Update integration_info parameter in coralogix-aws-shipper module [CDS-1355]

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## v1.0.102
+#### **coralogix-aws-shipper**
+### 💡 Enhancements 
+- Allow to specify multiple ApiKeys when using the parameter integration_info
+
 ## v1.0.101
 #### **coralogix-aws-shipper**
 ### 🧰 Bug fixes 🧰

examples/coralogix-aws-shipper/README.md

@@ -121,24 +121,26 @@ module "coralogix-shipper-multiple-s3-integrations" {
   source = "coralogix/aws/coralogix//modules/coralogix-aws-shipper"
 
   coralogix_region   = "EU1"
-  api_key            = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXX"
   s3_bucket_name     = "bucket name"
   integration_info = {
     "CloudTrail_integration" = {
       integration_type = "CloudTrail"
       application_name = "CloudTrail_application"
       subsystem_name   = "logs_from_cloudtrail"
+      api_key            = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXX"
     }
     "VpcFlow_integration" = {
       integration_type = "VpcFlow"
       application_name = "VpcFlow_application"
       subsystem_name   = "logs_from_vpcflow"
+      api_key            = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXX"
     }
     "S3_integration" = {
       integration_type = "S3"
       application_name = "s3_application"
       subsystem_name   = "s3_vpcflow"
       s3_key_prefix    = "s3_prefix"
+      api_key            = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXX"
     }
   }
 }

examples/coralogix-aws-shipper/variables.tf

@@ -18,6 +18,7 @@ variable "api_key" {
   description = "Your Coralogix Send Your Data - API Key which is used to validate your authenticity, This value can be a Coralogix API Key or an AWS Secret Manager ARN that holds the API Key"
   type        = string
   sensitive   = true
+  default     = ""
 }
 
 variable "application_name" {
@@ -266,6 +267,8 @@ variable "integration_info" {
     newline_pattern      = optional(string)
     blocking_pattern     = optional(string)
     lambda_log_retention = optional(number)
+    api_key              = string
+    store_api_key_in_secrets_manager = optional(bool)
   }))
   default = null
 }

modules/coralogix-aws-shipper/README.md

@@ -66,6 +66,8 @@ If you want to avoid this issue, you can deploy in other ways:
 | Name | Description | Type | Default | Required | 
 |------|-------------|------|---------|:--------:|
 | <a name="input_integration_type"></a> [integration_type](#input\_data\_type) | Choose the AWS service that you wish to integrate with Coralogix. Can be one of: S3, CloudTrail, VpcFlow, S3Csv, CloudFront. | `string` | n/a | yes |
+| <a name="input_api_key"></a> [api\_key](#input\_api_\_key) | The Coralogix Send Your Data - [API Key](https://coralogix.com/docs/send-your-data-api-key/) validates your authenticity. This value can be a direct Coralogix API Key or an AWS Secret Manager ARN containing the API Key.| `string` | n/a | yes |
+| <a name="input_store_api_key_in_secrets_manager"></a> [store\_api\_key\_in\_secrets\_manager](#input\_store\_api\_key\_in\_secrets\_manager) | Enable this to store your API Key securely. Otherwise, it will remain exposed in plain text as an environment variable in the Lambda function console.| bool | true | no |
 | <a name="application_name"></a> [application\_name](#input\_application\_name) | Specify the [name](https://coralogix.com/docs/application-and-subsystem-names/) of your application. for dynamic values from the log use `$.my_log.field` | string | n\a | yes | 
 | <a name="subsystem_name"></a> [subsystem\_name](#input\_subsysten_\_name) | Specify the [name](https://coralogix.com/docs/application-and-subsystem-names/) of your subsystem. For dynamic values from the log use `$.my_log.field` | string | n\a | yes |
 | <a name="lambda_log_retention"></a> [lambda_log_retention](#lambda\_log\_retention) | Set the CloudWatch log retention period (in days) for logs generated by the Lambda function. | `number` | 5 | no |

modules/coralogix-aws-shipper/local.tf

@@ -30,6 +30,8 @@ locals {
       blocking_pattern     = var.blocking_pattern
       lambda_name          = var.lambda_name
       lambda_log_retention = var.lambda_log_retention
+      api_key              = var.api_key
+      store_api_key_in_secrets_manager = var.store_api_key_in_secrets_manager
     }
   } : {}
 

modules/coralogix-aws-shipper/main.tf

@@ -3,10 +3,12 @@ module "locals" {
   for_each = var.integration_info != null ? var.integration_info : local.integration_info
 
   integration_type = each.value.integration_type
-  random_string    = random_string.this.result
+  random_string    = random_string.this[each.key].result
 }
 
 resource "random_string" "this" {
+  for_each = var.integration_info != null ? var.integration_info : local.integration_info
+
   length  = 6
   special = false
 }
@@ -32,7 +34,7 @@ resource "null_resource" "s3_bucket_copy" {
 module "lambda" {
   for_each = var.integration_info != null ? var.integration_info : local.integration_info
 
