Merge pull request #1 from SPHTech-Platform/add_mod

Add oam sink/link module

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2022-present SPH Media
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1 +1,24 @@
-# Terraform Modules Template
+# Observability Access Manager
+
+## Overview
+
+## What is OAM?
+
+**OAM is for centralized logging across accounts.**
+
+To set up OAM, we choose one or more AWS accounts as monitoring accounts and link them with multiple source accounts. A monitoring account is a central AWS account that can view and interact with observability data generated from source accounts. A source account is an individual AWS account that generates observability data for the resources that reside in it. Source accounts share their observability data with the monitoring account.
+
+The shared observability data can include metrics in Amazon CloudWatch, logs in Amazon CloudWatch Logs, and traces in AWS X-Ray.
+
+## OAM Components
+
+CloudWatch OAM consists of two major components which enable cross-account observability -
+
+### Sink
+
+A sink is a resource that represents an attachment point in a monitoring account. Source accounts can link to the sink to send observability data. After you create a sink, you must create a sink policy that allows source accounts to attach to it.
+
+### Link
+
+A link is a connection between a source account and a sink that you have created in a monitoring account.
+Before you create a link, you must create a sink in the monitoring account and create a sink policy in that account. The sink policy must permit the source account to link to it. You can grant permission to source accounts by granting permission to an entire organization or to individual accounts.

modules/link/README.md

@@ -0,0 +1,41 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.15 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.15 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_oam_link.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/oam_link) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_label"></a> [account\_label](#input\_account\_label) | Specify a friendly human-readable name to use to identify this source account when you are viewing data from it in the monitoring account.<br>    You can include the following variables in your template:<br>    - `$AccountName` is the name of the account<br>    - `$AccountEmail` is a globally-unique email address, which includes the email domain, such as [email protected]<br>    - `$AccountEmailNoDomain` is an email address without the domain name, such as mariagarcia | `string` | `"$AccountName"` | no |
+| <a name="input_resource_types"></a> [resource\_types](#input\_resource\_types) | An array of strings that define which types of data that the source account shares with the monitoring account. | `list(string)` | <pre>[<br>  "AWS::CloudWatch::Metric",<br>  "AWS::Logs::LogGroup",<br>  "AWS::XRay::Trace"<br>]</pre> | no |
+| <a name="input_sink_identifier"></a> [sink\_identifier](#input\_sink\_identifier) | The ARN of the sink in the monitoring account that you want to link to. | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | An array of key-value pairs to apply to the link. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_arn"></a> [arn](#output\_arn) | The ARN of the link. |
+| <a name="output_id"></a> [id](#output\_id) | The ID string that AWS generated as part of the link ARN. |
+| <a name="output_sink_arn"></a> [sink\_arn](#output\_sink\_arn) | ARN of the sink that is used for this link. |
+<!-- END_TF_DOCS -->

modules/link/main.tf

@@ -0,0 +1,6 @@
+resource "aws_oam_link" "this" {
+  label_template  = var.account_label
+  resource_types  = var.resource_types
+  sink_identifier = var.sink_identifier
+  tags            = var.tags
+}

modules/link/outputs.tf

@@ -0,0 +1,14 @@
+output "arn" {
+  description = "The ARN of the link."
+  value       = aws_oam_link.this.arn
+}
+
+output "id" {
+  description = "The ID string that AWS generated as part of the link ARN."
+  value       = aws_oam_link.this.link_id
+}
+
+output "sink_arn" {
+  description = "ARN of the sink that is used for this link."
+  value       = aws_oam_link.this.sink_arn
+}

modules/link/variables.tf

@@ -0,0 +1,46 @@
+variable "account_label" {
+  description = <<EOF
+    Specify a friendly human-readable name to use to identify this source account when you are viewing data from it in the monitoring account.
+    You can include the following variables in your template:
+    - `$AccountName` is the name of the account
+    - `$AccountEmail` is a globally-unique email address, which includes the email domain, such as [email protected]
+    - `$AccountEmailNoDomain` is an email address without the domain name, such as mariagarcia
+    EOF
+  type        = string
+  default     = "$AccountName"
+}
+
+variable "resource_types" {
+  type        = list(string)
+  description = "An array of strings that define which types of data that the source account shares with the monitoring account."
+
+  validation {
+    condition = alltrue([
+      for resource_type in var.resource_types :
+      contains([
+        "AWS::CloudWatch::Metric",
+        "AWS::Logs::LogGroup",
+        "AWS::XRay::Trace",
+        "AWS::ApplicationInsights::Application",
+      ], resource_type)
+    ])
+    error_message = "Valid values for OAM `resource_types` are `AWS::CloudWatch::Metric`, `AWS::Logs::LogGroup`, `AWS::XRay::Trace`, `AWS::ApplicationInsights::Application`."
+  }
+
+  default = [
+    "AWS::CloudWatch::Metric",
+    "AWS::Logs::LogGroup",
+    "AWS::XRay::Trace",
+  ]
+}
+
+variable "sink_identifier" {
+  description = "The ARN of the sink in the monitoring account that you want to link to."
+  type        = string
+}
+
+variable "tags" {
+  description = "An array of key-value pairs to apply to the link."
+  type        = map(string)
+  default     = {}
+}

modules/link/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.5"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.15"
+    }
+  }
+}

