Merge pull request #7 from SumoLogic/aws

Updating modules for conditions related to role and sns topic

Author: arunpatyal

aws/cloudtrail/README.md

@@ -35,7 +35,7 @@ This module is used to create AWS and Sumo Logic resource to collect CloudTrail
 | collector\_details | Provide details for the Sumo Logic collector. If not provided, then defaults will be used. | <pre>object({<br>    collector_name = string<br>    description    = string<br>    fields         = map(string)<br>  })</pre> | <pre>{<br>  "collector_name": "SumoLogic CloudTrail Collector <Random ID>",<br>  "description": "This collector is created using Sumo Logic terraform AWS cloudtrail module to collect AWS cloudtrail logs.",<br>  "fields": {}<br>}</pre> | no |
 | create\_collector | Provide "true" if you would like to create the Sumo Logic Collector. | `bool` | n/a | yes |
 | create\_trail | Provide "true" if you would like to create the AWS CloudTrail. If the bucket is created by the module, module by default creates the AWS cloudtrail. | `bool` | n/a | yes |
-| source\_details | Provide details for the Sumo Logic CloudTrail source. If not provided, then defaults will be used. | <pre>object({<br>    source_name     = string<br>    source_category = string<br>    collector_id    = string<br>    description     = string<br>    bucket_details = object({<br>      create_bucket        = bool<br>      bucket_name          = string<br>      path_expression      = string<br>      force_destroy_bucket = bool<br>    })<br>    paused               = bool<br>    scan_interval        = string<br>    sumo_account_id      = number<br>    cutoff_relative_time = string<br>    fields               = map(string)<br>    iam_role_arn         = string<br>    sns_topic_arn        = string<br>  })</pre> | <pre>{<br>  "bucket_details": {<br>    "bucket_name": "cloudtrail-logs-random-id",<br>    "create_bucket": true,<br>    "force_destroy_bucket": true,<br>    "path_expression": "AWSLogs/<ACCOUNT-ID>/CloudTrail/<REGION-NAME>/*"<br>  },<br>  "collector_id": "",<br>  "cutoff_relative_time": "-1d",<br>  "description": "This source is created using Sumo Logic terraform AWS cloudtrail module to collect AWS cloudtrail logs.",<br>  "fields": {},<br>  "iam_role_arn": "",<br>  "paused": false,<br>  "scan_interval": 300000,<br>  "sns_topic_arn": "",<br>  "source_category": "Labs/aws/cloudtrail",<br>  "source_name": "CloudTrail Source",<br>  "sumo_account_id": 926226587429<br>}</pre> | no |
+| source\_details | Provide details for the Sumo Logic CloudTrail source. If not provided, then defaults will be used. | <pre>object({<br>    source_name     = string<br>    source_category = string<br>    collector_id    = string<br>    description     = string<br>    bucket_details = object({<br>      create_bucket        = bool<br>      bucket_name          = string<br>      path_expression      = string<br>      force_destroy_bucket = bool<br>    })<br>    paused               = bool<br>    scan_interval        = string<br>    sumo_account_id      = number<br>    cutoff_relative_time = string<br>    fields               = map(string)<br>    iam_details = object({<br>      create_iam_role = bool<br>      iam_role_arn    = string<br>    })<br>    sns_topic_details = object({<br>      create_sns_topic = bool<br>      sns_topic_arn    = string<br>    })<br>  })</pre> | <pre>{<br>  "bucket_details": {<br>    "bucket_name": "cloudtrail-logs-random-id",<br>    "create_bucket": true,<br>    "force_destroy_bucket": true,<br>    "path_expression": "AWSLogs/<ACCOUNT-ID>/CloudTrail/<REGION-NAME>/*"<br>  },<br>  "collector_id": "",<br>  "cutoff_relative_time": "-1d",<br>  "description": "This source is created using Sumo Logic terraform AWS cloudtrail module to collect AWS cloudtrail logs.",<br>  "fields": {},<br>  "iam_details": {<br>    "create_iam_role": true,<br>    "iam_role_arn": null<br>  },<br>  "paused": false,<br>  "scan_interval": 300000,<br>  "sns_topic_details": {<br>    "create_sns_topic": true,<br>    "sns_topic_arn": null<br>  },<br>  "source_category": "Labs/aws/cloudtrail",<br>  "source_name": "CloudTrail Source",<br>  "sumo_account_id": 926226587429<br>}</pre> | no |
 | sumologic\_organization\_id | Appears on the Account Overview page that displays information about your Sumo Logic organization. Used for IAM Role in Sumo Logic AWS Sources. | `string` | n/a | yes |
 
