Reverting old commit and adding code to new folder

Author: himsharma01

aws/elasticloadbalancing/README.md

@@ -0,0 +1,54 @@
+# SumoLogic-AWS-Elb
+
+This module is used to create AWS and Sumo Logic resource to collect ELB logs from an AWS S3 bucket. Features include
+- Create AWS S3 bucket or use an existing AWS S3 bucket.
+- Create AWS IAM role or use an existing IAM role.
+- Create AWS SNS Topic or use an existing AWS SNS topic.
+- Create Sumo Logic hosted collector or use an existing Sumo Logic hosted collector.
+- Create Sumo Logic ELB source.
+- Auto enable access logs for Existing and New load balancer after installing the module.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 0.13.0 |
+| aws | >= 3.42.0 |
+| random | >=3.1.0 |
+| sumologic | >= 2.9.0 |
+| time | >=0.7.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | >= 3.42.0 |
+| random | >=3.1.0 |
+| sumologic | >= 2.9.0 |
+| time | >=0.7.1 |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| auto\_enable\_access\_logs | New - Automatically enables access logging for newly created ALB resources to collect logs for ALB resources. This does not affect ALB resources already collecting logs.<br>                              Existing - Automatically enables access logging for existing ALB resources to collect logs for ALB resources.<br>                               Both - Automatically enables access logging for new and existing ALB resources.<br>                               None - Skips Automatic access Logging enable for ALB resources. | `string` | `"Both"` | no |
+| auto\_enable\_access\_logs\_options | filter - provide a regex to filter the ELB for which access logs should be enabled. Empty means all resources. For eg :- 'Type': 'application'\|'type': 'application', will enable access logs for Application load balancer only.<br>            remove\_on\_delete\_stack - provide true if you would like to disable access logging when you destroy the terraform resources. | <pre>object({<br>    filter                 = string<br>    remove_on_delete_stack = bool<br>  })</pre> | <pre>{<br>  "filter": "",<br>  "remove_on_delete_stack": true<br>}</pre> | no |
+| collector\_details | Provide details for the Sumo Logic collector. If not provided, then defaults will be used. | <pre>object({<br>    collector_name = string<br>    description    = string<br>    fields         = map(string)<br>  })</pre> | <pre>{<br>  "collector_name": "SumoLogic Elb Collector <Random ID>",<br>  "description": "This collector is created using Sumo Logic terraform AWS ELB module to collect AWS elb logs.",<br>  "fields": {}<br>}</pre> | no |
+| create\_collector | Provide "true" if you would like to create the Sumo Logic Collector. | `bool` | n/a | yes |
+| source\_details | Provide details for the Sumo Logic ELB source. If not provided, then defaults will be used. | <pre>object({<br>    source_name     = string<br>    source_category = string<br>    collector_id    = string<br>    description     = string<br>    bucket_details = object({<br>      create_bucket        = bool<br>      bucket_name          = string<br>      path_expression      = string<br>      force_destroy_bucket = bool<br>    })<br>    paused               = bool<br>    scan_interval        = string<br>    sumo_account_id      = number<br>    cutoff_relative_time = string<br>    fields               = map(string)<br>    iam_details = object({<br>      create_iam_role = bool<br>      iam_role_arn    = string<br>    })<br>    sns_topic_details = object({<br>      create_sns_topic = bool<br>      sns_topic_arn    = string<br>    })<br>  })</pre> | <pre>{<br>  "bucket_details": {<br>    "bucket_name": "elb-logs-random-id",<br>    "create_bucket": true,<br>    "force_destroy_bucket": true,<br>    "path_expression": "*AWSLogs/<ACCOUNT-ID>/elasticloadbalancing/<REGION-NAME>/*"<br>  },<br>  "collector_id": "",<br>  "cutoff_relative_time": "-1d",<br>  "description": "This source is created using Sumo Logic terraform AWS elb module to collect AWS elb logs.",<br>  "fields": {},<br>  "iam_details": {<br>    "create_iam_role": true,<br>    "iam_role_arn": null<br>  },<br>  "paused": false,<br>  "scan_interval": 300000,<br>  "sns_topic_details": {<br>    "create_sns_topic": true,<br>    "sns_topic_arn": null<br>  },<br>  "source_category": "Labs/aws/elb",<br>  "source_name": "Elb Source",<br>  "sumo_account_id": 926226587429<br>}</pre> | no |
+| sumologic\_organization\_id | Appears on the Account Overview page that displays information about your Sumo Logic organization. Used for IAM Role in Sumo Logic AWS Sources. | `string` | n/a | yes |
+| wait\_for\_seconds | wait\_for\_seconds is used to delay sumo logic source creation. This helps persisting IAM role in AWS system.<br>        Default value is 180 seconds.<br>        If the AWS IAM role is created outside the module, the value can be decreased to 1 second. | `number` | `180` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| aws\_iam\_role | AWS IAM role with permission to allow Sumo Logic to read logs from S3 Bucket. |
+| aws\_s3\_bucket | AWS S3 Bucket name created to Store the ELB logs. |
+| aws\_s3\_bucket\_notification | AWS S3 Bucket Notification attached to the AWS S3 Bucket |
+| aws\_serverlessapplicationrepository\_cloudformation\_stack | AWS CloudFormation stack for ALB Auto Enable access logs. |
+| aws\_sns\_subscription | AWS SNS subscription to Sumo Logic AWS ELB source. |
+| aws\_sns\_topic | AWS SNS topic attached to the AWS S3 bucket. |
+| random\_string | Random String value created. |
+| sumologic\_collector | Sumo Logic hosted collector. |
+| sumologic\_source | Sumo Logic AWS ELB source. |

