Send live_data flow logs to s3 #8007

Merged
merged 2 commits into from
Sep 23, 2024
6 changes: 3 additions & 3 deletions terraform/environments/core-network-services/locals.tf
Expand Up @@ -14,9 +14,9 @@ locals {
is-production = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production"

# This local allows us to references the key / value pairs held in xsiam_secrets.
xsiam = jsondecode(data.aws_secretsmanager_secret_version.xsiam_secret_arn_version.secret_string)
cloudwatch_log_buckets = jsondecode(data.aws_secretsmanager_secret_version.core_logging_bucket_arns.secret_string)
cloudwatch_generic_log_groups = concat([module.firewall_logging.cloudwatch_log_group_name], [for key, value in module.vpc_inspection : value.fw_cloudwatch_name])
xsiam = jsondecode(data.aws_secretsmanager_secret_version.xsiam_secret_arn_version.secret_string)
cloudwatch_log_buckets = nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.core_logging_bucket_arns.secret_string))
cloudwatch_generic_log_groups = concat([module.firewall_logging.cloudwatch_log_group_name], [for key, value in module.vpc_inspection : value.fw_cloudwatch_name])

tags = {
business-unit = "Platforms"
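Review bot: Wrapping the whole decoded secret in `nonsensitive()` strips the sensitive mark from every key in `core_logging_bucket_arns`, so all of those bucket ARNs will now appear in plan output, CI logs and state diffs, not only the `vpc-flow-logs` entry this PR needs. If the secret holds nothing but bucket ARNs that is an acceptable trade, but it is worth confirming, and a narrower alternative is to keep `cloudwatch_log_buckets` as it was and apply `nonsensitive(...)` only at the point of use, e.g. `nonsensitive(local.cloudwatch_log_buckets["vpc-flow-logs"])`. Either way a one-line comment above the local explaining why the mark is removed (the value feeds a module input that must be visible in the plan) would save the next reader from reverting it.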
19 changes: 10 additions & 9 deletions terraform/environments/core-network-services/vpc.tf
Expand Up @@ -9,15 +9,16 @@ locals {
module "vpc_inspection" {
for_each = local.networking

source = "../../modules/vpc-inspection"
application_name = local.application_name
fw_allowed_domains = local.fqdn_firewall_rules.fw_allowed_domains
fw_home_net_ips = local.fqdn_firewall_rules.fw_home_net_ips
fw_kms_arn = data.aws_kms_key.general_shared.arn
fw_rules = local.inline_firewall_rules
vpc_cidr = each.value
vpc_flow_log_iam_role = aws_iam_role.vpc_flow_log.arn
transit_gateway_id = aws_ec2_transit_gateway.transit-gateway.id
source = "../../modules/vpc-inspection"
application_name = local.application_name
flow_log_s3_destination_arn = each.key == "live_data" ? local.cloudwatch_log_buckets["vpc-flow-logs"] : ""
fw_allowed_domains = local.fqdn_firewall_rules.fw_allowed_domains
fw_home_net_ips = local.fqdn_firewall_rules.fw_home_net_ips
fw_kms_arn = data.aws_kms_key.general_shared.arn
fw_rules = local.inline_firewall_rules
vpc_cidr = each.value
vpc_flow_log_iam_role = aws_iam_role.vpc_flow_log.arn
transit_gateway_id = aws_ec2_transit_gateway.transit-gateway.id

# Tags
tags_common = merge(
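Review bot: The new `flow_log_s3_destination_arn` line indexes the map directly with `local.cloudwatch_log_buckets["vpc-flow-logs"]`, so a missing or renamed key in the secret fails the plan for the whole `vpc_inspection` module rather than just the flow-log resource; `lookup(local.cloudwatch_log_buckets, "vpc-flow-logs", "")` or a `precondition` on the key would give a clearer failure. The `""` fallback for every key other than `live_data` also relies on the `vpc-inspection` module treating an empty string as "no S3 destination"; the module side is not in this diff, so please confirm that variable defaults and branches on `""` (or `null`) and that the target bucket's policy allows delivery from the VPC Flow Logs service, otherwise the non-`live_data` VPCs will either error or silently lose their S3 copy.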