in exclude\_management\_event\_sources. |
list(
object(
{
data_resource = optional(
object(
{
type = string
values = list(string)
}
)
)
exclude_management_event_sources = optional(list(string))
include_management_events = optional(bool)
read_write_type = optional(string)
}
)
)
|
[
{
"data_resource": {
"type": "AWS::DynamoDB::Table",
"values": [
"arn:aws:dynamodb"
]
},
"exclude_management_event_sources": [
"kms.amazonaws.com",
"rdsdata.amazonaws.com"
],
"include_management_events": true,
"read_write_type": "All"
}
]
| no |
 | [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | Whether the trail is created in the current region or in all regions. | `bool` | `false` | no |
+| [cloudtrail\_name](#input\_cloudtrail\_name) | Name of the trail. | `string` | n/a | yes |
 | [cloudwatch\_policy\_policy\_name](#input\_cloudwatch\_policy\_policy\_name) | Name of the resource policy. | `string` | `"eventbridge-to-cloudwatch-policy"` | no |
-| [eventbridge\_rule\_description](#input\_eventbridge\_rule\_description) | The description of the eventbridge rule. | `string` | `"Captures All DynamoDB events and sends to CloudWatch log group"` | no |
+| [eventbridge\_rule\_description](#input\_eventbridge\_rule\_description) | The description of the EventBridge rule. | `string` | `"Captures All DynamoDB events and sends to CloudWatch log group"` | no |
 | [eventbridge\_rule\_event\_pattern](#input\_eventbridge\_rule\_event\_pattern) | The event pattern described a JSON object. See full documentation of [Events and Event Patterns in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html) for details. | `any` |
{
"detail": {
"eventSource": [
"dynamodb.amazonaws.com"
],
"sourceIPAddress": [
{
"anything-but": [
"replication.dynamodb.amazonaws.com",
"dynamodb.application-autoscaling.amazonaws.com",
"application-autoscaling.amazonaws.com"
]
}
]
},
"source": [
"aws.dynamodb"
]
}
| no |
 | [eventbridge\_rule\_name](#input\_eventbridge\_rule\_name) | The name of the rule. If omitted, Terraform will assign a random, unique name. | `string` | `null` | no |
 | [eventbridge\_rule\_state](#input\_eventbridge\_rule\_state) | State of the rule. Valid values are DISABLED, ENABLED, and ENABLED\_WITH\_ALL\_CLOUDTRAIL\_MANAGEMENT\_EVENTS. | `string` | `"ENABLED"` | no |
 | [eventbridge\_rule\_tags](#input\_eventbridge\_rule\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no |
+| [log\_group\_name](#input\_log\_group\_name) | Name of AWS CloudWatch log group to contain DynamoDB logs. Will be prefixed with "/aws/events". | `string` | n/a | yes |
 | [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. | `number` | `7` | no |
 | [s3\_bucket\_force\_destroy](#input\_s3\_bucket\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket when the bucket is destroyed so that the bucket can be destroyed without error. See more details in the [aws terraform documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#force_destroy). | `bool` | `false` | no |
+| [s3\_bucket\_name](#input\_s3\_bucket\_name) | The name of the bucket. Must be lowercase and less than or equal to 63 characters in length. | `string` | n/a | yes |
 | [s3\_bucket\_tags](#input\_s3\_bucket\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no |
 ## Outputs
diff --git a/modules/onboard-aws-dynamodb-s3/README.md b/modules/onboard-aws-dynamodb-s3/README.md
index b9d6bd3..944e2b7 100644
--- a/modules/onboard-aws-dynamodb-s3/README.md
+++ b/modules/onboard-aws-dynamodb-s3/README.md 
@@ -7,7 +7,9 @@ The ``AWS DYNAMODB`` asset supports various authentication mechanisms (key, iam_
 See the corresponding example for more details.
+## Requirements
+No requirements.
 ## Providers 
@@ -47,22 +49,20 @@ See the corresponding example for more details.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [aws\_dynamodb\_admin\_email](#input\_aws\_dynamodb\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
-| [aws\_dynamodb\_gateway\_id](#input\_aws\_dynamodb\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
-| [aws\_s3\_admin\_email](#input\_aws\_s3\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
-| [aws\_s3\_gateway\_id](#input\_aws\_s3\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
-| [cloudtrail\_name](#input\_cloudtrail\_name) | Name of the trail. | `string` | n/a | yes |
-| [firehose\_name](#input\_firehose\_name) | A name to identify the stream. This is unique to the AWS account and region the Stream is created in. | `string` | n/a | yes |
-| [s3\_bucket](#input\_s3\_bucket) | The name of the bucket. Must be lowercase and less than or equal to 63 characters in length. | `string` | n/a | yes |
 | [aws\_dynamodb\_access\_id](#input\_aws\_dynamodb\_access\_id) | AWS Access ID. Required for "key" auth\_mechanism. | `string` | `null` | no |
+| [aws\_dynamodb\_admin\_email](#input\_aws\_dynamodb\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
 | [aws\_dynamodb\_auth\_mechanism](#input\_aws\_dynamodb\_auth\_mechanism) | Specifies the auth mechanism used by the connection for the db asset. Valid values: key, profile, default or iam\_role. 