aws/elasticloadbalancing/data.tf

@@ -0,0 +1,10 @@
+data "aws_region" "current" {}
+
+data "aws_caller_identity" "current" {}
+
+data "sumologic_caller_identity" "current" {}
+
+data "aws_serverlessapplicationrepository_application" "app" {
+  application_id   = "arn:aws:serverlessrepo:us-east-1:956882708938:applications/sumologic-s3-logging-auto-enable"
+  semantic_version = "1.0.2"
+}

aws/elasticloadbalancing/elb.tf

@@ -0,0 +1,152 @@
+# *************** Steps are as Below to create Sumo Logic ELB source *************** #
+# 1. Create AWS S3 Bucket. If the Bucket is created, create SNS Topic and SNS policy to attach to Bucket.
+# 2. Create IAM role in AWS with access to the bucket name provided.
+# 3. Create a Collector. If the Collector ID is provided, do not create a Collector.
+# 4. Create the source either in the collector created or in the collector id provided.
+# 5. Create SNS Subscription to be attached to the source and SNS Topic.
+# 6. Add SAM app for auto enable of access logs for ELBs.
+
+resource "random_string" "aws_random" {
+  length  = 10
+  special = false
+  upper   = false
+}
+
+resource "aws_s3_bucket" "s3_bucket" {
+  for_each = toset(var.source_details.bucket_details.create_bucket ? ["s3_bucket"] : [])
+
+  bucket        = local.bucket_name
+  force_destroy = var.source_details.bucket_details.force_destroy_bucket
+
+  policy = templatefile("${path.module}/templates/elb_bucket_policy.tmpl", {
+    BUCKET_NAME     = local.bucket_name
+    ELB_ACCCOUNT_ID = local.region_to_elb_account_id[local.aws_region]
+  })
+}
+
+resource "aws_sns_topic" "sns_topic" {
+  for_each = toset(var.source_details.sns_topic_details.create_sns_topic ? ["sns_topic"] : [])
+
+  name = "SumoLogic-Terraform-Elb-Module-${random_string.aws_random.id}"
+  policy = templatefile("${path.module}/templates/sns_topic_policy.tmpl", {
+    BUCKET_NAME    = local.bucket_name,
+    AWS_REGION     = local.aws_region,
+    SNS_TOPIC_NAME = "SumoLogic-Terraform-Elb-Module-${random_string.aws_random.id}",
+    AWS_ACCOUNT    = local.aws_account_id
+  })
+}
+
+resource "aws_s3_bucket_notification" "bucket_notification" {
+  for_each = toset(var.source_details.sns_topic_details.create_sns_topic && var.source_details.bucket_details.create_bucket ? ["bucket_notification"] : [])
+
+  bucket = aws_s3_bucket.s3_bucket["s3_bucket"].id
+
+  topic {
+    topic_arn = aws_sns_topic.sns_topic["sns_topic"].arn
+    events    = ["s3:ObjectCreated:Put"]
+  }
+}
+
+resource "aws_iam_role" "source_iam_role" {
+  for_each = toset(var.source_details.iam_details.create_iam_role ? ["source_iam_role"] : [])
+
+  name = "SumoLogic-Terraform-Elb-Module-${random_string.aws_random.id}"
+  path = "/"
+
+  assume_role_policy = templatefile("${path.module}/templates/sumologic_assume_role.tmpl", {
+    SUMO_LOGIC_ACCOUNT_ID = var.source_details.sumo_account_id,
+    ENVIRONMENT           = data.sumologic_caller_identity.current.environment,
+    SUMO_LOGIC_ORG_ID     = var.sumologic_organization_id
+  })
+
+  managed_policy_arns = [aws_iam_policy.iam_policy["iam_policy"].arn]
+}
+
+resource "aws_iam_policy" "iam_policy" {
+  for_each = toset(var.source_details.iam_details.create_iam_role ? ["iam_policy"] : [])
+
+  name = "SumoLogicElbSource-${random_string.aws_random.id}"
+  policy = templatefile("${path.module}/templates/sumologic_source_policy.tmpl", {
+    BUCKET_NAME = local.bucket_name
+  })
+}
+
+resource "sumologic_collector" "collector" {
+  for_each    = toset(var.create_collector ? ["collector"] : [])