modules/sink/README.md

@@ -0,0 +1,43 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.15 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.15 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_oam_sink.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/oam_sink) | resource |
+| [aws_oam_sink_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/oam_sink_policy) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_name"></a> [name](#input\_name) | Name of the OAM sink | `string` | `null` | no |
+| <a name="input_resource_types"></a> [resource\_types](#input\_resource\_types) | Resource types to retrieve with OAM | `list(string)` | <pre>[<br>  "AWS::CloudWatch::Metric",<br>  "AWS::Logs::LogGroup",<br>  "AWS::XRay::Trace"<br>]</pre> | no |
+| <a name="input_source_account_ids"></a> [source\_account\_ids](#input\_source\_account\_ids) | List of source AWS account IDs for OAM | `list(string)` | `[]` | no |
+| <a name="input_source_org_ids"></a> [source\_org\_ids](#input\_source\_org\_ids) | List of source Organisation ID's for OAM | `list(string)` | `[]` | no |
+| <a name="input_source_org_paths"></a> [source\_org\_paths](#input\_source\_org\_paths) | List of source Organisation unit paths for OAM | `list(string)` | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | An array of key-value pairs to apply to the sink. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_arn"></a> [arn](#output\_arn) | ARN of OAM sink |
+| <a name="output_id"></a> [id](#output\_id) | ID of OAM sink |
+<!-- END_TF_DOCS -->

modules/sink/locals.tf

@@ -0,0 +1,49 @@
+locals {
+  source_accounts_statement = {
+    Effect = "Allow"
+    Principal = {
+      "AWS" = var.source_account_ids
+    }
+    Action   = ["oam:CreateLink", "oam:UpdateLink"]
+    Resource = "*"
+    Condition = {
+      "ForAllValues:StringEquals" = {
+        "oam:ResourceTypes" = var.resource_types
+      }
+    }
+  }
+  source_organizations_statement = {
+    Effect    = "Allow"
+    Principal = "*"
+    Action    = ["oam:CreateLink", "oam:UpdateLink"]
+    Resource  = "*"
+    Condition = {
+      "ForAllValues:StringEquals" = {
+        "oam:ResourceTypes" = var.resource_types
+      }
+      "ForAnyValue:StringEquals" = {
+        "aws:PrincipalOrgID" = var.source_org_ids
+      }
+    }
+  }
+  source_organization_paths_statement = {
+    Effect    = "Allow"
+    Principal = "*"
+    Action    = ["oam:CreateLink", "oam:UpdateLink"]
+    Resource  = "*"
+    Condition = {
+      "ForAllValues:StringEquals" = {
+        "oam:ResourceTypes" = var.resource_types
+      }
+      "ForAnyValue:StringLike" : {
+        "aws:PrincipalOrgPaths" : var.source_org_paths
+      }
+    }
+  }
+
+  policy_required = length(concat(
+    var.source_account_ids,
+    var.source_org_ids,
+    var.source_org_paths,
+  )) > 0
+}

modules/sink/main.tf

@@ -0,0 +1,19 @@
+resource "aws_oam_sink" "this" {
+  name = var.name
+  tags = var.tags
+}
+
+resource "aws_oam_sink_policy" "this" {
+  count = local.policy_required ? 1 : 0
+
+  sink_identifier = aws_oam_sink.this.arn
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = concat(
+      length(var.source_account_ids) > 0 ? [local.source_accounts_statement] : [],
+      length(var.source_org_ids) > 0 ? [local.source_organizations_statement] : [],
+      length(var.source_org_paths) > 0 ? [local.source_organization_paths_statement] : [],
+    )
+  })
+}

modules/sink/outputs.tf

@@ -0,0 +1,9 @@
+output "id" {
+  description = "ID of OAM sink"
+  value       = aws_oam_sink.this.id
+}
+
+output "arn" {
+  description = "ARN of OAM sink"
+  value       = aws_oam_sink.this.arn
+}

modules/sink/variables.tf

@@ -0,0 +1,53 @@
+variable "name" {
+  description = "Name of the OAM sink"
+  type        = string
+  default     = null
+}
+
+variable "source_account_ids" {
+  description = "List of source AWS account IDs for OAM"
+  type        = list(string)
+  default     = []
+}
+
+variable "source_org_ids" {
+  description = "List of source Organisation ID's for OAM"
+  type        = list(string)
+  default     = []
+}
+
+variable "source_org_paths" {
+  description = "List of source Organisation unit paths for OAM"
+  type        = list(string)
+  default     = []
+}
+
+variable "resource_types" {
+  description = "Resource types to retrieve with OAM"
+  type        = list(string)
+
+  validation {
+    condition = alltrue([
+      for resource_type in var.resource_types :
+      contains([
+        "AWS::CloudWatch::Metric",
+        "AWS::Logs::LogGroup",
+        "AWS::XRay::Trace",
+        "AWS::ApplicationInsights::Application",
+      ], resource_type)
+    ])
+    error_message = "Invalid values for `oam_resource_types`."
+  }
+
+  default = [
+    "AWS::CloudWatch::Metric",
+    "AWS::Logs::LogGroup",
+    "AWS::XRay::Trace",
+  ]
+}
+
+variable "tags" {
+  description = "An array of key-value pairs to apply to the sink."
+  type        = map(string)
+  default     = {}
+}

modules/sink/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.5"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.15"
+    }
+  }
+}