Support eventbridge for cloudwatch-log-policy module

tedilabs · Dec 21, 2023 · 0f42f6b · 0f42f6b
1 parent fcb4324
commit 0f42f6b
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 21 deletions.
diff --git a/modules/cloudwatch-log-policy/README.md b/modules/cloudwatch-log-policy/README.md
@@ -16,7 +16,7 @@ This module creates following resources.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.31.0 |
 
 ## Modules
 
@@ -36,7 +36,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_name"></a> [name](#input\_name) | (Required) The name of the CloudWatch Logs resource policy. | `string` | n/a | yes |
-| <a name="input_service"></a> [service](#input\_service) | (Required) Specify the identity of the AWS service principal to allow delivering logs to this account. Valid values are `delivery.logs.amazonaws.com`, `es.amazonaws.com`, `route53.amazonaws.com`. | `string` | n/a | yes |
+| <a name="input_service"></a> [service](#input\_service) | (Required) Specify the identity of the AWS service principal to allow delivering logs to this account. Valid values are `delivery.logs.amazonaws.com`, `es.amazonaws.com`, `events.amazonaws.com`, `route53.amazonaws.com`. | `string` | n/a | yes |
 | <a name="input_statements"></a> [statements](#input\_statements) | (Required) A list of statements for CloudWatch Logs resource policy. Each item of `statements` as defined below.<br>    (Required) `log_groups` - A list of Log group patterns that the resource policy applies to. Whildcard is supported. Configure `*` to allow all log groups.<br>    (Optional) `account_whiteilst` - A whitelist of AWS Account IDs making the call to CloudWatch Logs.<br>    (Optional) `resource_whiteilst` - A whitelist of the ARN of AWS resources making the call to CloudWatch Logs. | `list(map(set(string)))` | `[]` | no |
 
 ## Outputs

diff --git a/modules/cloudwatch-log-policy/policy.tf b/modules/cloudwatch-log-policy/policy.tf
@@ -5,20 +5,45 @@ locals {
   account_id = data.aws_caller_identity.this.account_id
   region     = data.aws_region.this.name
 
-  service_actions = {
-    "delivery.logs.amazonaws.com" = [
-      "logs:CreateLogStream",
-      "logs:PutLogEvents",
-    ]
-    "es.amazonaws.com" = [
-      "logs:CreateLogStream",
-      "logs:PutLogEvents",
-      "logs:PutLogEventsBatch",
-    ]
-    "route53.amazonaws.com" = [
-      "logs:CreateLogStream",
-      "logs:PutLogEvents",
-    ]
+  service_statements = {
+    "delivery.logs.amazonaws.com" = {
+      services = [
+        "delivery.logs.amazonaws.com",
+      ]
+      actions = [
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+      ]
+    }
+    "es.amazonaws.com" = {
+      services = [
+        "es.amazonaws.com",
+      ]
+      actions = [
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+        "logs:PutLogEventsBatch",
+      ]
+    }
+    "events.amazonaws.com" = {
+      services = [
+        "events.amazonaws.com",
+        "delivery.logs.amazonaws.com",
+      ]
+      actions = [
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+      ]
+    }
+    "route53.amazonaws.com" = {
+      services = [
+        "route53.amazonaws.com",
+      ]
+      actions = [
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+      ]
+    }
   }
 }
 
@@ -33,15 +58,15 @@ data "aws_iam_policy_document" "this" {
     content {
       sid = "${var.name}-${statement.key}"
 
-      actions = local.service_actions[var.service]
+      actions = local.service_statements[var.service].actions
 
       resources = [
         for log_group in statement.value.log_groups :
         "arn:aws:logs:${local.region}:${local.account_id}:log-group:${log_group}"
       ]
 
       principals {
-        identifiers = [var.service]
+        identifiers = local.service_statements[var.service].services
         type        = "Service"
       }
 

diff --git a/modules/cloudwatch-log-policy/variables.tf b/modules/cloudwatch-log-policy/variables.tf
@@ -5,13 +5,13 @@ variable "name" {
 }
 
 variable "service" {
-  description = "(Required) Specify the identity of the AWS service principal to allow delivering logs to this account. Valid values are `delivery.logs.amazonaws.com`, `es.amazonaws.com`, `route53.amazonaws.com`."
+  description = "(Required) Specify the identity of the AWS service principal to allow delivering logs to this account. Valid values are `delivery.logs.amazonaws.com`, `es.amazonaws.com`, `events.amazonaws.com`, `route53.amazonaws.com`."
   type        = string
   nullable    = false
 
   validation {
-    condition     = contains(["delivery.logs.amazonaws.com", "es.amazonaws.com", "route53.amazonaws.com"], var.service)
-    error_message = "Valid values for `service` are `delivery.logs.amazonaws.com`, `es.amazonaws.com`, `route53.amazonaws.com`."
+    condition     = contains(["delivery.logs.amazonaws.com", "es.amazonaws.com", "events.amazonaws.com", "route53.amazonaws.com"], var.service)
+    error_message = "Valid values for `service` are `delivery.logs.amazonaws.com`, `es.amazonaws.com`, `events.amazonaws.com`, `route53.amazonaws.com`."
   }
 }