 ## Outputs

aws/cloudtrail/cloudtrail.tf

@@ -24,7 +24,7 @@ resource "aws_s3_bucket" "s3_bucket" {
 }
 
 resource "aws_sns_topic" "sns_topic" {
-  for_each = toset(local.create_sns_topic ? ["sns_topic"] : [])
+  for_each = toset(var.source_details.sns_topic_details.create_sns_topic ? ["sns_topic"] : [])
 
   name = "SumoLogic-Terraform-CloudTrail-Module-${random_string.aws_random.id}"
   policy = templatefile("${path.module}/templates/sns_topic_policy.tmpl", {
@@ -36,7 +36,7 @@ resource "aws_sns_topic" "sns_topic" {
 }
 
 resource "aws_s3_bucket_notification" "bucket_notification" {
-  for_each = toset(local.create_sns_topic && var.source_details.bucket_details.create_bucket ? ["bucket_notification"] : [])
+  for_each = toset(var.source_details.sns_topic_details.create_sns_topic && var.source_details.bucket_details.create_bucket ? ["bucket_notification"] : [])
 
   bucket = aws_s3_bucket.s3_bucket["s3_bucket"].id
 
@@ -57,7 +57,7 @@ resource "aws_cloudtrail" "cloudtrail" {
 }
 
 resource "aws_iam_role" "source_iam_role" {
-  for_each = toset(local.create_iam_role ? ["source_iam_role"] : [])
+  for_each = toset(var.source_details.iam_details.create_iam_role ? ["source_iam_role"] : [])
 
   name = "SumoLogic-Terraform-CloudTrail-Module-${random_string.aws_random.id}"
   path = "/"
@@ -72,7 +72,7 @@ resource "aws_iam_role" "source_iam_role" {
 }
 
 resource "aws_iam_policy" "iam_policy" {
-  for_each = toset(local.create_iam_role ? ["iam_policy"] : [])
+  for_each = toset(var.source_details.iam_details.create_iam_role ? ["iam_policy"] : [])
 
   name = "SumoLogicCloudTrailSource-${random_string.aws_random.id}"
   policy = templatefile("${path.module}/templates/sumologic_source_policy.tmpl", {
@@ -111,7 +111,7 @@ resource "sumologic_cloudtrail_source" "source" {
   scan_interval        = var.source_details.scan_interval
   authentication {
     type     = "AWSRoleBasedAuthentication"
-    role_arn = local.create_iam_role ? aws_iam_role.source_iam_role["source_iam_role"].arn : var.source_details.iam_role_arn
+    role_arn = var.source_details.iam_details.create_iam_role ? aws_iam_role.source_iam_role["source_iam_role"].arn : var.source_details.iam_details.iam_role_arn
   }
 
   path {
@@ -139,5 +139,5 @@ resource "aws_sns_topic_subscription" "subscription" {
   endpoint               = sumologic_cloudtrail_source.source.url
   endpoint_auto_confirms = true
   protocol               = "https"
-  topic_arn              = local.create_sns_topic ? aws_sns_topic.sns_topic["sns_topic"].arn : var.source_details.sns_topic_arn
+  topic_arn              = var.source_details.sns_topic_details.create_sns_topic ? aws_sns_topic.sns_topic["sns_topic"].arn : var.source_details.sns_topic_details.sns_topic_arn
 }

aws/cloudtrail/locals.tf

@@ -13,12 +13,6 @@ locals {
   # Get the default bucket name when no bucket is provided and create_bucket is true.
   bucket_name = var.source_details.bucket_details.create_bucket && var.source_details.bucket_details.bucket_name == "cloudtrail-logs-random-id" ? "cloudtrail-logs-${random_string.aws_random.id}" : var.source_details.bucket_details.bucket_name
 
-  # Create IAM role condition if no IAM ROLE ARN is provided.
-  create_iam_role = var.source_details.iam_role_arn != "" ? false : true
-
-  # Create SNS topic condition if no SNS topic arn is provided.
-  create_sns_topic = var.source_details.sns_topic_arn != "" ? false : true
-
   # Trail should be created when we create the bucket. If we do not create the bucket, user should have capability to create and not create trail.
   create_trail = var.source_details.bucket_details.create_bucket ? true : var.create_trail
 