+  name        = local.collector_name
+  description = var.collector_details.description
+  fields      = var.collector_details.fields
+  timezone    = "UTC"
+}
+
+resource "time_sleep" "wait_for_seconds" {
+  create_duration = "${var.wait_for_seconds}s"
+}
+
+resource "sumologic_elb_source" "source" {
+  depends_on = [
+    time_sleep.wait_for_seconds
+  ]
+
+  lifecycle {
+    ignore_changes = [cutoff_timestamp, cutoff_relative_time]
+  }
+  category             = var.source_details.source_category
+  collector_id         = var.create_collector ? sumologic_collector.collector["collector"].id : var.source_details.collector_id
+  content_type         = "AwsElbBucket"
+  cutoff_relative_time = var.source_details.cutoff_relative_time
+  description          = var.source_details.description
+  fields               = var.source_details.fields
+  name                 = var.source_details.source_name
+  paused               = var.source_details.paused
+  scan_interval        = var.source_details.scan_interval
+  authentication {
+    type     = "AWSRoleBasedAuthentication"
+    role_arn = var.source_details.iam_details.create_iam_role ? aws_iam_role.source_iam_role["source_iam_role"].arn : var.source_details.iam_details.iam_role_arn
+  }
+
+  path {
+    type            = "S3BucketPathExpression"
+    bucket_name     = var.source_details.bucket_details.create_bucket ? aws_s3_bucket.s3_bucket["s3_bucket"].id : local.bucket_name
+    path_expression = local.logs_path_expression
+  }
+}
+
+resource "aws_sns_topic_subscription" "subscription" {
+  delivery_policy = jsonencode({
+    "guaranteed" = false,
+    "healthyRetryPolicy" = {
+      "numRetries"         = 40,
+      "minDelayTarget"     = 10,
+      "maxDelayTarget"     = 300,
+      "numMinDelayRetries" = 3,
+      "numMaxDelayRetries" = 5,
+      "numNoDelayRetries"  = 0,
+      "backoffFunction"    = "exponential"
+    },
+    "sicklyRetryPolicy" = null,
+    "throttlePolicy"    = null
+  })
+  endpoint               = sumologic_elb_source.source.url
+  endpoint_auto_confirms = true
+  protocol               = "https"
+  topic_arn              = var.source_details.sns_topic_details.create_sns_topic ? aws_sns_topic.sns_topic["sns_topic"].arn : var.source_details.sns_topic_details.sns_topic_arn
+}
+
+# Reason to use the SAM app, is to have single source of truth for Auto Enable access logs functionality.
+resource "aws_serverlessapplicationrepository_cloudformation_stack" "auto_enable_access_logs" {
+  for_each = toset(local.auto_enable_access_logs ? ["auto_enable_access_logs"] : [])
+
+  name             = "Auto-Enable-Access-Logs-${var.auto_enable_access_logs_options.auto_enable_logging}-${random_string.aws_random.id}"
+  application_id   = "arn:aws:serverlessrepo:us-east-1:956882708938:applications/sumologic-s3-logging-auto-enable"
+  semantic_version = var.app_semantic_version
+  capabilities     = data.aws_serverlessapplicationrepository_application.app.required_capabilities
+  parameters = {
+    BucketName                = local.bucket_name
+    BucketPrefix              = var.auto_enable_access_logs_options.bucket_prefix
+    AutoEnableLogging         = var.auto_enable_access_logs_options.auto_enable_logging
+    AutoEnableResourceOptions = var.auto_enable_access_logs
+    FilterExpression          = var.auto_enable_access_logs_options.filter
+    RemoveOnDeleteStack       = var.auto_enable_access_logs_options.remove_on_delete_stack
+  }
+}

