Merge pull request #1388 from alphagov/samsimpson1/aws-import

Manage aws-logging bucket
alphagov · Jul 11, 2024 · b75fa32 · b75fa32
2 parents ffc8568 + 1e08b18
commit b75fa32
Show file tree

Hide file tree

Showing 6 changed files with 250 additions and 7 deletions.
diff --git a/terraform/deployments/vpc/aws_logging.tf b/terraform/deployments/vpc/aws_logging.tf
@@ -0,0 +1,159 @@
+data "aws_elb_service_account" "main" {}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_iam_policy_document" "s3_aws_logging" {
+  statement {
+    actions   = ["s3:PutObject"]
+    effect    = "Allow"
+    resources = ["arn:aws:s3:::govuk-${var.govuk_environment}-aws-logging/*"]
+    principals {
+      type        = "AWS"
+      identifiers = [data.aws_elb_service_account.main.arn]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "s3_govuk_aws_logging_replication_policy" {
+  statement {
+    actions = [
+      "s3:GetReplicationConfiguration",
+      "s3:ListBucket"
+    ]
+    effect    = "Allow"
+    resources = [aws_s3_bucket.aws_logging.arn]
+  }
+  statement {
+    actions = [
+      "s3:GetObjectVersion",
+      "s3:GetObjectVersionAcl",
+      "s3:GetObjectVersionTagging"
+    ]
+    effect    = "Allow"
+    resources = ["${aws_s3_bucket.aws_logging.arn}/*"]
+  }
+  statement {
+    actions = [
+      "s3:ReplicateObject",
+      "s3:ReplicateDelete",
+      "s3:ReplicateTags",
+      "s3:GetObjectVersionTagging",
+      "s3:ObjectOwnerOverrideToBucketOwner"
+    ]
+    effect    = "Allow"
+    resources = ["arn:aws:s3:::${var.cyber_slunk_s3_bucket_name}/*"]
+  }
+}
+
+data "aws_iam_policy_document" "s3_govuk_aws_logging_replication_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["s3.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "govuk_aws_logging_replication_policy" {
+  name        = "govuk-${var.govuk_environment}-aws-logging-bucket-replication-policy"
+  policy      = data.aws_iam_policy_document.s3_govuk_aws_logging_replication_policy.json
+  description = "Allows replication of the aws-logging bucket"
+}
+
+resource "aws_iam_role" "govuk_aws_logging_replication_role" {
+  name               = "govuk-aws-logging-replication-role"
+  assume_role_policy = data.aws_iam_policy_document.s3_govuk_aws_logging_replication_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "govuk_aws_logging_replication_policy_attachment" {
+  role       = aws_iam_role.govuk_aws_logging_replication_role.name
+  policy_arn = aws_iam_policy.govuk_aws_logging_replication_policy.arn
+}
+
+# Create a bucket that allows AWS services to write to it
+resource "aws_s3_bucket" "aws_logging" {
+  bucket = "govuk-${var.govuk_environment}-aws-logging"
+}
+
+resource "aws_s3_bucket_policy" "aws_logging" {
+  bucket = aws_s3_bucket.aws_logging.id
+  policy = data.aws_iam_policy_document.s3_aws_logging.json
+}
+
+resource "aws_s3_bucket_acl" "aws_logging" {
+  bucket = aws_s3_bucket.aws_logging.id
+  acl    = "log-delivery-write"
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "aws_logging" {
+  bucket = aws_s3_bucket.aws_logging.id
+
+  rule {
+    id     = "ExpireRule"
+    status = "Enabled"
+
+    expiration {
+      days = 30
+    }
+    noncurrent_version_expiration {
+      noncurrent_days = 1
+    }
+  }
+}
+
+resource "aws_s3_bucket_versioning" "aws_logging" {
+  bucket = aws_s3_bucket.aws_logging.id
+
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_replication_configuration" "aws_logging" {
+  bucket = aws_s3_bucket.aws_logging.id
+  role   = aws_iam_role.govuk_aws_logging_replication_role.arn
+
+  rule {
+    id     = "govuk-aws-logging-elb-govuk-public-ckan-rule"
+    status = var.govuk_environment == "production" ? "Enabled" : "Disabled"
+    destination {
+      bucket        = "arn:aws:s3:::${var.cyber_slunk_s3_bucket_name}"
+      storage_class = "STANDARD"
+      account       = var.cyber_slunk_aws_account_id
+
+      access_control_translation {
+        owner = "Destination"
+      }
+    }
+    filter {
+      prefix = "elb/govuk-ckan-public-elb"
+    }
+  }
+}
+
+# IAM role and policy for RDS Enhanced Monitoring
+
+data "aws_iam_policy_document" "rds_enhanced_monitoring" {
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["monitoring.rds.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "rds_enhanced_monitoring" {
+  name               = "rds-monitoring-role"
+  assume_role_policy = data.aws_iam_policy_document.rds_enhanced_monitoring.json
+}
+
+resource "aws_iam_role_policy_attachment" "rds_enhanced_monitoring" {
+  role       = aws_iam_role.rds_enhanced_monitoring.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
+}
diff --git a/terraform/deployments/vpc/aws_logging_import.tf.json b/terraform/deployments/vpc/aws_logging_import.tf.json
@@ -0,0 +1,49 @@
+{
+  "//": "Generated by autoimports.py script",
+  "import": [
+    {
+      "to": "aws_iam_policy.govuk_aws_logging_replication_policy",
+      "id": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/govuk-${var.govuk_environment}-aws-logging-bucket-replication-policy"
+    },
+    {
+      "to": "aws_iam_role.govuk_aws_logging_replication_role",
+      "id": "govuk-aws-logging-replication-role"
+    },
+    {
+      "to": "aws_iam_role_policy_attachment.govuk_aws_logging_replication_policy_attachment",
+      "id": "${aws_iam_role.govuk_aws_logging_replication_role.name}/${aws_iam_policy.govuk_aws_logging_replication_policy.arn}"
+    },
+    {
+      "to": "aws_s3_bucket.aws_logging",
+      "id": "govuk-${var.govuk_environment}-aws-logging"
+    },
+    {
+      "to": "aws_s3_bucket_policy.aws_logging",
+      "id": "${aws_s3_bucket.aws_logging.id}"
+    },
+    {
+      "to": "aws_s3_bucket_acl.aws_logging",
+      "id": "${aws_s3_bucket.aws_logging.id}"
+    },
+    {
+      "to": "aws_s3_bucket_lifecycle_configuration.aws_logging",
+      "id": "${aws_s3_bucket.aws_logging.id}"
+    },
+    {
+      "to": "aws_s3_bucket_versioning.aws_logging",
+      "id": "${aws_s3_bucket.aws_logging.id}"
+    },
+    {
+      "to": "aws_s3_bucket_replication_configuration.aws_logging",
+      "id": "${aws_s3_bucket.aws_logging.id}"
+    },
+    {
+      "to": "aws_iam_role.rds_enhanced_monitoring",
+      "id": "rds-monitoring-role"
+    },
+    {
+      "to": "aws_iam_role_policy_attachment.rds_enhanced_monitoring",
+      "id": "${aws_iam_role.rds_enhanced_monitoring.name}/arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
+    }
+  ]
+}
diff --git a/terraform/deployments/vpc/google_logging_bucket.tf b/terraform/deployments/vpc/google_logging_bucket.tf
@@ -3,8 +3,7 @@ data "google_project" "project" {}
 resource "google_storage_bucket" "google_logging" {
   name          = "govuk-${var.govuk_environment}-gcp-logging"
   location      = "eu"
-  storage_class = "multi_regional"
-  project       = data.google_project.project.id
+  storage_class = "MULTI_REGIONAL"
 
