Skip to content

Instantly share code, notes, and snippets.

@shadycuz
Created June 21, 2022 00:35
Show Gist options
  • Save shadycuz/b6bb9980304b76f5bd9d353044e18622 to your computer and use it in GitHub Desktop.
Save shadycuz/b6bb9980304b76f5bd9d353044e18622 to your computer and use it in GitHub Desktop.
aws_central_logging CF converted to TF using cf2tf
data "aws_caller_identity" "current" {
}
data "aws_partition" "current" {
}
data "aws_region" "current" {
}
locals {
CLMap = {
Metric = {
SendAnonymousMetric = "Yes"
MetricsEndpoint = "https://metrics.awssolutionsbuilder.com/generic"
}
}
ESMap = {
NodeCount = {
Small = "4"
Medium = "6"
Large = "6"
}
MasterSize = {
Small = "c5.large.elasticsearch"
Medium = "c5.large.elasticsearch"
Large = "c5.large.elasticsearch"
}
InstanceSize = {
Small = "r5.large.elasticsearch"
Medium = "r5.2xlarge.elasticsearch"
Large = "r5.4xlarge.elasticsearch"
}
}
demoDeploymentCheck = var.demo_template == "Yes"
JumpboxDeploymentCheck = var.jumpbox_deploy == "Yes"
CDKMetadataAvailable = anytrue(['anytrue([\'data.aws_region.current.name == "af-south-1"\', \'data.aws_region.current.name == "ap-east-1"\', \'data.aws_region.current.name == "ap-northeast-1"\', \'data.aws_region.current.name == "ap-northeast-2"\', \'data.aws_region.current.name == "ap-south-1"\', \'data.aws_region.current.name == "ap-southeast-1"\', \'data.aws_region.current.name == "ap-southeast-2"\', \'data.aws_region.current.name == "ca-central-1"\', \'data.aws_region.current.name == "cn-north-1"\', \'data.aws_region.current.name == "cn-northwest-1"\'])', 'anytrue([\'data.aws_region.current.name == "eu-central-1"\', \'data.aws_region.current.name == "eu-north-1"\', \'data.aws_region.current.name == "eu-south-1"\', \'data.aws_region.current.name == "eu-west-1"\', \'data.aws_region.current.name == "eu-west-2"\', \'data.aws_region.current.name == "eu-west-3"\', \'data.aws_region.current.name == "me-south-1"\', \'data.aws_region.current.name == "sa-east-1"\', \'data.aws_region.current.name == "us-east-1"\', \'data.aws_region.current.name == "us-east-2"\'])', 'anytrue([\'data.aws_region.current.name == "us-west-1"\', \'data.aws_region.current.name == "us-west-2"\'])'])
}
variable "domain_name" {
type = string
default = "centralizedlogging"
}
variable "admin_email" {
type = string
}
variable "cluster_size" {
description = "Elasticsearch cluster size; small (4 data nodes), medium (6 data nodes), large (6 data nodes)"
type = string
default = "Small"
}
variable "demo_template" {
description = "Deploy demo template for sample data and logs?"
type = string
default = "No"
}
variable "spoke_accounts" {
description = "Account IDs which you want to allow for centralized logging (comma separated list eg. 11111111,22222222)"
type = string
}
variable "spoke_regions" {
description = "Regions which you want to allow for centralized logging (comma separated list eg. us-east-1,us-west-2)"
type = string
default = "All"
}
variable "jumpbox_deploy" {
description = "Do you want to deploy jumbox?"
type = string
default = "No"
}
variable "jumpbox_key" {
description = "Key pair name for jumpbox (You may leave this empty if you chose 'No' above)"
type = string
}
variable "windows_ami" {
type = string
default = "/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base"
}
resource "aws_iam_role" "helper_role_d1833_f54" {
assume_role_policy = {
Statement = [{'Action': '"sts:AssumeRole"', 'Effect': '"Allow"', 'Principal': {'Service': '"lambda.amazonaws.com"'}}]
Version = "2012-10-17"
}
}
resource "aws_iam_policy" "helper_role_policy175990_bad" {
policy = {
Statement = [{'Action': ['"logs:CreateLogStream"', '"logs:PutLogEvents"', '"logs:CreateLogGroup"'], 'Effect': '"Allow"', 'Resource': ['join("", ["arn:", data.aws_region.current.name, ":logs:", data.aws_region.current.name, ":", data.aws_region.current.name, ":log-group:*"])', 'join("", ["arn:", data.aws_region.current.name, ":logs:", data.aws_region.current.name, ":", data.aws_region.current.name, ":log-group:*:log-stream:*"])']}, {'Action': ['"ec2:DescribeRegions"', '"logs:PutDestination"', '"logs:DeleteDestination"', '"logs:PutDestinationPolicy"'], 'Effect': '"Allow"', 'Resource': '"*"'}, {'Action': '"iam:CreateServiceLinkedRole"', 'Condition': {'StringLike': {'iam:AWSServiceName': '"es.amazonaws.com"'}}, 'Effect': '"Allow"', 'Resource': 'join("", ["arn:", data.aws_region.current.name, ":iam::*:role/aws-service-role/es.amazonaws.com/AWSServiceRoleForAmazonElasticsearchService*"])'}]
Version = "2012-10-17"
}
name = "HelperRolePolicy175990BAD"
// CF Property(Roles) = ['aws_iam_role.helper_role_d1833_f54.arn']
}
resource "aws_lambda_function" "helper_lambda_ac9474_f4" {