aws/elasticloadbalancing/locals.tf

@@ -0,0 +1,46 @@
+locals {
+
+  aws_account_id = data.aws_caller_identity.current.account_id
+
+  aws_region = data.aws_region.current.id
+
+  # Get the default collector name if no collector name is provided.
+  collector_name = var.collector_details.collector_name == "SumoLogic Elb Collector <Random ID>" ? "SumoLogic Elb Collector ${random_string.aws_random.id}" : var.collector_details.collector_name
+
+  # Get the default bucket name when no bucket is provided and create_bucket is true.
+  bucket_name = var.source_details.bucket_details.create_bucket && var.source_details.bucket_details.bucket_name == "elb-logs-random-id" ? "elb-logs-${random_string.aws_random.id}" : var.source_details.bucket_details.bucket_name
+
+  # Auto enable should be called if input is anything other than None.
+  auto_enable_access_logs = var.auto_enable_access_logs != "None" ? true : false
+
+  # If we create the bucket, then get the default PATH expression.
+logs_path_expression = var.source_details.bucket_details.create_bucket ? "*${var.auto_enable_access_logs_options.bucket_prefix}/AWSLogs/${local.aws_account_id}/elasticloadbalancing/${local.aws_region}/*" : var.source_details.bucket_details.path_expression
+
+  region_to_elb_account_id = {
+    "us-east-1"      = "127311923021",
+    "us-east-2"      = "033677994240",
+    "us-west-1"      = "027434742980",
+    "us-west-2"      = "797873946194",
+    "af-south-1"     = "098369216593",
+    "ca-central-1"   = "985666609251",
+    "eu-central-1"   = "054676820928",
+    "eu-west-1"      = "156460612806",
+    "eu-west-2"      = "652711504416",
+    "eu-south-1"     = "635631232127",
+    "eu-west-3"      = "009996457667",
+    "eu-north-1"     = "897822967062",
+    "ap-east-1"      = "754344448648",
+    "ap-northeast-1" = "582318560864",
+    "ap-northeast-2" = "600734575887",
+    "ap-northeast-3" = "383597477331",
+    "ap-southeast-1" = "114774131450",
+    "ap-southeast-2" = "783225319266",
+    "ap-south-1"     = "718504428378",
+    "me-south-1"     = "076674570225",
+    "sa-east-1"      = "507241528517",
+    "us-gov-west-1"  = "048591011584",
+    "us-gov-east-1"  = "190560391635",
+    "cn-north-1"     = "638102146993",
+    "cn-northwest-1" = "037604701340"
+  }
+}

