implemented query logging

FriendsOfTerraform · Jul 10, 2024 · 7241b69 · 7241b69
1 parent 2d2c9d0
commit 7241b69
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -491,6 +491,26 @@ module "psin_lab_com" {
 
         Specify whether to sign the zone with DNSSEC. Valid values: `"SIGNING"`, `"NOT_SIGNING"`
 
+- (object) **`enable_query_logging = null`** _[since v1.0.0]_
+
+    Enables [Route 53 Query Logging][route53-query-logging].
+
+    - (string) **`cloudwatch_log_group_arn = null`** _[since v1.0.0]_
+
+        An existing Cloudwatch log group to send query logging to
+
+    - (bool) **`create_resource_policy = false`** _[since v1.0.0]_
+
+        Creates a Cloudwatch log resource policy named AWSServiceRoleForRoute53 to grant route 53 permissions to send logs to Cloudwatch. You do not need to create this if one is already created
+
+    - (string) **`log_group_class = "STANDARD"`** _[since v1.0.0]_
+
+        Specified the log class of the log group. Possible values are: `"STANDARD"`, `"INFREQUENT_ACCESS"`. Mutually exclusive with `cloudwatch_log_group_arn`
+
+    - (number) **`retention = 0`** _[since v1.0.0]_
+
+        Specifies the number of days you want to retain log events in the specified log group. Possible values are: `1`, `3`, `5`, `7`, `14`, `30`, `60`, `90`, `120`, `150`, `180`, `365`, `400`, `545`, `731`, `1096`, `1827`, `2192`, `2557`, `2922`, `3288`, `3653`,`0`. If you select `0`, the events in the log group are always retained and never expire. Mutually exclusive with `cloudwatch_log_group_arn`
+
 - (map(list(string))) **`private_zone_vpc_associations = {}`** _[since v1.0.0]_
 
     One of more VPC IDs this private hosted zone is used to resolve DNS queries for. Do not specify if you want to create a public hosted zone. Please [see example](#private-hosted-zone)
@@ -728,6 +748,7 @@ module "psin_lab_com" {
 [route53-health-check-types]:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/health-checks-types.html
 [route53-ksk]:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec-ksk.html
 [route53-ksk-kms-requirements]:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec-cmk-requirements.html
+[route53-query-logging]:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/query-logs.html
 [route53-routing-policy-failover]:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-failover.html
 [route53-routing-policy-geolocation]:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-geo.html
 [route53-routing-policy-geoproximity]:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-geoproximity.html

diff --git a/cloudwatch-log-group.tf b/cloudwatch-log-group.tf
@@ -0,0 +1,14 @@
+resource "aws_cloudwatch_log_group" "query_logging_cloudwatch_log_group" {
+  count = var.enable_query_logging != null ? (
+    var.enable_query_logging.cloudwatch_log_group_arn != null ? 0 : 1
+  ) : 0
+
+  name              = "/aws/route53/${var.domain_name}"
+  log_group_class   = var.enable_query_logging.log_group_class
+  retention_in_days = var.enable_query_logging.retention
+
+  tags = merge(
+    local.common_tags,
+    var.additional_tags_all
+  )
+}
diff --git a/cloudwatch-log-resource-policy.tf b/cloudwatch-log-resource-policy.tf
@@ -0,0 +1,25 @@
+resource "aws_cloudwatch_log_resource_policy" "route53-query-logging-policy" {
+  count = var.enable_query_logging != null ? (
+    var.enable_query_logging.cloudwatch_log_group_arn != null ? 0 : (var.enable_query_logging.create_resource_policy ? 1 : 0)
+  ) : 0
+
+  policy_name = "AWSServiceRoleForRoute53"
+
+  policy_document = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "Route53LogsToCloudWatchLogs"
+        Effect = "Allow"
+        Principal = {
+          Service = "route53.amazonaws.com"
+        }
+        Action = [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ]
+        Resource = "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:*"
+      }
+    ]
+  })
+}
diff --git a/route53-query-log.tf b/route53-query-log.tf
@@ -0,0 +1,6 @@
+resource "aws_route53_query_log" "query_log" {
+  count = var.enable_query_logging != null ? 1 : 0
+
+  cloudwatch_log_group_arn = var.enable_query_logging.cloudwatch_log_group_arn != null ? var.enable_query_logging.cloudwatch_log_group_arn : aws_cloudwatch_log_group.query_logging_cloudwatch_log_group[0].arn
+  zone_id                  = aws_route53_zone.hosted_zone.zone_id
+}
diff --git a/variables.tf b/variables.tf
@@ -34,12 +34,14 @@ variable "enable_dnssec" {
   default     = null
 }
 
-# TODO
 variable "enable_query_logging" {
   type = object({
-    cloudwatch_log_group = optional(string, null)
+    cloudwatch_log_group_arn = optional(string, null)
+    create_resource_policy   = optional(bool, false)
+    log_group_class          = optional(string, "STANDARD")
+    retention                = optional(number, 0)
   })
-  description = ""
+  description = "Enables Route 53 query log"
   default     = null
 }