code_signing_config_arn = {
S3Bucket = "solutions-${data.aws_region.current.name}"
S3Key = "centralized-logging/v4.0.1/asset9b4c683682a0773735625e441eabc438ac1d2b4ef65d28093ba33154aaaa2a66.zip"
}
role = aws_iam_role.helper_role_d1833_f54.arn
description = "centralized-logging - solution helper functions"
environment {
variables = {
LOG_LEVEL = "info"
METRICS_ENDPOINT = local.CLMap["Metric"]["MetricsEndpoint"]
SEND_METRIC = local.CLMap["Metric"]["SendAnonymousMetric"]
CUSTOM_SDK_USER_AGENT = "AwsSolution/SO0009/v4.0.1"
}
}
handler = "index.handler"
runtime = "nodejs14.x"
timeout = "300"
}
resource "aws_iam_role" "helper_providerframeworkon_event_service_role1962_dd43" {
assume_role_policy = {
Statement = [{'Action': '"sts:AssumeRole"', 'Effect': '"Allow"', 'Principal': {'Service': '"lambda.amazonaws.com"'}}]
Version = "2012-10-17"
}
managed_policy_arns = ['join("", ["arn:", data.aws_region.current.name, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"])']
}
resource "aws_iam_policy" "helper_providerframeworkon_event_service_role_default_policy7_c54367_b" {
policy = {
Statement = [{'Action': '"lambda:InvokeFunction"', 'Effect': '"Allow"', 'Resource': 'aws_lambda_function.helper_lambda_ac9474_f4.arn'}]
Version = "2012-10-17"
}
name = "HelperProviderframeworkonEventServiceRoleDefaultPolicy7C54367B"
// CF Property(Roles) = ['aws_iam_role.helper_providerframeworkon_event_service_role1962_dd43.arn']
}
resource "aws_lambda_function" "helper_providerframeworkon_event1079_de9_d" {
code_signing_config_arn = {
S3Bucket = "solutions-${data.aws_region.current.name}"
S3Key = "centralized-logging/v4.0.1/assetc691172cdeefa2c91b5a2907f9d81118e47597634943344795f1a844192dd49c.zip"
}
role = aws_iam_role.helper_providerframeworkon_event_service_role1962_dd43.arn
description = "AWS CDK resource provider framework - onEvent (CL-PrimaryStack/HelperProvider)"
environment {
variables = {
USER_ON_EVENT_FUNCTION_ARN = aws_lambda_function.helper_lambda_ac9474_f4.arn
}
}
handler = "assetc691172cdeefa2c91b5a2907f9d81118e47597634943344795f1a844192dd49c/framework.onEvent"
runtime = "nodejs12.x"
timeout = "900"
}
resource "aws_shield_protection" "create_uuid" {
// CF Property(ServiceToken) = aws_lambda_function.helper_providerframeworkon_event1079_de9_d.arn
}
resource "aws_iam_service_linked_role" "create_es_service_role" {
aws_service_name = aws_lambda_function.helper_providerframeworkon_event1079_de9_d.arn
}
resource "aws_macie2_custom_data_identifier" "launch_data" {
description = "SO0009"
// CF Property(SolutionVersion) = "v4.0.1"
// CF Property(SolutionUuid) = aws_shield_protection.create_uuid.id
maximum_match_distance = "PrimaryStack"
}
resource "aws_cognito_user_pool" "es_user_pool7_dc126_a8" {
account_recovery_setting {
// CF Property(RecoveryMechanisms) = [{'Name': '"verified_email"', 'Priority': '"1"'}]
}
admin_create_user_config = {
AllowAdminCreateUserOnly = "True"
}
auto_verified_attributes = ['"email"']
email_verification_message = "The verification code to your new account is {####}"
email_verification_subject = "Verify your new account"
password_policy = {
PasswordPolicy = {
MinimumLength = "8"
RequireLowercase = "True"
RequireNumbers = "True"
RequireSymbols = "True"
RequireUppercase = "True"
TemporaryPasswordValidityDays = "3"
}
}
schema = [{'mutable': '"True"', 'name': '"email"', 'required': '"True"'}]
sms_verification_message = "The verification code to your new account is {####}"
username_attributes = ['"email"']
user_pool_add_ons = {
AdvancedSecurityMode = "ENFORCED"
}
verification_message_template = {
DefaultEmailOption = "CONFIRM_WITH_CODE"
EmailMessage = "The verification code to your new account is {####}"
EmailSubject = "Verify your new account"
SmsMessage = "The verification code to your new account is {####}"
}
}
resource "aws_cognito_user_pool_domain" "es_user_pool_es_cognito_domain4_e1_d658_b" {
domain = join("", [var.domain_name, "-", aws_shield_protection.create_uuid.id])
user_pool_id = aws_cognito_user_pool.es_user_pool7_dc126_a8.arn
}
resource "aws_cognito_user_pool" "admin_user" {
admin_create_user_config = aws_cognito_user_pool.es_user_pool7_dc126_a8.arn
username_attributes = [{'Name': '"email"', 'Value': 'var.admin_email'}]
name = var.admin_email
}
resource "aws_cognito_identity_pool" "es_identity_pool" {
allow_unauthenticated_identities = False
}
resource "aws_iam_role" "cognito_auth_role7_b7_e27_c0" {
assume_role_policy = {
Statement = [{'Action': '"sts:AssumeRoleWithWebIdentity"', 'Condition': {'StringEquals': {'cognito-identity.amazonaws.com:aud': 'aws_cognito_identity_pool.es_identity_pool.id'}, 'ForAnyValue:StringLike': {'cognito-identity.amazonaws.com:amr': '"authenticated"'}}, 'Effect': '"Allow"', 'Principal': {'Federated': '"cognito-identity.amazonaws.com"'}}]
