Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Encrypted logs module #3

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions modules/encrypted_logs/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
## [1.0] - 2021-11-14

* Creates an encrypted log group module
32 changes: 32 additions & 0 deletions modules/encrypted_logs/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
# Encrypted Logs

This module provisions a CloudWatch log group encrypted with KMS.

## Usage

```terraform
module "encrypted_logs" {
source = "modules/encrypted_logs" // update when we've figured out how/if we will publish

log_group_name = "encrypted-logs"
tags = {
environment = "staging"
hnlee marked this conversation as resolved.
Show resolved Hide resolved
}
}

resource "aws_sfn_state_machine" "step_function" {
name = "my-step-function"
role_arn = aws_iam_role.step_function.arn

logging_configuration {
logging_destination = "${module.encrypted_logs.log_group_arn}:*"
include_execution_data = true
level = "ALL"
}
}

resource "aws_iam_role_policy_attachment" "step_function" {
role = aws_iam_role.step_function.id
policy_arn = module.encrypted_logs.write_logs_policy_arn
}
```
1 change: 1 addition & 0 deletions modules/encrypted_logs/VERSION.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
1.0
51 changes: 51 additions & 0 deletions modules/encrypted_logs/main.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
resource "aws_cloudwatch_log_group" "main" {
name = var.log_group_name
kms_key_id = aws_kms_key.main.arn
tags = var.tags
}

// Probably worth creating a KMS key module to use here instead
resource "aws_kms_key" "main" {
description = "Encryption key for ${var.log_group_name} logs"
enable_key_rotation = true
tags = var.tags
}
Comment on lines +7 to +12

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe tfsec raises a warning if you define a key resource without an explicit policy attribute, even though that is perfectly valid Terraform that behaves the way you probably want (i.e. use the default KMS key policy). If/when a KMS key module is created, we should also make the default_kms_key_policy module (that simply exposes the default policy JSON) not just for cases where we want to compose additional policy details onto the key resource without replacing the default and locking ourselves out, but also reference it directly in the key module so that every key we make has an explicit policy attribute. Something like:

resource "aws_kms_key" "main" {
  # details elided
  policy = data.aws_iam_policy_document.key_policy.json
}

data "aws_iam_policy_document" "key_policy" {
  source_json = module.default_kms_key_policy.json
  override_json = var.additional_key_policy_statements # JSON, default null
}

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, thanks for that pointer. Hmm...debating whether to go ahead and just make that KMS key module for this PR now or punt it down the road.


resource "aws_kms_alias" "main" {
name = "alias/${log_group_name}-logs"
target_key_id = aws_kms_key.main.key_id
}

resource "aws_iam_policy" "write_logs" {
name = "write-${var.log_group_name}-logs"
policy = data.aws_iam_policy_document.write_logs.json
}

resource "aws_iam_policy_document" "write_logs" {
statement {
sid = "CreateLogStream"
actions = ["logs:CreateLogStream"]
resources = [
"${aws_cloudwatch_log_group.main.arn}:log-stream:*"
]
}

statement {
sid = "WriteLogs"
actions = ["logs:PutLogEvents"]
resources = [
"${aws_cloudwatch_log_group.main.arn}:log-stream:*"
]
}

statement {
sid = "UseLogEncryption"
actions = [
"kms:GenerateDataKey",
"kms:Decrypt",
]
resources = [
aws_kms_key.main.arn,
]
}
}
7 changes: 7 additions & 0 deletions modules/encrypted_logs/outputs.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
output "write_logs_policy_arn" {
value = aws_iam_policy.write_logs.arn
}

output "log_group_arn" {
value = aws_cloudwatch_log_group.main.arn
}
10 changes: 10 additions & 0 deletions modules/encrypted_logs/variables.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
variable "log_group_name" {
type = string
description = "Name for CloudWatch log group"
}

variable "tags" {
type = map(string)
description = "Tags to add to CloudWatch log group and associated KMS key"
default = {}
}