correcting ELB module to create IAM role and SNS topic based on condition.

Author: sourabh

aws/elb/README.md

@@ -35,7 +35,7 @@ This module is used to create AWS and Sumo Logic resource to collect ELB logs fr
 | auto\_enable\_access\_logs\_options | filter - provide a regex to filter the ELB for which access logs should be enabled. Empty means all resources. For eg :- 'Type': 'application'\|'type': 'application', will enable access logs for Application load balancer only.<br>            remove\_on\_delete\_stack - provide true if you would like to disable access logging when you destroy the terraform resources. | <pre>object({<br>    filter                 = string<br>    remove_on_delete_stack = bool<br>  })</pre> | <pre>{<br>  "filter": "",<br>  "remove_on_delete_stack": true<br>}</pre> | no |
 | collector\_details | Provide details for the Sumo Logic collector. If not provided, then defaults will be used. | <pre>object({<br>    collector_name = string<br>    description    = string<br>    fields         = map(string)<br>  })</pre> | <pre>{<br>  "collector_name": "SumoLogic Elb Collector <Random ID>",<br>  "description": "This collector is created using Sumo Logic terraform AWS ELB module to collect AWS elb logs.",<br>  "fields": {}<br>}</pre> | no |
 | create\_collector | Provide "true" if you would like to create the Sumo Logic Collector. | `bool` | n/a | yes |
-| source\_details | Provide details for the Sumo Logic ELB source. If not provided, then defaults will be used. | <pre>object({<br>    source_name     = string<br>    source_category = string<br>    collector_id    = string<br>    description     = string<br>    bucket_details = object({<br>      create_bucket        = bool<br>      bucket_name          = string<br>      path_expression      = string<br>      force_destroy_bucket = bool<br>    })<br>    paused               = bool<br>    scan_interval        = string<br>    sumo_account_id      = number<br>    cutoff_relative_time = string<br>    fields               = map(string)<br>    iam_role_arn         = string<br>    sns_topic_arn        = string<br>  })</pre> | <pre>{<br>  "bucket_details": {<br>    "bucket_name": "elb-logs-random-id",<br>    "create_bucket": true,<br>    "force_destroy_bucket": true,<br>    "path_expression": "*AWSLogs/<ACCOUNT-ID>/elasticloadbalancing/<REGION-NAME>/*"<br>  },<br>  "collector_id": "",<br>  "cutoff_relative_time": "-1d",<br>  "description": "This source is created using Sumo Logic terraform AWS elb module to collect AWS elb logs.",<br>  "fields": {},<br>  "iam_role_arn": "",<br>  "paused": false,<br>  "scan_interval": 300000,<br>  "sns_topic_arn": "",<br>  "source_category": "Labs/aws/elb",<br>  "source_name": "Elb Source",<br>  "sumo_account_id": 926226587429<br>}</pre> | no |
+| source\_details | Provide details for the Sumo Logic ELB source. If not provided, then defaults will be used. | <pre>object({<br>    source_name     = string<br>    source_category = string<br>    collector_id    = string<br>    description     = string<br>    bucket_details = object({<br>      create_bucket        = bool<br>      bucket_name          = string<br>      path_expression      = string<br>      force_destroy_bucket = bool<br>    })<br>    paused               = bool<br>    scan_interval        = string<br>    sumo_account_id      = number<br>    cutoff_relative_time = string<br>    fields               = map(string)<br>    iam_details = object({<br>      create_iam_role = bool<br>      iam_role_arn    = string<br>    })<br>    sns_topic_details = object({<br>      create_sns_topic = bool<br>      sns_topic_arn    = string<br>    })<br>  })</pre> | <pre>{<br>  "bucket_details": {<br>    "bucket_name": "elb-logs-random-id",<br>    "create_bucket": true,<br>    "force_destroy_bucket": true,<br>    "path_expression": "*AWSLogs/<ACCOUNT-ID>/elasticloadbalancing/<REGION-NAME>/*"<br>  },<br>  "collector_id": "",<br>  "cutoff_relative_time": "-1d",<br>  "description": "This source is created using Sumo Logic terraform AWS elb module to collect AWS elb logs.",<br>  "fields": {},<br>  "iam_details": {<br>    "create_iam_role": true,<br>    "iam_role_arn": null<br>  },<br>  "paused": false,<br>  "scan_interval": 300000,<br>  "sns_topic_details": {<br>    "create_sns_topic": true,<br>    "sns_topic_arn": null<br>  },<br>  "source_category": "Labs/aws/elb",<br>  "source_name": "Elb Source",<br>  "sumo_account_id": 926226587429<br>}</pre> | no |
 | sumologic\_organization\_id | Appears on the Account Overview page that displays information about your Sumo Logic organization. Used for IAM Role in Sumo Logic AWS Sources. | `string` | n/a | yes |
 