Version = "2012-10-17"
}
}
resource "aws_cognito_identity_pool_roles_attachment" "identity_pool_role_attachment" {
identity_pool_id = aws_cognito_identity_pool.es_identity_pool.id
roles = {
authenticated = aws_iam_role.cognito_auth_role7_b7_e27_c0.arn
}
}
resource "aws_iam_role" "es_cognito_role0_fb5690_b" {
assume_role_policy = {
Statement = [{'Action': '"sts:AssumeRole"', 'Effect': '"Allow"', 'Principal': {'Service': '"es.amazonaws.com"'}}]
Version = "2012-10-17"
}
force_detach_policies = [{'PolicyDocument': {'Statement': [{'Action': ['"cognito-idp:DescribeUserPool"', '"cognito-idp:CreateUserPoolClient"', '"cognito-idp:DeleteUserPoolClient"', '"cognito-idp:DescribeUserPoolClient"', '"cognito-idp:AdminInitiateAuth"', '"cognito-idp:AdminUserGlobalSignOut"', '"cognito-idp:ListUserPoolClients"', '"cognito-identity:DescribeIdentityPool"', '"cognito-identity:UpdateIdentityPool"', '"cognito-identity:SetIdentityPoolRoles"', '"cognito-identity:GetIdentityPoolRoles"'], 'Effect': '"Allow"', 'Resource': '"*"'}], 'Version': '"2012-10-17"'}, 'PolicyName': '"ESCognitoAccess"'}]
}
resource "aws_iam_policy" "es_cognito_role_default_policy007_a3108" {
policy = {
Statement = [{'Action': '"iam:PassRole"', 'Condition': {'StringLike': {'iam:PassedToService': '"cognito-identity.amazonaws.com"'}}, 'Effect': '"Allow"', 'Resource': 'aws_iam_role.es_cognito_role0_fb5690_b.arn'}]
Version = "2012-10-17"
}
name = "ESCognitoRoleDefaultPolicy007A3108"
// CF Property(Roles) = ['aws_iam_role.es_cognito_role0_fb5690_b.arn']
}
resource "aws_iam_role" "firehose_role_aa67_c190" {
assume_role_policy = {
Statement = [{'Action': '"sts:AssumeRole"', 'Effect': '"Allow"', 'Principal': {'Service': '"firehose.amazonaws.com"'}}]
Version = "2012-10-17"
}
}
resource "aws_iot_thing_group" "vpc_flow_log_group9559_e1_e7" {
// CF Property(RetentionInDays) = "731"
}
resource "aws_iam_role" "flow_role5_e4_ef2_f1" {
assume_role_policy = {
Statement = [{'Action': '"sts:AssumeRole"', 'Effect': '"Allow"', 'Principal': {'Service': '"vpc-flow-logs.amazonaws.com"'}}]
Version = "2012-10-17"
}
}
resource "aws_iam_policy" "flow_role_default_policy_a5122836" {
policy = {
Statement = [{'Action': ['"logs:CreateLogStream"', '"logs:PutLogEvents"', '"logs:DescribeLogStreams"'], 'Effect': '"Allow"', 'Resource': 'aws_iot_thing_group.vpc_flow_log_group9559_e1_e7.arn'}, {'Action': '"iam:PassRole"', 'Effect': '"Allow"', 'Resource': 'aws_iam_role.flow_role5_e4_ef2_f1.arn'}]
Version = "2012-10-17"
}
name = "flowRoleDefaultPolicyA5122836"
// CF Property(Roles) = ['aws_iam_role.flow_role5_e4_ef2_f1.arn']
}
resource "aws_vpc" "esvpc3_cead2_a7" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = "True"
enable_dns_support = "True"
instance_tenancy = "default"
tags = [{'Key': '"Name"', 'Value': '"CL-PrimaryStack/ESVPC"'}]
}
resource "aws_subnet" "esvpces_isolated_subnet_subnet1_subnet_bc48_a527" {
cidr_block = "10.0.0.0/24"
vpc_id = aws_vpc.esvpc3_cead2_a7.arn
availability_zone = element(data.aws_availability_zones.available.names, 0)
map_public_ip_on_launch = False
tags = [{'Key': '"aws-cdk:subnet-name"', 'Value': '"ESIsolatedSubnet"'}, {'Key': '"aws-cdk:subnet-type"', 'Value': '"Isolated"'}, {'Key': '"Name"', 'Value': '"CL-PrimaryStack/ESVPC/ESIsolatedSubnetSubnet1"'}]
}
resource "aws_route_table" "esvpces_isolated_subnet_subnet1_route_table122122_fc" {
vpc_id = aws_vpc.esvpc3_cead2_a7.arn
tags = [{'Key': '"Name"', 'Value': '"CL-PrimaryStack/ESVPC/ESIsolatedSubnetSubnet1"'}]
}
resource "aws_route_table_association" "esvpces_isolated_subnet_subnet1_route_table_association9_f413854" {
route_table_id = aws_route_table.esvpces_isolated_subnet_subnet1_route_table122122_fc.id
subnet_id = aws_subnet.esvpces_isolated_subnet_subnet1_subnet_bc48_a527.id
}
resource "aws_subnet" "esvpces_isolated_subnet_subnet2_subnet_f8_d4_db34" {
cidr_block = "10.0.1.0/24"
vpc_id = aws_vpc.esvpc3_cead2_a7.arn
availability_zone = element(data.aws_availability_zones.available.names, 1)
map_public_ip_on_launch = False
tags = [{'Key': '"aws-cdk:subnet-name"', 'Value': '"ESIsolatedSubnet"'}, {'Key': '"aws-cdk:subnet-type"', 'Value': '"Isolated"'}, {'Key': '"Name"', 'Value': '"CL-PrimaryStack/ESVPC/ESIsolatedSubnetSubnet2"'}]
}
resource "aws_route_table" "esvpces_isolated_subnet_subnet2_route_table4_a8_b83_e0" {
vpc_id = aws_vpc.esvpc3_cead2_a7.arn
tags = [{'Key': '"Name"', 'Value': '"CL-PrimaryStack/ESVPC/ESIsolatedSubnetSubnet2"'}]
}
resource "aws_route_table_association" "esvpces_isolated_subnet_subnet2_route_table_association_a11_eb5_c0" {
