From c4eed4fbf8b662bf3208f24462fdc895ff9c1a4e Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 10 Sep 2024 13:24:19 +0100 Subject: [PATCH 1/9] create and apply data protection policies to log groups --- .../cloudwatch_data_protection_policy.tf | 33 +++++++++++++++++ .../environment/region/modules/lambda/main.tf | 35 +++++++++++++++++++ .../region/modules/s3_antivirus/main.tf | 34 ++++++++++++++++++ 3 files changed, 102 insertions(+) create mode 100644 terraform/environment/region/modules/application_logs/cloudwatch_data_protection_policy.tf diff --git a/terraform/environment/region/modules/application_logs/cloudwatch_data_protection_policy.tf b/terraform/environment/region/modules/application_logs/cloudwatch_data_protection_policy.tf new file mode 100644 index 0000000000..fe92f1e2b7 --- /dev/null +++ b/terraform/environment/region/modules/application_logs/cloudwatch_data_protection_policy.tf @@ -0,0 +1,33 @@ +resource "aws_cloudwatch_log_data_protection_policy" "application_logs" { + log_group_name = aws_cloudwatch_log_group.application_logs.name + policy_document = jsonencode({ + Name = "data-protection-${data.aws_default_tags.current.tags.environment-name}-application-logs" + Version = "2021-06-01" + + "Statement" : [ + { + "Sid" : "audit-policy", + "DataIdentifier" : [ + "arn:aws:dataprotection::aws:data-identifier/EmailAddress" + ], + "Operation" : { + "Audit" : { + "FindingsDestination" : {} + } + } + }, + { + "Sid" : "redact-policy", + "DataIdentifier" : [ + "arn:aws:dataprotection::aws:data-identifier/EmailAddress" + ], + "Operation" : { + "Deidentify" : { + "MaskConfig" : {} + } + } + } + ] + }) + provider = aws.region +} diff --git a/terraform/environment/region/modules/lambda/main.tf b/terraform/environment/region/modules/lambda/main.tf index 6d70f276f3..7b6d6a745e 100644 --- a/terraform/environment/region/modules/lambda/main.tf +++ b/terraform/environment/region/modules/lambda/main.tf 
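Review bot: The audit statement's `"FindingsDestination" : {}` is empty, so findings for this log group are delivered to no CloudWatch Logs group, Firehose stream or S3 bucket; only the data-protection metric moves, which leaves no reviewable record of where e-mail addresses are turning up in the logs. If a trail is wanted, point it at a dedicated group, e.g. `"FindingsDestination" : { "CloudWatchLogs" : { "LogGroup" : "<findings-log-group-name>" } }`, keeping that group out of the policy's own scope. Two caveats are worth a comment on the resource: masking governs how events are displayed and retrieved, so principals holding `logs:Unmask` still read the raw values, and only events ingested after the policy exists are covered. The same body is repeated in the lambda and s3_antivirus hunks of this commit and ends up in the shared JSON file created in 7/9, so the destination only needs fixing once there.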
@@ -4,6 +4,41 @@ resource "aws_cloudwatch_log_group" "lambda" { provider = aws.region } +resource "aws_cloudwatch_log_data_protection_policy" "application_logs" { + log_group_name = aws_cloudwatch_log_group.lambda.name + policy_document = jsonencode({ + Name = "data-protection-${var.environment}-${var.lambda_name}" + Version = "2021-06-01" + + "Statement" : [ + { + "Sid" : "audit-policy", + "DataIdentifier" : [ + "arn:aws:dataprotection::aws:data-identifier/EmailAddress" + ], + "Operation" : { + "Audit" : { + "FindingsDestination" : {} + } + } + }, + { + "Sid" : "redact-policy", + "DataIdentifier" : [ + "arn:aws:dataprotection::aws:data-identifier/EmailAddress" + ], + "Operation" : { + "Deidentify" : { + "MaskConfig" : {} + } + } + } + ] + }) + provider = aws.region +} + + resource "aws_lambda_function" "lambda_function" { function_name = "${var.lambda_name}-${var.environment}" description = var.description diff --git a/terraform/environment/region/modules/s3_antivirus/main.tf b/terraform/environment/region/modules/s3_antivirus/main.tf index d986b13f3a..09013c2952 100644 --- a/terraform/environment/region/modules/s3_antivirus/main.tf +++ b/terraform/environment/region/modules/s3_antivirus/main.tf 
@@ -5,6 +5,40 @@ resource "aws_cloudwatch_log_group" "lambda" { provider = aws.region } +resource "aws_cloudwatch_log_data_protection_policy" "application_logs" { + log_group_name = aws_cloudwatch_log_group.lambda.name + policy_document = jsonencode({ + Name = "data-protection-${data.aws_default_tags.current.tags.environment-name}-$s3-antivirus" + Version = "2021-06-01" + + "Statement" : [ + { + "Sid" : "audit-policy", + "DataIdentifier" : [ + "arn:aws:dataprotection::aws:data-identifier/EmailAddress" + ], + "Operation" : { + "Audit" : { + "FindingsDestination" : {} + } + } + }, + { + "Sid" : "redact-policy", + "DataIdentifier" : [ + "arn:aws:dataprotection::aws:data-identifier/EmailAddress" + ], + "Operation" : { + "Deidentify" : { + "MaskConfig" : {} + } + } + } + ] + }) + provider = aws.region +} + resource "aws_cloudwatch_query_definition" "main" { name = "${data.aws_default_tags.current.tags.environment-name}/s3-antivirus" log_group_names = [aws_cloudwatch_log_group.lambda.name] From c6f3550528dc809a288a4a391ef30b9236aba345 Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 10 Sep 2024 13:39:51 +0100 Subject: [PATCH 2/9] fix typo in name --- terraform/environment/region/modules/lambda/main.tf | 2 +- terraform/environment/region/modules/s3_antivirus/main.tf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/environment/region/modules/lambda/main.tf b/terraform/environment/region/modules/lambda/main.tf index 7b6d6a745e..24f73d6a90 100644 --- a/terraform/environment/region/modules/lambda/main.tf +++ b/terraform/environment/region/modules/lambda/main.tf @@ -4,7 +4,7 @@ resource "aws_cloudwatch_log_group" "lambda" { provider = aws.region } -resource "aws_cloudwatch_log_data_protection_policy" "application_logs" { +resource "aws_cloudwatch_log_data_protection_policy" "logs" { log_group_name = aws_cloudwatch_log_group.lambda.name policy_document = jsonencode({ Name = "data-protection-${var.environment}-${var.lambda_name}" 
diff --git a/terraform/environment/region/modules/s3_antivirus/main.tf b/terraform/environment/region/modules/s3_antivirus/main.tf index 09013c2952..aed9841fb3 100644 --- a/terraform/environment/region/modules/s3_antivirus/main.tf +++ b/terraform/environment/region/modules/s3_antivirus/main.tf @@ -5,10 +5,10 @@ resource "aws_cloudwatch_log_group" "lambda" { provider = aws.region } -resource "aws_cloudwatch_log_data_protection_policy" "application_logs" { +resource "aws_cloudwatch_log_data_protection_policy" "logs" { log_group_name = aws_cloudwatch_log_group.lambda.name policy_document = jsonencode({ - Name = "data-protection-${data.aws_default_tags.current.tags.environment-name}-$s3-antivirus" + Name = "data-protection-${data.aws_default_tags.current.tags.environment-name}-s3-antivirus" Version = "2021-06-01" "Statement" : [ From 167fd768c2209224f4c8e45db27e279dff78f0a9 Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 10 Sep 2024 14:02:21 +0100 Subject: [PATCH 3/9] fix names of resources apply policy to events log --- .../environment/region/cloudwatch_events.tf | 33 +++++++++++++++++++ .../environment/region/modules/lambda/main.tf | 3 +- .../region/modules/s3_antivirus/main.tf | 2 +- 3 files changed, 35 insertions(+), 3 deletions(-) diff --git a/terraform/environment/region/cloudwatch_events.tf b/terraform/environment/region/cloudwatch_events.tf index 32a5bcda6d..d9a45371d6 100644 --- a/terraform/environment/region/cloudwatch_events.tf +++ b/terraform/environment/region/cloudwatch_events.tf 
@@ -5,6 +5,39 @@ resource "aws_cloudwatch_log_group" "events" { provider = aws.region } +resource "aws_cloudwatch_log_data_protection_policy" "events" { + log_group_name = aws_cloudwatch_log_group.lambda.name + policy_document = jsonencode({ + Name = "data-protection-${data.aws_default_tags.current.tags.environment-name}-events" + Version = "2021-06-01" + + "Statement" : [ + { + "Sid" : "audit-policy", + "DataIdentifier" : [ + "arn:aws:dataprotection::aws:data-identifier/EmailAddress" + ], + "Operation" : { + "Audit" : { + "FindingsDestination" : {} + } + } + }, + { + "Sid" : "redact-policy", + "DataIdentifier" : [ + "arn:aws:dataprotection::aws:data-identifier/EmailAddress" + ], + "Operation" : { + "Deidentify" : { + "MaskConfig" : {} + } + } + } + ] + }) + provider = aws.region +} resource "aws_cloudwatch_query_definition" "events" { name = "${data.aws_default_tags.current.tags.environment-name}/events" log_group_names = [aws_cloudwatch_log_group.events.name] diff --git a/terraform/environment/region/modules/lambda/main.tf b/terraform/environment/region/modules/lambda/main.tf index 24f73d6a90..a7d8a5d800 100644 --- a/terraform/environment/region/modules/lambda/main.tf +++ b/terraform/environment/region/modules/lambda/main.tf @@ -4,7 +4,7 @@ resource "aws_cloudwatch_log_group" "lambda" { provider = aws.region } -resource "aws_cloudwatch_log_data_protection_policy" "logs" { +resource "aws_cloudwatch_log_data_protection_policy" "lambda" { log_group_name = aws_cloudwatch_log_group.lambda.name policy_document = jsonencode({ Name = "data-protection-${var.environment}-${var.lambda_name}" @@ -38,7 +38,6 @@ resource "aws_cloudwatch_log_data_protection_policy" "logs" { provider = aws.region } - resource "aws_lambda_function" "lambda_function" { function_name = "${var.lambda_name}-${var.environment}" description = var.description 
diff --git a/terraform/environment/region/modules/s3_antivirus/main.tf b/terraform/environment/region/modules/s3_antivirus/main.tf index aed9841fb3..41ff78326f 100644 --- a/terraform/environment/region/modules/s3_antivirus/main.tf +++ b/terraform/environment/region/modules/s3_antivirus/main.tf @@ -5,7 +5,7 @@ resource "aws_cloudwatch_log_group" "lambda" { provider = aws.region } -resource "aws_cloudwatch_log_data_protection_policy" "logs" { +resource "aws_cloudwatch_log_data_protection_policy" "lambda" { log_group_name = aws_cloudwatch_log_group.lambda.name policy_document = jsonencode({ Name = "data-protection-${data.aws_default_tags.current.tags.environment-name}-s3-antivirus" From e6cb3c2cbd16cb8055eacf4ebfa173e904661d94 Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 10 Sep 2024 15:43:16 +0100 Subject: [PATCH 4/9] fix log group name reference --- terraform/environment/region/cloudwatch_events.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environment/region/cloudwatch_events.tf b/terraform/environment/region/cloudwatch_events.tf index d9a45371d6..bda3cbc259 100644 --- a/terraform/environment/region/cloudwatch_events.tf +++ b/terraform/environment/region/cloudwatch_events.tf @@ -6,7 +6,7 @@ resource "aws_cloudwatch_log_group" "events" { } resource "aws_cloudwatch_log_data_protection_policy" "events" { - log_group_name = aws_cloudwatch_log_group.lambda.name + log_group_name = aws_cloudwatch_log_group.events.name policy_document = jsonencode({ Name = "data-protection-${data.aws_default_tags.current.tags.environment-name}-events" Version = "2021-06-01" From cdc34cba121ca1491009360e7807977253652c88 Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 10 Sep 2024 15:52:02 +0100 Subject: [PATCH 5/9] data protection for opensearch pipeline log group --- .../opensearch_ingestion_pipeline.tf | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) 
diff --git a/terraform/environment/opensearch_ingestion_pipeline.tf b/terraform/environment/opensearch_ingestion_pipeline.tf index 539eb4c917..cde2ebf7c6 100644 --- a/terraform/environment/opensearch_ingestion_pipeline.tf +++ b/terraform/environment/opensearch_ingestion_pipeline.tf @@ -183,6 +183,40 @@ resource "aws_cloudwatch_log_group" "opensearch_pipeline" { provider = aws.eu_west_1 } +resource "aws_cloudwatch_log_data_protection_policy" "opensearch_pipeline" { + log_group_name = aws_cloudwatch_log_group.opensearch_pipeline.name + policy_document = jsonencode({ + Name = "data-protection-${data.aws_default_tags.current.tags.environment-name}-opensearch-ingestion" + Version = "2021-06-01" + + "Statement" : [ + { + "Sid" : "audit-policy", + "DataIdentifier" : [ + "arn:aws:dataprotection::aws:data-identifier/EmailAddress" + ], + "Operation" : { + "Audit" : { + "FindingsDestination" : {} + } + } + }, + { + "Sid" : "redact-policy", + "DataIdentifier" : [ + "arn:aws:dataprotection::aws:data-identifier/EmailAddress" + ], + "Operation" : { + "Deidentify" : { + "MaskConfig" : {} + } + } + } + ] + }) + provider = aws.eu_west_1 +} + resource "aws_cloudwatch_query_definition" "opensearch_pipeline" { count = local.enable_opensearch_ingestion_pipeline ? 1 : 0 name = "${local.default_tags.environment-name}/lpas-opensearch-pipeline" From 9cb2dfb74549e8e9cf992313c45b03a660f98b03 Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 10 Sep 2024 15:56:21 +0100 Subject: [PATCH 6/9] fix references to log group --- terraform/environment/opensearch_ingestion_pipeline.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environment/opensearch_ingestion_pipeline.tf b/terraform/environment/opensearch_ingestion_pipeline.tf index cde2ebf7c6..dc1e767351 100644 --- a/terraform/environment/opensearch_ingestion_pipeline.tf +++ b/terraform/environment/opensearch_ingestion_pipeline.tf 
@@ -184,9 +184,9 @@ resource "aws_cloudwatch_log_group" "opensearch_pipeline" { } resource "aws_cloudwatch_log_data_protection_policy" "opensearch_pipeline" { - log_group_name = aws_cloudwatch_log_group.opensearch_pipeline.name + log_group_name = aws_cloudwatch_log_group.opensearch_pipeline[0].name policy_document = jsonencode({ - Name = "data-protection-${data.aws_default_tags.current.tags.environment-name}-opensearch-ingestion" + Name = "data-protection-${local.default_tags.environment-name}-opensearch-ingestion" Version = "2021-06-01" "Statement" : [ From 0e231f60074db9da4bc76eadff9d64aa78c29bce Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 10 Sep 2024 16:54:24 +0100 Subject: [PATCH 7/9] use a single policy statement for everry instance of a data protection resource --- ...atch_log_data_protection_policy.json.tftpl | 28 +++++++++++++ .../opensearch_ingestion_pipeline.tf | 42 ++++++------------- 2 files changed, 41 insertions(+), 29 deletions(-) create mode 100644 terraform/environment/cloudwatch_log_data_protection_policy/cloudwatch_log_data_protection_policy.json.tftpl diff --git a/terraform/environment/cloudwatch_log_data_protection_policy/cloudwatch_log_data_protection_policy.json.tftpl b/terraform/environment/cloudwatch_log_data_protection_policy/cloudwatch_log_data_protection_policy.json.tftpl new file mode 100644 index 0000000000..449d060b31 --- /dev/null +++ b/terraform/environment/cloudwatch_log_data_protection_policy/cloudwatch_log_data_protection_policy.json.tftpl @@ -0,0 +1,28 @@ +{ + "Name": "", + "Version": "2021-06-01", + "Statement" : [ + { + "Sid" : "audit-policy", + "DataIdentifier" : [ + "arn:aws:dataprotection::aws:data-identifier/EmailAddress" + ], + "Operation" : { + "Audit" : { + "FindingsDestination" : {} + } + } + }, + { + "Sid" : "redact-policy", + "DataIdentifier" : [ + "arn:aws:dataprotection::aws:data-identifier/EmailAddress" + ], + "Operation" : { + "Deidentify" : { + "MaskConfig" : {} + } + } + } + ] +} 
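Review bot: `aws_cloudwatch_log_group.opensearch_pipeline[0].name` indexes a resource that apparently uses `count`, but `aws_cloudwatch_log_data_protection_policy.opensearch_pipeline` has no `count` of its own, so whenever the log group's count is 0 the index fails at plan time rather than skipping the policy. The `aws_cloudwatch_query_definition` added alongside it in 5/9 is gated on `local.enable_opensearch_ingestion_pipeline`; if the log group is gated on the same local, add `count = local.enable_opensearch_ingestion_pipeline ? 1 : 0` to the policy resource and the `[0]` reference becomes safe. This carries through unchanged into the 9/9 version of the same resource. The resource block continues past the end of this hunk.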
diff --git a/terraform/environment/opensearch_ingestion_pipeline.tf b/terraform/environment/opensearch_ingestion_pipeline.tf index dc1e767351..eba8996dc7 100644 --- a/terraform/environment/opensearch_ingestion_pipeline.tf +++ b/terraform/environment/opensearch_ingestion_pipeline.tf @@ -183,37 +183,21 @@ resource "aws_cloudwatch_log_group" "opensearch_pipeline" { provider = aws.eu_west_1 } +locals { + cloudwatch_data_protection_policy_template_vars = { + environment_name = local.default_tags.environment-name + protected_resource_name = "opensearch-ingestion" + } + template = templatefile("cloudwatch_log_data_protection_policy/cloudwatch_log_data_protection_policy.json.tftpl", local.cloudwatch_data_protection_policy_template_vars) +} resource "aws_cloudwatch_log_data_protection_policy" "opensearch_pipeline" { log_group_name = aws_cloudwatch_log_group.opensearch_pipeline[0].name - policy_document = jsonencode({ - Name = "data-protection-${local.default_tags.environment-name}-opensearch-ingestion" - Version = "2021-06-01" - - "Statement" : [ - { - "Sid" : "audit-policy", - "DataIdentifier" : [ - "arn:aws:dataprotection::aws:data-identifier/EmailAddress" - ], - "Operation" : { - "Audit" : { - "FindingsDestination" : {} - } - } - }, - { - "Sid" : "redact-policy", - "DataIdentifier" : [ - "arn:aws:dataprotection::aws:data-identifier/EmailAddress" - ], - "Operation" : { - "Deidentify" : { - "MaskConfig" : {} - } - } - } - ] - }) + policy_document = jsonencode(merge( + jsondecode(local.template), + { + Name = "data-protection-${local.default_tags.environment-name}-opensearch-ingestion" + } + )) provider = aws.eu_west_1 } From 000bedf6adfbd968b26568fe78095ef5eb9e1a90 Mon Sep 17 00:00:00 2001 
From: Andrew Pearce Date: Tue, 10 Sep 2024 17:00:37 +0100 Subject: [PATCH 8/9] cleanup --- ...n.tftpl => cloudwatch_log_data_protection_policy.json} | 0 terraform/environment/opensearch_ingestion_pipeline.tf | 8 ++------ 2 files changed, 2 insertions(+), 6 deletions(-) rename terraform/environment/cloudwatch_log_data_protection_policy/{cloudwatch_log_data_protection_policy.json.tftpl => cloudwatch_log_data_protection_policy.json} (100%) diff --git a/terraform/environment/cloudwatch_log_data_protection_policy/cloudwatch_log_data_protection_policy.json.tftpl b/terraform/environment/cloudwatch_log_data_protection_policy/cloudwatch_log_data_protection_policy.json similarity index 100% rename from terraform/environment/cloudwatch_log_data_protection_policy/cloudwatch_log_data_protection_policy.json.tftpl rename to terraform/environment/cloudwatch_log_data_protection_policy/cloudwatch_log_data_protection_policy.json diff --git a/terraform/environment/opensearch_ingestion_pipeline.tf b/terraform/environment/opensearch_ingestion_pipeline.tf index eba8996dc7..4ebd726653 100644 --- a/terraform/environment/opensearch_ingestion_pipeline.tf +++ b/terraform/environment/opensearch_ingestion_pipeline.tf 
@@ -184,16 +184,12 @@ resource "aws_cloudwatch_log_group" "opensearch_pipeline" { } locals { - cloudwatch_data_protection_policy_template_vars = { - environment_name = local.default_tags.environment-name - protected_resource_name = "opensearch-ingestion" - } - template = templatefile("cloudwatch_log_data_protection_policy/cloudwatch_log_data_protection_policy.json.tftpl", local.cloudwatch_data_protection_policy_template_vars) + data_protect_policy = file("cloudwatch_log_data_protection_policy/cloudwatch_log_data_protection_policy.json") } resource "aws_cloudwatch_log_data_protection_policy" "opensearch_pipeline" { log_group_name = aws_cloudwatch_log_group.opensearch_pipeline[0].name policy_document = jsonencode(merge( - jsondecode(local.template), + jsondecode(local.data_protect_policy), { Name = "data-protection-${local.default_tags.environment-name}-opensearch-ingestion" } From d60245de13f27478ea1c1aafad3d44d97192a56c Mon Sep 17 00:00:00 2001 From: Andrew Pearce Date: Tue, 10 Sep 2024 17:18:50 +0100 Subject: [PATCH 9/9] use a single policy statement for everry instance of a data protection resource --- .../opensearch_ingestion_pipeline.tf | 5 +-- .../environment/region/cloudwatch_events.tf | 36 ++++--------------- .../cloudwatch_data_protection_policy.tf | 33 ----------------- .../application_logs/cloudwatch_log_group.tf | 11 ++++++ .../environment/region/modules/lambda/main.tf | 35 ++++-------------- .../region/modules/s3_antivirus/main.tf | 35 ++++-------------- 6 files changed, 31 insertions(+), 124 deletions(-) delete mode 100644 terraform/environment/region/modules/application_logs/cloudwatch_data_protection_policy.tf diff --git a/terraform/environment/opensearch_ingestion_pipeline.tf b/terraform/environment/opensearch_ingestion_pipeline.tf index 4ebd726653..1b428b2dc4 100644 --- a/terraform/environment/opensearch_ingestion_pipeline.tf +++ b/terraform/environment/opensearch_ingestion_pipeline.tf 
@@ -183,13 +183,10 @@ resource "aws_cloudwatch_log_group" "opensearch_pipeline" {
 provider = aws.eu_west_1
 }
-locals {
- data_protect_policy = file("cloudwatch_log_data_protection_policy/cloudwatch_log_data_protection_policy.json")
-}
 resource "aws_cloudwatch_log_data_protection_policy" "opensearch_pipeline" {
 log_group_name = aws_cloudwatch_log_group.opensearch_pipeline[0].name
 policy_document = jsonencode(merge(
- jsondecode(local.data_protect_policy),
+ jsondecode(file("${path.root}/cloudwatch_log_data_protection_policy/cloudwatch_log_data_protection_policy.json")),
 {
 Name = "data-protection-${local.default_tags.environment-name}-opensearch-ingestion"
 }
diff --git a/terraform/environment/region/cloudwatch_events.tf b/terraform/environment/region/cloudwatch_events.tf
index bda3cbc259..0c8378ce39 100644
--- a/terraform/environment/region/cloudwatch_events.tf
+++ b/terraform/environment/region/cloudwatch_events.tf
@@ -7,37 +7,15 @@ resource "aws_cloudwatch_log_group" "events" {
 resource "aws_cloudwatch_log_data_protection_policy" "events" {
 log_group_name = aws_cloudwatch_log_group.events.name
- policy_document = jsonencode({
- Name = "data-protection-${data.aws_default_tags.current.tags.environment-name}-events"
- Version = "2021-06-01"
-
- "Statement" : [
- {
- "Sid" : "audit-policy",
- "DataIdentifier" : [
- "arn:aws:dataprotection::aws:data-identifier/EmailAddress"
- ],
- "Operation" : {
- "Audit" : {
- "FindingsDestination" : {}
- }
- }
- },
- {
- "Sid" : "redact-policy",
- "DataIdentifier" : [
- "arn:aws:dataprotection::aws:data-identifier/EmailAddress"
- ],
- "Operation" : {
- "Deidentify" : {
- "MaskConfig" : {}
- }
- }
- }
- ]
- })
+ policy_document = jsonencode(merge(
+ jsondecode(file("${path.root}/cloudwatch_log_data_protection_policy/cloudwatch_log_data_protection_policy.json")),
+ {
+ Name = "data-protection-${data.aws_default_tags.current.tags.environment-name}-events"
+ }
+ ))
 provider = aws.region
 }
+
 resource "aws_cloudwatch_query_definition" "events" {
 name = "${data.aws_default_tags.current.tags.environment-name}/events"
 log_group_names = [aws_cloudwatch_log_group.events.name]
diff --git a/terraform/environment/region/modules/application_logs/cloudwatch_data_protection_policy.tf b/terraform/environment/region/modules/application_logs/cloudwatch_data_protection_policy.tf
deleted file mode 100644
index fe92f1e2b7..0000000000
--- a/terraform/environment/region/modules/application_logs/cloudwatch_data_protection_policy.tf
+++ /dev/null
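Review bot: `file("${path.root}/cloudwatch_log_data_protection_policy/cloudwatch_log_data_protection_policy.json")` ties this file, and the application_logs, lambda and s3_antivirus module files changed in the same commit, to the directory layout of the root module; `region` itself looks like a child module given that `aws.region` is a passed-in provider alias, so each module now reaches outside its own tree and cannot be planned or reused without the root's copy of the JSON. The usual shape is for the root to read and decode the file once and hand the object down as an input, e.g. `variable "data_protection_policy_document" { type = any }`, with each resource then doing `policy_document = jsonencode(merge(var.data_protection_policy_document, { Name = "..." }))`. That leaves a single `jsondecode` and one place to validate the document, and a module-level comment could note that only the `Name` key is overridden per log group.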
@@ -1,33 +0,0 @@
-resource "aws_cloudwatch_log_data_protection_policy" "application_logs" {
- log_group_name = aws_cloudwatch_log_group.application_logs.name
- policy_document = jsonencode({
- Name = "data-protection-${data.aws_default_tags.current.tags.environment-name}-application-logs"
- Version = "2021-06-01"
-
- "Statement" : [
- {
- "Sid" : "audit-policy",
- "DataIdentifier" : [
- "arn:aws:dataprotection::aws:data-identifier/EmailAddress"
- ],
- "Operation" : {
- "Audit" : {
- "FindingsDestination" : {}
- }
- }
- },
- {
- "Sid" : "redact-policy",
- "DataIdentifier" : [
- "arn:aws:dataprotection::aws:data-identifier/EmailAddress"
- ],
- "Operation" : {
- "Deidentify" : {
- "MaskConfig" : {}
- }
- }
- }
- ]
- })
- provider = aws.region
-}
diff --git a/terraform/environment/region/modules/application_logs/cloudwatch_log_group.tf b/terraform/environment/region/modules/application_logs/cloudwatch_log_group.tf
index 2357e3e061..a746319a26 100644
--- a/terraform/environment/region/modules/application_logs/cloudwatch_log_group.tf
+++ b/terraform/environment/region/modules/application_logs/cloudwatch_log_group.tf
@@ -10,6 +10,17 @@ resource "aws_cloudwatch_log_group" "application_logs" {
 provider = aws.region
 }
+resource "aws_cloudwatch_log_data_protection_policy" "application_logs" {
+ log_group_name = aws_cloudwatch_log_group.application_logs.name
+ policy_document = jsonencode(merge(
+ jsondecode(file("${path.root}/cloudwatch_log_data_protection_policy/cloudwatch_log_data_protection_policy.json")),
+ {
+ Name = "data-protection-${data.aws_default_tags.current.tags.environment-name}-application-logs"
+ }
+ ))
+ provider = aws.region
+}
+
 resource "aws_cloudwatch_query_definition" "app_container_messages" {
 name = "${data.aws_default_tags.current.tags.environment-name}/app container messages"
 log_group_names = [aws_cloudwatch_log_group.application_logs.name]
diff --git a/terraform/environment/region/modules/lambda/main.tf b/terraform/environment/region/modules/lambda/main.tf
index a7d8a5d800..7ca8276c0b 100644
--- a/terraform/environment/region/modules/lambda/main.tf
+++ b/terraform/environment/region/modules/lambda/main.tf
@@ -6,35 +6,12 @@ resource "aws_cloudwatch_log_group" "lambda" {
 resource "aws_cloudwatch_log_data_protection_policy" "lambda" {
 log_group_name = aws_cloudwatch_log_group.lambda.name
- policy_document = jsonencode({
- Name = "data-protection-${var.environment}-${var.lambda_name}"
- Version = "2021-06-01"
-
- "Statement" : [
- {
- "Sid" : "audit-policy",
- "DataIdentifier" : [
- "arn:aws:dataprotection::aws:data-identifier/EmailAddress"
- ],
- "Operation" : {
- "Audit" : {
- "FindingsDestination" : {}
- }
- }
- },
- {
- "Sid" : "redact-policy",
- "DataIdentifier" : [
- "arn:aws:dataprotection::aws:data-identifier/EmailAddress"
- ],
- "Operation" : {
- "Deidentify" : {
- "MaskConfig" : {}
- }
- }
- }
- ]
- })
+ policy_document = jsonencode(merge(
+ jsondecode(file("${path.root}/cloudwatch_log_data_protection_policy/cloudwatch_log_data_protection_policy.json")),
+ {
+ Name = "data-protection-${var.environment}-${var.lambda_name}"
+ }
+ ))
 provider = aws.region
 }
diff --git a/terraform/environment/region/modules/s3_antivirus/main.tf b/terraform/environment/region/modules/s3_antivirus/main.tf
index 41ff78326f..ae3bf32ca4 100644
--- a/terraform/environment/region/modules/s3_antivirus/main.tf
+++ b/terraform/environment/region/modules/s3_antivirus/main.tf
@@ -7,35 +7,12 @@ resource "aws_cloudwatch_log_group" "lambda" {
 resource "aws_cloudwatch_log_data_protection_policy" "lambda" {
 log_group_name = aws_cloudwatch_log_group.lambda.name
- policy_document = jsonencode({
- Name = "data-protection-${data.aws_default_tags.current.tags.environment-name}-s3-antivirus"
- Version = "2021-06-01"
-
- "Statement" : [
- {
- "Sid" : "audit-policy",
- "DataIdentifier" : [
- "arn:aws:dataprotection::aws:data-identifier/EmailAddress"
- ],
- "Operation" : {
- "Audit" : {
- "FindingsDestination" : {}
- }
- }
- },
- {
- "Sid" : "redact-policy",
- "DataIdentifier" : [
- "arn:aws:dataprotection::aws:data-identifier/EmailAddress"
- ],
- "Operation" : {
- "Deidentify" : {
- "MaskConfig" : {}
- }
- }
- }
- ]
- })
+ policy_document = jsonencode(merge(
+ jsondecode(file("${path.root}/cloudwatch_log_data_protection_policy/cloudwatch_log_data_protection_policy.json")),
+ {
+ Name = "data-protection-${data.aws_default_tags.current.tags.environment-name}-s3-antivirus"
+ }
+ ))
 provider = aws.region
 }