-  depends_on             = [null_resource.s3_bucket_copy,aws_sqs_queue.DLQ]
+  depends_on             = [null_resource.s3_bucket_copy,aws_sqs_queue.DLQ, aws_secretsmanager_secret.coralogix_secret]
   source                 = "terraform-aws-modules/lambda/aws"
   function_name          = each.value.lambda_name == null ? module.locals[each.key].function_name : each.value.lambda_name
   description            = "Send logs to Coralogix."
@@ -52,7 +54,7 @@ module "lambda" {
     CORALOGIX_ENDPOINT = var.custom_domain != "" ? "https://ingress.${var.custom_domain}" : var.subnet_ids == null ? "https://ingress.${lookup(module.locals[each.key].coralogix_domains, var.coralogix_region, "EU1")}" : "https://ingress.private.${lookup(module.locals[each.key].coralogix_domains, var.coralogix_region, "EU1")}"
     INTEGRATION_TYPE   = each.value.integration_type
     RUST_LOG           = var.log_level
-    CORALOGIX_API_KEY  = var.store_api_key_in_secrets_manager && !local.api_key_is_arn ? aws_secretsmanager_secret.coralogix_secret[0].arn : var.api_key
+    CORALOGIX_API_KEY  = !local.api_key_is_arn &&  (each.value.store_api_key_in_secrets_manager == null || each.value.store_api_key_in_secrets_manager == true) ? aws_secretsmanager_secret.coralogix_secret[each.key].arn : each.value.api_key
     APP_NAME           = each.value.application_name
     SUB_NAME           = each.value.subsystem_name
     NEWLINE_PATTERN    = var.integration_info != null ? each.value.newline_pattern : null
@@ -98,10 +100,10 @@ module "lambda" {
       actions   = ["rds:DescribeAccountAttributes"]
       resources = ["*"]
     }
-    secret_access_policy = var.store_api_key_in_secrets_manager || local.api_key_is_arn ? {
+    secret_access_policy = each.value.store_api_key_in_secrets_manager == null || each.value.store_api_key_in_secrets_manager == true || local.api_key_is_arn ? {
       effect    = "Allow"
       actions   = ["secretsmanager:GetSecretValue"]
-      resources = local.api_key_is_arn ? [var.api_key] : [aws_secretsmanager_secret.coralogix_secret[0].arn]
+      resources = local.api_key_is_arn ? [var.api_key] : [aws_secretsmanager_secret.coralogix_secret[each.key].arn]
       } : {
       effect    = "Deny"
       actions   = ["secretsmanager:GetSecretValue"]
@@ -250,8 +252,12 @@ resource "aws_sns_topic_policy" "test" {
 
 
 resource "aws_secretsmanager_secret" "coralogix_secret" {
-  count       = var.store_api_key_in_secrets_manager && !local.api_key_is_arn ? 1 : 0
-  name        = "lambda/coralogix/${data.aws_region.this.name}/coralogix-aws-shipper/coralogix-${random_string.this.result}"
+  # count       = var.store_api_key_in_secrets_manager && !local.api_key_is_arn ? 1 : 0
+  for_each = {
+    for key, integration_info in var.integration_info != null ? var.integration_info : local.integration_info : key => integration_info
+    if !local.api_key_is_arn && (integration_info.store_api_key_in_secrets_manager == null || integration_info.store_api_key_in_secrets_manager == true) 
+  }
+  name        = "lambda/coralogix/${data.aws_region.this.name}/coralogix-aws-shipper/coralogix-${random_string.this[each.key].result}"
   description = "Coralogix Send Your Data key Secret"
 
   lifecycle {
@@ -260,10 +266,14 @@ resource "aws_secretsmanager_secret" "coralogix_secret" {
 }
 
 resource "aws_secretsmanager_secret_version" "service_user" {
-  count         = var.store_api_key_in_secrets_manager && !local.api_key_is_arn ? 1 : 0
+  # count         = var.store_api_key_in_secrets_manager && !local.api_key_is_arn ? 1 : 0
+  for_each = {
+    for key, integration_info in var.integration_info != null ? var.integration_info : local.integration_info : key => integration_info
+    if !local.api_key_is_arn && (integration_info.store_api_key_in_secrets_manager == null || integration_info.store_api_key_in_secrets_manager == true)
+  }
   depends_on    = [aws_secretsmanager_secret.coralogix_secret]
-  secret_id     = aws_secretsmanager_secret.coralogix_secret[0].id
-  secret_string = var.api_key
+  secret_id     = aws_secretsmanager_secret.coralogix_secret[each.key].id
+  secret_string = each.value.api_key
 }
 
 resource "aws_vpc_endpoint" "secretsmanager" {
@@ -278,7 +288,7 @@ resource "aws_vpc_endpoint" "secretsmanager" {
 
 resource "aws_sqs_queue" "DLQ" {
   count = var.enable_dlq ? 1 : 0
-  name                       = "coralogix-aws-shipper-dlq-${random_string.this.result}"
+  name                       = "coralogix-aws-shipper-dlq-${random_string.this[0].result}"
   message_retention_seconds  = 1209600
   delay_seconds              = var.dlq_retry_delay
   visibility_timeout_seconds = var.timeout
@@ -290,4 +300,4 @@ resource "aws_lambda_event_source_mapping" "dlq_sqs" {
   event_source_arn = aws_sqs_queue.DLQ[0].arn
   function_name    = local.integration_info.integration.lambda_name == null ? module.locals.integration.function_name : local.integration_info.integration.lambda_name
   enabled          = true
-}
+}

modules/coralogix-aws-shipper/variables.tf

@@ -18,6 +18,7 @@ variable "api_key" {
   description = "Your Coralogix Send Your Data - API Key which is used to validate your authenticity, This value can be a Coralogix API Key or an AWS Secret Manager ARN that holds the API Key"
   type        = string
   sensitive   = true
+  default     = ""
 }
 
 variable "application_name" {
@@ -266,6 +267,8 @@ variable "integration_info" {
     newline_pattern      = optional(string)
     blocking_pattern     = optional(string)
     lambda_log_retention = optional(number)
+    api_key              = string
+    store_api_key_in_secrets_manager = optional(bool)
   }))
   default = null
 }