route_table_id = aws_route_table.esvpces_isolated_subnet_subnet2_route_table4_a8_b83_e0.id
subnet_id = aws_subnet.esvpces_isolated_subnet_subnet2_subnet_f8_d4_db34.id
}
resource "aws_subnet" "esvpces_public_subnet_subnet1_subnet12560704" {
cidr_block = "10.0.2.0/24"
vpc_id = aws_vpc.esvpc3_cead2_a7.arn
availability_zone = element(data.aws_availability_zones.available.names, 0)
map_public_ip_on_launch = "True"
tags = [{'Key': '"aws-cdk:subnet-name"', 'Value': '"ESPublicSubnet"'}, {'Key': '"aws-cdk:subnet-type"', 'Value': '"Public"'}, {'Key': '"Name"', 'Value': '"CL-PrimaryStack/ESVPC/ESPublicSubnetSubnet1"'}]
}
resource "aws_route_table" "esvpces_public_subnet_subnet1_route_table45432090" {
vpc_id = aws_vpc.esvpc3_cead2_a7.arn
tags = [{'Key': '"Name"', 'Value': '"CL-PrimaryStack/ESVPC/ESPublicSubnetSubnet1"'}]
}
resource "aws_route_table_association" "esvpces_public_subnet_subnet1_route_table_association1_e172_c60" {
route_table_id = aws_route_table.esvpces_public_subnet_subnet1_route_table45432090.id
subnet_id = aws_subnet.esvpces_public_subnet_subnet1_subnet12560704.id
}
resource "aws_route" "esvpces_public_subnet_subnet1_default_route2_aa9703_d" {
route_table_id = aws_route_table.esvpces_public_subnet_subnet1_route_table45432090.id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.esvpcigw68_e8_aea9.id
}
resource "aws_subnet" "esvpces_public_subnet_subnet2_subnet9_c1_fc6_f7" {
cidr_block = "10.0.3.0/24"
vpc_id = aws_vpc.esvpc3_cead2_a7.arn
availability_zone = element(data.aws_availability_zones.available.names, 1)
map_public_ip_on_launch = "True"
tags = [{'Key': '"aws-cdk:subnet-name"', 'Value': '"ESPublicSubnet"'}, {'Key': '"aws-cdk:subnet-type"', 'Value': '"Public"'}, {'Key': '"Name"', 'Value': '"CL-PrimaryStack/ESVPC/ESPublicSubnetSubnet2"'}]
}
resource "aws_route_table" "esvpces_public_subnet_subnet2_route_table_ec1_d6_b54" {
vpc_id = aws_vpc.esvpc3_cead2_a7.arn
tags = [{'Key': '"Name"', 'Value': '"CL-PrimaryStack/ESVPC/ESPublicSubnetSubnet2"'}]
}
resource "aws_route_table_association" "esvpces_public_subnet_subnet2_route_table_association63160086" {
route_table_id = aws_route_table.esvpces_public_subnet_subnet2_route_table_ec1_d6_b54.id
subnet_id = aws_subnet.esvpces_public_subnet_subnet2_subnet9_c1_fc6_f7.id
}
resource "aws_route" "esvpces_public_subnet_subnet2_default_route93518_dd8" {
route_table_id = aws_route_table.esvpces_public_subnet_subnet2_route_table_ec1_d6_b54.id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.esvpcigw68_e8_aea9.id
}
resource "aws_internet_gateway" "esvpcigw68_e8_aea9" {
tags = [{'Key': '"Name"', 'Value': '"CL-PrimaryStack/ESVPC"'}]
}
resource "aws_vpn_gateway_attachment" "esvpcvpcgw707_ec835" {
vpc_id = aws_internet_gateway.esvpcigw68_e8_aea9.id
}
resource "aws_flow_log" "esvpces_vpc_flow_flow_log10_a9_b76_f" {
eni_id = aws_vpc.esvpc3_cead2_a7.arn
log_destination_type = "cloud-watch-logs"
traffic_type = "ALL"
iam_role_arn = aws_iam_role.flow_role5_e4_ef2_f1.arn
log_group_name = aws_iot_thing_group.vpc_flow_log_group9559_e1_e7.arn
tags = [{'Key': '"Name"', 'Value': '"CL-PrimaryStack/ESVPC"'}]
}
resource "aws_security_group" "essge420_b5_a1" {
description = "CL-PrimaryStack/ESSG"
egress = [{'cidr_blocks': 'aws_vpc.esvpc3_cead2_a7.cidr_block', 'description': '"allow outbound https"', 'from_port': '"443"', 'protocol': '"tcp"', 'to_port': '"443"'}]
ingress = [{'cidr_blocks': 'aws_vpc.esvpc3_cead2_a7.cidr_block', 'description': '"allow inbound https traffic"', 'from_port': '"443"', 'protocol': '"tcp"', 'to_port': '"443"'}]
vpc_id = aws_vpc.esvpc3_cead2_a7.arn
}
resource "aws_elasticsearch_domain" "es_domain_b45006_da" {
access_policies = {
Version = "2012-10-17"
Statement = [{'Effect': '"Allow"', 'Action': ['"es:ESHttpGet"', '"es:ESHttpDelete"', '"es:ESHttpPut"', '"es:ESHttpPost"', '"es:ESHttpHead"', '"es:ESHttpPatch"'], 'Principal': {'AWS': 'aws_iam_role.cognito_auth_role7_b7_e27_c0.arn'}, 'Resource': 'join("", ["arn:", data.aws_region.current.name, ":es:", data.aws_region.current.name, ":", data.aws_region.current.name, ":domain/", var.domain_name, "/*"])'}, {'Effect': '"Allow"', 'Action': ['"es:DescribeElasticsearchDomain"', '"es:DescribeElasticsearchDomains"', '"es:DescribeElasticsearchDomainConfig"', '"es:ESHttpPost"', '"es:ESHttpPut"', '"es:HttpGet"'], 'Principal': {'AWS': 'aws_iam_role.firehose_role_aa67_c190.arn'}, 'Resource': 'join("", ["arn:", data.aws_region.current.name, ":es:", data.aws_region.current.name, ":", data.aws_region.current.name, ":domain/", var.domain_name, "/*"])'}]
}
cognito_options = {
Enabled = "True"
IdentityPoolId = aws_cognito_identity_pool.es_identity_pool.id
RoleArn = aws_iam_role.es_cognito_role0_fb5690_b.arn
