adding cloudwatchlogs forwarder.

Author: sourabh

aws/cloudwatchlogsforwarder/README.md

@@ -0,0 +1,54 @@
+# SumoLogic-AWS-CloudWatchLogsForwarder
+
+This module is used to create the SumoLogic AWS HTTP source to collect AWS CloudWatch logs. Features include
+- Create AWS resources to setup IAM Roles, SQS, SNS, Metric Alarm, Lambda functions.
+- Create Sumo Logic hosted collector. Existing collector can also be used.
+- Create Sumo Logic HTTP Source for logs.
+- Auto enable logs subscription for Existing and New log groups after installing the module.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 0.13.0 |
+| aws | >= 3.42.0 |
+| random | >= 3.1.0 |
+| sumologic | >= 2.9.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | >= 3.42.0 |
+| random | >= 3.1.0 |
+| sumologic | >= 2.9.0 |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| auto\_enable\_logs\_subscription | New - Automatically subscribes new log groups to send logs to Sumo Logic.<br>                              Existing - Automatically subscribes existing log groups to send logs to Sumo Logic.<br>                           Both - Automatically subscribes new and existing log groups.<br>                                None - Skips Automatic subscription. | `string` | `"Both"` | no |
+| auto\_enable\_logs\_subscription\_options | filter - Enter regex for matching logGroups. Regex will check for the name. Visit https://help.sumologic.com/03Send-Data/Collect-from-Other-Data-Sources/Auto-Subscribe_AWS_Log_Groups_to_a_Lambda_Function#Configuring_parameters | <pre>object({<br>    filter = string<br>  })</pre> | <pre>{<br>  "filter": "lambda"<br>}</pre> | no |
+| collector\_details | Provide details for the Sumo Logic collector. If not provided, then defaults will be used. | <pre>object({<br>    collector_name = string<br>    description    = string<br>    fields         = map(string)<br>  })</pre> | <pre>{<br>  "collector_name": "SumoLogic CloudWatch Logs Collector <Random ID>",<br>  "description": "This collector is created using Sumo Logic terraform AWS CloudWatch Logs forwarder to collect AWS cloudwatch logs.",<br>  "fields": {}<br>}</pre> | no |
+| create\_collector | Provide "true" if you would like to create the Sumo Logic Collector. | `bool` | n/a | yes |
+| email\_id | Email for receiving alerts. A confirmation email is sent after the deployment is complete. It can be confirmed to subscribe for alerts. | `string` | `"[email protected]"` | no |
+| include\_log\_group\_info | Enable loggroup/logstream values in logs. | `bool` | `true` | no |
+| log\_format | Service for Cloudwatch logs source. | `string` | `"Others"` | no |
+| log\_stream\_prefix | LogStream name prefixes to filter by logStream. Please note this is separate from a logGroup. This is used only to send certain logStreams within a Cloudwatch logGroup(s). LogGroups still need to be subscribed to the created Lambda function regardless of this input value. | `list(string)` | `[]` | no |
+| source\_details | Provide details for the Sumo Logic HTTP source. If not provided, then defaults will be used. | <pre>object({<br>    source_name     = string<br>    source_category = string<br>    collector_id    = string<br>    description     = string<br>    fields          = map(string)<br>  })</pre> | <pre>{<br>  "collector_id": "",<br>  "description": "This source is created using Sumo Logic terraform AWS CloudWatch Logs forwarder to collect AWS cloudwatch logs.",<br>  "fields": {},<br>  "source_category": "Labs/aws/cloudwatch",<br>  "source_name": "CloudWatch Logs Source"<br>}</pre> | no |
+| workers | Number of lambda function invocations for Cloudwatch logs source Dead Letter Queue processing. | `number` | `4` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| aws\_cloudwatch\_log\_group | AWS Log group created to attach to the lambda function. |
+| aws\_cloudwatch\_metric\_alarm | AWS CLoudWatch metric alarm. |
+| aws\_cw\_lambda\_function | AWS Lambda fucntion to send logs to Sumo Logic. |
+| aws\_iam\_role | AWS IAM role with permission to setup lambda. |
+| aws\_serverlessapplicationrepository\_cloudformation\_stack | AWS CloudFormation stack for Auto Enable logs subscription. |
+| aws\_sns\_topic | AWS SNS topic |
+| aws\_sqs\_queue | AWS SQS queue to Store the Failed data. |
+| random\_string | Random String value created. |
+| sumologic\_collector | Sumo Logic hosted collector. |
+| sumologic\_source | Sumo Logic HTTP source. |