   versioning {
     enabled = true
@@ -16,15 +15,15 @@ resource "google_storage_bucket" "google_logging" {
     }
 
     condition {
-      age = 30
+      age        = 30
+      with_state = "ARCHIVED"
     }
   }
 }
 
-resource "google_storage_bucket_acl" "google_logging" {
+resource "google_storage_bucket_access_control" "google_logging" {
   bucket = google_storage_bucket.google_logging.name
 
-  role_entity = [
-    "WRITER:group-cloud-storage-analytics@google.com",
-  ]
+  role   = "WRITER"
+  entity = "group-cloud-storage-analytics@google.com"
 }
diff --git a/terraform/deployments/vpc/google_logging_bucket_import.tf.json b/terraform/deployments/vpc/google_logging_bucket_import.tf.json
@@ -0,0 +1,9 @@
+{
+  "//": "Generated by autoimports.py script",
+  "import": [
+    {
+      "to": "google_storage_bucket.google_logging",
+      "id": "govuk-${var.govuk_environment}-gcp-logging"
+    }
+  ]
+}
diff --git a/terraform/deployments/vpc/outputs.tf b/terraform/deployments/vpc/outputs.tf
@@ -1 +1,16 @@
 output "id" { value = aws_vpc.vpc.id }
+
+output "aws_logging_bucket_id" {
+  value       = aws_s3_bucket.aws_logging.id
+  description = "Name of the AWS logging bucket"
+}
+
+output "aws_logging_bucket_arn" {
+  value       = aws_s3_bucket.aws_logging.arn
+  description = "ARN of the AWS logging bucket"
+}
+
+output "rds_enhanced_monitoring_role_arn" {
+  description = "The ARN of the IAM role for RDS Enhanced Monitoring"
+  value       = aws_iam_role.rds_enhanced_monitoring.arn
+}
diff --git a/terraform/deployments/vpc/variables.tf b/terraform/deployments/vpc/variables.tf
@@ -24,3 +24,15 @@ variable "cluster_log_retention_in_days" {
   type        = string
   description = "Number of days to retain Cloudwatch logs for"
 }
+
+variable "cyber_slunk_s3_bucket_name" {
+  type        = string
+  description = "Bucket to store logs for ingestion by Splunk"
+  default     = "central-pipeline-logging-prod-non-cw"
+}
+
+variable "cyber_slunk_aws_account_id" {
+  type        = string
+  description = "Account ID which holds the Splunk log bucket"
+  default     = "885513274347"
+}