fleet/terraform/addons/logging-alb/README.md
Robert Fairburn 7370e80fd7
Update terraform logging addon (#12339)
This should allow us to pass in policies for kms and both s3 buckets.
This is needed in order to allow for the new sns alerting lambda to
query athena for 5xx errors.
2023-06-14 19:01:13 -05:00


ALB Logging Addon

This addon creates the S3 bucket(s) that receive ALB access logs, along with a KMS key for them, and optionally an Athena database and workgroup (backed by a second S3 bucket) for querying those logs.

Example Configuration

This assumes your Fleet module is named main and is configured as in the default example from its documentation.

See https://github.com/fleetdm/fleet/blob/main/terraform/example/main.tf for details.

module "main" {
  source          = "github.com/fleetdm/fleet//terraform?ref=main"
  certificate_arn = module.acm.acm_certificate_arn
  vpc = {
    name = random_pet.main.id
  }
  fleet_config = {
    extra_environment_variables = module.firehose-logging.fleet_extra_environment_variables
    extra_iam_policies          = module.firehose-logging.fleet_extra_iam_policies
  }
  alb_config = {
    access_logs = {
      bucket  = module.logging_alb.log_s3_bucket_id
      prefix  = "fleet"
      enabled = true
    }
  }
}

module "logging_alb" {
  source        = "github.com/fleetdm/fleet//terraform/addons/logging-alb?ref=main"
  prefix        = "fleet"
  enable_athena = true
}

Additional Information

Once this Terraform is applied, the Athena table still has to be created by hand: the addon creates the Athena database and workgroup, but not the table. See https://docs.aws.amazon.com/athena/latest/ug/application-load-balancer-logs.html for the CREATE TABLE statement for ALB access logs.

For this implementation, the LOCATION in that CREATE TABLE statement should use the S3 pattern below, where <PREFIX> is the alb_config.access_logs.prefix value (fleet in the example above), <ACCOUNT-ID> is the AWS account that owns the load balancer and <REGION> is the region it runs in:

s3://your-alb-logs-bucket/<PREFIX>/AWSLogs/<ACCOUNT-ID>/elasticloadbalancing/<REGION>/
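An added example, not code from this addon or the Fleet repository: a query of the kind the alerting Lambda named in the commit message would run against the table, counting 5xx responses per minute over the last 15 minutes. It assumes the table was created as alb_logs from the AWS page linked above, with LOCATION set to the pattern shown, and uses that page's column names (time, elb_status_code); the table name and the 15-minute window are assumptions.

```sql
-- Added example, not code from the Fleet repository or this addon.
-- Assumptions: the table is named alb_logs and was created from the AWS
-- documentation linked above with LOCATION set to the s3:// pattern shown;
-- the column names (time, elb_status_code) follow that documentation.
-- Result: per-minute request count, 5xx count and 5xx share for the last
-- 15 minutes, newest minute first, only for minutes that had a 5xx.
WITH recent AS (
  SELECT
    -- ALB writes time as 2018-07-02T22:23:00.186641Z; this is the parse
    -- expression the AWS documentation uses for that format.
    parse_datetime(time, 'yyyy-MM-dd''T''HH:mm:ss.SSSSSS''Z') AS ts,
    -- try_cast keeps the predicate valid whether elb_status_code was
    -- declared int or string in the DDL you used.
    try_cast(elb_status_code AS integer) AS status
  FROM alb_logs
  WHERE parse_datetime(time, 'yyyy-MM-dd''T''HH:mm:ss.SSSSSS''Z')
        >= current_timestamp - interval '15' minute
)
SELECT
  date_trunc('minute', ts)                                           AS minute,
  count(*)                                                           AS requests,
  count_if(status BETWEEN 500 AND 599)                               AS responses_5xx,
  round(100.0 * count_if(status BETWEEN 500 AND 599) / count(*), 2) AS pct_5xx
FROM recent
GROUP BY 1
HAVING count_if(status BETWEEN 500 AND 599) > 0
ORDER BY 1 DESC;
```

Without partitions, Athena reads every object under the LOCATION on each run, so with the default lifecycle settings this scans the full retention window of logs every time the Lambda polls. The AWS page linked above also shows a partition-projection variant of the table; if you use it, add a predicate on its day partition to the WHERE clause so only the current day's objects are scanned.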

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| aws | n/a |

Modules

| Name | Source | Version |
|------|--------|---------|
| athena-s3-bucket | terraform-aws-modules/s3-bucket/aws | 3.11.0 |
| s3_bucket_for_logs | terraform-aws-modules/s3-bucket/aws | 3.11.0 |

Resources

| Name | Type |
|------|------|
| aws_athena_database.logs | resource |
| aws_athena_workgroup.logs | resource |
| aws_kms_alias.logs_alias | resource |
| aws_kms_key.logs | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.kms | data source |
| aws_iam_policy_document.s3_athena_bucket | data source |
| aws_iam_policy_document.s3_log_bucket | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| enable_athena | n/a | bool | true | no |
| extra_kms_policies | n/a | list(any) | [] | no |
| extra_s3_athena_policies | n/a | list(any) | [] | no |
| extra_s3_log_policies | n/a | list(any) | [] | no |
| prefix | n/a | string | "fleet" | no |
| s3_expiration_days | n/a | number | 90 | no |
| s3_newer_noncurrent_versions | n/a | number | 5 | no |
| s3_noncurrent_version_expiration_days | n/a | number | 30 | no |
| s3_transition_days | n/a | number | 30 | no |

The variables carry no descriptions. Judging by their names, extra_kms_policies, extra_s3_athena_policies and extra_s3_log_policies correspond to the aws_iam_policy_document data sources listed above (kms, s3_athena_bucket and s3_log_bucket), which is how another principal, such as the alerting Lambda named in the commit message, can be granted access to the key and the buckets. The s3_* inputs are lifecycle settings for the buckets; with the defaults, log objects expire after 90 days, which bounds how far back Athena can query, so raise s3_expiration_days if investigations need longer retention.

Outputs

| Name | Description |
|------|-------------|
| log_s3_bucket_id | ID of the S3 bucket that receives the ALB access logs; pass it as alb_config.access_logs.bucket, as in the example above |