Global Alert Firehose #468

Merged
merged 4 commits into from
Nov 13, 2017
Merged
408 changes: 133 additions & 275 deletions manage.py


7 changes: 7 additions & 0 deletions stream_alert_cli/terraform/generate.py
Expand Up @@ -181,6 +181,13 @@ def generate_main(**kwargs):
's3_bucket_name': firehose_s3_bucket_name
}

main_dict['module']['globals'] = {
'source': 'modules/tf_stream_alert_globals',
'account_id': config['global']['account']['aws_account_id'],
'region': config['global']['account']['region'],
'prefix': config['global']['account']['prefix']
}

# KMS Key and Alias creation
main_dict['resource']['aws_kms_key']['stream_alert_secrets'] = {
'enable_key_rotation': True,
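Review bot: The new `main_dict['module']['globals']` entry is the only block in this hunk without a heading comment, while the KMS block right after it carries `# KMS Key and Alias creation`; a line such as `# Global (cluster-independent) infrastructure, currently the alerts Firehose delivery stream` above it keeps the file's style and tells the reader why a second module entry exists. The three `config['global']['account'][...]` lookups raise a bare `KeyError` if `aws_account_id`, `region` or `prefix` is missing from the config; if the config is validated before `generate_main` runs that is fine, otherwise the error will not say which key was expected. The body of `generate_main` starts and ends outside the hunk.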
6 changes: 3 additions & 3 deletions terraform/modules/tf_stream_alert/iam.tf
Expand Up @@ -50,7 +50,7 @@ data "aws_iam_policy_document" "rule_processor_invoke_alert_proc" {
}
}

// IAM Role Policy: Allow the Rule Processor to put records on Firehose
// IAM Role Policy: Allow the Rule Processor to put data on Firehose
resource "aws_iam_role_policy" "streamalert_rule_processor_firehose" {
name = "FirehoseWriteData"
role = "${aws_iam_role.streamalert_rule_processor_role.id}"
Expand Down Expand Up @@ -216,7 +216,7 @@ resource "aws_iam_role_policy" "streamalert_alert_processor_s3_outputs" {
EOF
}

// IAM Role Policy: Allow the Alert Processor to to Firehose
// IAM Role Policy: Allow the Alert Processor to write alerts to Firehose
resource "aws_iam_role_policy" "streamalert_alert_processor_firehose" {
name = "FirehoseWriteAlerts"
role = "${aws_iam_role.streamalert_alert_processor_role.id}"
Expand All @@ -234,7 +234,7 @@ data "aws_iam_policy_document" "alert_processor_firehose" {
]

resources = [
"${aws_kinesis_firehose_delivery_stream.stream_alerts.arn}",
"arn:aws:firehose:${var.region}:${var.account_id}:deliverystream/${var.prefix}_streamalert_alert_delivery",
Any reason to use full arn of firehose delivery stream, instead of ${aws_kinesis_firehose_delivery_stream.stream_alerts.arn}?

That resource isn't in this module, so that interpolation isn't possible. I'd have to pass it in as a variable to this module instead, which I can do!

You are right. Thanks for the explanation.

I'm actually going to leave it, since we do the same thing for Athena data streams

]
}
}
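Review bot: The hand-built ARN on the `resources` line of `alert_processor_firehose` ties this policy to the stream name chosen in `tf_stream_alert_globals/alerts_firehose/main.tf`, and nothing in this module fails at plan time if that name changes; the Alert Processor would simply lose the permission at runtime. Record the coupling where the next reader will look, e.g. `// Hand-built ARN: the delivery stream lives in tf_stream_alert_globals/alerts_firehose; keep the name in sync` above the `resources` list. Scoping `FirehoseWriteAlerts` to that single delivery stream is the right least-privilege shape. The enclosing `data "aws_iam_policy_document" "alert_processor_firehose"` starts outside the hunk.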
12 changes: 0 additions & 12 deletions terraform/modules/tf_stream_alert/variables.tf
Expand Up @@ -54,18 +54,6 @@ variable "input_sns_topics" {
default = []
}

variable "firehose_buffer_size" {
default = 128
}

variable "firehose_buffer_interval" {
default = 300
}

variable "firehose_compression_format" {
default = "GZIP"
}

variable "kms_key_arn" {
type = "string"
}
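--- a/terraform/modules/tf_stream_alert_globals/README.md
+++ b/terraform/modules/tf_stream_alert_globals/README.md
@@ -0,0 +1,51 @@
+# Stream Alert Globals
+* This Terraform module creates various global infrastructure components
+
+## Components
+* Kinesis Firehose Delivery Stream for Putting Alerts on S3
+
+## Example
+```
+module "globals" {
+source = "../modules/tf_stream_alert_globals"
+account_id = "112233445566"
+region = "us-east-1"
+prefix = "mycompany"
+}
+```
+
+## Inputs
+<table>
+<tr>
+<th>Property</th>
+<th>Description</th>
+<th>Default</th>
+<th>Required</th>
+</tr>
+<tr>
+<td>account_id</td>
+<td>Your AWS Account ID</td>
+<td>None</td>
+<td>True</td>
+</tr>
+<tr>
+<td>region</td>
+<td>The AWS region for your stream</td>
+<td>None</td>
+<td>True</td>
+</tr>
+<tr>
+<td>prefix</td>
+<td>The resource prefix, normally an organizational name or descriptor</td>
+<td>None</td>
+<td>True</td>
+</tr>
+</table>
+
+## Outputs
+<table>
+<tr>
+<th>Property</th>
+<th>Description</th>
+</tr>
+</table>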
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
// IAM Role: Alert Firehose S3 Role
resource "aws_iam_role" "firehose" {
name = "${var.prefix}_${var.cluster}_streamalert_delivery_firehose"
name = "${var.prefix}_streamalert_delivery_firehose"

assume_role_policy = "${data.aws_iam_policy_document.firehose_assume_role_policy.json}"
}
Expand Down Expand Up @@ -50,7 +50,7 @@ data "aws_iam_policy_document" "firehose_s3" {

// CloudWatch Log Group: Firehose
resource "aws_cloudwatch_log_group" "firehose" {
name = "/aws/kinesisfirehose/${var.prefix}_${var.cluster}_streamalert_alert_delivery"
name = "/aws/kinesisfirehose/${var.prefix}_streamalert_alert_delivery"
retention_in_days = "${var.cloudwatch_log_retention}"
}

Expand Down Expand Up @@ -91,28 +91,7 @@ data "aws_iam_policy_document" "firehose_cloudwatch" {
]

resources = [
"arn:aws:logs:${var.region}:${var.account_id}:log-group:/aws/kinesisfirehose/${var.prefix}_${var.cluster}_streamalert_alert_delivery:*",
"arn:aws:logs:${var.region}:${var.account_id}:log-group:/aws/kinesisfirehose/${var.prefix}_streamalert_alert_delivery:*",
]
}
}

// AWS Firehose Stream for Alerts
resource "aws_kinesis_firehose_delivery_stream" "stream_alerts" {
name = "${var.prefix}_${var.cluster}_streamalert_alert_delivery"
destination = "s3"

s3_configuration {
role_arn = "${aws_iam_role.firehose.arn}"
bucket_arn = "arn:aws:s3:::${var.prefix}.streamalerts"
prefix = "alerts/"
buffer_size = "${var.firehose_buffer_size}"
buffer_interval = "${var.firehose_buffer_interval}"
compression_format = "${var.firehose_compression_format}"

cloudwatch_logging_options {
enabled = true
log_group_name = "/aws/kinesisfirehose/${var.prefix}_${var.cluster}_streamalert_alert_delivery"
log_stream_name = "S3Delivery"
}
}
}
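Review bot: The log-group ARN added in `firehose_cloudwatch` repeats the name that `aws_cloudwatch_log_group.firehose` already defines in the hunk above it, so the two literals can drift apart after exactly the kind of rename this commit performs. Derive it from the resource instead: `"arn:aws:logs:${var.region}:${var.account_id}:log-group:${aws_cloudwatch_log_group.firehose.name}:*",`. The same literal is repeated as `log_group_name` in `tf_stream_alert_globals/alerts_firehose/main.tf`, where `"${aws_cloudwatch_log_group.firehose.name}"` would serve. This section's file header was not captured on the page, and the enclosing `data "aws_iam_policy_document" "firehose_cloudwatch"` starts outside the hunk.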
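--- a/terraform/modules/tf_stream_alert_globals/alerts_firehose/main.tf
+++ b/terraform/modules/tf_stream_alert_globals/alerts_firehose/main.tf
@@ -0,0 +1,20 @@
+// AWS Firehose Stream for Alerts to S3
+resource "aws_kinesis_firehose_delivery_stream" "stream_alerts" {
+name = "${var.prefix}_streamalert_alert_delivery"
+destination = "s3"
+
+s3_configuration {
+role_arn = "${aws_iam_role.firehose.arn}"
+bucket_arn = "arn:aws:s3:::${var.prefix}.streamalerts"
+prefix = "alerts/"
+buffer_size = "${var.buffer_size}"
+buffer_interval = "${var.buffer_interval}"
+compression_format = "${var.compression_format}"
+
+cloudwatch_logging_options {
+enabled = true
+log_group_name = "/aws/kinesisfirehose/${var.prefix}_streamalert_alert_delivery"
+log_stream_name = "S3Delivery"
+}
+}
+}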
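Review bot: `s3_configuration` sets no `kms_key_arn`, so alert objects land in `${var.prefix}.streamalerts` with whatever default encryption that bucket applies, possibly none, and nothing in this module can tell. Alerts presumably carry the matched log records, so if they are sensitive, take a key ARN as a module variable and set `kms_key_arn = "${var.kms_key_arn}"` next to `bucket_arn`; if bucket-default encryption already covers this, a one-line comment saying so saves the next reviewer the question. `bucket_arn` is also hand-built, so Terraform cannot order this stream after the bucket's creation, which is fine only if the bucket is guaranteed to exist from an earlier apply.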
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
variable "account_id" {}

variable "buffer_size" {
default = 128
}

variable "buffer_interval" {
default = 300
}

variable "cloudwatch_log_retention" {
default = 30
}

variable "compression_format" {
default = "GZIP"
}

variable "prefix" {}

variable "region" {}
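Review bot: None of the new variables declares a `type` or `description`, while the sibling module in this same commit writes `variable "kms_key_arn" { type = "string" }`; for a module other teams will wire up, `variable "account_id" { type = "string" }` plus a one-line `description` per variable makes plan-time errors and the README self-explanatory. The same applies to `terraform/modules/tf_stream_alert_globals/variables.tf` below. This section's file header was not captured on the page.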
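--- a/terraform/modules/tf_stream_alert_globals/main.tf
+++ b/terraform/modules/tf_stream_alert_globals/main.tf
@@ -0,0 +1,6 @@
+module "alerts_firehose" {
+source = "alerts_firehose"
+account_id = "${var.account_id}"
+prefix = "${var.prefix}"
+region = "${var.region}"
+}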
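Review bot: `source = "alerts_firehose"` is a local path written without the `./` prefix that Terraform documents for local module sources, and which this commit's own README example uses (`../modules/tf_stream_alert_globals`); `source = "./alerts_firehose"` removes any ambiguity with a registry address. The module also does not forward `buffer_size`, `buffer_interval`, `compression_format` or `cloudwatch_log_retention`, so callers of `tf_stream_alert_globals` cannot tune them without editing the child module; if that is intentional, the README's Inputs table should say so.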
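--- a/terraform/modules/tf_stream_alert_globals/variables.tf
+++ b/terraform/modules/tf_stream_alert_globals/variables.tf
@@ -0,0 +1,5 @@
+variable "account_id" {}
+
+variable "prefix" {}
+
+variable "region" {}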