aws/cloudtrail/outputs.tf

@@ -9,12 +9,12 @@ output "aws_s3_bucket" {
 }
 
 output "aws_sns_topic" {
-  value       = local.create_sns_topic ? aws_sns_topic.sns_topic : {}
+  value       = var.source_details.sns_topic_details.create_sns_topic ? aws_sns_topic.sns_topic : {}
   description = "AWS SNS topic attached to the AWS S3 bucket."
 }
 
 output "aws_s3_bucket_notification" {
-  value       = local.create_sns_topic && var.source_details.bucket_details.create_bucket ? aws_s3_bucket_notification.bucket_notification : {}
+  value       = var.source_details.sns_topic_details.create_sns_topic && var.source_details.bucket_details.create_bucket ? aws_s3_bucket_notification.bucket_notification : {}
   description = "AWS S3 Bucket Notification attached to the AWS S3 Bucket"
 }
 
@@ -24,7 +24,7 @@ output "aws_cloudtrail" {
 }
 
 output "aws_iam_role" {
-  value       = local.create_iam_role ? aws_iam_role.source_iam_role : {}
+  value       = var.source_details.iam_details.create_iam_role ? aws_iam_role.source_iam_role : {}
   description = "AWS IAM role with permission to allow Sumo Logic to read logs from S3 Bucket."
 }
 

aws/cloudtrail/variables.tf

@@ -34,8 +34,14 @@ variable "source_details" {
     sumo_account_id      = number
     cutoff_relative_time = string
     fields               = map(string)
-    iam_role_arn         = string
-    sns_topic_arn        = string
+    iam_details = object({
+      create_iam_role = bool
+      iam_role_arn    = string
+    })
+    sns_topic_details = object({
+      create_sns_topic = bool
+      sns_topic_arn    = string
+    })
   })
   description = "Provide details for the Sumo Logic CloudTrail source. If not provided, then defaults will be used."
   default = {
@@ -54,8 +60,14 @@ variable "source_details" {
     sumo_account_id      = 926226587429
     cutoff_relative_time = "-1d"
     fields               = {}
-    iam_role_arn         = ""
-    sns_topic_arn        = ""
+    iam_details = {
+      create_iam_role = true
+      iam_role_arn    = null
+    }
+    sns_topic_details = {
+      create_sns_topic = true
+      sns_topic_arn    = null
+    }
   }
   validation {
     condition     = can(regex("[a-z0-9-.]{3,63}$", var.source_details.bucket_details.bucket_name))

aws/cloudwatchmetrics/README.md

@@ -30,7 +30,7 @@ This module is used to create the SumoLogic AWS CloudWatch metrics source. Featu
 |------|-------------|------|---------|:--------:|
 | collector\_details | Provide details for the Sumo Logic collector. If not provided, then defaults will be used. | <pre>object({<br>    collector_name = string<br>    description    = string<br>    fields         = map(string)<br>  })</pre> | <pre>{<br>  "collector_name": "SumoLogic CloudWatch Metrics Collector <Random ID>",<br>  "description": "This collector is created using Sumo Logic terraform AWS Cloudwatch metrics module to collect AWS cloudwatch metrics.",<br>  "fields": {}<br>}</pre> | no |
 | create\_collector | Provide "true" if you would like to create the Sumo Logic Collector. | `bool` | n/a | yes |
-| source\_details | Provide details for the Sumo Logic Cloudwatch Metrics source. If not provided, then defaults will be used. | <pre>object({<br>    source_name         = string<br>    source_category     = string<br>    collector_id        = string<br>    description         = string<br>    limit_to_regions    = list(string)<br>    limit_to_namespaces = list(string)<br>    paused              = bool<br>    scan_interval       = number<br>    sumo_account_id     = number<br>    fields              = map(string)<br>    iam_role_arn        = string<br>  })</pre> | <pre>{<br>  "collector_id": "",<br>  "description": "This source is created using Sumo Logic terraform AWS CloudWatch Metrics module to collect AWS Cloudwatch metrics.",<br>  "fields": {},<br>  "iam_role_arn": "",<br>  "limit_to_namespaces": [],<br>  "limit_to_regions": [],<br>  "paused": false,<br>  "scan_interval": 300000,<br>  "source_category": "Labs/aws/cloudwatch/metrics",<br>  "source_name": "CloudWatch Metrics Source",<br>  "sumo_account_id": 926226587429<br>}</pre> | no |
+| source\_details | Provide details for the Sumo Logic Cloudwatch Metrics source. If not provided, then defaults will be used. | <pre>object({<br>    source_name         = string<br>    source_category     = string<br>    collector_id        = string<br>    description         = string<br>    limit_to_regions    = list(string)<br>    limit_to_namespaces = list(string)<br>    paused              = bool<br>    scan_interval       = number<br>    sumo_account_id     = number<br>    fields              = map(string)<br>    iam_details = object({<br>      create_iam_role = bool<br>      iam_role_arn    = string<br>    })<br>  })</pre> | <pre>{<br>  "collector_id": "",<br>  "description": "This source is created using Sumo Logic terraform AWS CloudWatch Metrics module to collect AWS Cloudwatch metrics.",<br>  "fields": {},<br>  "iam_details": {<br>    "create_iam_role": true,<br>    "iam_role_arn": null<br>  },<br>  "limit_to_namespaces": [],<br>  "limit_to_regions": [],<br>  "paused": false,<br>  "scan_interval": 300000,<br>  "source_category": "Labs/aws/cloudwatch/metrics",<br>  "source_name": "CloudWatch Metrics Source",<br>  "sumo_account_id": 926226587429<br>}</pre> | no |
 | sumologic\_organization\_id | Appears on the Account Overview page that displays information about your Sumo Logic organization. Used for IAM Role in Sumo Logic AWS Sources. | `string` | n/a | yes |
 