UserPoolId = aws_cognito_user_pool.es_user_pool7_dc126_a8.arn
}
domain_endpoint_options = {
EnforceHTTPS = "True"
TLSSecurityPolicy = "Policy-Min-TLS-1-0-2019-07"
}
domain_name = var.domain_name
ebs_options = {
EBSEnabled = "True"
VolumeSize = "10"
VolumeType = "gp2"
}
cluster_config = {
DedicatedMasterCount = "3"
DedicatedMasterEnabled = "True"
DedicatedMasterType = local.ESMap["MasterSize"]["var.cluster_size"]
InstanceCount = local.ESMap["NodeCount"]["var.cluster_size"]
InstanceType = local.ESMap["InstanceSize"]["var.cluster_size"]
ZoneAwarenessConfig = {
AvailabilityZoneCount = "2"
}
ZoneAwarenessEnabled = "True"
}
elasticsearch_version = "7.7"
advanced_options = {
Enabled = "True"
}
log_publishing_options = {
}
node_to_node_encryption = {
Enabled = "True"
}
vpc_options = {
SecurityGroupIds = ['aws_security_group.essge420_b5_a1.id']
SubnetIds = ['aws_subnet.esvpces_isolated_subnet_subnet1_subnet_bc48_a527.id', 'aws_subnet.esvpces_isolated_subnet_subnet2_subnet_f8_d4_db34.id']
}
}
resource "aws_iam_policy" "auth_role_policy_ab4_a1_e56" {
policy = {
Statement = [{'Action': ['"es:ESHttpGet"', '"es:ESHttpDelete"', '"es:ESHttpPut"', '"es:ESHttpPost"', '"es:ESHttpHead"', '"es:ESHttpPatch"'], 'Effect': '"Allow"', 'Resource': 'aws_elasticsearch_domain.es_domain_b45006_da.arn'}]
Version = "2012-10-17"
}
name = "authRolePolicyAB4A1E56"
// CF Property(Roles) = ['aws_iam_role.cognito_auth_role7_b7_e27_c0.arn']
}
resource "aws_sqs_queue" "dlq09_c78_acc" {
kms_master_key_id = "alias/aws/sqs"
}
resource "aws_iam_role" "cl_transformer_service_role016_cad3_c" {
assume_role_policy = {
Statement = [{'Action': '"sts:AssumeRole"', 'Effect': '"Allow"', 'Principal': {'Service': '"lambda.amazonaws.com"'}}]
Version = "2012-10-17"
}
managed_policy_arns = ['join("", ["arn:", data.aws_region.current.name, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"])']
}
resource "aws_iam_policy" "cl_transformer_service_role_default_policy_c34581_d1" {
policy = {
Statement = [{'Action': '"sqs:SendMessage"', 'Effect': '"Allow"', 'Resource': 'aws_sqs_queue.dlq09_c78_acc.arn'}, {'Action': ['"kinesis:DescribeStreamSummary"', '"kinesis:GetRecords"', '"kinesis:GetShardIterator"', '"kinesis:ListShards"', '"kinesis:SubscribeToShard"'], 'Effect': '"Allow"', 'Resource': 'aws_kinesis_stream.cl_data_stream4_dfb5423.arn'}, {'Action': '"kinesis:DescribeStream"', 'Effect': '"Allow"', 'Resource': 'aws_kinesis_stream.cl_data_stream4_dfb5423.arn'}, {'Action': '"firehose:PutRecordBatch"', 'Effect': '"Allow"', 'Resource': 'aws_kinesis_firehose_delivery_stream.cl_firehose.arn'}]
Version = "2012-10-17"
}
name = "CLTransformerServiceRoleDefaultPolicyC34581D1"
// CF Property(Roles) = ['aws_iam_role.cl_transformer_service_role016_cad3_c.arn']
}
resource "aws_lambda_function" "cl_transformer433_f8853" {
code_signing_config_arn = {
S3Bucket = "solutions-${data.aws_region.current.name}"
S3Key = "centralized-logging/v4.0.1/assetb9316d9a0f47aa8516cdc62510095e3fcad7da2127a60add35eef432d3e28c30.zip"
}
role = aws_iam_role.cl_transformer_service_role016_cad3_c.arn
dead_letter_config = {
TargetArn = aws_sqs_queue.dlq09_c78_acc.arn
}
description = "centralized-logging - Lambda function to transform log events and send to kinesis firehose"
environment {
variables = {
LOG_LEVEL = "info"
SOLUTION_ID = "SO0009"
SOLUTION_VERSION = "v4.0.1"
UUID = aws_shield_protection.create_uuid.id
CLUSTER_SIZE = var.cluster_size
DELIVERY_STREAM = "CL-Firehose"
METRICS_ENDPOINT = local.CLMap["Metric"]["MetricsEndpoint"]
SEND_METRIC = local.CLMap["Metric"]["SendAnonymousMetric"]
CUSTOM_SDK_USER_AGENT = "AwsSolution/SO0009/v4.0.1"
}
}
handler = "index.handler"
runtime = "nodejs14.x"
timeout = "300"
}
resource "aws_lambda_event_source_mapping" "cl_transformer_kinesis_event_source_cl_primary_stack_cl_data_stream_fc34105_c3_b10_d828" {
function_name = aws_lambda_function.cl_transformer433_f8853.arn
batch_size = "100"
event_source_arn = aws_kinesis_stream.cl_data_stream4_dfb5423.arn
starting_position = "TRIM_HORIZON"
}
resource "aws_sns_topic" "topic_bfc7_af6_e" {
display_name = "CL-Lambda-Error"
kms_master_key_id = join("", ["arn:", data.aws_region.current.name, ":kms:", data.aws_region.current.name, ":", data.aws_region.current.name, ":alias/aws/sns"])
}
resource "aws_sns_topic_subscription" "topic_token_subscription178_f3_f75_e" {
protocol = "email"
topic_arn = aws_sns_topic.topic_bfc7_af6_e.id
endpoint = var.admin_email
}
resource "aws_cloudwatch_metric_alarm" "cl_lambda_error_alarm289_f6_b50" {
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = "1"
alarm_actions = ['aws_sns_topic.topic_bfc7_af6_e.id']
