terraform module -- firehose audit logs (#11710)

Add support for Fleet audit logs by adding a new variable `firehose_audit_name` to the `firehose` module. If the variable is set, a new delivery stream is created for Fleet audit logs. The IAM role is updated to allow writing to the new delivery stream. The `outputs.tf` file is updated to include the new environment variable `FLEET_ACTIVITY_ENABLE_AUDIT_LOG` and `FLEET_ACTIVITY_AUDIT_LOG_PLUGIN` to the `fleet_extra_environment_variables` output. The `firehose_policy` in `firehose.tf` is updated to allow writing to the new delivery stream. The `firehose_audit` policy is created and attached to the IAM role if the `firehose_audit_name` variable is set. --------- Co-authored-by: Robert Fairburn <8029478+rfairburn@users.noreply.github.com>
2026-05-23 08:58:41 +00:00 · 2023-05-31 15:02:22 -04:00 · 2023-05-31 15:02:22 -04:00 · 806e6b9887
commit 806e6b9887
parent 297d87934f
6 changed files with 82 additions and 7 deletions
--- a/terraform/addons/byo-firehose-logging-destination/firehose/outputs.tf
+++ b/terraform/addons/byo-firehose-logging-destination/firehose/outputs.tf
@ -6,6 +6,8 @@ output "fleet_extra_environment_variables" {
    FLEET_FIREHOSE_REGION              = var.region
    FLEET_OSQUERY_STATUS_LOG_PLUGIN    = "firehose"
    FLEET_OSQUERY_RESULT_LOG_PLUGIN    = "firehose"
+    FLEET_ACTIVITY_ENABLE_AUDIT_LOG    = length(var.firehose_audit_name) > 0 ? "true" : "false"
+    FLEET_ACTIVITY_AUDIT_LOG_PLUGIN    = "firehose" # only has an effect if ^ is true
  }
 }

--- a/terraform/addons/byo-firehose-logging-destination/firehose/variables.tf
+++ b/terraform/addons/byo-firehose-logging-destination/firehose/variables.tf
@ -13,6 +13,11 @@ variable "firehose_status_name" {
  description = "name of the firehose delivery stream for osquery status logs"
 }

+variable "firehose_audit_name" {
+  type        = string
+  description = "name of the firehose delivery stream for fleet audit logs"
+}
+
 variable "region" {
  type        = string
  description = "region the target firehose delivery stream is in"
--- a/terraform/addons/byo-firehose-logging-destination/target-account/firehose.tf
+++ b/terraform/addons/byo-firehose-logging-destination/target-account/firehose.tf
@ -30,10 +30,13 @@ data "aws_iam_policy_document" "firehose_policy" {
  statement {
    effect  = "Allow"
    actions = ["logs:PutLogEvents"]
-    resources = [
+    resources = concat([
      "arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.firehose_results_name}:*",
-      "arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.firehose_status_name}:*"
-    ]
+      "arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.firehose_status_name}:*",
+      ],
+      var.firehose_status_name == "" ? [] : [
+        "arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.firehose_audit_name}:*"
+    ])
  }

  statement {
@ -92,4 +95,20 @@ resource "aws_kinesis_firehose_delivery_stream" "osquery_status" {
    role_arn   = aws_iam_role.firehose.arn
    bucket_arn = aws_s3_bucket.destination.arn
  }
-}
+}
+
+resource "aws_kinesis_firehose_delivery_stream" "fleet_audit" {
+  count       = length(var.firehose_audit_name) > 0 ? 1 : 0
+  name        = var.firehose_audit_name
+  destination = "s3"
+
+  server_side_encryption {
+    key_arn = aws_kms_key.firehose.arn
+  }
+
+  s3_configuration {
+    prefix     = var.audit_prefix
+    role_arn   = aws_iam_role.firehose.arn
+    bucket_arn = aws_s3_bucket.destination.arn
+  }
+}
--- a/terraform/addons/byo-firehose-logging-destination/target-account/iam.tf
+++ b/terraform/addons/byo-firehose-logging-destination/target-account/iam.tf
@ -4,7 +4,7 @@ resource "aws_iam_role" "fleet_role" {

 data "aws_iam_policy_document" "assume_role" {
  statement {
-    effect = "Allow"
+    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      identifiers = [var.fleet_iam_role_arn]
@ -21,7 +21,10 @@ data "aws_iam_policy_document" "firehose" {
      "firehose:PutRecord",
      "firehose:PutRecordBatch",
    ]
-    resources = [aws_kinesis_firehose_delivery_stream.osquery_results.arn, aws_kinesis_firehose_delivery_stream.osquery_status.arn]
+    resources = [
+      aws_kinesis_firehose_delivery_stream.osquery_results.arn,
+      aws_kinesis_firehose_delivery_stream.osquery_status.arn
+    ]
  }

  statement {
@ -42,4 +45,39 @@ resource "aws_iam_policy" "fleet_firehose" {
 resource "aws_iam_role_policy_attachment" "fleet_firehose" {
  policy_arn = aws_iam_policy.fleet_firehose.arn
  role       = aws_iam_role.fleet_role.name
+}
+
+data "aws_iam_policy_document" "firehose_audit" {
+  count = length(var.firehose_audit_name) > 0 ? 1 : 0
+  statement {
+    effect = "Allow"
+    actions = [
+      "firehose:DescribeDeliveryStream",
+      "firehose:PutRecord",
+      "firehose:PutRecordBatch",
+    ]
+    resources = [
+      aws_kinesis_firehose_delivery_stream.fleet_audit.*.arn
+    ]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey"
+    ]
+    resources = [aws_kms_key.firehose.arn]
+  }
+}
+
+resource "aws_iam_policy" "fleet_firehose_audit" {
+  count  = length(var.firehose_audit_name) > 0 ? 1 : 0
+  policy = data.aws_iam_policy_document.firehose_audit.*.json
+}
+
+resource "aws_iam_role_policy_attachment" "fleet_firehose_audit" {
+  count      = length(var.firehose_audit_name) > 0 ? 1 : 0
+  policy_arn = aws_iam_policy.fleet_firehose_audit.*.arn
+  role       = aws_iam_role.fleet_role.name
 }
--- a/terraform/addons/byo-firehose-logging-destination/target-account/s3.tf
+++ b/terraform/addons/byo-firehose-logging-destination/target-account/s3.tf
@ -31,4 +31,4 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "destination" {
      sse_algorithm = "aws:kms"
    }
  }
-}
+}
--- a/terraform/addons/byo-firehose-logging-destination/target-account/variables.tf
+++ b/terraform/addons/byo-firehose-logging-destination/target-account/variables.tf
@ -15,6 +15,12 @@ variable "firehose_status_name" {
  default     = "osquery_status"
 }

+variable "firehose_audit_name" {
+  type        = string
+  description = "firehose delivery stream name for Fleet audit logs"
+  default     = ""
+}
+
 variable "fleet_iam_role_arn" {
  type        = string
  description = "the arn of the fleet role that firehose will assume to write data to your bucket"
@ -28,4 +34,9 @@ variable "results_prefix" {
 variable "status_prefix" {
  default     = "status/"
  description = "s3 object prefix to give status logs"
+}
+
+variable "audit_prefix" {
+  default     = "audit/"
+  description = "s3 object prefix to give Fleet audit logs"
 }