Add oam code
niroz89 committed Dec 15, 2023
1 parent b4d950c commit 17c0762
Showing 13 changed files with 324 additions and 1 deletion.
25 changes: 24 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
@@ -1 +1,24 @@
# Terraform Modules Template
# Observability Access Manager

## Overview

## What is OAM?

**OAM is for centralized logging across accounts.**

To set up OAM, we choose one or more AWS accounts as monitoring accounts and link them with multiple source accounts. A monitoring account is a central AWS account that can view and interact with observability data generated from source accounts. A source account is an individual AWS account that generates observability data for the resources that reside in it. Source accounts share their observability data with the monitoring account.

The shared observability data can include metrics in Amazon CloudWatch, logs in Amazon CloudWatch Logs, and traces in AWS X-Ray.

## OAM Components

CloudWatch OAM consists of two major components which enable cross-account observability -

### Sink

A sink is a resource that represents an attachment point in a monitoring account. Source accounts can link to the sink to send observability data. After you create a sink, you must create a sink policy that allows source accounts to attach to it.

### Link

A link is a connection between a source account and a sink that you have created in a monitoring account.
Before you create a link, you must create a sink in the monitoring account and create a sink policy in that account. The sink policy must permit the source account to link to it. You can grant permission to source accounts by granting permission to an entire organization or to individual accounts.
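Review bot: the opening claim that OAM "is for centralized logging across accounts" undersells what the next paragraph says it shares (CloudWatch metrics, CloudWatch Logs log groups and X-Ray traces), so call it centralized observability, and the empty `## Overview` heading either needs the "What is OAM?" text moved under it or should be dropped. This README also never says how the two modules in this commit fit together: add a short usage section showing `modules/sink` applied in the monitoring account with `source_org_ids` (or `source_account_ids`) set, and `modules/link` applied in each source account with `sink_identifier = module.sink.oam_sink_arn` and a `providers` mapping for the source-account provider. Two constraints a first-time user will hit are worth stating: every entry in the link's `resource_types` must be permitted by the sink policy's `ForAllValues:StringEquals` condition on `oam:ResourceTypes`, and an OAM sink is regional, so the link has to be created in the same region as the sink.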
Empty file removed modules/.gitkeep
41 changes: 41 additions & 0 deletions modules/link/README.md
@@ -0,0 +1,41 @@
<!-- BEGIN_TF_DOCS -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.15 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.15 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [aws_oam_link.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/oam_link) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_account_label"></a> [account\_label](#input\_account\_label) | Specify a friendly human-readable name to use to identify this source account when you are viewing data from it in the monitoring account.<br> You can include the following variables in your template:<br> - `$AccountName` is the name of the account<br> - `$AccountEmail` is a globally-unique email address, which includes the email domain, such as [email protected]<br> - `$AccountEmailNoDomain` is an email address without the domain name, such as mariagarcia | `string` | `"$AccountName"` | no |
| <a name="input_resource_types"></a> [resource\_types](#input\_resource\_types) | An array of strings that define which types of data that the source account shares with the monitoring account. | `list(string)` | <pre>[<br> "AWS::CloudWatch::Metric",<br> "AWS::Logs::LogGroup",<br> "AWS::XRay::Trace"<br>]</pre> | no |
| <a name="input_sink_identifier"></a> [sink\_identifier](#input\_sink\_identifier) | The ARN of the sink in the monitoring account that you want to link to. | `string` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | An array of key-value pairs to apply to the link. | `map(string)` | `{}` | no |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_arn"></a> [arn](#output\_arn) | The ARN of the link. |
| <a name="output_id"></a> [id](#output\_id) | The ID string that AWS generated as part of the link ARN. |
| <a name="output_sink_arn"></a> [sink\_arn](#output\_sink\_arn) | ARN of the sink that is used for this link. |
<!-- END_TF_DOCS -->
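Review bot: the `resource_types` description in the Inputs table says nothing about which values are accepted, while the module's validation in `variables.tf` allows `AWS::CloudWatch::Metric`, `AWS::Logs::LogGroup`, `AWS::XRay::Trace` and `AWS::ApplicationInsights::Application`; since this file is terraform-docs output, list the allowed values in the variable description so they appear here, and add that every type requested must also be allowed by the sink policy in the monitoring account or the `oam:CreateLink` call is denied.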
6 changes: 6 additions & 0 deletions modules/link/main.tf
@@ -0,0 +1,6 @@
resource "aws_oam_link" "this" {
label_template = var.account_label
resource_types = var.resource_types
sink_identifier = var.sink_identifier
tags = var.tags
}
14 changes: 14 additions & 0 deletions modules/link/outputs.tf
@@ -0,0 +1,14 @@
output "arn" {
description = "The ARN of the link."
value = aws_oam_link.this.arn
}

output "id" {
description = "The ID string that AWS generated as part of the link ARN."
value = aws_oam_link.this.link_id
}

output "sink_arn" {
description = "ARN of the sink that is used for this link."
value = aws_oam_link.this.sink_arn
}
46 changes: 46 additions & 0 deletions modules/link/variables.tf
@@ -0,0 +1,46 @@
variable "account_label" {
description = <<EOF
Specify a friendly human-readable name to use to identify this source account when you are viewing data from it in the monitoring account.
You can include the following variables in your template:
- `$AccountName` is the name of the account
- `$AccountEmail` is a globally-unique email address, which includes the email domain, such as [email protected]
- `$AccountEmailNoDomain` is an email address without the domain name, such as mariagarcia
EOF
type = string
default = "$AccountName"
}

variable "resource_types" {
type = list(string)
description = "An array of strings that define which types of data that the source account shares with the monitoring account."

validation {
condition = alltrue([
for resource_type in var.resource_types :
contains([
"AWS::CloudWatch::Metric",
"AWS::Logs::LogGroup",
"AWS::XRay::Trace",
"AWS::ApplicationInsights::Application",
], resource_type)
])
error_message = "Valid values for OAM `resource_types` are `AWS::CloudWatch::Metric`, `AWS::Logs::LogGroup`, `AWS::XRay::Trace`, `AWS::ApplicationInsights::Application`."
}

default = [
"AWS::CloudWatch::Metric",
"AWS::Logs::LogGroup",
"AWS::XRay::Trace",
]
}

variable "sink_identifier" {
description = "The ARN of the sink in the monitoring account that you want to link to."
type = string
}

variable "tags" {
description = "An array of key-value pairs to apply to the link."
type = map(string)
default = {}
}
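Review bot: `sink_identifier` accepts any string; a `validation` block with `can(regex("^arn:aws[a-z-]*:oam:", var.sink_identifier))` would reject a bare sink ID or a copy-pasted link ARN at plan time instead of at apply. Two wording fixes while here: the `tags` description says "array of key-value pairs" but the type is `map(string)`, and the `resource_types` description should enumerate the four values the validation accepts, which it currently lists only in the error message.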
10 changes: 10 additions & 0 deletions modules/link/versions.tf
@@ -0,0 +1,10 @@
terraform {
required_version = ">= 1.5"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.15"
}
}
}
43 changes: 43 additions & 0 deletions modules/sink/README.md
@@ -0,0 +1,43 @@
<!-- BEGIN_TF_DOCS -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.15 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.15 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [aws_oam_sink.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/oam_sink) | resource |
| [aws_oam_sink_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/oam_sink_policy) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_name"></a> [name](#input\_name) | Name of the OAM sink | `string` | `null` | no |
| <a name="input_resource_types"></a> [resource\_types](#input\_resource\_types) | Resource types to retrieve with OAM | `list(string)` | <pre>[<br> "AWS::CloudWatch::Metric",<br> "AWS::Logs::LogGroup",<br> "AWS::XRay::Trace"<br>]</pre> | no |
| <a name="input_source_account_ids"></a> [source\_account\_ids](#input\_source\_account\_ids) | List of source AWS account IDs for OAM | `list(string)` | `[]` | no |
| <a name="input_source_org_ids"></a> [source\_org\_ids](#input\_source\_org\_ids) | List of source Organisation ID's for OAM | `list(string)` | `[]` | no |
| <a name="input_source_org_paths"></a> [source\_org\_paths](#input\_source\_org\_paths) | List of source Organisation unit paths for OAM | `list(string)` | `[]` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | An array of key-value pairs to apply to the sink. | `map(string)` | `{}` | no |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_oam_sink_arn"></a> [oam\_sink\_arn](#output\_oam\_sink\_arn) | ARN of OAM sink |
| <a name="output_oam_sink_id"></a> [oam\_sink\_id](#output\_oam\_sink\_id) | ID of OAM sink |
<!-- END_TF_DOCS -->
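Review bot: the descriptions for `source_org_ids` (and `ID's` should read `IDs`) and `source_org_paths` are too thin to use correctly. `source_org_paths` feeds `aws:PrincipalOrgPaths` under a `StringLike` condition, so the description should show the expected shape (`o-xxxxxxxxxx/r-xxxx/ou-xxxx-xxxxxxxx/*`, where the trailing `*` is what makes accounts in nested OUs match), and `source_org_ids` should say it matches `aws:PrincipalOrgID`, i.e. every account in the organization. Also worth a sentence that this module is applied in the monitoring account and that leaving all three source inputs empty yields a sink with no policy, which no source account can link to. Since this table is terraform-docs output, make the changes in `variables.tf`.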
49 changes: 49 additions & 0 deletions modules/sink/locals.tf
@@ -0,0 +1,49 @@
locals {
source_accounts_statement = {
Effect = "Allow"
Principal = {
"AWS" = var.source_account_ids
}
Action = ["oam:CreateLink", "oam:UpdateLink"]
Resource = "*"
Condition = {
"ForAllValues:StringEquals" = {
"oam:ResourceTypes" = var.resource_types
}
}
}
source_organizations_statement = {
Effect = "Allow"
Principal = "*"
Action = ["oam:CreateLink", "oam:UpdateLink"]
Resource = "*"
Condition = {
"ForAllValues:StringEquals" = {
"oam:ResourceTypes" = var.resource_types
}
"ForAnyValue:StringEquals" = {
"aws:PrincipalOrgID" = var.source_org_ids
}
}
}
source_organization_paths_statement = {
Effect = "Allow"
Principal = "*"
Action = ["oam:CreateLink", "oam:UpdateLink"]
Resource = "*"
Condition = {
"ForAllValues:StringEquals" = {
"oam:ResourceTypes" = var.resource_types
}
"ForAnyValue:StringLike" : {
"aws:PrincipalOrgPaths" : var.source_org_paths
}
}
}

policy_required = length(concat(
var.source_account_ids,
var.source_org_ids,
var.source_org_paths,
)) > 0
}
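Review bot: `source_organization_paths_statement` uses `:` for the `"ForAnyValue:StringLike"` and `"aws:PrincipalOrgPaths"` attributes while the rest of the file uses `=`; HCL accepts both inside an object constructor, but use `=` for consistency with the two statements above it. A caveat worth a comment next to the `oam:ResourceTypes` condition: `ForAllValues` on an Allow statement evaluates to true when the request carries no values for the key, which is why AWS warns against pairing it with Allow; it is acceptable here because `oam:CreateLink` and `oam:UpdateLink` always carry resource types, but the comment saves the next reviewer the question. The three statements also repeat the same `Action`, `Resource` and resource-types condition; a shared local merged into each would keep them from drifting apart.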
19 changes: 19 additions & 0 deletions modules/sink/main.tf
@@ -0,0 +1,19 @@
resource "aws_oam_sink" "this" {
name = var.name
tags = var.tags
}

resource "aws_oam_sink_policy" "this" {
count = local.policy_required ? 1 : 0

sink_identifier = aws_oam_sink.this.arn

policy = jsonencode({
Version = "2012-10-17"
Statement = concat(
length(var.source_account_ids) > 0 ? [local.source_accounts_statement] : [],
length(var.source_org_ids) > 0 ? [local.source_organizations_statement] : [],
length(var.source_org_paths) > 0 ? [local.source_organization_paths_statement] : [],
)
})
}
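Review bot: with `count = local.policy_required ? 1 : 0`, a caller that supplies none of `source_account_ids`, `source_org_ids` or `source_org_paths` gets a sink and no policy, so no account can link to it. If that is intended, say so in the variable descriptions; otherwise drop the `count` and add a `lifecycle { precondition { ... } }` on `aws_oam_sink_policy.this` that requires at least one source, so the failure is explicit at plan time. Building the policy from `jsonencode` of hand-written locals works, but an `aws_iam_policy_document` data source would produce the same JSON with provider-side syntax checking and `source_policy_documents` merging in place of the three `concat` branches.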
9 changes: 9 additions & 0 deletions modules/sink/outputs.tf
@@ -0,0 +1,9 @@
output "oam_sink_id" {
description = "ID of OAM sink"
value = aws_oam_sink.this.id
}

output "oam_sink_arn" {
description = "ARN of OAM sink"
value = aws_oam_sink.this.arn
}
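Review bot: the output names here (`oam_sink_arn`, `oam_sink_id`) do not follow the convention the link module uses (`arn`, `id`, `sink_arn`); pick one style for both modules, since callers wire `module.sink.oam_sink_arn` into the link's `sink_identifier` and will notice the mismatch. Also verify what `aws_oam_sink.this.id` holds before describing it as "ID of OAM sink": the provider exposes a separate `sink_id` attribute for the generated ID string (the link module deliberately exports `link_id` rather than `id` for the same reason), and if `id` is the ARN then `oam_sink_id` merely duplicates `oam_sink_arn`.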
53 changes: 53 additions & 0 deletions modules/sink/variables.tf
@@ -0,0 +1,53 @@
variable "name" {
description = "Name of the OAM sink"
type = string
default = null
}

variable "source_account_ids" {
description = "List of source AWS account IDs for OAM"
type = list(string)
default = []
}

variable "source_org_ids" {
description = "List of source Organisation ID's for OAM"
type = list(string)
default = []
}

variable "source_org_paths" {
description = "List of source Organisation unit paths for OAM"
type = list(string)
default = []
}

variable "resource_types" {
description = "Resource types to retrieve with OAM"
type = list(string)

validation {
condition = alltrue([
for resource_type in var.resource_types :
contains([
"AWS::CloudWatch::Metric",
"AWS::Logs::LogGroup",
"AWS::XRay::Trace",
"AWS::ApplicationInsights::Application",
], resource_type)
])
error_message = "Invalid values for `oam_resource_types`."
}

default = [
"AWS::CloudWatch::Metric",
"AWS::Logs::LogGroup",
"AWS::XRay::Trace",
]
}

variable "tags" {
description = "An array of key-value pairs to apply to the sink."
type = map(string)
default = {}
}
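Review bot: the `resource_types` validation error refers to `oam_resource_types`, which is not this variable's name; use `resource_types` and list the accepted values as the link module's message does. `name` defaults to `null`, but the provider documents `name` as required for `aws_oam_sink`, so a caller that omits it fails with a provider error rather than a clear input error; either drop the default (the README's Required column then becomes "yes") or derive a name in the module. Minor: "Organisation ID's" should read "Organization IDs", and the `tags` description says "array" for a `map(string)`.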
10 changes: 10 additions & 0 deletions modules/sink/versions.tf
@@ -0,0 +1,10 @@
terraform {
required_version = ">= 1.5"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.15"
}
}
}