dimensions = [{'Name': '"FunctionName"', 'Value': 'aws_lambda_function.cl_transformer433_f8853.arn'}]
metric_name = "Errors"
namespace = "AWS/Lambda"
period = "300"
statistic = "Sum"
threshold = "0.05"
}
resource "aws_kinesis_stream" "cl_data_stream4_dfb5423" {
shard_count = "1"
retention_period = "24"
encryption_type = {
EncryptionType = "KMS"
KeyId = "alias/aws/kinesis"
}
}
resource "aws_s3_bucket" "access_logs_bucket83982689" {
acl = "LogDeliveryWrite"
bucket = {
ServerSideEncryptionConfiguration = [{'ServerSideEncryptionByDefault': {'SSEAlgorithm': '"AES256"'}}]
}
grant {
// CF Property(BlockPublicAcls) = "True"
// CF Property(BlockPublicPolicy) = "True"
// CF Property(IgnorePublicAcls) = "True"
uri = "True"
}
}
resource "aws_s3_bucket" "cl_bucket116_f9_f6_b" {
bucket = {
ServerSideEncryptionConfiguration = [{'ServerSideEncryptionByDefault': {'SSEAlgorithm': '"AES256"'}}]
}
logging {
target_bucket = aws_s3_bucket.access_logs_bucket83982689.id
target_prefix = "cl-access-logs"
}
grant {
// CF Property(BlockPublicAcls) = "True"
// CF Property(BlockPublicPolicy) = "True"
// CF Property(IgnorePublicAcls) = "True"
uri = "True"
}
}
resource "aws_s3_bucket_policy" "cl_bucket_policy_f1_df7_d4_f" {
bucket = aws_s3_bucket.cl_bucket116_f9_f6_b.id
policy = {
Statement = [{'Action': ['"s3:Put*"', '"s3:Get*"'], 'Effect': '"Allow"', 'Principal': {'AWS': 'aws_iam_role.firehose_role_aa67_c190.arn'}, 'Resource': ['aws_s3_bucket.cl_bucket116_f9_f6_b.arn', 'join("", [aws_s3_bucket.cl_bucket116_f9_f6_b.arn, "/*"])']}]
Version = "2012-10-17"
}
}
resource "aws_iot_thing_group" "firehose_log_group1_b45149_b" {
name = "/aws/kinesisfirehose/CL-Firehose"
// CF Property(RetentionInDays) = "731"
}
resource "aws_cloudwatch_log_stream" "firehose_es_log_stream_c35_dd04_e" {
log_group_name = aws_iot_thing_group.firehose_log_group1_b45149_b.arn
name = "ElasticsearchDelivery"
}
resource "aws_cloudwatch_log_stream" "firehose_s3_log_stream_b4_dcf7_b1" {
log_group_name = aws_iot_thing_group.firehose_log_group1_b45149_b.arn
name = "S3Delivery"
}
resource "aws_iam_policy" "firehose_policy3_a3_b2_df8" {
policy = {
Statement = [{'Action': ['"s3:AbortMultipartUpload"', '"s3:GetBucketLocation"', '"s3:GetObject"', '"s3:ListBucket"', '"s3:ListBucketMultipartUploads"', '"s3:PutObject"'], 'Effect': '"Allow"', 'Resource': ['join("", ["arn:", data.aws_region.current.name, ":s3:::", aws_s3_bucket.cl_bucket116_f9_f6_b.id])', 'join("", ["arn:", data.aws_region.current.name, ":s3:::", aws_s3_bucket.cl_bucket116_f9_f6_b.id, "/*"])']}, {'Action': ['"kms:GenerateDataKey"', '"kms:Decrypt"'], 'Condition': {'StringEquals': {'kms:ViaService': 'join("", ["s3.", data.aws_region.current.name, ".amazonaws.com"])'}, 'StringLike': {'kms:EncryptionContext:aws:s3:arn': ['join("", ["arn:", data.aws_region.current.name, ":s3:::", aws_s3_bucket.cl_bucket116_f9_f6_b.id, "/*"])']}}, 'Effect': '"Allow"', 'Resource': 'join("", ["arn:", data.aws_region.current.name, ":kms:", data.aws_region.current.name, ":", data.aws_region.current.name, ":key/*"])'}, {'Action': ['"ec2:DescribeVpcs"', '"ec2:DescribeVpcAttribute"', '"ec2:DescribeSubnets"', '"ec2:DescribeSecurityGroups"', '"ec2:DescribeNetworkInterfaces"', '"ec2:CreateNetworkInterface"', '"ec2:CreateNetworkInterfacePermission"', '"ec2:DeleteNetworkInterface"'], 'Effect': '"Allow"', 'Resource': '"*"'}, {'Action': ['"es:DescribeElasticsearchDomain"', '"es:DescribeElasticsearchDomains"', '"es:DescribeElasticsearchDomainConfig"', '"es:ESHttpPost"', '"es:ESHttpPut"'], 'Effect': '"Allow"', 'Resource': ['join("", ["arn:", data.aws_region.current.name, ":es:", data.aws_region.current.name, ":", data.aws_region.current.name, ":domain/", aws_elasticsearch_domain.es_domain_b45006_da.arn])', 'join("", ["arn:", data.aws_region.current.name, ":es:", data.aws_region.current.name, ":", data.aws_region.current.name, ":domain/", aws_elasticsearch_domain.es_domain_b45006_da.arn, "/*"])']}, {'Action': '"es:ESHttpGet"', 'Effect': '"Allow"', 'Resource': ['join("", ["arn:", data.aws_region.current.name, ":es:", data.aws_region.current.name, ":", data.aws_region.current.name, ":domain/", aws_elasticsearch_domain.es_domain_b45006_da.arn, "/_all/_settings"])', 'join("", ["arn:", data.aws_region.current.name, ":es:", data.aws_region.current.name, ":", data.aws_region.current.name, ":domain/", aws_elasticsearch_domain.es_domain_b45006_da.arn, "/_cluster/stats"])', 'join("", ["arn:", data.aws_region.current.name, ":es:", data.aws_region.current.name, ":", data.aws_region.current.name, ":domain/", aws_elasticsearch_domain.es_domain_b45006_da.arn, "/cwl-kinesis/_mapping/kinesis"])', 