aws/cloudwatchlogsforwarder/cloudwatchlogsforwarder.tf

@@ -0,0 +1,201 @@
+# *************** Steps are as Below to create Sumo Logic Kinesis Firehose for Logs source *************** #
+# 1. Create AWS S3 Bucket and use an existing bucket as provided in the inputs.
+# 2. Create Log Groups and Log Streams to attach to the kinesis firehose delivery stream.
+# 3. Create IAM roles and IAM policies to attach to Kinesis Firehose and delivery stream.
+# 4. Create a Kinesis Firehose delivery stream.
+# 5. Create subscription for log group.
+
+resource "random_string" "aws_random" {
+  length  = 10
+  special = false
+  upper   = false
+}
+
+resource "aws_cloudwatch_log_group" "cloudwatch_log_group" {
+  name              = "SumoCWLogGroup-${random_string.aws_random.id}"
+  retention_in_days = 7
+}
+
+resource "aws_cloudwatch_log_subscription_filter" "cloudwatch_log_subscription_filter" {
+  destination_arn = aws_lambda_function.logs_lambda_function.arn
+  filter_pattern  = ""
+  log_group_name  = aws_cloudwatch_log_group.cloudwatch_log_group.name
+  name            = "SumoCWLogSubscriptionFilter"
+}
+
+resource "aws_lambda_permission" "logs_lambda_invoke_permission" {
+  action         = "lambda:InvokeFunction"
+  function_name  = aws_lambda_function.logs_lambda_function.function_name
+  principal      = "logs.${local.aws_region}.amazonaws.com"
+  source_account = local.aws_account_id
+}
+
+resource "aws_sqs_queue" "sqs_queue" {
+  name = "SumoCWDeadLetterQueue-${random_string.aws_random.id}"
+}
+
+resource "aws_iam_role" "lambda_iam_role" {
+  name = "SumoCWLambdaExecutionRole-${random_string.aws_random.id}"
+  path = "/"
+
+  assume_role_policy = templatefile("${path.module}/templates/logs_assume_role.tmpl", {})
+}
+
+resource "aws_iam_policy" "lambda_sqs_policy" {
+  name = "SQSCreateLogs-${random_string.aws_random.id}"
+  policy = templatefile("${path.module}/templates/lambda_sqs.tmpl", {
+    DEAD_LETTER_QUEUE_ARN = aws_sqs_queue.sqs_queue.arn
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_sqs_policy_attachment" {
+  role       = aws_iam_role.lambda_iam_role.name
+  policy_arn = aws_iam_policy.lambda_sqs_policy.arn
+}
+
+resource "aws_iam_policy" "create_logs_policy" {
+  name = "CloudWatchCreateLogs-${random_string.aws_random.id}"
+  policy = templatefile("${path.module}/templates/lambda_logs.tmpl", {
+    LOG_GROUP_ARN = aws_cloudwatch_log_group.cloudwatch_log_group.arn
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "create_logs_policy_attachment" {
+  role       = aws_iam_role.lambda_iam_role.name
+  policy_arn = aws_iam_policy.create_logs_policy.arn
+}
+
+resource "aws_iam_policy" "invoke_lambda_policy" {
+  name = "InvokeLambda-${random_string.aws_random.id}"
+  policy = templatefile("${path.module}/templates/invoke_lambda.tmpl", {
+    LAMBDA_ARN = aws_lambda_function.process_dead_letter_queue_lambda.arn
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "invoke_lambda_policy_attachment" {
+  role       = aws_iam_role.lambda_iam_role.name
+  policy_arn = aws_iam_policy.invoke_lambda_policy.arn
+}
+
+resource "aws_lambda_function" "logs_lambda_function" {
+  function_name = "SumoCWLogsLambda-${random_string.aws_random.id}"
+  handler       = "cloudwatchlogs_lambda.handler"
+  runtime       = "nodejs14.x"
+  role          = aws_iam_role.lambda_iam_role.arn
+  s3_bucket     = "appdevzipfiles-${local.aws_region}"
+  s3_key        = "cloudwatchlogs-with-dlq.zip"
+  timeout       = 300
+  memory_size   = 128
+  dead_letter_config {
+    target_arn = aws_sqs_queue.sqs_queue.arn
+  }
+
+  environment {
+    variables = {
+      "SUMO_ENDPOINT"     = sumologic_http_source.source.url,
+      "LOG_FORMAT"        = var.log_format,
+      "INCLUDE_LOG_INFO"  = var.include_log_group_info,
+      "LOG_STREAM_PREFIX" = join(",", var.log_stream_prefix)
+    }
+  }
+}
+
+resource "aws_lambda_function" "process_dead_letter_queue_lambda" {
+  function_name = "SumoCWProcessDLQLambda-${random_string.aws_random.id}"