 ## Outputs

aws/elb/elb.tf

@@ -25,7 +25,7 @@ resource "aws_s3_bucket" "s3_bucket" {
 }
 
 resource "aws_sns_topic" "sns_topic" {
-  for_each = toset(local.create_sns_topic ? ["sns_topic"] : [])
+  for_each = toset(var.source_details.sns_topic_details.create_sns_topic ? ["sns_topic"] : [])
 
   name = "SumoLogic-Terraform-Elb-Module-${random_string.aws_random.id}"
   policy = templatefile("${path.module}/templates/sns_topic_policy.tmpl", {
@@ -37,7 +37,7 @@ resource "aws_sns_topic" "sns_topic" {
 }
 
 resource "aws_s3_bucket_notification" "bucket_notification" {
-  for_each = toset(local.create_sns_topic && var.source_details.bucket_details.create_bucket ? ["bucket_notification"] : [])
+  for_each = toset(var.source_details.sns_topic_details.create_sns_topic && var.source_details.bucket_details.create_bucket ? ["bucket_notification"] : [])
 
   bucket = aws_s3_bucket.s3_bucket["s3_bucket"].id
 
@@ -48,7 +48,7 @@ resource "aws_s3_bucket_notification" "bucket_notification" {
 }
 
 resource "aws_iam_role" "source_iam_role" {
-  for_each = toset(local.create_iam_role ? ["source_iam_role"] : [])
+  for_each = toset(var.source_details.iam_details.create_iam_role ? ["source_iam_role"] : [])
 
   name = "SumoLogic-Terraform-Elb-Module-${random_string.aws_random.id}"
   path = "/"
@@ -63,7 +63,7 @@ resource "aws_iam_role" "source_iam_role" {
 }
 
 resource "aws_iam_policy" "iam_policy" {
-  for_each = toset(local.create_iam_role ? ["iam_policy"] : [])
+  for_each = toset(var.source_details.iam_details.create_iam_role ? ["iam_policy"] : [])
 
   name = "SumoLogicElbSource-${random_string.aws_random.id}"
   policy = templatefile("${path.module}/templates/sumologic_source_policy.tmpl", {
@@ -102,7 +102,7 @@ resource "sumologic_elb_source" "source" {
   scan_interval        = var.source_details.scan_interval
   authentication {
     type     = "AWSRoleBasedAuthentication"
-    role_arn = local.create_iam_role ? aws_iam_role.source_iam_role["source_iam_role"].arn : var.source_details.iam_role_arn
+    role_arn = var.source_details.iam_details.create_iam_role ? aws_iam_role.source_iam_role["source_iam_role"].arn : var.source_details.iam_details.iam_role_arn
   }
 
   path {
@@ -130,7 +130,7 @@ resource "aws_sns_topic_subscription" "subscription" {
   endpoint               = sumologic_elb_source.source.url
   endpoint_auto_confirms = true
   protocol               = "https"
-  topic_arn              = local.create_sns_topic ? aws_sns_topic.sns_topic["sns_topic"].arn : var.source_details.sns_topic_arn
+  topic_arn              = var.source_details.sns_topic_details.create_sns_topic ? aws_sns_topic.sns_topic["sns_topic"].arn : var.source_details.sns_topic_details.sns_topic_arn
 }
 
 # Reason to use the SAM app, is to have single source of truth for Auto Enable access logs functionality.

aws/elb/locals.tf

@@ -10,12 +10,6 @@ locals {
   # Get the default bucket name when no bucket is provided and create_bucket is true.
   bucket_name = var.source_details.bucket_details.create_bucket && var.source_details.bucket_details.bucket_name == "elb-logs-random-id" ? "elb-logs-${random_string.aws_random.id}" : var.source_details.bucket_details.bucket_name
 
-  # Create IAM role condition if no IAM ROLE ARN is provided.
-  create_iam_role = var.source_details.iam_role_arn != "" ? false : true
-
-  # Create SNS topic condition if no SNS topic arn is provided.
-  create_sns_topic = var.source_details.sns_topic_arn != "" ? false : true
-
   # Auto enable should be called if input is anything other than None.
   auto_enable_access_logs = var.auto_enable_access_logs != "None" ? true : false
 

aws/elb/outputs.tf

@@ -9,17 +9,17 @@ output "aws_s3_bucket" {
 }
 
 output "aws_sns_topic" {
-  value       = local.create_sns_topic ? aws_sns_topic.sns_topic : {}
+  value       = var.source_details.sns_topic_details.create_sns_topic ? aws_sns_topic.sns_topic : {}
   description = "AWS SNS topic attached to the AWS S3 bucket."
 }
 
