features/firehose support (#4)

* feat: initial implementation * upd * Auto Format * upd * Auto Format * upd * Auto Format * upd * Auto Format * last one for today * Auto Format * upd * minor updates * Auto Format * Aws firewall manager allow destroy (dynamic Provider) (#3) * init * add firehose prefix * updates from pr review * comments * make init make github/init make readme * Auto Format * update bucket module * Auto Format * use iam policy document * Auto Format Co-authored-by: SweetOps <[email protected]> Co-authored-by: cloudpossebot <[email protected]>
cloudposse · Jun 28, 2021 · a462d02 · a462d02
1 parent b800f3d
commit a462d02
Show file tree

Hide file tree

Showing 12 changed files with 154 additions and 35 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -15,8 +15,8 @@
 
 # Cloud Posse must review any changes to standard context definition,
 # but some changes can be rubber-stamped.
-**/*.tf       @cloudposse/engineering @cloudposse/approvers
-README.yaml   @cloudposse/engineering @cloudposse/approvers
+**/*.tf       @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
+README.yaml   @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
 README.md     @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
 docs/*.md     @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
 

diff --git a/.github/auto-release.yml b/.github/auto-release.yml
@@ -46,7 +46,7 @@ template: |
 
 replacers:
 # Remove irrelevant information from Renovate bot
-- search: '/---\s+^#.*Renovate configuration(?:.|\n)*?This PR has been generated .*/gm'
+- search: '/(?<=---\s+)+^#.*(Renovate configuration|Configuration)(?:.|\n)*?This PR has been generated .*/gm'
   replace: ''
 # Remove Renovate bot banner image
 - search: '/\[!\[[^\]]*Renovate\][^\]]*\](\([^)]*\))?\s*\n+/gm'

diff --git a/.github/mergify.yml b/.github/mergify.yml
@@ -56,3 +56,10 @@ pull_request_rules:
       changes_requested: true
       approved: true
       message: "This Pull Request has been updated, so we're dismissing all reviews."
+
+- name: "close Pull Requests without files changed"
+  conditions:
+    - "#files=0"
+  actions:
+    close:
+      message: "This pull request has been automatically closed by Mergify because there are no longer any changes."
diff --git a/.github/workflows/auto-format.yml b/.github/workflows/auto-format.yml
@@ -6,7 +6,7 @@ on:
 jobs:
   auto-format:
     runs-on: ubuntu-latest
-    container: cloudposse/build-harness:slim-latest
+    container: cloudposse/build-harness:latest
     steps:
     # Checkout the pull request branch
     #  "An action in a workflow run can’t trigger a new workflow run. For example, if an action pushes code using
@@ -29,6 +29,8 @@ jobs:
     - name: Auto Format
       if: github.event.pull_request.state == 'open'
       shell: bash
+      env:
+        GITHUB_TOKEN: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"
       run: make BUILD_HARNESS_PATH=/build-harness PACKAGES_PREFER_HOST=true -f /build-harness/templates/Makefile.build-harness pr/auto-format/host
 
     # Commit changes (if any) to the PR branch

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
@@ -3,17 +3,25 @@ name: auto-release
 on:
   push:
     branches:
-    - master
+      - main
+      - master
+      - production
 
 jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-    # Drafts your next Release notes as Pull Requests are merged into "master"
-    - uses: release-drafter/release-drafter@v5
-      with:
-        publish: true
-        prerelease: false
-        config-name: auto-release.yml
-      env:
-        GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+      # Get PR from merged commit to master
+      - uses: actions-ecosystem/action-get-merged-pull-request@v1
+        id: get-merged-pull-request
+        with:
+          github_token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+      # Drafts your next Release notes as Pull Requests are merged into "main"
+      - uses: release-drafter/release-drafter@v5
+        if: "!contains(steps.get-merged-pull-request.outputs.labels, 'no-release')"
+        with:
+          publish: true
+          prerelease: false
+          config-name: auto-release.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml
@@ -1,5 +1,7 @@
 name: Validate Codeowners
 on:
+  workflow_dispatch:
+
   pull_request:
 
 jobs:

