From 13b8a41ed5ef059984e43f911b7cdf99223f8241 Mon Sep 17 00:00:00 2001
From: guyrenny <127672145+guyrenny@users.noreply.github.com>
Date: Thu, 17 Aug 2023 10:31:46 +0300
Subject: [PATCH] Add an option to use an existing secret instead of creating
a new one with ssm[CDS-549] (#76)
* Add an option to use an existing secret instead of creating a new one with ssm, and remove the ssm_enable variable
* change flase to False in create_secret description
* restore the s3 custom bucket
* fix readme files
* arranged the indents
* fix tests
* add changelog new entry
* add change log to s3
---
examples/cloudwatch-logs/variables.tf | 16 ++++++++--------
examples/kinesis/variables.tf | 16 ++++++++--------
examples/lambda-secretLayer/README.md | 1 -
examples/resource-metadata/variables.tf | 16 ++++++++--------
examples/s3/variables.tf | 16 ++++++++--------
modules/cloudwatch-logs/CHANGELOG.md | 5 ++++-
modules/cloudwatch-logs/README.md | 7 +++----
modules/cloudwatch-logs/main.tf | 12 ++++++------
modules/cloudwatch-logs/variables.tf | 16 ++++++++--------
modules/kinesis/CHANGELOG.md | 5 ++++-
modules/kinesis/README.md | 7 +++----
modules/kinesis/main.tf | 11 ++++++-----
modules/kinesis/variables.tf | 14 +++++++-------
modules/resource-metadata/CHANGELOG.md | 5 ++++-
modules/resource-metadata/README.md | 6 +++---
modules/resource-metadata/main.tf | 14 ++++++++------
modules/resource-metadata/variables.tf | 14 +++++++-------
modules/s3/CHANGELOG.md | 3 +++
modules/s3/README.md | 7 +++----
modules/s3/main.tf | 13 +++++++------
modules/s3/variables.tf | 14 +++++++-------
tests/resource-metadata/resource-metadata.tf | 2 --
22 files changed, 115 insertions(+), 105 deletions(-)
diff --git a/examples/cloudwatch-logs/variables.tf b/examples/cloudwatch-logs/variables.tf
index 2ccbfa60..62ba4518 100644
--- a/examples/cloudwatch-logs/variables.tf
+++ b/examples/cloudwatch-logs/variables.tf
@@ -15,7 +15,7 @@ variable "custom_url" {
}
variable "private_key" {
- description = "The Coralogix private key which is used to validate your authenticity"
+ description = "Your Coralogix secret key or incase you use your own created secret put here the name of your secret that contains the coralogix Private Key"
type = string
sensitive = true
}
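Review bot: The rewritten `private_key` description makes one input carry two unrelated things, the raw Send-Your-Data key or the name of an existing Secrets Manager secret, with only the separate `create_secret` flag deciding which one the module thinks it received. That overloading matters because the secret-layer function in this same change copies `private_key` verbatim into its `SECRET_NAME` environment variable when `create_secret` is `"False"`, so a caller who flips the flag but keeps passing the real key ends up with it in plaintext in the function configuration, readable by anyone with `lambda:GetFunctionConfiguration`. The description should at least spell out that coupling, e.g. `description = "The Coralogix Send-Your-Data key. When create_secret is \"False\" pass instead the name of an existing Secrets Manager secret whose value is the key; that name is placed in the Lambda environment."`. A dedicated `secret_name` input would be the cleaner design, but that is an interface change beyond this hunk.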
@@ -84,14 +84,8 @@ variable "tags" {
default = {}
}
-variable "ssm_enable" {
- description = "Use SSM for the private key True/False"
- type = string
- default = "False"
-}
-
variable "layer_arn" {
- description = "Coralogix SSM Layer ARN"
+ description = "In case you are using SSM This is the ARN of the Coralogix Security Layer."
type = string
default = ""
}
@@ -112,4 +106,10 @@ variable "custom_s3_bucket" {
description = "The name of the s3 bucket to save the lambda zip code in"
type = string
default = ""
+}
+
+variable "create_secret" {
+ description = "Set to False In case you want to use SSM with your secret that contains coralogix private key"
+ type = string
+ default = "True"
}
\ No newline at end of file
diff --git a/examples/kinesis/variables.tf b/examples/kinesis/variables.tf
index 4b9d3b14..0c89c363 100644
--- a/examples/kinesis/variables.tf
+++ b/examples/kinesis/variables.tf
@@ -15,7 +15,7 @@ variable "custom_url" {
}
variable "private_key" {
- description = "The Coralogix private key which is used to validate your authenticity"
+ description = "Your Coralogix secret key or incase you use your own created secret put here the name of your secret that contains the coralogix Private Key"
type = string
sensitive = true
}
@@ -79,14 +79,8 @@ variable "tags" {
default = {}
}
-variable "ssm_enable" {
- description = "Use SSM for the private key True/False"
- type = string
- default = "False"
-}
-
variable "layer_arn" {
- description = "Coralogix SSM Layer ARN"
+ description = "In case you are using SSM This is the ARN of the Coralogix Security Layer."
type = string
default = ""
}
@@ -95,4 +89,10 @@ variable "custom_s3_bucket" {
description = "The name of the s3 bucket to save the lambda zip code in"
type = string
default = ""
+}
+
+variable "create_secret" {
+ description = "Set to False In case you want to use SSM with your secret that contains coralogix private key"
+ type = string
+ default = "True"
}
\ No newline at end of file
diff --git a/examples/lambda-secretLayer/README.md b/examples/lambda-secretLayer/README.md
index f6b6d821..87005e5c 100644
--- a/examples/lambda-secretLayer/README.md
+++ b/examples/lambda-secretLayer/README.md
@@ -46,7 +46,6 @@ module "coralogix-shipper-s3" {
coralogix_region = "Europe"
private_key = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXX"
- ssm_enable = "True"
layer_arn = module.lambda-secretLayer.lambda_layer_version_arn
application_name = "s3"
subsystem_name = "logs"
diff --git a/examples/resource-metadata/variables.tf b/examples/resource-metadata/variables.tf
index e8499643..228c7b50 100644
--- a/examples/resource-metadata/variables.tf
+++ b/examples/resource-metadata/variables.tf
@@ -14,19 +14,13 @@ variable "custom_url" {
}
variable "private_key" {
- description = "The Coralogix private key which is used to validate your authenticity"
+ description = "Your Coralogix secret key or incase you use your own created secret put here the name of your secret that contains the coralogix Private Key"
type = string
sensitive = true
}
-variable "ssm_enable" {
- description = "Use SSM for the private key True/False"
- type = string
- default = "False"
-}
-
variable "layer_arn" {
- description = "Coralogix SSM Layer ARN"
+ description = "In case you are using SSM This is the ARN of the Coralogix Security Layer."
type = string
default = ""
}
@@ -95,4 +89,10 @@ variable "custom_s3_bucket" {
description = "The name of the s3 bucket to save the lambda zip code in"
type = string
default = ""
+}
+
+variable "create_secret" {
+ description = "Set to False In case you want to use SSM with your secret that contains coralogix private key"
+ type = string
+ default = "True"
}
\ No newline at end of file
diff --git a/examples/s3/variables.tf b/examples/s3/variables.tf
index 7725d511..549bf9a1 100644
--- a/examples/s3/variables.tf
+++ b/examples/s3/variables.tf
@@ -15,19 +15,13 @@ variable "custom_url" {
}
variable "private_key" {
- description = "The Coralogix private key which is used to validate your authenticity"
+ description = "Your Coralogix secret key or incase you use your own created secret put here the name of your secret that contains the coralogix Private Key"
type = string
sensitive = true
}
-variable "ssm_enable" {
- description = "Use SSM for the private key True/False"
- type = string
- default = "False"
-}
-
variable "layer_arn" {
- description = "Coralogix SSM Layer ARN"
+ description = "In case you are using SSM This is the ARN of the Coralogix Security Layer."
type = string
default = ""
}
@@ -144,4 +138,10 @@ variable "custom_s3_bucket" {
description = "The name of the s3 bucket to save the lambda zip code in"
type = string
default = ""
+}
+
+variable "create_secret" {
+ description = "Set to False In case you want to use SSM with your secret that contains coralogix private key"
+ type = string
+ default = "True"
}
\ No newline at end of file
diff --git a/modules/cloudwatch-logs/CHANGELOG.md b/modules/cloudwatch-logs/CHANGELOG.md
index b7314d24..8ef72132 100644
--- a/modules/cloudwatch-logs/CHANGELOG.md
+++ b/modules/cloudwatch-logs/CHANGELOG.md
@@ -2,8 +2,11 @@
## cloudwatch-logs
+### 0.0.3 / 16.8.2023
+* [Update] Add an option to use an existing secret instead of creating a new one with SSM, and remove ssm_enabled variable.
+
### 0.0.2 / 8.8.23
* [Update] Add support for govcloud, by adding custom_s3_bucket variable.
### 0.0.1 / 3.8.2023
-* [Update] Add support to use a private link with coralogix - add subnet_id and security_group_id variable to connect the lambda to vpc.
\ No newline at end of file
+* [Update] Add support to use a private link with coralogix - add subnet_id and security_group_id variable to connect the lambda to vpc.
diff --git a/modules/cloudwatch-logs/README.md b/modules/cloudwatch-logs/README.md
index fa4a56c9..dd27e27d 100644
--- a/modules/cloudwatch-logs/README.md
+++ b/modules/cloudwatch-logs/README.md
@@ -29,9 +29,9 @@ Manage the application which retrieves `CloudWatch` logs and sends them to your
|------|-------------|------|---------|:--------:|
| [coralogix\_region](#input\_coralogix\_region) | The Coralogix location region, possible options are [`Europe`, `Europe2`, `India`, `Singapore`, `US`, `US2`] | `string` | `Europe` | yes |
| [custom_url](#input\_custom\_domain) | Custom url for coralogix | `string` | n/a | no |
-| [ssm_enable](#input\_ssm\_enable\) | store coralogix private_key as a secret so that it will not be save in the lambda True/False. Require that the coralogix ssm layer will be deployed in advance | `string` | `False` | no |
-| [layer_arn](#input\_layer\_arn) | Coralogix SSM Layer ARN (if SsmEnabled set to false, can leave as empty). | `string` | n/a | no |
-| [private\_key](#input\_private\_key) | The Coralogix private key which is used to validate your authenticity | `string` | n/a | yes |
+| [layer_arn](#input\_layer\_arn) | In case you are using SSM This is the ARN of the Coralogix Security Layer. | `string` | n/a | no |
+| [create_secret](#input\_create\_secret) | Set to False In case you want to use SSM with your secret that contains coralogix Private Key| `string` | True | no |
+| [private\_key](#input\_private\_key) | Your Coralogix secret key or incase you use your own created secret put here the name of your secret that contains the coralogix Private Key| `string` | n/a | yes |
| [application\_name](#input\_application\_name) | The name of your application | `string` | n/a | yes |
| [subsystem\_name](#input\_subsystem\_name) | The subsystem name of your application | `string` | n/a | yes |
| [newline\_pattern](#input\_newline\_pattern) | The pattern for lines splitting | `string` | `(?:\r\n\|\r\|\n)` | no |
@@ -69,4 +69,3 @@ You should use the `custom_s3_bucket` variable only when you need to deploy the
| [lambda\_role\_arn](#output\_lambda\_role\_arn) | The ARN of the IAM role created for the Lambda Function |
| [lambda\_role\_name](#output\_lambda\_role\_name) | The name of the IAM role created for the Lambda Function |
-
diff --git a/modules/cloudwatch-logs/main.tf b/modules/cloudwatch-logs/main.tf
index 40855e63..9f77d0d6 100644
--- a/modules/cloudwatch-logs/main.tf
+++ b/modules/cloudwatch-logs/main.tf
@@ -27,7 +27,7 @@ resource "null_resource" "s3_bucket" {
module "lambda" {
source = "terraform-aws-modules/lambda/aws"
version = "3.3.1"
- create = var.ssm_enable != "True" ? true : false
+ create = var.layer_arn == "" ? true : false
depends_on = [ null_resource.s3_bucket ]
function_name = module.locals.function_name
description = "Send CloudWatch logs to Coralogix."
@@ -73,7 +73,7 @@ module "lambda" {
module "lambdaSSM" {
source = "terraform-aws-modules/lambda/aws"
version = "3.3.1"
- create = var.ssm_enable == "True" ? true : false
+ create = var.layer_arn != "" ? true : false
depends_on = [ null_resource.s3_bucket ]
layers = [var.layer_arn]
function_name = module.locals.function_name
@@ -91,6 +91,7 @@ module "lambdaSSM" {
environment_variables = {
CORALOGIX_URL = var.custom_url == "" ? lookup(module.locals.coralogix_regions, var.coralogix_region, "Europe") : var.custom_url
AWS_LAMBDA_EXEC_WRAPPER = "/opt/wrapper.sh"
+ SECRET_NAME = var.create_secret == "False" ? var.private_key : ""
private_key = "****"
app_name = var.application_name
sub_name = var.subsystem_name
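Review bot: `SECRET_NAME = var.create_secret == "False" ? var.private_key : ""` writes the `private_key` input straight into the function's environment, and nothing in this module checks that the value is actually a secret name rather than the key itself. Because the same variable carries the raw key in the default mode, a caller who sets `create_secret = "False"` but still passes the key re-creates exactly the plaintext exposure that the `private_key = "****"` placeholder on the next line exists to avoid. A plan-time lookup of the named secret, `data "aws_secretsmanager_secret" "existing" { count = var.layer_arn != "" && var.create_secret == "False" ? 1 : 0; name = var.private_key }`, would fail the plan for a value that is not a secret name and also yields an ARN for scoping IAM. The policy attached to the SSM function's role is not visible in this hunk; if it grants `secretsmanager:GetSecretValue` only on the module-named secret `lambda/coralogix/<region>/<function>`, a caller-supplied secret will be denied at runtime, which is worth confirming. The `module "lambdaSSM"` block continues outside the hunk.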
@@ -142,7 +143,7 @@ resource "aws_cloudwatch_log_subscription_filter" "this" {
count = length(var.log_groups)
name = "${module.lambda.lambda_function_name}-Subscription-${count.index}"
log_group_name = data.aws_cloudwatch_log_group.this[count.index].name
- destination_arn = var.ssm_enable == "True" ? module.lambdaSSM.lambda_function_arn : module.lambda.lambda_function_arn
+ destination_arn = var.layer_arn != "" ? module.lambdaSSM.lambda_function_arn : module.lambda.lambda_function_arn
filter_pattern = ""
}
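Review bot: The mode switch is now implicit: `destination_arn` (and the two `create` conditions above) select the secret-layer function solely on `layer_arn != ""`, so a caller who sets `create_secret = "False"` but forgets `layer_arn` silently gets the plain function with the secret name used as the Coralogix key. Terraform variable `validation` blocks cannot reference other variables, but a `lifecycle` `precondition` on this subscription filter (Terraform 1.2+, the module's `required_version` is not visible here) can reject that combination at plan time; note it only fires when `log_groups` is non-empty, since the resource has `count = length(var.log_groups)`.

```terraform
resource "aws_cloudwatch_log_subscription_filter" "this" {
  # … unchanged: count, name, log_group_name, destination_arn, filter_pattern …

  lifecycle {
    precondition {
      condition     = var.create_secret == "True" || var.layer_arn != ""
      error_message = "create_secret = \"False\" requires layer_arn; without the Coralogix secret layer, private_key would be used as the raw key."
    }
  }
}
```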
@@ -161,16 +162,15 @@ resource "aws_sns_topic_subscription" "this" {
}
resource "aws_secretsmanager_secret" "private_key_secret" {
- count = var.ssm_enable == "True" ? 1 : 0
+ count = var.layer_arn != "" && var.create_secret == "True" ? 1 : 0
depends_on = [module.lambdaSSM]
name = "lambda/coralogix/${data.aws_region.this.name}/${module.locals.function_name}"
description = "Coralogix Send Your Data key Secret"
}
resource "aws_secretsmanager_secret_version" "service_user" {
- count = var.ssm_enable == "True" ? 1 : 0
+ count = var.layer_arn != "" && var.create_secret == "True" ? 1 : 0
depends_on = [aws_secretsmanager_secret.private_key_secret]
secret_id = aws_secretsmanager_secret.private_key_secret[count.index].id
secret_string = var.private_key
}
-
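Review bot: When `create_secret` is `"False"` the new `count` expressions skip both secret resources, and the module then holds no reference at all to the caller's secret: a misspelled name in `private_key` is discovered only when the function fails to fetch it at runtime. A data-source lookup under the inverse condition turns that into a plan-time error and gives the module an ARN it can use to scope the function's `secretsmanager:GetSecretValue` grant (the IAM policy itself is outside this hunk). The `depends_on = [module.lambdaSSM]` on the created secret stays as is, since the function reads the secret at invocation time, not at deploy time.

```terraform
# Resolve the caller-supplied secret at plan time so a wrong name fails early
# and the ARN is available for scoping the function's IAM policy.
data "aws_secretsmanager_secret" "existing" {
  count = var.layer_arn != "" && var.create_secret == "False" ? 1 : 0
  name  = var.private_key
}

resource "aws_secretsmanager_secret" "private_key_secret" {
  count      = var.layer_arn != "" && var.create_secret == "True" ? 1 : 0
  # … unchanged: depends_on, name, description …
}
```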
diff --git a/modules/cloudwatch-logs/variables.tf b/modules/cloudwatch-logs/variables.tf
index 6ea60774..dc7ae0c5 100644
--- a/modules/cloudwatch-logs/variables.tf
+++ b/modules/cloudwatch-logs/variables.tf
@@ -84,14 +84,8 @@ variable "tags" {
default = {}
}
-variable "ssm_enable" {
- description = "Use SSM for the private key True/False"
- type = string
- default = "False"
-}
-
variable "layer_arn" {
- description = "Coralogix SSM Layer ARN"
+ description = "In case you are using SSM This is the ARN of the Coralogix Security Layer."
type = string
default = ""
}
@@ -112,4 +106,10 @@ variable "custom_s3_bucket" {
description = "The name of the s3 bucket to save the lambda zip code in"
type = string
default = ""
-}
\ No newline at end of file
+}
+
+variable "create_secret" {
+ description = "Set to False In case you want to use SSM with your secret that contains coralogix private key"
+ type = string
+ default = "True"
+}
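Review bot: `create_secret` is a free-form string that main.tf compares case-sensitively against `"True"` and `"False"`, so a value such as `"false"` (the spelling the repository's own test used for the old `ssm_enable`) matches neither branch: no secret is created and `SECRET_NAME` is set to `""`, leaving the secret-layer function deployed with no key and no error. A `validation` block pins the accepted spellings at plan time; changing the type to `bool` would be cleaner still but breaks callers passing strings. The description should also say that the flag only has effect together with `layer_arn`, since that is now the sole switch to the secret-layer function.

```terraform
variable "create_secret" {
  description = "Set to \"False\" to use an existing Secrets Manager secret (named by private_key) with the Coralogix secret layer instead of creating one. Only meaningful when layer_arn is set."
  type        = string
  default     = "True"

  validation {
    condition     = contains(["True", "False"], var.create_secret)
    error_message = "create_secret must be exactly \"True\" or \"False\"; main.tf compares it case-sensitively."
  }
}
```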
diff --git a/modules/kinesis/CHANGELOG.md b/modules/kinesis/CHANGELOG.md
index 45d3de99..39e89b03 100644
--- a/modules/kinesis/CHANGELOG.md
+++ b/modules/kinesis/CHANGELOG.md
@@ -2,5 +2,8 @@
## kinesis
+### 0.0.2 / 16.8.2023
+* [Update] Add an option to use an existing secret instead of creating a new one with SSM, and remove ssm_enabled variable.
+
### 0.0.1 / 8.8.23
-* [Update] Add support for govcloud, by adding custom_s3_bucket variable.
\ No newline at end of file
+* [Update] Add support for govcloud, by adding custom_s3_bucket variable.
diff --git a/modules/kinesis/README.md b/modules/kinesis/README.md
index adaac236..39dbe6d7 100644
--- a/modules/kinesis/README.md
+++ b/modules/kinesis/README.md
@@ -28,9 +28,9 @@ Manage the application which retrieves logs from `S3` bucket and sends them to y
|------|-------------|------|---------|:--------:|
| [coralogix\_region](#input\_coralogix\_region) | The Coralogix location region, possible options are [`Europe`, `Europe2`, `India`, `Singapore`, `US`, `US2`] | `string` | `Europe` | yes |
| [custom_url](#input\_custom\_url) | Custom url for coralogix | `string` | n/a | no |
-| [ssm_enable](#input\_ssm\_enable\) | store coralogix private_key as a secret so that it will not be save in the lambda True/False. Require that the coralogix ssm layer will be deployed in advance | `string` | `False` | no |
-| [layer_arn](#input\_layer\_arn) | Coralogix SSM Layer ARN (if SsmEnabled set to false, can leave as empty). | `string` | n/a | no |
-| [private\_key](#input\_private\_key) | The Coralogix private key which is used to validate your authenticity | `string` | n/a | yes |
+| [layer_arn](#input\_layer\_arn) | In case you are using SSM This is the ARN of the Coralogix Security Layer. | `string` | n/a | no |
+| [create_secret](#input\_create\_secret) | Set to False In case you want to use SSM with your secret that contains coralogix Private Key| `string` | True | no |
+| [private\_key](#input\_private\_key) | Your Coralogix secret key or incase you use your own created secret put here the name of your secret that contains the coralogix Private Key| `string` | n/a | yes |
| [application\_name](#input\_application\_name) | The name of your application | `string` | n/a | yes |
| [subsystem\_name](#input\_subsystem\_name) | The subsystem name of your application | `string` | n/a | yes |
| [newline\_pattern](#input\_newline\_pattern) | The pattern for lines splitting | `string` | `(?:\r\n\|\r\|\n)` | no |
@@ -61,4 +61,3 @@ You should use the `custom_s3_bucket` variable only when you need to deploy the
## Outputs
No outputs.
-
diff --git a/modules/kinesis/main.tf b/modules/kinesis/main.tf
index b381c12c..1aeeb211 100644
--- a/modules/kinesis/main.tf
+++ b/modules/kinesis/main.tf
@@ -25,9 +25,9 @@ resource "null_resource" "s3_bucket" {
module "lambda" {
source = "terraform-aws-modules/lambda/aws"
- depends_on = [ null_resource.s3_bucket ]
version = "3.3.1"
- create = var.ssm_enable != "True" ? true : false
+ create = var.layer_arn == "" ? true : false
+ depends_on = [ null_resource.s3_bucket ]
layers = [var.layer_arn]
function_name = module.locals.function_name
description = "Send kinesis data stream logs to Coralogix."
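Review bot: `layers = [var.layer_arn]` on the non-SSM `module "lambda"`, the context line right after the new `create` condition, is now always `[""]`, because that module is created only when `layer_arn` is empty; the line is dead and should be dropped so the plain function does not carry an empty layer entry and a reader is not led to think it can load the secret layer. The visible part of the cloudwatch-logs `module "lambda"` in this same change has no `layers` line, so removing it here also aligns the two modules, though the rest of both blocks is outside the hunks. The `module "lambda"` block continues past the end of this hunk.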
@@ -79,7 +79,7 @@ module "lambda" {
module "lambda_ssm" {
source = "terraform-aws-modules/lambda/aws"
version = "3.3.1"
- create = var.ssm_enable == "True" ? true : false
+ create = var.layer_arn != "" ? true : false
depends_on = [ null_resource.s3_bucket ]
layers = [var.layer_arn]
function_name = module.locals.function_name
@@ -94,6 +94,7 @@ module "lambda_ssm" {
environment_variables = {
CORALOGIX_URL = var.custom_url == "" ? "${lookup(module.locals.coralogix_regions, var.coralogix_region, "Europe")}" : var.custom_url
AWS_LAMBDA_EXEC_WRAPPER = "/opt/wrapper.sh"
+ SECRET_NAME = var.create_secret == "False" ? var.private_key : ""
private_key = "****"
app_name = var.application_name
sub_name = var.subsystem_name
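Review bot: `SECRET_NAME` takes its value from `var.private_key`, which is declared `sensitive = true`, so in the `create_secret = "False"` branch a non-secret (a secret's name) inherits sensitivity and the whole `environment_variables` map is expected to be redacted in plan output, hiding changes to `CORALOGIX_URL`, `app_name` and the rest in every future plan. Wrapping it with `nonsensitive()` is not the answer either, because the same variable holds the raw key whenever the caller gets the flag wrong and the value then lands, unredacted, both in plan output and in the function configuration. The clean fix is a separate non-sensitive `secret_name` input; until then the README and the variable description should state plainly that `private_key` must be a secret name, never the key, when `create_secret` is `"False"`. The `module "lambda_ssm"` block continues outside the hunk.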
@@ -158,14 +159,14 @@ resource "aws_sns_topic_subscription" "this" {
}
resource "aws_secretsmanager_secret" "private_key_secret" {
- count = var.ssm_enable == "True" ? 1 : 0
+ count = var.layer_arn != "" && var.create_secret == "True" ? 1 : 0
depends_on = [module.lambda_ssm]
name = "lambda/coralogix/${data.aws_region.this.name}/${module.locals.function_name}"
description = "Coralogix Send Your Data key Secret"
}
resource "aws_secretsmanager_secret_version" "service_user" {
- count = var.ssm_enable == "True" ? 1 : 0
+ count = var.layer_arn != "" && var.create_secret == "True" ? 1 : 0
depends_on = [aws_secretsmanager_secret.private_key_secret]
secret_id = aws_secretsmanager_secret.private_key_secret[count.index].id
secret_string = var.private_key
diff --git a/modules/kinesis/variables.tf b/modules/kinesis/variables.tf
index 4b9d3b14..9801c76a 100644
--- a/modules/kinesis/variables.tf
+++ b/modules/kinesis/variables.tf
@@ -79,14 +79,8 @@ variable "tags" {
default = {}
}
-variable "ssm_enable" {
- description = "Use SSM for the private key True/False"
- type = string
- default = "False"
-}
-
variable "layer_arn" {
- description = "Coralogix SSM Layer ARN"
+ description = "In case you are using SSM This is the ARN of the Coralogix Security Layer."
type = string
default = ""
}
@@ -95,4 +89,10 @@ variable "custom_s3_bucket" {
description = "The name of the s3 bucket to save the lambda zip code in"
type = string
default = ""
+}
+
+variable "create_secret" {
+ description = "Set to False In case you want to use SSM with your secret that contains coralogix private key"
+ type = string
+ default = "True"
}
\ No newline at end of file
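Review bot: `create_secret` is compared with `== "True"` and `== "False"` in main.tf, so any other spelling (`"false"`, `"FALSE"`, `"no"`) is silently treated as neither: the secret is not created and `SECRET_NAME` is empty. Add a `validation` block with `condition = contains(["True", "False"], var.create_secret)` and an `error_message` naming the two accepted values, or switch the type to `bool` if breaking string-passing callers is acceptable. The description could also mention that the flag only takes effect together with `layer_arn`, which is now the only switch to the secret-layer function.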
diff --git a/modules/resource-metadata/CHANGELOG.md b/modules/resource-metadata/CHANGELOG.md
index d79210da..40808408 100644
--- a/modules/resource-metadata/CHANGELOG.md
+++ b/modules/resource-metadata/CHANGELOG.md
@@ -2,5 +2,8 @@
## resource-metadata
+### 0.0.2 / 16.8.2023
+* [Update] Add an option to use an existing secret instead of creating a new one with SSM, and remove ssm_enabled variable.
+
### 0.0.1 / 8.8.23
-* [Update] Add support for govcloud, by adding custom_s3_bucket variable.
\ No newline at end of file
+* [Update] Add support for govcloud, by adding custom_s3_bucket variable.
diff --git a/modules/resource-metadata/README.md b/modules/resource-metadata/README.md
index 7afc65ad..8567130e 100644
--- a/modules/resource-metadata/README.md
+++ b/modules/resource-metadata/README.md
@@ -28,9 +28,9 @@ Manage the application which retrieves `meta data` from your aws account and sen
|------|-------------|------|---------|:--------:|
| [coralogix\_region](#input\_coralogix\_region) | The Coralogix location region, possible options are [`Europe`, `Europe2`, `India`, `Singapore`, `US`, `US2`, `Custom`] | `string` | n/a | yes |
| [custom_url](#input\_custom\_domain) | Custom url for coralogix for example: https:///api/v1/logs| `string` | n/a | no |
-| [ssm_enable](#input\_ssm\_enable\) | store coralogix private_key as a secret so that it will not be save in the lambda True/False. Require that the coralogix ssm layer will be deployed in advance | `string` | `False` | no |
-| [layer_arn](#input\_layer\_arn) | Coralogix SSM Layer ARN (if SsmEnabled set to false, can leave as empty). | `string` | n/a | no |
-| [private\_key](#input\_private\_key) | The Coralogix private key which is used to validate your authenticity | `string` | n/a | yes |
+| [layer_arn](#input\_layer\_arn) | In case you are using SSM This is the ARN of the Coralogix Security Layer. | `string` | n/a | no |
+| [create_secret](#input\_create\_secret) | Set to False In case you want to use SSM with your secret that contains coralogix Private Key| `string` | True | no |
+| [private\_key](#input\_private\_key) | Your Coralogix secret key or incase you use your own created secret put here the name of your secret that contains the coralogix Private Key| `string` | n/a | yes |
| [schedule](#input\_schedule) | The rate to collacet metadata | `string` | `rate(10 minutes)` | no |
| [latest_versions_per_function](#input\_latest\_versions\_per\_function) | How many latest published versions of each Lambda function should be collected | `number` | 5 | no |
| [resource_ttl_minutes](#input\_resource\_ttl\_minutes) | Once a resource is collected, how long should it remain valid | `number` | 60 | no |
diff --git a/modules/resource-metadata/main.tf b/modules/resource-metadata/main.tf
index 55b83f26..d58d162f 100644
--- a/modules/resource-metadata/main.tf
+++ b/modules/resource-metadata/main.tf
@@ -33,7 +33,7 @@ module "eventbridge" {
crons = [
{
name = "cron-for-lambda"
- arn = var.ssm_enable != "True" ? module.lambda.lambda_function_arn : module.lambdaSSM.lambda_function_arn
+ arn = var.layer_arn == "" ? module.lambda.lambda_function_arn : module.lambdaSSM.lambda_function_arn
input = jsonencode({ "job" : "cron-by-rate" })
}
]
@@ -54,7 +54,7 @@ resource "null_resource" "s3_bucket" {
}
module "lambda" {
- create = var.ssm_enable != "True" ? true : false
+ create = var.layer_arn == "" ? true : false
depends_on = [ null_resource.s3_bucket ]
source = "terraform-aws-modules/lambda/aws"
version = "3.2.1"
@@ -115,7 +115,7 @@ module "lambda" {
}
module "lambdaSSM" {
- create = var.ssm_enable == "True" ? true : false
+ create = var.layer_arn != "" ? true : false
depends_on = [ null_resource.s3_bucket ]
source = "terraform-aws-modules/lambda/aws"
version = "3.2.1"
@@ -132,6 +132,7 @@ module "lambdaSSM" {
environment_variables = {
CORALOGIX_METADATA_URL = lookup(local.coralogix_regions, var.coralogix_region, "Europe")
AWS_LAMBDA_EXEC_WRAPPER = "/opt/wrapper.sh"
+ SECRET_NAME = var.create_secret == "False" ? var.private_key : ""
LATEST_VERSIONS_PER_FUNCTION = var.latest_versions_per_function
RESOURCE_TTL_MINUTES = var.resource_ttl_minutes
COLLECT_ALIASES = var.collect_aliases
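Review bot: In the `create_secret = "True"` branch `SECRET_NAME` is set to `""`, so the layer must somehow derive the module-created name `lambda/coralogix/<region>/<function>` on its own; nothing in this change documents that convention, and if the layer instead treats an empty name as "no secret" the default path silently stops working. The name is computable without referencing the secret resource (so no cycle with the secret's `depends_on = [module.lambdaSSM]`), which allows passing it explicitly in both modes: `SECRET_NAME = var.create_secret == "False" ? var.private_key : "lambda/coralogix/${data.aws_region.this.name}/${local.function_name}"`. Whether the layer honours `SECRET_NAME` when the secret was created by the module is not visible here and should be confirmed before relying on it. The `module "lambdaSSM"` block continues outside the hunk.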
@@ -193,13 +194,14 @@ resource "aws_sns_topic" "this" {
}
resource "aws_secretsmanager_secret" "private_key_secret" {
- count = var.ssm_enable == "True" ? 1 : 0
+ count = var.layer_arn != "" && var.create_secret == "True" ? 1 : 0
depends_on = [module.lambdaSSM]
name = "lambda/coralogix/${data.aws_region.this.name}/${local.function_name}"
description = "Coralogix Send Your Data key Secret"
}
+
resource "aws_secretsmanager_secret_version" "service_user" {
- count = var.ssm_enable == "True" ? 1 : 0
+ count = var.layer_arn != "" && var.create_secret == "True" ? 1 : 0
depends_on = [aws_secretsmanager_secret.private_key_secret]
secret_id = aws_secretsmanager_secret.private_key_secret[count.index].id
secret_string = var.private_key
@@ -211,4 +213,4 @@ resource "aws_sns_topic_subscription" "this" {
topic_arn = aws_sns_topic.this.arn
protocol = "email"
endpoint = var.notification_email
-}
\ No newline at end of file
+}
diff --git a/modules/resource-metadata/variables.tf b/modules/resource-metadata/variables.tf
index e8499643..46f9eda5 100644
--- a/modules/resource-metadata/variables.tf
+++ b/modules/resource-metadata/variables.tf
@@ -19,14 +19,8 @@ variable "private_key" {
sensitive = true
}
-variable "ssm_enable" {
- description = "Use SSM for the private key True/False"
- type = string
- default = "False"
-}
-
variable "layer_arn" {
- description = "Coralogix SSM Layer ARN"
+ description = "In case you are using SSM This is the ARN of the Coralogix Security Layer."
type = string
default = ""
}
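Review bot: The module's own `private_key` description is not touched here (the hunk starts at its `sensitive = true` line), yet this module's README table now says the variable is "your key or the name of your secret"; since such tables are usually generated from the variable descriptions, the two will drift on the next regeneration. Update the description in variables.tf to match, e.g. `description = "The Coralogix Send-Your-Data key, or, when create_secret is \"False\", the name of the existing Secrets Manager secret that holds it"`. The new `layer_arn` description could likewise state that setting it is what switches the module to the secret-layer function, because that is now the only switch after `ssm_enable` was removed.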
@@ -95,4 +89,10 @@ variable "custom_s3_bucket" {
description = "The name of the s3 bucket to save the lambda zip code in"
type = string
default = ""
+}
+
+variable "create_secret" {
+ description = "Set to False In case you want to use SSM with your secret that contains coralogix private key"
+ type = string
+ default = "True"
}
\ No newline at end of file
diff --git a/modules/s3/CHANGELOG.md b/modules/s3/CHANGELOG.md
index e06b267a..64e95f87 100644
--- a/modules/s3/CHANGELOG.md
+++ b/modules/s3/CHANGELOG.md
@@ -2,5 +2,8 @@
## S3
+### 0.0.1 / 16.8.2023
+* [Update] Add an option to use an existing secret instead of creating a new one with SSM, and remove ssm_enabled variable.
+
### 0.0.1 / 8.8.23
* [Update] Add support for govcloud, by adding custom_s3_bucket variable.
diff --git a/modules/s3/README.md b/modules/s3/README.md
index 59ffecd0..ad74a692 100644
--- a/modules/s3/README.md
+++ b/modules/s3/README.md
@@ -30,9 +30,9 @@ Manage the application which retrieves logs from `S3` bucket and sends them to y
| [custom_url](#input\_custom\_domain) | Custom url for coralogix for example: https:///api/v1/logs| `string` | n/a | no |
| [integration_type](#input\_data\_type) | which service will send the data to the s3, possible options are [`cloudtrail`, `vpc-flow-log`, `s3`, `s3-sns`, `cloudtrail-sns`] | `string` | n/a | yes |
| [sns_topic_name](#input\_sns\_topic\_name) | The SNS topic that will contain the SNS subscription, need only if you use the sns interations | `string` | | no |
-| [ssm_enable](#input\_ssm\_enable\) | store coralogix private_key as a secret so that it will not be save in the lambda True/False. Require that the coralogix ssm layer will be deployed in advance | `string` | `False` | no |
-| [layer_arn](#input\_layer\_arn) | Coralogix SSM Layer ARN (if SsmEnabled set to false, can leave as empty). | `string` | n/a | no |
-| [private\_key](#input\_private\_key) | The Coralogix private key which is used to validate your authenticity | `string` | n/a | yes |
+| [layer_arn](#input\_layer\_arn) | In case you are using SSM This is the ARN of the Coralogix Security Layer. | `string` | n/a | no |
+| [create_secret](#input\_create\_secret) | Set to False In case you want to use SSM with your secret that contains coralogix Private Key| `string` | True | no |
+| [private\_key](#input\_private\_key) | Your Coralogix secret key or incase you use your own created secret put here the name of your secret that contains the coralogix Private Key| `string` | n/a | yes |
| [application\_name](#input\_application\_name) | The name of your application | `string` | n/a | yes |
| [subsystem\_name](#input\_subsystem\_name) | The subsystem name of your application | `string` | n/a | yes |
| [custom\_s3\_bucket](#input\_custom\_s3\_bucket) | The name of an existing s3 bucket in your region, in which the lambda zip code will be upload to. | `string` | n/a | no |
@@ -72,4 +72,3 @@ You should use the `custom_s3_bucket` variable only when you need to deploy the
| [lambda\_role\_arn](#output\_lambda\_role\_arn) | The ARN of the IAM role created for the Lambda Function |
| [lambda\_role\_name](#output\_lambda\_role\_name) | The name of the IAM role created for the Lambda Function |
-
diff --git a/modules/s3/main.tf b/modules/s3/main.tf
index 4bd3f063..f57d3e70 100644
--- a/modules/s3/main.tf
+++ b/modules/s3/main.tf
@@ -56,7 +56,7 @@ resource "null_resource" "s3_bucket_copy" {
}
module "lambda" {
- create = var.ssm_enable != "True" ? true : false
+ create = var.layer_arn == "" ? true : false
depends_on = [ null_resource.s3_bucket_copy ]
source = "terraform-aws-modules/lambda/aws"
version = "3.2.1"
@@ -111,7 +111,7 @@ module "lambda" {
module "lambdaSSM" {
source = "terraform-aws-modules/lambda/aws"
- create = var.ssm_enable == "True" ? true : false
+ create = var.layer_arn != "" ? true : false
depends_on = [ null_resource.s3_bucket_copy ]
version = "3.2.1"
layers = [var.layer_arn]
@@ -128,6 +128,7 @@ module "lambdaSSM" {
CORALOGIX_URL = var.custom_url == "" ? "https://${lookup(module.locals.coralogix_regions, var.coralogix_region, "Europe")}${module.locals.coralogix_url_seffix}" : var.custom_url
CORALOGIX_BUFFER_SIZE = tostring(var.buffer_size)
AWS_LAMBDA_EXEC_WRAPPER = "/opt/wrapper.sh"
+ SECRET_NAME = var.create_secret == "False" ? var.private_key : ""
app_name = var.application_name
sub_name = var.subsystem_name
newline_pattern = var.newline_pattern
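Review bot: `SECRET_NAME = var.create_secret == "False" ? var.private_key : ""` trusts that `private_key` holds a secret name whenever the flag is `"False"`, and this module never verifies that assumption; a wrong or misspelled name surfaces only when the function fails at invocation, and a real key passed by mistake is exposed in the function's environment. A plan-time lookup under the same condition, `data "aws_secretsmanager_secret" "existing" { count = var.layer_arn != "" && var.create_secret == "False" ? 1 : 0; name = var.private_key }`, fails early for anything that is not an existing secret and provides an ARN to scope the function's read permission. The IAM statements granted to the SSM function's role are outside this hunk; if they are limited to the module-named secret, the caller-supplied one will be denied at runtime.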
@@ -177,7 +178,7 @@ resource "aws_s3_bucket_notification" "lambda_notification" {
count = local.sns_enable == false ? 1 : 0
bucket = data.aws_s3_bucket.this.bucket
lambda_function {
- lambda_function_arn = var.ssm_enable == "True" ? module.lambdaSSM.lambda_function_arn : module.lambda.lambda_function_arn
+ lambda_function_arn = var.layer_arn != "" ? module.lambdaSSM.lambda_function_arn : module.lambda.lambda_function_arn
events = ["s3:ObjectCreated:*"]
filter_prefix = var.integration_type == "s3" || var.s3_key_prefix != null ? var.s3_key_prefix : "AWSLogs/${data.aws_caller_identity.this.account_id}/${lookup(module.locals.s3_prefix_map, var.integration_type)}/"
filter_suffix = var.integration_type == "s3" || var.s3_key_suffix != null ? var.s3_key_suffix : lookup(module.locals.s3_suffix_map, var.integration_type)
@@ -202,13 +203,13 @@ resource "aws_sns_topic" "this" {
}
resource "aws_secretsmanager_secret" "private_key_secret" {
- count = var.ssm_enable == "True" ? 1 : 0
+ count = var.layer_arn != "" && var.create_secret == "True" ? 1 : 0
depends_on = [module.lambdaSSM]
name = "lambda/coralogix/${data.aws_region.this.name}/${module.locals.function_name}"
description = "Coralogix Send Your Data key Secret"
}
resource "aws_secretsmanager_secret_version" "service_user" {
- count = var.ssm_enable == "True" ? 1 : 0
+ count = var.layer_arn != "" && var.create_secret == "True" ? 1 : 0
depends_on = [aws_secretsmanager_secret.private_key_secret]
secret_id = aws_secretsmanager_secret.private_key_secret[count.index].id
secret_string = var.private_key
@@ -242,5 +243,5 @@ resource "aws_sns_topic_subscription" "lambda_sns_subscription" {
depends_on = [module.lambdaSSM, module.lambda]
topic_arn = data.aws_sns_topic.sns_topic[count.index].arn
protocol = "lambda"
- endpoint = var.ssm_enable == "True" ? module.lambdaSSM.lambda_function_arn : module.lambda.lambda_function_arn
+ endpoint = var.layer_arn != "" ? module.lambdaSSM.lambda_function_arn : module.lambda.lambda_function_arn
}
diff --git a/modules/s3/variables.tf b/modules/s3/variables.tf
index e301e3f3..783f025a 100644
--- a/modules/s3/variables.tf
+++ b/modules/s3/variables.tf
@@ -19,14 +19,8 @@ variable "private_key" {
sensitive = true
}
-variable "ssm_enable" {
- description = "Use SSM for the private key True/False"
- type = string
- default = "False"
-}
-
variable "layer_arn" {
- description = "Coralogix SSM Layer ARN"
+ description = " In case you are using SSM This is the ARN of the Coralogix Security Layer."
type = string
default = ""
}
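Review bot: The new `layer_arn` description begins with a stray space (`" In case you are using SSM …"`), which will show up verbatim in generated docs; the other three modules use the same sentence without it, so drop the space: `description = "In case you are using SSM This is the ARN of the Coralogix Security Layer."`. While here, the `private_key` description just above this hunk was not updated even though the s3 README table now describes the variable as "your key or the name of your secret"; align the variable description with the README so generated tables do not drift. The description should also say that a non-empty `layer_arn` is now what selects the secret-layer function, since `ssm_enable` is gone.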
@@ -137,4 +131,10 @@ variable "custom_s3_bucket" {
description = "The name of the s3 bucket to save the lambda zip code in"
type = string
default = ""
+}
+
+variable "create_secret" {
+ description = "Set to False In case you want to use SSM with your secret that contains coralogix private key"
+ type = string
+ default = "True"
}
\ No newline at end of file
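Review bot: `create_secret` accepts any string but main.tf only recognises the exact spellings `"True"` and `"False"`, so `"false"` or `"FALSE"` leaves the module in a third, unintended state where no secret is created and `SECRET_NAME` is empty. A `validation` block with `condition = contains(["True", "False"], var.create_secret)` and a matching `error_message` closes that gap at plan time without changing the interface. The description would also benefit from noting that the flag is only meaningful when `layer_arn` is set.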
diff --git a/tests/resource-metadata/resource-metadata.tf b/tests/resource-metadata/resource-metadata.tf
index 4f48fe27..b46c726d 100644
--- a/tests/resource-metadata/resource-metadata.tf
+++ b/tests/resource-metadata/resource-metadata.tf
@@ -17,6 +17,4 @@ module "resource-metadata" {
coralogix_region = "Europe"
private_key = "{{ secrets.TESTING_PRIVATE_KEY }}"
- ssm_enable = "false"
- layer_arn = ""
}
\ No newline at end of file
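Review bot: With `ssm_enable = "false"` and `layer_arn = ""` gone, this test still deploys only the plain function, so neither the secret-layer path nor the new `create_secret = "False"` path is exercised, and the case-sensitive `"True"`/`"False"` comparisons and the `SECRET_NAME` wiring go untested. The removed line is also evidence that callers used lowercase `"false"`, a spelling the new `create_secret` checks would silently treat as neither value. Consider a second module instance with `layer_arn` set and `create_secret = "False"` pointing at a pre-created secret, or at minimum one with a layer and the default `create_secret`.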