terraform-aws-logs/log-reader.tf at main · nullstone-modules/terraform-aws-logs · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
locals {
  # The log reader name must be /aws/lambda/{function_name} to properly capture lambda logs
  #   However, a username cannot contain '/'.
  #   Let's drop `/aws/lambda/` from the name to create a safe user name
  safe_username = replace(trimprefix(var.name, "/aws/"), "/", "-")
}

resource "aws_iam_user" "log_reader" {
  name = "log-reader-${local.safe_username}"
  tags = var.tags

  count = var.log_reader_type == "user" ? 1 : 0
}

resource "aws_iam_access_key" "log_reader" {
  user = aws_iam_user.log_reader[count.index].name

  count = var.log_reader_type == "user" ? 1 : 0
}

resource "aws_iam_user_policy" "log_reader" {
  name   = "AllowReadLogs"
  user   = aws_iam_user.log_reader[count.index].name
  policy = data.aws_iam_policy_document.log_reader.json

  count = var.log_reader_type == "user" ? 1 : 0
}

data "aws_iam_policy_document" "log_reader" {
  statement {
    sid    = "AllowReadLogs"
    effect = "Allow"

    actions = [
      "logs:Get*",
      "logs:List*",
      "logs:StartQuery",
      "logs:StopQuery",
      "logs:TestMetricFilter",
      "logs:Filter*"
    ]

    resources = [
      "${aws_cloudwatch_log_group.this.arn}:log-stream:*"
    ]
  }

  dynamic "statement" {
    for_each = var.enable_get_metrics ? [""] : []

    content {
      sid       = "AllowGetMetrics"
      effect    = "Allow"
      resources = ["*"] // Metrics cannot be restricted by resource

      actions = [
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
      ]
    }
  }
}

resource "aws_iam_role" "log_reader" {
  name               = "log-reader-${local.safe_username}"
  assume_role_policy = data.aws_iam_policy_document.log_reader_assume.json
  tags               = var.tags

  count = var.log_reader_type == "role" ? 1 : 0
}

data "aws_iam_policy_document" "log_reader_assume" {
  statement {
    effect = "Allow"

    actions = [
      "sts:AssumeRole",
      "sts:SetSourceIdentity",
      "sts:TagSession",
    ]

    principals {
      type        = "AWS"
      identifiers = var.log_reader_role_principals
    }
  }
}

resource "aws_iam_role_policy" "log_reader" {
  name   = "AllowReadLogs"
  role   = aws_iam_role.log_reader[count.index].name
  policy = data.aws_iam_policy_document.log_reader.json

  count = var.log_reader_type == "role" ? 1 : 0
}