'join("", ["arn:", data.aws_region.current.name, ":es:", data.aws_region.current.name, ":", data.aws_region.current.name, ":domain/", aws_elasticsearch_domain.es_domain_b45006_da.arn, "/_nodes"])', 'join("", ["arn:", data.aws_region.current.name, ":es:", data.aws_region.current.name, ":", data.aws_region.current.name, ":domain/", aws_elasticsearch_domain.es_domain_b45006_da.arn, "/_nodes/*/stats"])', 'join("", ["arn:", data.aws_region.current.name, ":es:", data.aws_region.current.name, ":", data.aws_region.current.name, ":domain/", aws_elasticsearch_domain.es_domain_b45006_da.arn, "/_stats"])', 'join("", ["arn:", data.aws_region.current.name, ":es:", data.aws_region.current.name, ":", data.aws_region.current.name, ":domain/", aws_elasticsearch_domain.es_domain_b45006_da.arn, "/cwl-kinesis/_stats"])']}, {'Action': ['"logs:PutLogEvents"', '"logs:CreateLogStream"'], 'Effect': '"Allow"', 'Resource': 'aws_iot_thing_group.firehose_log_group1_b45149_b.arn'}, {'Action': '"kms:Decrypt"', 'Condition': {'StringEquals': {'kms:ViaService': 'join("", ["kinesis.", data.aws_region.current.name, ".amazonaws.com"])'}, 'StringLike': {'kms:EncryptionContext:aws:kinesis:arn': 'aws_kinesis_stream.cl_data_stream4_dfb5423.arn'}}, 'Effect': '"Allow"', 'Resource': 'join("", ["arn:", data.aws_region.current.name, ":kms:", data.aws_region.current.name, ":", data.aws_region.current.name, ":key/*"])'}]
Version = "2012-10-17"
}
name = "CL-Firehose-Policy"
// CF Property(Roles) = ['aws_iam_role.firehose_role_aa67_c190.arn']
}
resource "aws_kinesis_firehose_delivery_stream" "cl_firehose" {
kinesis_source_configuration = {
KeyType = "AWS_OWNED_CMK"
}
name = "CL-Firehose"
type = "DirectPut"
elasticsearch_configuration = {
CloudWatchLoggingOptions = {
Enabled = "True"
LogGroupName = "/aws/kinesisfirehose/CL-Firehose"
LogStreamName = aws_cloudwatch_log_stream.firehose_es_log_stream_c35_dd04_e.arn
}
DomainARN = aws_elasticsearch_domain.es_domain_b45006_da.arn
IndexName = "cwl"
IndexRotationPeriod = "OneDay"
RoleARN = aws_iam_role.firehose_role_aa67_c190.arn
S3BackupMode = "AllDocuments"
S3Configuration = {
BucketARN = aws_s3_bucket.cl_bucket116_f9_f6_b.arn
CloudWatchLoggingOptions = {
Enabled = "True"
LogGroupName = "/aws/kinesisfirehose/CL-Firehose"
LogStreamName = aws_cloudwatch_log_stream.firehose_s3_log_stream_b4_dcf7_b1.arn
}
RoleARN = aws_iam_role.firehose_role_aa67_c190.arn
}
VpcConfiguration = {
RoleARN = aws_iam_role.firehose_role_aa67_c190.arn
SecurityGroupIds = ['aws_security_group.essge420_b5_a1.id']
SubnetIds = ['aws_subnet.esvpces_isolated_subnet_subnet1_subnet_bc48_a527.id', 'aws_subnet.esvpces_isolated_subnet_subnet2_subnet_f8_d4_db34.id']
}
}
}
resource "aws_iam_role" "cw_destination_role20_a8055_f" {
assume_role_policy = {
Statement = [{'Effect': '"Allow"', 'Principal': {'Service': '"logs.amazonaws.com"'}, 'Action': '"sts:AssumeRole"'}]
Version = "2012-10-17"
}
}
resource "aws_iam_policy" "cw_dest_policy3_dd10_f82" {
policy = {
Statement = [{'Action': '"kinesis:PutRecord"', 'Effect': '"Allow"', 'Resource': 'aws_kinesis_stream.cl_data_stream4_dfb5423.arn'}]
Version = "2012-10-17"
}
name = "CWDestPolicy3DD10F82"
// CF Property(Roles) = ['aws_iam_role.cw_destination_role20_a8055_f.arn']
}
resource "aws_iam_policy" "helper_role_policy285_d208_f4" {
policy = {
Statement = [{'Action': '"iam:PassRole"', 'Effect': '"Allow"', 'Resource': 'aws_iam_role.cw_destination_role20_a8055_f.arn'}]
Version = "2012-10-17"
}
name = "HelperRolePolicy285D208F4"
// CF Property(Roles) = ['aws_iam_role.helper_role_d1833_f54.arn']
}
resource "aws_cloudwatch_log_destination" "cw_destination" {
// CF Property(ServiceToken) = aws_lambda_function.helper_providerframeworkon_event1079_de9_d.arn
// CF Property(Regions) = var.spoke_regions
name = join("", ["CL-Destination-", aws_shield_protection.create_uuid.id])
role_arn = aws_iam_role.cw_destination_role20_a8055_f.arn
// CF Property(DataStream) = aws_kinesis_stream.cl_data_stream4_dfb5423.arn
// CF Property(SpokeAccounts) = var.spoke_accounts
}
resource "aws_security_group" "cl_jumpbox_jumpbox_sgd93_e94_fc" {
description = "CL-PrimaryStack/CL-Jumpbox/JumpboxSG"
egress = [{'cidr_blocks': '"0.0.0.0/0"', 'description': '"allow outbound https"', 'from_port': '"80"', 'protocol': '"tcp"', 'to_port': '"80"'}, {'cidr_blocks': '"0.0.0.0/0"', 'description': '"allow outbound https"', 'from_port': '"443"', 'protocol': '"tcp"', 'to_port': '"443"'}]
vpc_id = aws_vpc.esvpc3_cead2_a7.arn
}
resource "aws_iam_role" "cl_jumpbox_jumpbox_ec2_instance_role92_dda704" {
assume_role_policy = {
Statement = [{'Action': '"sts:AssumeRole"', 'Effect': '"Allow"', 'Principal': {'Service': 'join("", ["ec2.", data.aws_partition.current.dns_suffix])'}}]
