Add an option to use an existing secret instead of creating a new on…
…e with ssm[CDS-549] (#76)

* Add an option to use an existing secret instead of creating a new one with ssm, and remove the ssm_enabled variable

* change flase to False in create_secret description

* restore the s3 custom bucket

* fix readme files

* arranged the indents

* fix tests

* add changelog new entry

* add change log to s3
guyrenny authored Aug 17, 2023
1 parent 8b8fe5e commit 13b8a41
Showing 22 changed files with 115 additions and 105 deletions.
16 changes: 8 additions & 8 deletions examples/cloudwatch-logs/variables.tf
Expand Up @@ -15,7 +15,7 @@ variable "custom_url" {
}

variable "private_key" {
description = "The Coralogix private key which is used to validate your authenticity"
description = "Your Coralogix secret key or incase you use your own created secret put here the name of your secret that contains the coralogix Private Key"
type = string
sensitive = true
}
Expand Down Expand Up @@ -84,14 +84,8 @@ variable "tags" {
default = {}
}

variable "ssm_enable" {
description = "Use SSM for the private key True/False"
type = string
default = "False"
}

variable "layer_arn" {
description = "Coralogix SSM Layer ARN"
description = "In case you are using SSM This is the ARN of the Coralogix Security Layer."
type = string
default = ""
}
Expand All @@ -112,4 +106,10 @@ variable "custom_s3_bucket" {
description = "The name of the s3 bucket to save the lambda zip code in"
type = string
default = ""
}

variable "create_secret" {
description = "Set to False In case you want to use SSM with your secret that contains coralogix private key"
type = string
default = "True"
}
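Review bot: `create_secret` is declared as `type = string` with `default = "True"`, and the module code in this commit compares it only against the exact-case literals `"True"` and `"False"`, so a value such as `true`, `false` or `FALSE` matches neither branch and silently produces a deployment with no Secrets Manager secret created and an empty `SECRET_NAME`, instead of a plan-time error. Either declare it as `type = bool` with `default = true`, or keep the string and add `validation { condition = contains(["True", "False"], var.create_secret); error_message = "create_secret must be \"True\" or \"False\"." }` inside the variable block so unexpected values are rejected. The description should also state explicitly that when it is `"False"`, `private_key` must hold the name of the existing secret rather than the key value, since that is how the lambdaSSM environment consumes it. The same declaration is repeated in examples/kinesis, examples/resource-metadata, examples/s3, modules/cloudwatch-logs and modules/kinesis variables.tf.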
16 changes: 8 additions & 8 deletions examples/kinesis/variables.tf
Expand Up @@ -15,7 +15,7 @@ variable "custom_url" {
}

variable "private_key" {
description = "The Coralogix private key which is used to validate your authenticity"
description = "Your Coralogix secret key or incase you use your own created secret put here the name of your secret that contains the coralogix Private Key"
type = string
sensitive = true
}
Expand Down Expand Up @@ -79,14 +79,8 @@ variable "tags" {
default = {}
}

variable "ssm_enable" {
description = "Use SSM for the private key True/False"
type = string
default = "False"
}

variable "layer_arn" {
description = "Coralogix SSM Layer ARN"
description = "In case you are using SSM This is the ARN of the Coralogix Security Layer."
type = string
default = ""
}
Expand All @@ -95,4 +89,10 @@ variable "custom_s3_bucket" {
description = "The name of the s3 bucket to save the lambda zip code in"
type = string
default = ""
}

variable "create_secret" {
description = "Set to False In case you want to use SSM with your secret that contains coralogix private key"
type = string
default = "True"
}
1 change: 0 additions & 1 deletion examples/lambda-secretLayer/README.md
Expand Up @@ -46,7 +46,6 @@ module "coralogix-shipper-s3" {
coralogix_region = "Europe"
private_key = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXX"
ssm_enable = "True"
layer_arn = module.lambda-secretLayer.lambda_layer_version_arn
application_name = "s3"
subsystem_name = "logs"
16 changes: 8 additions & 8 deletions examples/resource-metadata/variables.tf
Expand Up @@ -14,19 +14,13 @@ variable "custom_url" {
}

variable "private_key" {
description = "The Coralogix private key which is used to validate your authenticity"
description = "Your Coralogix secret key or incase you use your own created secret put here the name of your secret that contains the coralogix Private Key"
type = string
sensitive = true
}

variable "ssm_enable" {
description = "Use SSM for the private key True/False"
type = string
default = "False"
}

variable "layer_arn" {
description = "Coralogix SSM Layer ARN"
description = "In case you are using SSM This is the ARN of the Coralogix Security Layer."
type = string
default = ""
}
Expand Down Expand Up @@ -95,4 +89,10 @@ variable "custom_s3_bucket" {
description = "The name of the s3 bucket to save the lambda zip code in"
type = string
default = ""
}

variable "create_secret" {
description = "Set to False In case you want to use SSM with your secret that contains coralogix private key"
type = string
default = "True"
}
16 changes: 8 additions & 8 deletions examples/s3/variables.tf
Expand Up @@ -15,19 +15,13 @@ variable "custom_url" {
}

variable "private_key" {
description = "The Coralogix private key which is used to validate your authenticity"
description = "Your Coralogix secret key or incase you use your own created secret put here the name of your secret that contains the coralogix Private Key"
type = string
sensitive = true
}

variable "ssm_enable" {
description = "Use SSM for the private key True/False"
type = string
default = "False"
}

variable "layer_arn" {
description = "Coralogix SSM Layer ARN"
description = "In case you are using SSM This is the ARN of the Coralogix Security Layer."
type = string
default = ""
}
Expand Down Expand Up @@ -144,4 +138,10 @@ variable "custom_s3_bucket" {
description = "The name of the s3 bucket to save the lambda zip code in"
type = string
default = ""
}

variable "create_secret" {
description = "Set to False In case you want to use SSM with your secret that contains coralogix private key"
type = string
default = "True"
}
5 changes: 4 additions & 1 deletion modules/cloudwatch-logs/CHANGELOG.md
Expand Up @@ -2,8 +2,11 @@

## cloudwatch-logs

### 0.0.3 / 16.8.2023
* [Update] Add an option to use an existing secret instead of creating a new one with SSM, and remove ssm_enabled variable.

### 0.0.2 / 8.8.23
* [Update] Add support for govcloud, by adding custom_s3_bucket variable.

### 0.0.1 / 3.8.2023
* [Update] Add support to use a private link with coralogix - add subnet_id and security_group_id variable to connect the lambda to vpc.
* [Update] Add support to use a private link with coralogix - add subnet_id and security_group_id variable to connect the lambda to vpc.
7 changes: 3 additions & 4 deletions modules/cloudwatch-logs/README.md
Expand Up @@ -29,9 +29,9 @@ Manage the application which retrieves `CloudWatch` logs and sends them to your
|------|-------------|------|---------|:--------:|
| <a name="input_coralogix_region"></a> [coralogix\_region](#input\_coralogix\_region) | The Coralogix location region, possible options are [`Europe`, `Europe2`, `India`, `Singapore`, `US`, `US2`] | `string` | `Europe` | yes |
| <a name="input_custom_url"></a> [custom_url](#input\_custom\_domain) | Custom url for coralogix | `string` | n/a | no |
| <a name="input_ssm_enable"></a> [ssm_enable](#input\_ssm\_enable\) | store coralogix private_key as a secret so that it will not be save in the lambda True/False. Require that the coralogix ssm layer will be deployed in advance | `string` | `False` | no |
| <a name="input_layer_arn"></a> [layer_arn](#input\_layer\_arn) | Coralogix SSM Layer ARN (if SsmEnabled set to false, can leave as empty). | `string` | n/a | no |
| <a name="input_private_key"></a> [private\_key](#input\_private\_key) | The Coralogix private key which is used to validate your authenticity | `string` | n/a | yes |
| <a name="input_layer_arn"></a> [layer_arn](#input\_layer\_arn) | In case you are using SSM This is the ARN of the Coralogix Security Layer. | `string` | n/a | no |
| <a name="input_create_secret"></a> [create_secret](#input\_create\_secret) | Set to False In case you want to use SSM with your secret that contains coralogix Private Key| `string` | True | no |
| <a name="input_private_key"></a> [private\_key](#input\_private\_key) | Your Coralogix secret key or incase you use your own created secret put here the name of your secret that contains the coralogix Private Key| `string` | n/a | yes |
| <a name="input_application_name"></a> [application\_name](#input\_application\_name) | The name of your application | `string` | n/a | yes |
| <a name="input_subsystem_name"></a> [subsystem\_name](#input\_subsystem\_name) | The subsystem name of your application | `string` | n/a | yes |
| <a name="input_newline_pattern"></a> [newline\_pattern](#input\_newline\_pattern) | The pattern for lines splitting | `string` | `(?:\r\n\|\r\|\n)` | no |
Expand Down Expand Up @@ -69,4 +69,3 @@ You should use the `custom_s3_bucket` variable only when you need to deploy the
| <a name="output_lambda_role_arn"></a> [lambda\_role\_arn](#output\_lambda\_role\_arn) | The ARN of the IAM role created for the Lambda Function |
| <a name="output_lambda_role_name"></a> [lambda\_role\_name](#output\_lambda\_role\_name) | The name of the IAM role created for the Lambda Function |


12 changes: 6 additions & 6 deletions modules/cloudwatch-logs/main.tf
Expand Up @@ -27,7 +27,7 @@ resource "null_resource" "s3_bucket" {
module "lambda" {
source = "terraform-aws-modules/lambda/aws"
version = "3.3.1"
create = var.ssm_enable != "True" ? true : false
create = var.layer_arn == "" ? true : false
depends_on = [ null_resource.s3_bucket ]
function_name = module.locals.function_name
description = "Send CloudWatch logs to Coralogix."
Expand Down Expand Up @@ -73,7 +73,7 @@ module "lambda" {
module "lambdaSSM" {
source = "terraform-aws-modules/lambda/aws"
version = "3.3.1"
create = var.ssm_enable == "True" ? true : false
create = var.layer_arn != "" ? true : false
depends_on = [ null_resource.s3_bucket ]
layers = [var.layer_arn]
function_name = module.locals.function_name
Expand All @@ -91,6 +91,7 @@ module "lambdaSSM" {
environment_variables = {
CORALOGIX_URL = var.custom_url == "" ? lookup(module.locals.coralogix_regions, var.coralogix_region, "Europe") : var.custom_url
AWS_LAMBDA_EXEC_WRAPPER = "/opt/wrapper.sh"
SECRET_NAME = var.create_secret == "False" ? var.private_key : ""
private_key = "****"
app_name = var.application_name
sub_name = var.subsystem_name
Expand Down Expand Up @@ -142,7 +143,7 @@ resource "aws_cloudwatch_log_subscription_filter" "this" {
count = length(var.log_groups)
name = "${module.lambda.lambda_function_name}-Subscription-${count.index}"
log_group_name = data.aws_cloudwatch_log_group.this[count.index].name
destination_arn = var.ssm_enable == "True" ? module.lambdaSSM.lambda_function_arn : module.lambda.lambda_function_arn
destination_arn = var.layer_arn != "" ? module.lambdaSSM.lambda_function_arn : module.lambda.lambda_function_arn
filter_pattern = ""
}

Expand All @@ -161,16 +162,15 @@ resource "aws_sns_topic_subscription" "this" {
}

resource "aws_secretsmanager_secret" "private_key_secret" {
count = var.ssm_enable == "True" ? 1 : 0
count = var.layer_arn != "" && var.create_secret == "True" ? 1 : 0
depends_on = [module.lambdaSSM]
name = "lambda/coralogix/${data.aws_region.this.name}/${module.locals.function_name}"
description = "Coralogix Send Your Data key Secret"
}

resource "aws_secretsmanager_secret_version" "service_user" {
count = var.ssm_enable == "True" ? 1 : 0
count = var.layer_arn != "" && var.create_secret == "True" ? 1 : 0
depends_on = [aws_secretsmanager_secret.private_key_secret]
secret_id = aws_secretsmanager_secret.private_key_secret[count.index].id
secret_string = var.private_key
}

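Review bot: The new `SECRET_NAME = var.create_secret == "False" ? var.private_key : ""` line in the lambdaSSM environment and the two new `count = var.layer_arn != "" && var.create_secret == "True" ? 1 : 0` expressions all depend on exact-case string matching, so any `create_secret` value other than `"True"`/`"False"` yields an SSM lambda with neither a created secret nor a `SECRET_NAME`, and nothing in the plan flags it; a bool variable or a `validation` block on `create_secret` closes that gap. The same pattern is in modules/kinesis/main.tf. Separately, `private_key` is now overloaded: with `create_secret = "False"` it carries a secret name, but the non-SSM `module "lambda"` (whose body lies mostly outside the hunk) is still created whenever `layer_arn` is empty, so a caller who sets `create_secret = "False"` without a layer ARN presumably gets the secret name passed wherever that module expects the key value. That combination should fail the plan explicitly, for example via a `lifecycle { precondition { condition = var.create_secret != "False" || var.layer_arn != "" ... } }` on a resource that always exists, if the pinned Terraform version supports it.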
16 changes: 8 additions & 8 deletions modules/cloudwatch-logs/variables.tf
Expand Up @@ -84,14 +84,8 @@ variable "tags" {
default = {}
}

variable "ssm_enable" {
description = "Use SSM for the private key True/False"
type = string
default = "False"
}

variable "layer_arn" {
description = "Coralogix SSM Layer ARN"
description = "In case you are using SSM This is the ARN of the Coralogix Security Layer."
type = string
default = ""
}
Expand All @@ -112,4 +106,10 @@ variable "custom_s3_bucket" {
description = "The name of the s3 bucket to save the lambda zip code in"
type = string
default = ""
}
}

variable "create_secret" {
description = "Set to False In case you want to use SSM with your secret that contains coralogix private key"
type = string
default = "True"
}
5 changes: 4 additions & 1 deletion modules/kinesis/CHANGELOG.md
Expand Up @@ -2,5 +2,8 @@

## kinesis

### 0.0.2 / 16.8.2023
* [Update] Add an option to use an existing secret instead of creating a new one with SSM, and remove ssm_enabled variable.

### 0.0.1 / 8.8.23
* [Update] Add support for govcloud, by adding custom_s3_bucket variable.
* [Update] Add support for govcloud, by adding custom_s3_bucket variable.
7 changes: 3 additions & 4 deletions modules/kinesis/README.md
Expand Up @@ -28,9 +28,9 @@ Manage the application which retrieves logs from `S3` bucket and sends them to y
|------|-------------|------|---------|:--------:|
| <a name="input_coralogix_region"></a> [coralogix\_region](#input\_coralogix\_region) | The Coralogix location region, possible options are [`Europe`, `Europe2`, `India`, `Singapore`, `US`, `US2`] | `string` | `Europe` | yes |
| <a name="input_custom_url"></a> [custom_url](#input\_custom\_url) | Custom url for coralogix | `string` | n/a | no |
| <a name="input_ssm_enable"></a> [ssm_enable](#input\_ssm\_enable\) | store coralogix private_key as a secret so that it will not be save in the lambda True/False. Require that the coralogix ssm layer will be deployed in advance | `string` | `False` | no |
| <a name="input_layer_arn"></a> [layer_arn](#input\_layer\_arn) | Coralogix SSM Layer ARN (if SsmEnabled set to false, can leave as empty). | `string` | n/a | no |
| <a name="input_private_key"></a> [private\_key](#input\_private\_key) | The Coralogix private key which is used to validate your authenticity | `string` | n/a | yes |
| <a name="input_layer_arn"></a> [layer_arn](#input\_layer\_arn) | In case you are using SSM This is the ARN of the Coralogix Security Layer. | `string` | n/a | no |
| <a name="input_create_secret"></a> [create_secret](#input\_create\_secret) | Set to False In case you want to use SSM with your secret that contains coralogix Private Key| `string` | True | no |
| <a name="input_private_key"></a> [private\_key](#input\_private\_key) | Your Coralogix secret key or incase you use your own created secret put here the name of your secret that contains the coralogix Private Key| `string` | n/a | yes |
| <a name="input_application_name"></a> [application\_name](#input\_application\_name) | The name of your application | `string` | n/a | yes |
| <a name="input_subsystem_name"></a> [subsystem\_name](#input\_subsystem\_name) | The subsystem name of your application | `string` | n/a | yes |
| <a name="input_newline_pattern"></a> [newline\_pattern](#input\_newline\_pattern) | The pattern for lines splitting | `string` | `(?:\r\n\|\r\|\n)` | no |
Expand Down Expand Up @@ -61,4 +61,3 @@ You should use the `custom_s3_bucket` variable only when you need to deploy the
## Outputs

No outputs.

11 changes: 6 additions & 5 deletions modules/kinesis/main.tf
Expand Up @@ -25,9 +25,9 @@ resource "null_resource" "s3_bucket" {

module "lambda" {
source = "terraform-aws-modules/lambda/aws"
depends_on = [ null_resource.s3_bucket ]
version = "3.3.1"
create = var.ssm_enable != "True" ? true : false
create = var.layer_arn == "" ? true : false
depends_on = [ null_resource.s3_bucket ]
layers = [var.layer_arn]
function_name = module.locals.function_name
description = "Send kinesis data stream logs to Coralogix."
Expand Down Expand Up @@ -79,7 +79,7 @@ module "lambda" {
module "lambda_ssm" {
source = "terraform-aws-modules/lambda/aws"
version = "3.3.1"
create = var.ssm_enable == "True" ? true : false
create = var.layer_arn != "" ? true : false
depends_on = [ null_resource.s3_bucket ]
layers = [var.layer_arn]
function_name = module.locals.function_name
Expand All @@ -94,6 +94,7 @@ module "lambda_ssm" {
environment_variables = {
CORALOGIX_URL = var.custom_url == "" ? "${lookup(module.locals.coralogix_regions, var.coralogix_region, "Europe")}" : var.custom_url
AWS_LAMBDA_EXEC_WRAPPER = "/opt/wrapper.sh"
SECRET_NAME = var.create_secret == "False" ? var.private_key : ""
private_key = "****"
app_name = var.application_name
sub_name = var.subsystem_name
Expand Down Expand Up @@ -158,14 +159,14 @@ resource "aws_sns_topic_subscription" "this" {
}

resource "aws_secretsmanager_secret" "private_key_secret" {
count = var.ssm_enable == "True" ? 1 : 0
count = var.layer_arn != "" && var.create_secret == "True" ? 1 : 0
depends_on = [module.lambda_ssm]
name = "lambda/coralogix/${data.aws_region.this.name}/${module.locals.function_name}"
description = "Coralogix Send Your Data key Secret"
}

resource "aws_secretsmanager_secret_version" "service_user" {
count = var.ssm_enable == "True" ? 1 : 0
count = var.layer_arn != "" && var.create_secret == "True" ? 1 : 0
depends_on = [aws_secretsmanager_secret.private_key_secret]
secret_id = aws_secretsmanager_secret.private_key_secret[count.index].id
secret_string = var.private_key
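Review bot: The non-SSM `module "lambda"` in the first hunk keeps the context line `layers = [var.layer_arn]` while its new gate `create = var.layer_arn == "" ? true : false` means the module is only instantiated when `layer_arn` is empty, so that module's layer list is always `[""]`; the cloudwatch-logs counterpart in this commit passes no `layers` to its non-SSM module. Unless the upstream lambda module is known to tolerate an empty-string layer ARN (not verifiable from the hunk), remove `layers = [var.layer_arn]` from `module "lambda"` and leave it only on `module "lambda_ssm"`.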
14 changes: 7 additions & 7 deletions modules/kinesis/variables.tf
Expand Up @@ -79,14 +79,8 @@ variable "tags" {
default = {}
}

variable "ssm_enable" {
description = "Use SSM for the private key True/False"
type = string
default = "False"
}

variable "layer_arn" {
description = "Coralogix SSM Layer ARN"
description = "In case you are using SSM This is the ARN of the Coralogix Security Layer."
type = string
default = ""
}
Expand All @@ -95,4 +89,10 @@ variable "custom_s3_bucket" {
description = "The name of the s3 bucket to save the lambda zip code in"
type = string
default = ""
}

variable "create_secret" {
description = "Set to False In case you want to use SSM with your secret that contains coralogix private key"
type = string
default = "True"
}
5 changes: 4 additions & 1 deletion modules/resource-metadata/CHANGELOG.md
Expand Up @@ -2,5 +2,8 @@

## resource-metadata

### 0.0.2 / 16.8.2023
* [Update] Add an option to use an existing secret instead of creating a new one with SSM, and remove ssm_enabled variable.

### 0.0.1 / 8.8.23
* [Update] Add support for govcloud, by adding custom_s3_bucket variable.
* [Update] Add support for govcloud, by adding custom_s3_bucket variable.
6 changes: 3 additions & 3 deletions modules/resource-metadata/README.md
Expand Up @@ -28,9 +28,9 @@ Manage the application which retrieves `meta data` from your aws account and sen
|------|-------------|------|---------|:--------:|
| <a name="input_coralogix_region"></a> [coralogix\_region](#input\_coralogix\_region) | The Coralogix location region, possible options are [`Europe`, `Europe2`, `India`, `Singapore`, `US`, `US2`, `Custom`] | `string` | n/a | yes |
| <a name="input_custom_url"></a> [custom_url](#input\_custom\_domain) | Custom url for coralogix for example: https://<your_custom_domain>/api/v1/logs| `string` | n/a | no |
| <a name="input_ssm_enable"></a> [ssm_enable](#input\_ssm\_enable\) | store coralogix private_key as a secret so that it will not be save in the lambda True/False. Require that the coralogix ssm layer will be deployed in advance | `string` | `False` | no |
| <a name="input_layer_arn"></a> [layer_arn](#input\_layer\_arn) | Coralogix SSM Layer ARN (if SsmEnabled set to false, can leave as empty). | `string` | n/a | no |
| <a name="input_private_key"></a> [private\_key](#input\_private\_key) | The Coralogix private key which is used to validate your authenticity | `string` | n/a | yes |
| <a name="input_layer_arn"></a> [layer_arn](#input\_layer\_arn) | In case you are using SSM This is the ARN of the Coralogix Security Layer. | `string` | n/a | no |
| <a name="input_create_secret"></a> [create_secret](#input\_create\_secret) | Set to False In case you want to use SSM with your secret that contains coralogix Private Key| `string` | True | no |
| <a name="input_private_key"></a> [private\_key](#input\_private\_key) | Your Coralogix secret key or incase you use your own created secret put here the name of your secret that contains the coralogix Private Key| `string` | n/a | yes |
| <a name="input_schedule"></a> [schedule](#input\_schedule) | The rate to collacet metadata | `string` | `rate(10 minutes)` | no |
| <a name="input_latest_versions_per_function"></a> [latest_versions_per_function](#input\_latest\_versions\_per\_function) | How many latest published versions of each Lambda function should be collected | `number` | 5 | no |
| <a name="input_resource_ttl_minutes"></a> [resource_ttl_minutes](#input\_resource\_ttl\_minutes) | Once a resource is collected, how long should it remain valid | `number` | 60 | no |