diff --git a/README.md b/README.md
diff --git a/docs/terraform.md b/docs/terraform.md
diff --git a/firehose.tf b/firehose.tf
@@ -0,0 +1,58 @@
+module "firehose_label" {
+  source  = "cloudposse/label/null"
+  version = "0.24.1"
+
+  attributes = ["firehose"]
+
+  context = module.this.context
+}
+
+module "firehose_s3_bucket" {
+  count                  = local.enabled && var.firehose_enabled ? 1 : 0
+  source                 = "cloudposse/s3-bucket/aws"
+  version                = "0.38.0"
+  acl                    = "private"
+  enabled                = true
+  user_enabled           = true
+  versioning_enabled     = false
+  allowed_bucket_actions = ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"]
+  name                   = module.firehose_label.id
+  stage                  = module.this.stage
+  namespace              = module.this.namespace
+  bucket_name            = module.firehose_label.id
+
+  context = module.this.context
+}
+
+data "aws_iam_policy_document" "assume_role" {
+  count = local.enabled ? 1 : 0
+
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["firehose.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "firehose_role" {
+  count = local.enabled && var.firehose_enabled ? 1 : 0
+  name  = module.firehose_label.id
+
+  assume_role_policy = join("", data.aws_iam_policy_document.assume_role.*.json)
+}
+
+resource "aws_kinesis_firehose_delivery_stream" "firehose_stream" {
+  count = local.enabled && var.firehose_enabled ? 1 : 0
+  // `aws-waf-logs-` required by AWS - https://aws.amazon.com/premiumsupport/knowledge-center/waf-configure-comprehensive-logging/
+  name        = format("%s%s", "aws-waf-logs-", module.this.id)
+  destination = "s3"
+
+  s3_configuration {
+    role_arn   = join("", aws_iam_role.firehose_role.*.arn)
+    bucket_arn = join("", module.firehose_s3_bucket.*.bucket_arn)
+  }
+}
diff --git a/main.tf b/main.tf
@@ -8,10 +8,16 @@ locals {
   waf_v2_policies                        = local.enabled && length(var.waf_v2_policies) > 0 ? { for policy in flatten(var.waf_v2_policies) : policy.name => policy } : {}
   dns_firewall_policies                  = local.enabled && length(var.dns_firewall_policies) > 0 ? { for policy in flatten(var.dns_firewall_policies) : policy.name => policy } : {}
   network_firewall_policies              = local.enabled && length(var.network_firewall_policies) > 0 ? { for policy in flatten(var.network_firewall_policies) : policy.name => policy } : {}
+
+
+  logging_config_firehose_arn     = { logDestinationConfigs : [var.firehose_arn], redactedFields : [{ redactedFieldType : "SingleHeader", redactedFieldValue : "Cookies" }, { redactedFieldType : "Method" }] }
+  logging_config_firehose_enabled = { logDestinationConfigs : [join("", aws_kinesis_firehose_delivery_stream.firehose_stream.*.id)], redactedFields : [{ redactedFieldType : "SingleHeader", redactedFieldValue : "Cookies" }, { redactedFieldType : "Method" }] }
+
+  logging_configuration = local.enabled && var.firehose_enabled ? local.logging_config_firehose_enabled : local.enabled && var.firehose_arn != null ? local.logging_config_firehose_arn : {}
 }
 
 resource "aws_fms_admin_account" "default" {
-  count = local.enabled ? 1 : 0
+  count    = local.enabled && var.admin_account_enabled ? 1 : 0
   provider = aws.admin
 
   account_id = var.admin_account_id

diff --git a/variables.tf b/variables.tf
@@ -4,6 +4,24 @@ variable "admin_account_id" {
   default     = null
 }
 
+variable "admin_account_enabled" {
+  type        = bool
+  description = "Resource for aws_fms_admin_account is enabled and will be created or destroyed"
+  default     = true
+}
+
+variable "firehose_enabled" {
+  type        = bool
+  description = "Create a Kinesis Firehose destination for WAF_V2 Rules. Conflicts with `firehose_arn`"
+  default     = false
+}
+
+variable "firehose_arn" {
+  type        = string
+  description = "Kinesis Firehose ARN used to create a Kinesis Firehose destination for WAF_V2 Rules. Conflicts with `firehose_enabled`"
+  default     = null
+}
+
 variable "security_groups_common_policies" {
   type        = list(any)
   default     = []

diff --git a/waf_v2.tf b/waf_v2.tf
@@ -48,7 +48,7 @@ resource "aws_fms_policy" "waf_v2" {
       }
 
       overrideCustomerWebACLAssociation = lookup(each.value.policy_data, "override_customer_web_acl_association", false)
-      loggingConfiguration              = lookup(each.value.policy_data, "logging_configuration", {})
+      loggingConfiguration              = lookup(each.value.policy_data, "logging_configuration", local.logging_configuration)
     })
   }
 }