| `string` | `"default"` | no |
+| [aws\_dynamodb\_gateway\_id](#input\_aws\_dynamodb\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
 | [aws\_dynamodb\_iam\_role\_name](#input\_aws\_dynamodb\_iam\_role\_name) | AWS arn of the IAM role to be assumed. Required for "iam\_role" auth\_mechanism. | `string` | `null` | no |
 | [aws\_dynamodb\_profile\_name](#input\_aws\_dynamodb\_profile\_name) | The name of a profile in /install\_dir/jsonar/local/credentials/.aws/credentials to use for authenticating | `string` | `null` | no |
 | [aws\_dynamodb\_secret\_key](#input\_aws\_dynamodb\_secret\_key) | AWS secret key. Required for "key" auth\_mechanism. | `string` | `null` | no |
+| [aws\_s3\_admin\_email](#input\_aws\_s3\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
 | [aws\_s3\_audit\_pull\_enabled](#input\_aws\_s3\_audit\_pull\_enabled) | Whether the DSFHUB should pull logs from the asset. | `bool` | `false` | no |
+| [aws\_s3\_gateway\_id](#input\_aws\_s3\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
 | [cloudtrail\_enable\_logging](#input\_cloudtrail\_enable\_logging) | Enables logging for the trail. Setting this to "false" will pause logging. | `bool` | `true` | no |
 | [cloudtrail\_event\_selector](#input\_cloudtrail\_event\_selector) | Specifies an event selector for enabling data event logging. |
list(
object(
{
data_resource = optional(
object(
{
type = string
values = list(string)
}
)
)
exclude_management_event_sources = optional(list(string))
include_management_events = optional(bool)
read_write_type = optional(string)
}
)
)
|
[
{
"data_resource": {
"type": "AWS::DynamoDB::Table",
"values": [
"arn:aws:dynamodb"
]
},
"exclude_management_event_sources": [
"kms.amazonaws.com",
"rdsdata.amazonaws.com"
],
"include_management_events": true,
"read_write_type": "All"
}
]
| no |
 | [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | Whether the trail is created in the current region or in all regions. | `bool` | `false` | no |
+| [cloudtrail\_name](#input\_cloudtrail\_name) | Name of the trail. | `string` | n/a | yes |
 | [eventbridge\_iam\_role\_description](#input\_eventbridge\_iam\_role\_description) | The description of the IAM role. | `string` | `"IAM role for sending DynamoDB logs from EventBridge to Firehose."` | no |
 | [eventbridge\_iam\_role\_name](#input\_eventbridge\_iam\_role\_name) | Friendly name of the role. If omitted, Terraform will assign a random, unique name. Forces new resource. | `string` | `"dynamodb_eventbridge_role"` | no |
 | [eventbridge\_iam\_role\_name\_prefix](#input\_eventbridge\_iam\_role\_name\_prefix) | Creates a unique friendly name beginning with the specified prefix. Conflicts with 'name'. Forces new resources. | `string` | `null` | no | 
@@ -76,7 +76,9 @@ See the corresponding example for more details.
 | [firehose\_iam\_role\_name](#input\_firehose\_iam\_role\_name) | Friendly name of the role. If omitted, Terraform will assign a random, unique name. Forces new resource. | `string` | `"dynamodb_firehose_role"` | no |
 | [firehose\_iam\_role\_name\_prefix](#input\_firehose\_iam\_role\_name\_prefix) | Creates a unique friendly name beginning with the specified prefix. Conflicts with 'name'. Forces new resources. | `string` | `null` | no |
 | [firehose\_iam\_role\_tags](#input\_firehose\_iam\_role\_tags) | Key-value mapping of tags for the IAM role. | `map(string)` | `null` | no |
+| [firehose\_name](#input\_firehose\_name) | A name to identify the stream. This is unique to the AWS account and region the Stream is created in. | `string` | n/a | yes |
 | [firehose\_tags](#input\_firehose\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no |
+| [s3\_bucket](#input\_s3\_bucket) | The name of the bucket. Must be lowercase and less than or equal to 63 characters in length. | `string` | n/a | yes |
 | [s3\_bucket\_prefix](#input\_s3\_bucket\_prefix) | Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. Must be lowercase and less than or equal to 37 characters in length. | `string` | `null` | no |
 | [s3\_force\_destroy](#input\_s3\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket when the bucket is destroyed so that the bucket can be destroyed without error. See more details in the [aws terraform documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#force_destroy). | `bool` | `false` | no |
 | [s3\_tags](#input\_s3\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no |