aws/elasticloadbalancing/outputs.tf

@@ -0,0 +1,44 @@
+output "random_string" {
+  value       = random_string.aws_random
+  description = "Random String value created."
+}
+
+output "aws_s3_bucket" {
+  value       = var.source_details.bucket_details.create_bucket ? aws_s3_bucket.s3_bucket : {}
+  description = "AWS S3 Bucket name created to Store the ELB logs."
+}
+
+output "aws_sns_topic" {
+  value       = var.source_details.sns_topic_details.create_sns_topic ? aws_sns_topic.sns_topic : {}
+  description = "AWS SNS topic attached to the AWS S3 bucket."
+}
+
+output "aws_s3_bucket_notification" {
+  value       = var.source_details.sns_topic_details.create_sns_topic && var.source_details.bucket_details.create_bucket ? aws_s3_bucket_notification.bucket_notification : {}
+  description = "AWS S3 Bucket Notification attached to the AWS S3 Bucket"
+}
+
+output "aws_iam_role" {
+  value       = var.source_details.iam_details.create_iam_role ? aws_iam_role.source_iam_role : {}
+  description = "AWS IAM role with permission to allow Sumo Logic to read logs from S3 Bucket."
+}
+
+output "sumologic_collector" {
+  value       = var.create_collector ? sumologic_collector.collector : {}
+  description = "Sumo Logic hosted collector."
+}
+
+output "sumologic_source" {
+  value       = sumologic_elb_source.source
+  description = "Sumo Logic AWS ELB source."
+}
+
+output "aws_sns_subscription" {
+  value       = aws_sns_topic_subscription.subscription
+  description = "AWS SNS subscription to Sumo Logic AWS ELB source."
+}
+
+output "aws_serverlessapplicationrepository_cloudformation_stack" {
+  value       = local.auto_enable_access_logs ? aws_serverlessapplicationrepository_cloudformation_stack.auto_enable_access_logs : {}
+  description = "AWS CloudFormation stack for ALB Auto Enable access logs."
+}

aws/elasticloadbalancing/templates/elb_bucket_policy.tmpl

@@ -0,0 +1,34 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::${ELB_ACCCOUNT_ID}:root"
+      },
+      "Action": "s3:PutObject",
+      "Resource": "arn:aws:s3:::${BUCKET_NAME}/*"
+    },
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "delivery.logs.amazonaws.com"
+      },
+      "Action": "s3:PutObject",
+      "Resource": "arn:aws:s3:::${BUCKET_NAME}/*",
+      "Condition": {
+        "StringEquals": {
+          "s3:x-amz-acl": "bucket-owner-full-control"
+        }
+      }
+    },
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "delivery.logs.amazonaws.com"
+      },
+      "Action": "s3:GetBucketAcl",
+      "Resource": "arn:aws:s3:::${BUCKET_NAME}"
+    }
+  ]
+}

aws/elasticloadbalancing/templates/sns_topic_policy.tmpl

@@ -0,0 +1,21 @@
+{
+  "Statement": [
+    {
+      "Action": "sns:Publish",
+      "Condition": {
+        "StringEquals": {
+          "aws:SourceAccount": "${AWS_ACCOUNT}"
+        },
+        "ArnLike": {
+          "aws:SourceArn": "arn:aws:s3:::${BUCKET_NAME}"
+        }
+      },
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "s3.amazonaws.com"
+      },
+      "Resource": "arn:aws:sns:${AWS_REGION}:${AWS_ACCOUNT}:${SNS_TOPIC_NAME}"
+    }
+  ],
+  "Version": "2008-10-17"
+}

aws/elasticloadbalancing/templates/sumologic_assume_role.tmpl

@@ -0,0 +1,17 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "AWS": "arn:aws:iam::${SUMO_LOGIC_ACCOUNT_ID}:root"
+      },
+      "Effect": "Allow",
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": "${ENVIRONMENT}:${SUMO_LOGIC_ORG_ID}"
+        }
+      }
+    }
+  ]
+}