

Merge pull request #9049 from ministryofjustice/feature/7474-dns-firewall-monitoring

Associate non-prod VPCs with cloudwatch rqlc-only and r53 dns firewall monitoring
richgreen-moj authored Jan 24, 2025
2 parents b738a10 + 51dbaaa commit b9682f9
Showing 3 changed files with 94 additions and 3 deletions.
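--- a/terraform/environments/core-logging/logging.tf
+++ b/terraform/environments/core-logging/logging.tf
@@ -25,4 +25,4 @@ resource "aws_route53_resolver_query_log_config_association" "core_logging" {
 for_each = local.is-production ? local.vpc_rlq_associations : {}
 resolver_query_log_config_id = each.value.rlq_id
 resource_id = each.value.vpc_id
-}
+}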
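--- a/terraform/environments/core-logging/r53_logs.tf
+++ b/terraform/environments/core-logging/r53_logs.tf
@@ -90,3 +90,91 @@ data "aws_iam_policy_document" "r53_resolver_logs_kms" {
 }
 }
 }
+
+resource "aws_cloudwatch_log_metric_filter" "r53_dns_firewall_metric_filter" {
+name = "r53-dns-firewall-matches"
+log_group_name = aws_cloudwatch_log_group.r53_resolver_logs.name
+
+pattern = "{ ($.firewall_rule_action = \"BLOCK\" || $.firewall_rule_action = \"ALERT\") }"
+metric_transformation {
+name = "r53-dns-firewall-matches"
+namespace = "R53DNSFirewall"
+value = "1"
+}
+}
+
+resource "aws_cloudwatch_metric_alarm" "r53_dns_firewall_alarm" {
+alarm_name = "r53-dns-firewall-matches"
+comparison_operator = "GreaterThanOrEqualToThreshold"
+evaluation_periods = "1"
+metric_name = aws_cloudwatch_log_metric_filter.r53_dns_firewall_metric_filter.metric_transformation[0].name
+namespace = aws_cloudwatch_log_metric_filter.r53_dns_firewall_metric_filter.metric_transformation[0].namespace
+period = "60"
+statistic = "Sum"
+threshold = "1"
+alarm_actions = [aws_sns_topic.r53_dns_firewall.arn]
+tags = local.tags
+}
+
+resource "aws_sns_topic" "r53_dns_firewall" {
+name = "r53-dns-firewall-sns-topic"
+kms_master_key_id = aws_kms_key.r53_dns_firewall.key_id
+tags = local.tags
+}
+
+resource "aws_kms_key" "r53_dns_firewall" {
+description = "KMS key for DNS Firewall SNS Topic Encryption"
+enable_key_rotation = true
+policy = data.aws_iam_policy_document.r53_dns_firewall_kms_policy.json
+tags = local.tags
+}
+
+resource "aws_kms_alias" "r53_dns_firewall" {
+name_prefix = "alias/r53-dns-firewall-sns-encryption"
+target_key_id = aws_kms_key.r53_dns_firewall.key_id
+}
+
+data "aws_iam_policy_document" "r53_dns_firewall_kms_policy" {
+# checkov:skip=CKV_AWS_111: "policy is directly related to the resource"
+# checkov:skip=CKV_AWS_109: "policy is directly related to the resource"
+# checkov:skip=CKV_AWS_356: "policy is directly related to the resource"
+statement {
+sid = "Allow SNS/Cloudwatch services to use the KMS key"
+effect = "Allow"
+actions = [
+"kms:Encrypt",
+"kms:Decrypt",
+"kms:ReEncrypt*",
+"kms:GenerateDataKey*",
+"kms:DescribeKey"
+]
+resources = [
+"*"
+]
+principals {
+type = "Service"
+identifiers = ["sns.amazonaws.com", "cloudwatch.amazonaws.com", "logs.amazonaws.com"]
+}
+}
+
+statement {
+sid = "Allow account to manage key"
+effect = "Allow"
+actions = [
+"kms:*"
+]
+resources = [
+"*"
+]
+principals {
+type = "AWS"
+identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+}
+}
+}
+module "pagerduty_r53_dns_firewall" {
+depends_on = [aws_sns_topic.r53_dns_firewall]
+source = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4" # v2.0.0
+sns_topics = [aws_sns_topic.r53_dns_firewall.name]
+pagerduty_integration_key = local.pagerduty_integration_keys["core_alerts_cloudwatch"]
+}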
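Review bot: The first statement of `aws_iam_policy_document.r53_dns_firewall_kms_policy` grants `kms:Encrypt`, `kms:Decrypt`, `kms:ReEncrypt*`, `kms:GenerateDataKey*` and `kms:DescribeKey` on `*` to the `sns.amazonaws.com`, `cloudwatch.amazonaws.com` and `logs.amazonaws.com` service principals with no condition, so any resource of those services that can be pointed at this key, potentially one in another account, could use it; the three `checkov:skip` lines suppress that finding rather than narrow the grant. Adding an `aws:SourceAccount` condition scoped to `data.aws_caller_identity.current.account_id` limits the statement to this account's resources; confirm the alarm-to-SNS publish path still encrypts and decrypts with the condition in place before relying on it. `logs.amazonaws.com` also looks unnecessary here: the key's description says it exists for SNS topic encryption, nothing in the hunk points a log group at it, and a separate `r53_resolver_logs_kms` policy document is visible in the hunk's context, so it can probably be dropped from `identifiers` once that is checked. Unrelated to the policy, `depends_on = [aws_sns_topic.r53_dns_firewall]` in the `pagerduty_r53_dns_firewall` module is redundant because `sns_topics` already references the topic, and a blank line before `module` would match the spacing used between the other blocks.

```hcl
    sid = "Allow SNS/Cloudwatch services to use the KMS key"
    # … unchanged: effect, actions, resources, principals …
    # Confused-deputy guard: only honour requests these services make on behalf
    # of resources in this account.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
```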
7 changes: 5 additions & 2 deletions terraform/environments/core-vpc/logging.tf
Expand Up @@ -11,6 +11,9 @@ locals {
}
}
]...)
vpc_cloudwatch_rlq_associations = {
for key, value in local.vpc_rlq_associations : key => value if can(regex("cloudwatch", key))
}
}

data "aws_route53_resolver_query_log_config" "core_logging" {
Expand All @@ -22,7 +25,7 @@ data "aws_route53_resolver_query_log_config" "core_logging" {
}

resource "aws_route53_resolver_query_log_config_association" "core_logging" {
for_each = local.is-production ? local.vpc_rlq_associations : {}
for_each = local.is-production ? local.vpc_rlq_associations : local.vpc_cloudwatch_rlq_associations
resolver_query_log_config_id = each.value.rlq_id
resource_id = each.value.vpc_id
}
}
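Review bot: The new `vpc_cloudwatch_rlq_associations` local selects entries by a regex substring match on the map key, and nothing in the hunk says what the key encodes, so a reader cannot tell from here why "cloudwatch" identifies the right query log configs; a comment such as `# Non-production associates only the CloudWatch-destination query log configs; the other destinations stay production-only (see the for_each in core_logging below)` would record the intent stated in the commit title. `can(regex("cloudwatch", key))` also matches any key that merely contains the word, so a key for another destination that happened to include it would be picked up too; if the key naming rules out that case a note saying so is enough, otherwise anchor the pattern or filter on whatever field of `value` names the destination, if one exists. If the Terraform version in use is 1.5 or later, `strcontains(key, "cloudwatch")` expresses the same test without the `can`/`regex` wrapper. The enclosing `locals` block starts outside the hunk, and `vpc_rlq_associations` itself is built outside it.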
