refactor logging module to prefer logging directly to firehose (#9678)

Prefer logging to Firehose in target-account; this opens up more
flexibility to choose different out-of-the-box Firehose destinations.

by default S3 destination is provided, as a destination is required to
create a firehose delivery stream
This commit is contained in:
Benjamin Edwards 2023-02-06 10:38:23 -05:00 committed by GitHub
parent 1c7f94b745
commit 78e41b60b3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
20 changed files with 274 additions and 404 deletions


@ -0,0 +1,35 @@
# Logging Destination: Firehose
This addon provides a Kinesis Firehose logging destination for Fleet with support for cross account S3 delivery.
## Requirements
Apply module `target-account` to provision destination firehose, bucket, kms key, and IAM role/policies.
## Providers
| Name | Version |
|---------------------------------------------------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.52.0 |
## Modules
No modules.
## Resources
No resources.
## Inputs
| Name | Description | Type | Default | Required |
|-------------------------------|-----------------------------------------------------------|----------|---------------------|:--------:|
| firehose_results_name | n/a | `string` | no default provided | yes |
| firehose_status_name | n/a | `string` | no default provided | yes |
| iam_role_arn | IAM Role used to write to target firehose delivery stream | `string` | no default provided | yes |
## Outputs
| Name | Description |
|-----------------------------------------------------------------------------------------------------------------|-------------|
| <a name="output_fleet-extra-env-variables"></a> [fleet-extra-env-variables](#output\_fleet-extra-env-variables) | n/a |


@ -0,0 +1,11 @@
data "aws_region" "current" {}
output "fleet_extra_environment_variables" {
value = {
FLEET_FIREHOSE_STATUS_STREAM = var.firehose_status_name
FLEET_FIREHOSE_RESULT_STREAM = var.firehose_results_name
FLEET_FIREHOSE_STS_ASSUME_ROLE_ARN = var.iam_role_arn
FLEET_FIREHOSE_REGION = data.aws_region.current.name
FLEET_OSQUERY_STATUS_LOG_PLUGIN = "firehose"
FLEET_OSQUERY_RESULT_LOG_PLUGIN = "firehose"
}
}
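Review bot: `FLEET_FIREHOSE_REGION = data.aws_region.current.name` resolves to the region of the provider that applies this addon, i.e. the Fleet deployment's region, while the delivery streams named by `firehose_results_name`/`firehose_status_name` are created in the target account; if those streams live in a different region, Fleet is presumably pointed at the wrong endpoint. Consider an optional `firehose_region` input (default `null`) and `FLEET_FIREHOSE_REGION = coalesce(var.firehose_region, data.aws_region.current.name)` so the current behaviour stays the default. Note also that the README added in this commit documents the output as `fleet-extra-env-variables`, whereas the block here is named `fleet_extra_environment_variables`.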


@ -0,0 +1,14 @@
variable "iam_role_arn" {
type = string
description = "IAM Role ARN to use for Firehose destination logging"
}
variable "firehose_results_name" {
type = string
description = "name of the firehose delivery stream for osquery results logs"
}
variable "firehose_status_name" {
type = string
description = "name of the firehose delivery stream for osquery status logs"
}
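Review bot: `iam_role_arn` is exported as `FLEET_FIREHOSE_STS_ASSUME_ROLE_ARN`, so a mistyped or non-role ARN is only discovered when Fleet first tries to assume it; a `validation` block on the variable checking `can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/", var.iam_role_arn))` (constructed pattern) with an error message naming the expected form would fail at plan time instead. The description could also say which role this is, e.g. `description = "ARN of the role created by the target-account module; Fleet assumes it via STS to write to the Firehose delivery streams"`.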


@ -0,0 +1,56 @@
# Logging Destination: S3
This module will provision necessary resources to feed osquery results/status logs into S3.
## Requirements
None
## Providers
| Name | Version |
|---------------------------------------------------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.52.0 |
## Modules
No modules.
## Resources
| Name | Type |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| [aws_s3_bucket.osquery-destination](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket_acl.osquery-destination](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
| [aws_s3_bucket_public_access_block.osquery-destination](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [aws_s3_bucket_server_side_encryption_configuration.osquery-destination](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
| [aws_iam_policy.firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.fleet_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_kinesis_firehose_delivery_stream.osquery_results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
| [aws_kinesis_firehose_delivery_stream.osquery_status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_iam_policy_document.osquery_firehose_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.osquery_results_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.osquery_status_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|-----------------------------------------|----------------------------------------------------------|----------|---------------------|:--------:|
| osquery_logging_destination_bucket_name | name of the bucket for osquery logging | `string` | no default provided | yes |
| firehose_results_name | name of the firehose delivery stream for results logging | `string` | `osquery_results` | no |
| firehose_status_name | name of the firehose delivery stream for status logging | `string` | `osquery_status` | no |
| results_prefix | s3 object prefix to give to results logs | `string` | `results/` | no |
| status_prefix | s3 object prefix to give status logs | `string` | `status/` | no |
| fleet_iam_role_arn | the role ARN from Fleet Cloud | `string` | no default provided | yes |
## Outputs
| Name | Description |
|-------------------|---------------------------------------------------------------------------------|
| firehose_iam_role | IAM Role ARN fleet cloud will assume to write data to firehose delivery streams |
| firehose_results | name of the firehose delivery stream for results logs |
| firehose_status | name of the firehose delivery stream for status logs |


@ -1,6 +1,3 @@
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
data "aws_iam_policy_document" "osquery_firehose_assume_role" {
statement {
effect = "Allow"
@ -25,31 +22,32 @@ data "aws_iam_policy_document" "firehose_policy" {
"s3:PutObjectAcl" // required according to https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-s3
]
resources = [
"arn:aws:s3:::${var.results_destination_s3_bucket}",
"arn:aws:s3:::${var.results_destination_s3_bucket}/*",
"arn:aws:s3:::${var.status_destination_s3_bucket}",
"arn:aws:s3:::${var.status_destination_s3_bucket}/*"
aws_s3_bucket.destination.arn,
"${aws_s3_bucket.destination.arn}/*",
]
}
statement {
effect = "Allow"
actions = ["kms:GenerateDataKey*"]
resources = [var.kms_key_arn]
}
statement {
effect = "Allow"
actions = ["logs:PutLogEvents"]
effect = "Allow"
actions = ["logs:PutLogEvents"]
resources = [
"arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.firehose_results_name}:*",
"arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.firehose_status_name}:*"
]
}
statement {
effect = "Allow"
actions = [
"kms:Decrypt",
"kms:GenerateDataKey"
]
resources = [data.aws_kms_alias.s3.arn]
}
}
resource "aws_iam_role" "firehose" {
name = "${var.customer_prefix}-firehose-cross-account-role"
assume_role_policy = data.aws_iam_policy_document.osquery_firehose_assume_role.json
}
@ -62,15 +60,22 @@ resource "aws_iam_role_policy_attachment" "firehose" {
role = aws_iam_role.firehose.name
}
resource "aws_kms_key" "firehose" {
enable_key_rotation = true
}
resource "aws_kinesis_firehose_delivery_stream" "osquery_results" {
name = var.firehose_results_name
destination = "s3"
server_side_encryption {
key_arn = aws_kms_key.firehose.arn
}
s3_configuration {
prefix = var.results_object_prefix
role_arn = aws_iam_role.firehose.arn
bucket_arn = "arn:aws:s3:::${var.results_destination_s3_bucket}"
kms_key_arn = var.kms_key_arn
prefix = var.results_prefix
role_arn = aws_iam_role.firehose.arn
bucket_arn = aws_s3_bucket.destination.arn
}
}
@ -78,27 +83,13 @@ resource "aws_kinesis_firehose_delivery_stream" "osquery_status" {
name = var.firehose_status_name
destination = "s3"
server_side_encryption {
key_arn = aws_kms_key.firehose.arn
}
s3_configuration {
prefix = var.status_object_prefix
role_arn = aws_iam_role.firehose
bucket_arn = "arn:aws:s3:::${var.status_destination_s3_bucket}"
kms_key_arn = var.kms_key_arn
prefix = var.status_prefix
role_arn = aws_iam_role.firehose.arn
bucket_arn = aws_s3_bucket.destination.arn
}
}
data "aws_iam_policy_document" "firehose-logging" {
statement {
actions = [
"firehose:DescribeDeliveryStream",
"firehose:PutRecord",
"firehose:PutRecordBatch",
]
resources = [aws_kinesis_firehose_delivery_stream.osquery_results.arn, aws_kinesis_firehose_delivery_stream.osquery_status.arn]
}
}
resource "aws_iam_policy" "firehose-logging" {
name = "fleet-firehose-logging"
description = "An IAM policy for fleet to log to Firehose destinations"
policy = data.aws_iam_policy_document.firehose-logging.json
}
}
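Review bot: The `server_side_encryption` block added to `aws_kinesis_firehose_delivery_stream.osquery_results` (and identically to `osquery_status` in the next hunk) sets only `key_arn`; in the AWS provider this block defaults to `enabled = false` and `key_type = "AWS_OWNED_CMK"`, so as written encryption at rest for the streams is most likely not turned on and the new `aws_kms_key.firehose` is not the key in use. Add `enabled  = true` and `key_type = "CUSTOMER_MANAGED_CMK"` beside `key_arn` in both streams. In the role policy, `resources = [data.aws_kms_alias.s3.arn]` is the alias ARN, which IAM does not match against the key; `data.aws_kms_alias.s3.target_key_arn` is the value that makes that statement meaningful (the AWS-managed key's own policy typically already admits S3 callers from the account, so this is about correctness of the grant rather than a failing write). Separately, the unchanged context line `name = "${var.customer_prefix}-firehose-cross-account-role"` still references `var.customer_prefix`, which the target-account `variables.tf` added in this commit does not declare; unless it is declared in one of the changed files not shown on this page, validation fails on this line.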


@ -0,0 +1,45 @@
resource "aws_iam_role" "fleet_role" {
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
data "aws_iam_policy_document" "assume_role" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
identifiers = [var.fleet_iam_role_arn]
type = "AWS"
}
}
}
data "aws_iam_policy_document" "firehose" {
statement {
effect = "Allow"
actions = [
"firehose:DescribeDeliveryStream",
"firehose:PutRecord",
"firehose:PutRecordBatch",
]
resources = [aws_kinesis_firehose_delivery_stream.osquery_results.arn, aws_kinesis_firehose_delivery_stream.osquery_status.arn]
}
statement {
effect = "Allow"
actions = [
"kms:Decrypt",
"kms:GenerateDataKey"
]
resources = [aws_kms_key.firehose.arn]
}
}
resource "aws_iam_policy" "firehose" {
policy = data.aws_iam_policy_document.firehose.json
}
resource "aws_iam_policy_attachment" "firehose" {
name = aws_iam_role.fleet_role.name
policy_arn = aws_iam_policy.firehose.arn
}
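Review bot: `aws_iam_policy_attachment "firehose"` never binds the policy to `aws_iam_role.fleet_role`: that resource's `name` argument is only the attachment's label, and it attaches through `roles`/`users`/`groups`, none of which is set, so the role that `var.fleet_iam_role_arn` is trusted to assume ends up with no Firehose or KMS permissions (the provider should refuse to create the resource with none of those set). Replace it with `resource "aws_iam_role_policy_attachment" "firehose"` using `role = aws_iam_role.fleet_role.name` and `policy_arn = aws_iam_policy.firehose.arn`, which is also the resource the README's table lists. Since the trust policy admits a principal from another account, a `condition` on `sts:ExternalId` would be the usual confused-deputy guard, but only if the Fleet side can supply one — worth confirming before adding.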


@ -0,0 +1,15 @@
output "firehose_iam_role" {
value = aws_iam_role.fleet_role.arn
}
output "s3_destination" {
value = aws_s3_bucket.destination.arn
}
output "firehose_results" {
value = aws_kinesis_firehose_delivery_stream.osquery_results.name
}
output "firehose_status" {
value = aws_kinesis_firehose_delivery_stream.osquery_status.name
}
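Review bot: The README added in this commit lists `firehose_iam_role`, `firehose_results` and `firehose_status` as the module's outputs but not `s3_destination`, which this file also exports; either add a row for it or drop the output if consumers are not meant to depend on the bucket ARN. A `description = "..."` beside each `value` would also let the README table be regenerated rather than hand-maintained.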


@ -0,0 +1,34 @@
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
data "aws_kms_alias" "s3" {
name = "aws/s3"
}
resource "aws_s3_bucket" "destination" {
bucket = var.osquery_logging_destination_bucket_name
}
resource "aws_s3_bucket_public_access_block" "destination" {
bucket = aws_s3_bucket.destination.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_acl" "destination" {
bucket = aws_s3_bucket.destination.id
acl = "private"
}
// Objects in S3 are now encrypted by default https://aws.amazon.com/blogs/aws/amazon-s3-encrypts-new-objects-by-default/
// If you need more granular control, use a customer managed KMS Key
resource "aws_s3_bucket_server_side_encryption_configuration" "destination" {
bucket = aws_s3_bucket.destination.id
rule {
bucket_key_enabled = true
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
}
}
}
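Review bot: The destination bucket gets a public-access block, a private ACL and SSE, but no bucket policy, so nothing rejects plaintext (non-TLS) requests to the bucket holding osquery results and status logs; a `Deny` on `aws:SecureTransport = false` is the usual companion to the settings above and does not affect Firehose, which writes over HTTPS. The comment on `aws_s3_bucket_server_side_encryption_configuration.destination` cites the new default encryption, but that default is SSE-S3, whereas this rule selects `aws:kms` with no `kms_master_key_id`, i.e. the AWS-managed `aws/s3` key — a comment such as `// aws:kms without kms_master_key_id uses the AWS-managed aws/s3 key; set kms_master_key_id to use a CMK` would state what is actually configured. Also, `aws_s3_bucket_acl` with `acl = "private"` only works while bucket ACLs are enabled; for buckets created with S3's current Object Ownership default (BucketOwnerEnforced) that resource fails to apply, so an `aws_s3_bucket_ownership_controls` resource, or dropping the ACL resource, is worth considering.
```hcl
// … unchanged: data sources, bucket, public access block, ACL, SSE configuration …

data "aws_iam_policy_document" "destination_tls_only" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    resources = [
      aws_s3_bucket.destination.arn,
      "${aws_s3_bucket.destination.arn}/*",
    ]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "destination" {
  bucket = aws_s3_bucket.destination.id
  policy = data.aws_iam_policy_document.destination_tls_only.json
}
```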


@ -0,0 +1,31 @@
variable "osquery_logging_destination_bucket_name" {
type = string
description = "name of the bucket to store osquery results & status logs"
}
variable "firehose_results_name" {
type = string
description = "firehose delivery stream name for osquery results logs"
default = "osquery_results"
}
variable "firehose_status_name" {
type = string
description = "firehose delivery stream name for osquery status logs"
default = "osquery_status"
}
variable "fleet_iam_role_arn" {
type = string
description = "the arn of the fleet role that firehose will assume to write data to your bucket"
}
variable "results_prefix" {
default = "results/"
description = "s3 object prefix to give to results logs"
}
variable "status_prefix" {
default = "status/"
description = "s3 object prefix to give status logs"
}
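Review bot: The description of `fleet_iam_role_arn`, `"the arn of the fleet role that firehose will assume to write data to your bucket"`, describes the old cross-account S3 design; in this module the value is used only as the trusted principal of `aws_iam_role.fleet_role`, and Firehose writes to S3 with `aws_iam_role.firehose`. Suggest `description = "ARN of the Fleet-side IAM role that is allowed to assume this module's fleet_role and write to the Firehose delivery streams"`. `results_prefix` and `status_prefix` also omit `type = string` while every other variable in the file declares it; adding it keeps the inputs consistent and rejects non-string values at plan time.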


@ -1,51 +0,0 @@
# Logging Destination: Firehose
This addon provides a Kinesis Firehose logging destination for Fleet with support for cross account S3 delivery.
## Requirements
Apply module `target-account` to provision destination bucket, kms key, and IAM policies.
## Providers
| Name | Version |
|---------------------------------------------------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.49.0 |
## Modules
No modules.
## Resources
| Name | Type |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| [aws_iam_policy.firehose-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.firehose-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.firehose-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.firehose-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.firehose-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.firehose-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_kinesis_firehose_delivery_stream.osquery_results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
| [aws_kinesis_firehose_delivery_stream.osquery_status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
| [aws_iam_policy_document.osquery_firehose_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.osquery_results_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.osquery_status_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|-------------------------------|----------------------------------------|----------|---------------------|:--------:|
| firehose_results_name | n/a | `string` | no default provided | yes |
| firehose_status_name | n/a | `string` | no default provided | yes |
| customer_prefix | used for resource tagging | `string` | no default provided | yes |
| kms_key_arn | key arn used to encrypt target buckets | `string` | no default provided | yes |
| results_destination_s3_bucket | bucket name to send osquery results | `string` | no default provided | yes |
| status_destination_s3_bucket | bucket name to send osquery status | `string` | no default provided | yes |
## Outputs
| Name | Description |
|-----------------------------------------------------------------------------------------------------------------|-------------|
| <a name="output_fleet-extra-env-variables"></a> [fleet-extra-env-variables](#output\_fleet-extra-env-variables) | n/a |


@ -1,19 +0,0 @@
output "fleet_extra_environment_variables" {
value = {
FLEET_FIREHOSE_STATUS_STREAM = aws_kinesis_firehose_delivery_stream.osquery_status.name
FLEET_FIREHOSE_RESULT_STREAM = aws_kinesis_firehose_delivery_stream.osquery_results.name
FLEET_FIREHOSE_REGION = data.aws_region.current.name
FLEET_OSQUERY_STATUS_LOG_PLUGIN = "firehose"
FLEET_OSQUERY_RESULT_LOG_PLUGIN = "firehose"
}
}
output "fleet_extra_iam_policies" {
value = [
aws_iam_policy.firehose-logging.arn
]
}
output "firehose_role_arn" {
value = aws_iam_role.firehose.arn
}


@ -1,42 +0,0 @@
variable "results_destination_s3_bucket" {
type = string
description = "s3 bucket name for osquery results"
}
variable "status_destination_s3_bucket" {
type = string
description = "s3 bucket name for osquery status"
}
variable "kms_key_arn" {
type = string
description = "kms key arn used to encrypt destination buckets"
default = "arn:aws:kms:us-east-2:123456789123:key/fix-me"
}
variable "firehose_results_name" {
type = string
description = "name of the firehose delivery stream for osquery results logs"
}
variable "firehose_status_name" {
type = string
description = "name of the firehose delivery stream for osquery status logs"
}
variable "customer_prefix" {
type = string
description = "customer prefix to use to namespace all resources"
}
variable "results_object_prefix" {
type = string
description = "object prefix for results logs e.g. 'results/'"
default = "results/"
}
variable "status_object_prefix" {
type = string
description = "object prefix for results logs e.g. 'status/'"
default = "status/"
}


@ -1,46 +0,0 @@
# Logging Destination: S3
This module will provision necessary resources to feed osquery results/status logs into S3.
## Requirements
None
## Providers
| Name | Version |
|---------------------------------------------------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.52.0 |
## Modules
No modules.
## Resources
| Name | Type |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| [aws_s3_bucket.osquery-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket.osquery-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket_acl.osquery-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
| [aws_s3_bucket_acl.osquery-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
| [aws_s3_bucket_public_access_block.osquery-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [aws_s3_bucket_public_access_block.osquery-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [aws_s3_bucket_server_side_encryption_configuration.osquery-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
| [aws_s3_bucket_server_side_encryption_configuration.osquery-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------------------------|----------------------------------------|----------|---------------------|:--------:|
| osquery_results_bucket | name of the bucket for results logging | `string` | no default provided | yes |
| osquery_status_bucket | name of the bucket for status logging | `string` | no default provided | yes |
| fleet_iam_role_arn | the role ARN from Fleet Cloud | `string` | no default provided | yes |
## Outputs
| Name | Description |
|---------------------|-------------|
| kms_key_arn | n/a |
| results_bucket_name | n/a |
| status_bucket_name | n/a |


@ -1,179 +0,0 @@
data "aws_caller_identity" "current" {}
data "aws_iam_policy_document" "results" {
statement {
principals {
identifiers = [var.fleet_iam_role_arn]
type = "AWS"
}
effect = "Allow"
actions = [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutObject",
"s3:PutObjectAcl" // required according to https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-s3
]
resources = [
aws_s3_bucket.osquery-results.arn,
"${aws_s3_bucket.osquery-results.arn}/*"
]
}
statement {
principals {
identifiers = [var.fleet_iam_role_arn]
type = "AWS"
}
effect = "Allow"
actions = ["s3:PutObject"]
resources = ["${aws_s3_bucket.osquery-results.arn}/*"]
condition {
test = "StringEquals"
values = ["bucket-owner-full-control"]
variable = "s3:x-amz-acl"
}
}
}
data "aws_iam_policy_document" "status" {
statement {
principals {
identifiers = [var.fleet_iam_role_arn]
type = "AWS"
}
effect = "Allow"
actions = [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutObject",
"s3:PutObjectAcl" // required according to https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-s3
]
resources = [
aws_s3_bucket.osquery-status.arn,
"${aws_s3_bucket.osquery-status.arn}/*"
]
}
statement {
principals {
identifiers = [var.fleet_iam_role_arn]
type = "AWS"
}
effect = "Allow"
actions = ["s3:PutObject"]
resources = ["${aws_s3_bucket.osquery-status.arn}/*"]
condition {
test = "StringEquals"
values = ["bucket-owner-full-control"]
variable = "s3:x-amz-acl"
}
}
}
resource "aws_s3_bucket" "osquery-results" {
bucket = var.osquery_results_bucket
}
resource "aws_s3_bucket" "osquery-status" {
bucket = var.osquery_status_bucket
}
resource "aws_s3_bucket_policy" "results" {
bucket = aws_s3_bucket.osquery-results.id
policy = data.aws_iam_policy_document.results.json
}
resource "aws_s3_bucket_policy" "status" {
bucket = aws_s3_bucket.osquery-status.id
policy = data.aws_iam_policy_document.status.json
}
resource "aws_s3_bucket_public_access_block" "results" {
bucket = aws_s3_bucket.osquery-results.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_public_access_block" "status" {
bucket = aws_s3_bucket.osquery-status.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_acl" "results" {
bucket = aws_s3_bucket.osquery-results.id
acl = "private"
}
resource "aws_s3_bucket_acl" "status" {
bucket = aws_s3_bucket.osquery-status.id
acl = "private"
}
data "aws_iam_policy_document" "key_policy" {
// self account has access to key
statement {
principals {
identifiers = [
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
]
type = "AWS"
}
effect = "Allow"
actions = ["*"]
resources = ["*"]
}
// only allow the IAM role from fleet aws account
statement {
principals {
identifiers = [var.fleet_iam_role_arn]
type = "AWS"
}
effect = "Allow"
actions = ["kms:GenerateDataKey*"]
resources = ["*"] // this is basically "self" aka this particular key
}
}
// customer managed key to allow other aws account access
resource "aws_kms_key" "key" {
enable_key_rotation = true
policy = data.aws_iam_policy_document.key_policy.json
description = "key used for osquery results and status bucket encryption"
}
// enable server side encryption with KMS key
resource "aws_s3_bucket_server_side_encryption_configuration" "results" {
bucket = aws_s3_bucket.osquery-results.id
rule {
bucket_key_enabled = true
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.key.id
sse_algorithm = "aws:kms"
}
}
}
resource "aws_s3_bucket_server_side_encryption_configuration" "status" {
bucket = aws_s3_bucket.osquery-status.id
rule {
bucket_key_enabled = true
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.key.id
sse_algorithm = "aws:kms"
}
}
}


@ -1,11 +0,0 @@
output "kms_key_arn" {
value = aws_kms_key.key.arn
}
output "results_bucket_name" {
value = aws_s3_bucket.osquery-results.id
}
output "status_bucket_name" {
value = aws_s3_bucket.osquery-status.id
}


@ -1,14 +0,0 @@
variable "osquery_results_bucket" {
type = string
description = "name of the bucket to store osquery results logs"
}
variable "osquery_status_bucket" {
type = string
description = "name of the bucket to store osquery status logs"
}
variable "fleet_iam_role_arn" {
type = string
description = "the arn of the fleet role that firehose will assume to write data to your bucket"
}