+  handler       = "DLQProcessor.handler"
+  runtime       = "nodejs14.x"
+  role          = aws_iam_role.lambda_iam_role.arn
+  s3_bucket     = "appdevzipfiles-${local.aws_region}"
+  s3_key        = "cloudwatchlogs-with-dlq.zip"
+  timeout       = 300
+  memory_size   = 128
+  dead_letter_config {
+    target_arn = aws_sqs_queue.sqs_queue.arn
+  }
+
+  environment {
+    variables = {
+      "SUMO_ENDPOINT"     = sumologic_http_source.source.url,
+      "LOG_FORMAT"        = var.log_format,
+      "INCLUDE_LOG_INFO"  = var.include_log_group_info,
+      "LOG_STREAM_PREFIX" = join(",", var.log_stream_prefix),
+      "TASK_QUEUE_URL"    = aws_sqs_queue.sqs_queue.arn,
+      "NUM_OF_WORKERS"    = var.workers
+    }
+  }
+}
+
+resource "aws_lambda_permission" "process_dead_letter_queue_lambda_permission" {
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.process_dead_letter_queue_lambda.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.process_dead_letter_queue_event_rule.arn
+}
+
+resource "aws_cloudwatch_event_rule" "process_dead_letter_queue_event_rule" {
+  description         = "Events rule for Cron"
+  schedule_expression = "rate(5 minutes)"
+  is_enabled          = true
+}
+
+resource "aws_cloudwatch_event_target" "process_dead_letter_queue_event_rule_target" {
+  arn       = aws_lambda_function.process_dead_letter_queue_lambda.arn
+  rule      = aws_cloudwatch_event_rule.process_dead_letter_queue_event_rule.name
+  target_id = "TargetFunctionV1"
+}
+
+resource "aws_sns_topic" "sns_topic" {
+  name = "SumoCWEmailSNSTopic-${random_string.aws_random.id}"
+}
+
+resource "aws_sns_topic_subscription" "sns_topic_subscription" {
+  endpoint  = var.email_id
+  protocol  = "email"
+  topic_arn = aws_sns_topic.sns_topic.arn
+}
+
+resource "aws_cloudwatch_metric_alarm" "metric_alarm" {
+  alarm_actions       = [aws_sns_topic.sns_topic.arn]
+  alarm_description   = "Notify via email if number of messages in DeadLetterQueue exceeds threshold"
+  alarm_name          = "SumoCWSpilloverAlarm-${random_string.aws_random.id}"
+  comparison_operator = "GreaterThanThreshold"
+  dimensions          = { "QueueName" = aws_sqs_queue.sqs_queue.name }
+  evaluation_periods  = 1
+  metric_name         = "ApproximateNumberOfMessagesVisible"
+  namespace           = "AWS/SQS"
+  period              = 3600
+  statistic           = "Sum"
+  threshold           = 100000
+}
+
+resource "sumologic_collector" "collector" {
+  for_each    = toset(var.create_collector ? ["collector"] : [])
+  name        = local.collector_name
+  description = var.collector_details.description
+  fields      = var.collector_details.fields
+  timezone    = "UTC"
+}
+
+resource "sumologic_http_source" "source" {
+  name         = var.source_details.source_name
+  description  = var.source_details.description
+  category     = var.source_details.source_category
+  collector_id = var.create_collector ? sumologic_collector.collector["collector"].id : var.source_details.collector_id
+  fields       = var.source_details.fields
+}
+
+# Reason to use the SAM app, is to have single source of truth for Auto Subscribe functionality.
+resource "aws_serverlessapplicationrepository_cloudformation_stack" "auto_enable_logs_subscription" {
+  for_each = toset(local.auto_enable_logs_subscription ? ["auto_enable_logs_subscription"] : [])
+
+  name             = "Auto-Enable-Logs-Subscription-${random_string.aws_random.id}"
+  application_id   = "arn:aws:serverlessrepo:us-east-1:956882708938:applications/sumologic-loggroup-connector"
+  semantic_version = "1.0.5"
+  capabilities     = data.aws_serverlessapplicationrepository_application.app.required_capabilities
+  parameters = {
+    DestinationArnType  = "Lambda"
+    DestinationArnValue = aws_lambda_function.logs_lambda_function.arn
+    LogGroupPattern     = var.auto_enable_logs_subscription_options.filter
+    UseExistingLogs     = local.auto_enable_existing
+  }
+}