 ## Outputs

aws/cloudwatchmetrics/cloudwatchmetrics.tf

@@ -9,7 +9,7 @@ resource "random_string" "aws_random" {
 }
 
 resource "aws_iam_role" "source_iam_role" {
-  for_each = toset(local.create_iam_role ? ["source_iam_role"] : [])
+  for_each = toset(var.source_details.iam_details.create_iam_role ? ["source_iam_role"] : [])
 
   name = "SumoLogic-CloudWatch-Metrics-Module-${random_string.aws_random.id}"
   path = "/"
@@ -24,7 +24,7 @@ resource "aws_iam_role" "source_iam_role" {
 }
 
 resource "aws_iam_policy" "iam_policy" {
-  for_each = toset(local.create_iam_role ? ["iam_policy"] : [])
+  for_each = toset(var.source_details.iam_details.create_iam_role ? ["iam_policy"] : [])
 
   name   = "SumoLogicCloudWatchMetricsSource-${random_string.aws_random.id}"
   policy = templatefile("${path.module}/templates/sumologic_source_policy.tmpl", {})
@@ -57,7 +57,7 @@ resource "sumologic_cloudwatch_source" "cloudwatch_metrics_sources" {
 
   authentication {
     type     = "AWSRoleBasedAuthentication"
-    role_arn = local.create_iam_role ? aws_iam_role.source_iam_role["source_iam_role"].arn : var.source_details.iam_role_arn
+    role_arn = var.source_details.iam_details.create_iam_role ? aws_iam_role.source_iam_role["source_iam_role"].arn : var.source_details.iam_details.iam_role_arn
   }
 
   path {

aws/cloudwatchmetrics/locals.tf

@@ -3,6 +3,4 @@ locals {
   # Get the default collector name if no collector name is provided.
   collector_name = var.collector_details.collector_name == "SumoLogic CloudWatch Metrics Collector <Random ID>" ? "SumoLogic CloudWatch Metrics Collector ${random_string.aws_random.id}" : var.collector_details.collector_name
 
-  # Create IAM role condition if no IAM ROLE ARN is provided.
-  create_iam_role = var.source_details.iam_role_arn != "" ? false : true
 }

aws/cloudwatchmetrics/outputs.tf

@@ -4,7 +4,7 @@ output "random_string" {
 }
 
 output "aws_iam_role" {
-  value       = local.create_iam_role ? aws_iam_role.source_iam_role : {}
+  value       = var.source_details.iam_details.create_iam_role ? aws_iam_role.source_iam_role : {}
   description = "AWS IAM role with permission to allow Sumo Logic to read logs from S3 Bucket."
 }
 

aws/cloudwatchmetrics/variables.tf

@@ -29,7 +29,10 @@ variable "source_details" {
     scan_interval       = number
     sumo_account_id     = number
     fields              = map(string)
-    iam_role_arn        = string
+    iam_details = object({
+      create_iam_role = bool
+      iam_role_arn    = string
+    })
   })
   description = "Provide details for the Sumo Logic Cloudwatch Metrics source. If not provided, then defaults will be used."
   default = {
@@ -43,7 +46,10 @@ variable "source_details" {
     paused              = false
     sumo_account_id     = 926226587429
     fields              = {}
-    iam_role_arn        = ""
+    iam_details = {
+      create_iam_role = true
+      iam_role_arn    = null
+    }
   }
 }