 output "aws_s3_bucket_notification" {
-  value       = local.create_sns_topic && var.source_details.bucket_details.create_bucket ? aws_s3_bucket_notification.bucket_notification : {}
+  value       = var.source_details.sns_topic_details.create_sns_topic && var.source_details.bucket_details.create_bucket ? aws_s3_bucket_notification.bucket_notification : {}
   description = "AWS S3 Bucket Notification attached to the AWS S3 Bucket"
 }
 
 output "aws_iam_role" {
-  value       = local.create_iam_role ? aws_iam_role.source_iam_role : {}
+  value       = var.source_details.iam_details.create_iam_role ? aws_iam_role.source_iam_role : {}
   description = "AWS IAM role with permission to allow Sumo Logic to read logs from S3 Bucket."
 }
 

aws/elb/variables.tf

@@ -34,8 +34,14 @@ variable "source_details" {
     sumo_account_id      = number
     cutoff_relative_time = string
     fields               = map(string)
-    iam_role_arn         = string
-    sns_topic_arn        = string
+    iam_details = object({
+      create_iam_role = bool
+      iam_role_arn    = string
+    })
+    sns_topic_details = object({
+      create_sns_topic = bool
+      sns_topic_arn    = string
+    })
   })
   description = "Provide details for the Sumo Logic ELB source. If not provided, then defaults will be used."
   default = {
@@ -54,8 +60,14 @@ variable "source_details" {
     sumo_account_id      = 926226587429
     cutoff_relative_time = "-1d"
     fields               = {}
-    iam_role_arn         = ""
-    sns_topic_arn        = ""
+    iam_details = {
+      create_iam_role = true
+      iam_role_arn    = null
+    }
+    sns_topic_details = {
+      create_sns_topic = true
+      sns_topic_arn    = null
+    }
   }
   validation {
     condition     = can(regex("[a-z0-9-.]{3,63}$", var.source_details.bucket_details.bucket_name))

terratest/aws/elb/elb_test.go

@@ -109,8 +109,14 @@ func TestWithExistingResourcesValues(t *testing.T) {
 			},
 			"sumo_account_id": "926226587429",
 			"collector_id":    COLLECTOR_ID,
-			"iam_role_arn":    IAM_ROLE,
-			"sns_topic_arn":   SNS_TOPIC,
+			"iam_details": map[string]interface{}{
+				"create_iam_role": false,
+				"iam_role_arn":    IAM_ROLE,
+			},
+			"sns_topic_details": map[string]interface{}{
+				"create_sns_topic": false,
+				"sns_topic_arn":    SNS_TOPIC,
+			},
 		},
 	}
 
@@ -130,7 +136,7 @@ func TestWithExistingResourcesValues(t *testing.T) {
 		"OrgId":          common.SumologicOrganizationId,
 		"BucketName":     BUCKET_NAME,
 		"PathExpression": PATH_EXPRESSION,
-		"RandomString":  outputs["random_string"].(map[string]interface{})["id"].(string),
+		"RandomString":   outputs["random_string"].(map[string]interface{})["id"].(string),
 	}
 	// Assert if the outputs are actually created in AWS and Sumo Logic.
 	// This also checks if your expectation are matched with the outputs, so provide an JSON with expected outputs.
@@ -177,8 +183,14 @@ func TestWithExistingCollectorIAMNewSNSResources(t *testing.T) {
 			},
 			"sumo_account_id": "926226587429",
 			"collector_id":    COLLECTOR_ID,
-			"iam_role_arn":    IAM_ROLE,
-			"sns_topic_arn":   "",
+			"iam_details": map[string]interface{}{
+				"create_iam_role": false,
+				"iam_role_arn":    IAM_ROLE,
+			},
+			"sns_topic_details": map[string]interface{}{
+				"create_sns_topic": true,
+				"sns_topic_arn":    nil,
+			},
 		},
 	}
 
@@ -198,7 +210,7 @@ func TestWithExistingCollectorIAMNewSNSResources(t *testing.T) {
 		"OrgId":          common.SumologicOrganizationId,
 		"BucketName":     BUCKET_NAME,
 		"PathExpression": PATH_EXPRESSION,
-		"RandomString":  outputs["random_string"].(map[string]interface{})["id"].(string),
+		"RandomString":   outputs["random_string"].(map[string]interface{})["id"].(string),
 	}
 	// Assert if the outputs are actually created in AWS and Sumo Logic.
 	// This also checks if your expectation are matched with the outputs, so provide an JSON with expected outputs.