aws/cloudwatchlogsforwarder/data.tf

@@ -0,0 +1,10 @@
+data "aws_region" "current" {}
+
+data "aws_caller_identity" "current" {}
+
+data "sumologic_caller_identity" "current" {}
+
+data "aws_serverlessapplicationrepository_application" "app" {
+  application_id   = "arn:aws:serverlessrepo:us-east-1:956882708938:applications/sumologic-loggroup-connector"
+  semantic_version = "1.0.5"
+}

aws/cloudwatchlogsforwarder/locals.tf

@@ -0,0 +1,15 @@
+locals {
+
+  aws_account_id = data.aws_caller_identity.current.account_id
+
+  aws_region = data.aws_region.current.id
+
+  # Get the default collector name if no collector name is provided.
+  collector_name = var.collector_details.collector_name == "SumoLogic CloudWatch Logs Collector <Random ID>" ? "SumoLogic CloudWatch Logs Collector ${random_string.aws_random.id}" : var.collector_details.collector_name
+
+  # Auto enable should be called if input is anything other than None.
+  auto_enable_logs_subscription = var.auto_enable_logs_subscription != "None" ? true : false
+
+  # Existing
+  auto_enable_existing = var.auto_enable_logs_subscription == "Existing" || var.auto_enable_logs_subscription == "Both" ? true : false
+}

aws/cloudwatchlogsforwarder/outputs.tf

@@ -0,0 +1,49 @@
+output "random_string" {
+  value       = random_string.aws_random
+  description = "Random String value created."
+}
+
+output "aws_sqs_queue" {
+  value       = aws_sqs_queue.sqs_queue
+  description = "AWS SQS queue to Store the Failed data."
+}
+
+output "aws_cloudwatch_log_group" {
+  value       = aws_cloudwatch_log_group.cloudwatch_log_group
+  description = "AWS Log group created to attach to the lambda function."
+}
+
+output "aws_iam_role" {
+  value       = aws_iam_role.lambda_iam_role
+  description = "AWS IAM role with permission to setup lambda."
+}
+
+output "aws_sns_topic" {
+  value       = aws_sns_topic.sns_topic
+  description = "AWS SNS topic"
+}
+
+output "aws_cloudwatch_metric_alarm" {
+  value       = aws_cloudwatch_metric_alarm.metric_alarm
+  description = "AWS CLoudWatch metric alarm."
+}
+
+output "aws_cw_lambda_function" {
+  value       = aws_lambda_function.logs_lambda_function
+  description = "AWS Lambda fucntion to send logs to Sumo Logic."
+}
+
+output "sumologic_collector" {
+  value       = var.create_collector ? sumologic_collector.collector : {}
+  description = "Sumo Logic hosted collector."
+}
+
+output "sumologic_source" {
+  value       = sumologic_http_source.source
+  description = "Sumo Logic HTTP source."
+}
+
+output "aws_serverlessapplicationrepository_cloudformation_stack" {
+  value       = local.auto_enable_logs_subscription ? aws_serverlessapplicationrepository_cloudformation_stack.auto_enable_logs_subscription : {}
+  description = "AWS CloudFormation stack for Auto Enable logs subscription."
+}

aws/cloudwatchlogsforwarder/templates/invoke_lambda.tmpl

@@ -0,0 +1,10 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "lambda:InvokeFunction",
+      "Resource": "${LAMBDA_ARN}"
+    }
+  ]
+}

aws/cloudwatchlogsforwarder/templates/lambda_logs.tmpl

@@ -0,0 +1,15 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+        "logs:DescribeLogStreams"
+      ],
+      "Resource": "${LOG_GROUP_ARN}"
+    }
+  ]
+}

aws/cloudwatchlogsforwarder/templates/lambda_sqs.tmpl

@@ -0,0 +1,27 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "sqs:DeleteMessage",
+        "sqs:GetQueueUrl",
+        "sqs:ListQueues",
+        "sqs:ChangeMessageVisibility",
+        "sqs:SendMessageBatch",
+        "sqs:ReceiveMessage",
+        "sqs:SendMessage",
+        "sqs:GetQueueAttributes",
+        "sqs:ListQueueTags",
+        "sqs:ListDeadLetterSourceQueues",
+        "sqs:DeleteMessageBatch",
+        "sqs:PurgeQueue",
+        "sqs:DeleteQueue",
+        "sqs:CreateQueue",
+        "sqs:ChangeMessageVisibilityBatch",
+        "sqs:SetQueueAttributes"
+      ],
+      "Resource": "${DEAD_LETTER_QUEUE_ARN}"
+    }
+  ]
+}