Version = "2012-10-17"
}
tags = [{'Key': '"Name"', 'Value': '"CL-PrimaryStack/CL-Jumpbox/JumpboxEC2"'}]
}
resource "aws_iam_instance_profile" "cl_jumpbox_jumpbox_ec2_instance_profile10_a8921_d" {
role = ['aws_iam_role.cl_jumpbox_jumpbox_ec2_instance_role92_dda704.arn']
}
resource "aws_instance" "cl_jumpbox_jumpbox_ec210_de4297" {
availability_zone = element(data.aws_availability_zones.available.names, 0)
iam_instance_profile = aws_iam_instance_profile.cl_jumpbox_jumpbox_ec2_instance_profile10_a8921_d.arn
private_ip = var.windows_ami
instance_type = "t3.micro"
key_name = var.jumpbox_key
vpc_security_group_ids = ['aws_security_group.cl_jumpbox_jumpbox_sgd93_e94_fc.id']
subnet_id = aws_subnet.esvpces_public_subnet_subnet1_subnet12560704.id
tags = [{'Key': '"Name"', 'Value': '"CL-PrimaryStack/CL-Jumpbox/JumpboxEC2"'}]
user_data = base64encode(<powershell></powershell>)
}
resource "aws_cloudformation_stack" "cl_demo_stack_nested_stack_cl_demo_stack_nested_stack_resource3_db21482" {
template_url = "https://solutions-reference.s3.amazonaws.com/centralized-logging/v4.0.1/aws-centralized-logging-demo.template"
parameters = {
CWDestinationParm = join("", ["arn:", data.aws_region.current.name, ":logs:", data.aws_region.current.name, ":", data.aws_region.current.name, ":destination:CL-Destination-", aws_shield_protection.create_uuid.id])
}
}
resource "aws_ecs_task_set" "cdk_metadata" {
// CF Property(Analytics) = "v2:deflate64:H4sIAAAAAAAA/2VTXW/bMAz8LX1X1CUdsNel2VoM2DAv6fquyEzCxhY9fTgIDP/3UZLteOuTjifS5J3opVw+rOSHu8/q4ha6PN93mizIbueVPovNwRTKqho82Bj8UE2D5hjhhkyJHsmItXPgOf+Ybsg4b4P2YhOcp3oLjoLVEEsmPCenRj+Db4LvRRykQ1XLbktVrotnQRXqa5poQt+4lzIaCksHrKAXlar3pZLdUzA6zcZJE/7agvG71Him4z3bC/ewUFGUk0kbx7J7DPoM/lE5EBnG4gHl4zbXPO6FpqNBT7L77cAWRFVMmfAIvlCt0Myv3jPxTLpLnhn9dfzYPI5mrT2beqqZZEvo6GT3nY7PlkITsyfMYOctqHpgc9AL0CvZvTY60q/FRhQWW+VhF/Ymy76hLQUPL2qfHyrzN47dI40quV+EPdvxX2V+RF4uJp+5xUVdh6ZDdFMiniq68JDpSQe4Ax0s656k/UuM6zFfFVZXKedRO1BWn2R3czkjfv0/bNivACEVJsCkYfKFGkyuZMBinLbYjJs2j/nZKwrlRfnYZF0pm1xOoBdnNODQxd9s9H80f7g6oIUTOZBxMKiwBXsdU3T6sxZ2+Iuc5P1vsQTbC0MlyDd33y4/yuUnubp7c4gLG3g9apDbfP4F2FLoQfQDAAA="
}
output "destination_subscription_command" {
description = "Command to run in spoke accounts/regions"
value = join("", ["aws logs put-subscription-filter --destination-arn arn:", data.aws_region.current.name, ":logs:<region>:", data.aws_region.current.name, ":destination:CL-Destination-", aws_shield_protection.create_uuid.id, " --log-group-name <MyLogGroup> --filter-name <MyFilterName> --filter-pattern <MyFilterPattern> --profile <MyAWSProfile> "])
}
output "unique_id" {
description = "UUID for Centralized Logging Stack"
value = aws_shield_protection.create_uuid.id
}
output "admin_email" {
description = "Admin Email address"
value = var.admin_email
}
output "domain_name" {
description = "ES Domain Name"
value = var.domain_name
}
output "kibana_url" {
description = "Kibana URL"
value = join("", ["https://", aws_elasticsearch_domain.es_domain_b45006_da.endpoint, "/_plugin/kibana/"])
}
output "cluster_size" {
description = "ES Cluster Size"
value = var.cluster_size
}
output "demo_deployment" {
description = "Demo data deployed?"
value = var.demo_template
}
@chunkingz
Copy link

@shadycuz awesome man! thanks alot for this! anyway we can keep in touch? I have some more pressing issues at hand if you don't mind.

@shadycuz
Copy link
Author

@chunkingz sure thing. Just remember that this will need some manual work before it will validate or deploy with Terraform.

@chunkingz
Copy link

image

So once again thanks for this tool...I downloaded it to my mac and opened it in vscode, I think there might be a bug with the converter, as you can see from the image above, I duplicated line 40 to line 41, when I get rid of the single quotes and backslashes, the error goes away, even tho it says double quotes, but actually the double quotes dont work.

image

Dont worry about the error on line 41, that's just an attribute redefined error

So we may want to look into checking if it's CDKMetadataAvailable and not add single quotes?

After manual cleanup of that line, this is what it looks like (when using line breaks).

image

As we can see, no more errors. Also there's a lot of this reoccurence so manual cleanup would be a bit time consuming since it's a huge template. However, let me know what you think @shadycuz

@chunkingz
Copy link

@chunkingz sure thing. Just remember that this will need some manual work before it will validate or deploy with Terraform.

Oh just seeing this

@shadycuz
Copy link
Author

anytrue is definitely bugged but should be fixable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment