Showing 13 changed files with 324 additions and 1 deletion.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,24 @@ | ||
# Terraform Modules Template | ||
# Observability Access Manager | ||
|
||
## Overview | ||
|
||
## What is OAM? | ||
|
||
**OAM is for centralized logging across accounts.** | ||
|
||
To set up OAM, we choose one or more AWS accounts as monitoring accounts and link them with multiple source accounts. A monitoring account is a central AWS account that can view and interact with observability data generated from source accounts. A source account is an individual AWS account that generates observability data for the resources that reside in it. Source accounts share their observability data with the monitoring account. | ||
|
||
The shared observability data can include metrics in Amazon CloudWatch, logs in Amazon CloudWatch Logs, and traces in AWS X-Ray. | ||
|
||
## OAM Components | ||
|
||
CloudWatch OAM consists of two major components which enable cross-account observability - | ||
|
||
### Sink | ||
|
||
A sink is a resource that represents an attachment point in a monitoring account. Source accounts can link to the sink to send observability data. After you create a sink, you must create a sink policy that allows source accounts to attach to it. | ||
|
||
### Link | ||
|
||
A link is a connection between a source account and a sink that you have created in a monitoring account. | ||
Before you create a link, you must create a sink in the monitoring account and create a sink policy in that account. The sink policy must permit the source account to link to it. You can grant permission to source accounts by granting permission to an entire organization or to individual accounts. |
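Review bot: the `## Overview` heading has no body before `## What is OAM?`; either add a sentence stating what this repository's two modules (sink and link) do or drop the heading. The bold claim that "OAM is for centralized logging across accounts" understates the scope the following paragraph describes (CloudWatch metrics, CloudWatch Logs and X-Ray traces), so "centralized observability" would be accurate, and the sentence ending "cross-account observability - " is left dangling and should end with a colon.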
Empty file.
@@ -0,0 +1,41 @@ | ||
<!-- BEGIN_TF_DOCS --> | ||
## Requirements | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 | | ||
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.15 | | ||
|
||
## Providers | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.15 | | ||
|
||
## Modules | ||
|
||
No modules. | ||
|
||
## Resources | ||
|
||
| Name | Type | | ||
|------|------| | ||
| [aws_oam_link.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/oam_link) | resource | | ||
|
||
## Inputs | ||
|
||
| Name | Description | Type | Default | Required | | ||
|------|-------------|------|---------|:--------:| | ||
| <a name="input_account_label"></a> [account\_label](#input\_account\_label) | Specify a friendly human-readable name to use to identify this source account when you are viewing data from it in the monitoring account.<br> You can include the following variables in your template:<br> - `$AccountName` is the name of the account<br> - `$AccountEmail` is a globally-unique email address, which includes the email domain, such as [email protected]<br> - `$AccountEmailNoDomain` is an email address without the domain name, such as mariagarcia | `string` | `"$AccountName"` | no | | ||
| <a name="input_resource_types"></a> [resource\_types](#input\_resource\_types) | An array of strings that define which types of data that the source account shares with the monitoring account. | `list(string)` | <pre>[<br> "AWS::CloudWatch::Metric",<br> "AWS::Logs::LogGroup",<br> "AWS::XRay::Trace"<br>]</pre> | no | | ||
| <a name="input_sink_identifier"></a> [sink\_identifier](#input\_sink\_identifier) | The ARN of the sink in the monitoring account that you want to link to. | `string` | n/a | yes | | ||
| <a name="input_tags"></a> [tags](#input\_tags) | An array of key-value pairs to apply to the link. | `map(string)` | `{}` | no | | ||
|
||
## Outputs | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
| <a name="output_arn"></a> [arn](#output\_arn) | The ARN of the link. | | ||
| <a name="output_id"></a> [id](#output\_id) | The ID string that AWS generated as part of the link ARN. | | ||
| <a name="output_sink_arn"></a> [sink\_arn](#output\_sink\_arn) | ARN of the sink that is used for this link. | | ||
<!-- END_TF_DOCS --> |
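Review bot: the example address in the `account_label` description renders as `[email protected]`, which is a redaction placeholder rather than an example; if the committed text reads the same, use an address under an RFC 2606 reserved domain such as `mariagarcia@example.com`, and make the change in `variables.tf`, since this file is generated from it by terraform-docs.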
@@ -0,0 +1,6 @@ | ||
resource "aws_oam_link" "this" { | ||
label_template = var.account_label | ||
resource_types = var.resource_types | ||
sink_identifier = var.sink_identifier | ||
tags = var.tags | ||
} |
@@ -0,0 +1,14 @@ | ||
output "arn" { | ||
description = "The ARN of the link." | ||
value = aws_oam_link.this.arn | ||
} | ||
|
||
output "id" { | ||
description = "The ID string that AWS generated as part of the link ARN." | ||
value = aws_oam_link.this.link_id | ||
} | ||
|
||
output "sink_arn" { | ||
description = "ARN of the sink that is used for this link." | ||
value = aws_oam_link.this.sink_arn | ||
} |
@@ -0,0 +1,46 @@ | ||
variable "account_label" { | ||
description = <<EOF | ||
Specify a friendly human-readable name to use to identify this source account when you are viewing data from it in the monitoring account. | ||
You can include the following variables in your template: | ||
- `$AccountName` is the name of the account | ||
- `$AccountEmail` is a globally-unique email address, which includes the email domain, such as [email protected] | ||
- `$AccountEmailNoDomain` is an email address without the domain name, such as mariagarcia | ||
EOF | ||
type = string | ||
default = "$AccountName" | ||
} | ||
|
||
variable "resource_types" { | ||
type = list(string) | ||
description = "An array of strings that define which types of data that the source account shares with the monitoring account." | ||
|
||
validation { | ||
condition = alltrue([ | ||
for resource_type in var.resource_types : | ||
contains([ | ||
"AWS::CloudWatch::Metric", | ||
"AWS::Logs::LogGroup", | ||
"AWS::XRay::Trace", | ||
"AWS::ApplicationInsights::Application", | ||
], resource_type) | ||
]) | ||
error_message = "Valid values for OAM `resource_types` are `AWS::CloudWatch::Metric`, `AWS::Logs::LogGroup`, `AWS::XRay::Trace`, `AWS::ApplicationInsights::Application`." | ||
} | ||
|
||
default = [ | ||
"AWS::CloudWatch::Metric", | ||
"AWS::Logs::LogGroup", | ||
"AWS::XRay::Trace", | ||
] | ||
} | ||
|
||
variable "sink_identifier" { | ||
description = "The ARN of the sink in the monitoring account that you want to link to." | ||
type = string | ||
} | ||
|
||
variable "tags" { | ||
description = "An array of key-value pairs to apply to the link." | ||
type = map(string) | ||
default = {} | ||
} |
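Review bot: `sink_identifier` is the one security-relevant input of this module and has no validation, so a caller who passes a bare sink ID or an ARN from another service only finds out through an opaque API error at apply time. Add a `validation` block, for example `condition = can(regex("^arn:aws[a-z-]*:oam:[a-z0-9-]+:[0-9]{12}:sink/", var.sink_identifier))` with a matching `error_message`. Minor: the `resource_types` description has a doubled "that" ("define which types of data that the source account shares"), and the `[email protected]` example in the `account_label` heredoc should be a real example address under `example.com`.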
@@ -0,0 +1,10 @@ | ||
terraform { | ||
required_version = ">= 1.5" | ||
|
||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = ">= 5.15" | ||
} | ||
} | ||
} |
@@ -0,0 +1,43 @@ | ||
<!-- BEGIN_TF_DOCS --> | ||
## Requirements | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 | | ||
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.15 | | ||
|
||
## Providers | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.15 | | ||
|
||
## Modules | ||
|
||
No modules. | ||
|
||
## Resources | ||
|
||
| Name | Type | | ||
|------|------| | ||
| [aws_oam_sink.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/oam_sink) | resource | | ||
| [aws_oam_sink_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/oam_sink_policy) | resource | | ||
|
||
## Inputs | ||
|
||
| Name | Description | Type | Default | Required | | ||
|------|-------------|------|---------|:--------:| | ||
| <a name="input_name"></a> [name](#input\_name) | Name of the OAM sink | `string` | `null` | no | | ||
| <a name="input_resource_types"></a> [resource\_types](#input\_resource\_types) | Resource types to retrieve with OAM | `list(string)` | <pre>[<br> "AWS::CloudWatch::Metric",<br> "AWS::Logs::LogGroup",<br> "AWS::XRay::Trace"<br>]</pre> | no | | ||
| <a name="input_source_account_ids"></a> [source\_account\_ids](#input\_source\_account\_ids) | List of source AWS account IDs for OAM | `list(string)` | `[]` | no | | ||
| <a name="input_source_org_ids"></a> [source\_org\_ids](#input\_source\_org\_ids) | List of source Organisation ID's for OAM | `list(string)` | `[]` | no | | ||
| <a name="input_source_org_paths"></a> [source\_org\_paths](#input\_source\_org\_paths) | List of source Organisation unit paths for OAM | `list(string)` | `[]` | no | | ||
| <a name="input_tags"></a> [tags](#input\_tags) | An array of key-value pairs to apply to the sink. | `map(string)` | `{}` | no | | ||
|
||
## Outputs | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
| <a name="output_oam_sink_arn"></a> [oam\_sink\_arn](#output\_oam\_sink\_arn) | ARN of OAM sink | | ||
| <a name="output_oam_sink_id"></a> [oam\_sink\_id](#output\_oam\_sink\_id) | ID of OAM sink | | ||
<!-- END_TF_DOCS --> |
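Review bot: this generated table shows `name` as optional with default `null`, while the provider documents `aws_oam_sink.name` as required, so the README promises a default the module cannot honour; fix the variable and regenerate with terraform-docs. The descriptions for `source_org_ids` and `source_org_paths` ("Organisation ID's") carry a stray apostrophe and spell the service differently from its AWS Organizations name.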
@@ -0,0 +1,49 @@ | ||
locals { | ||
source_accounts_statement = { | ||
Effect = "Allow" | ||
Principal = { | ||
"AWS" = var.source_account_ids | ||
} | ||
Action = ["oam:CreateLink", "oam:UpdateLink"] | ||
Resource = "*" | ||
Condition = { | ||
"ForAllValues:StringEquals" = { | ||
"oam:ResourceTypes" = var.resource_types | ||
} | ||
} | ||
} | ||
source_organizations_statement = { | ||
Effect = "Allow" | ||
Principal = "*" | ||
Action = ["oam:CreateLink", "oam:UpdateLink"] | ||
Resource = "*" | ||
Condition = { | ||
"ForAllValues:StringEquals" = { | ||
"oam:ResourceTypes" = var.resource_types | ||
} | ||
"ForAnyValue:StringEquals" = { | ||
"aws:PrincipalOrgID" = var.source_org_ids | ||
} | ||
} | ||
} | ||
source_organization_paths_statement = { | ||
Effect = "Allow" | ||
Principal = "*" | ||
Action = ["oam:CreateLink", "oam:UpdateLink"] | ||
Resource = "*" | ||
Condition = { | ||
"ForAllValues:StringEquals" = { | ||
"oam:ResourceTypes" = var.resource_types | ||
} | ||
"ForAnyValue:StringLike" : { | ||
"aws:PrincipalOrgPaths" : var.source_org_paths | ||
} | ||
} | ||
} | ||
|
||
policy_required = length(concat( | ||
var.source_account_ids, | ||
var.source_org_ids, | ||
var.source_org_paths, | ||
)) > 0 | ||
} |
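Review bot: the `source_organization_paths_statement` combines `Principal = "*"` with `ForAnyValue:StringLike` on `aws:PrincipalOrgPaths`, so the only thing narrowing it to your organization is the shape of the strings in `var.source_org_paths`; a caller who passes `"*"`, or a path without the `o-.../r-.../` prefix, would let any AWS account create a link to this sink. The same applies to `source_account_ids`, because `"AWS" = ["*"]` in a `Principal` block means every AWS principal. Add input validations such as `condition = alltrue([for p in var.source_org_paths : can(regex("^o-[a-z0-9]+/r-[a-z0-9]+/", p))])`, `^o-[a-z0-9]+$` for `source_org_ids` and `^[0-9]{12}$` for `source_account_ids`. Style: the third statement uses `:` where the other two use `=` for object keys; pick one.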
@@ -0,0 +1,19 @@ | ||
resource "aws_oam_sink" "this" { | ||
name = var.name | ||
tags = var.tags | ||
} | ||
|
||
resource "aws_oam_sink_policy" "this" { | ||
count = local.policy_required ? 1 : 0 | ||
|
||
sink_identifier = aws_oam_sink.this.arn | ||
|
||
policy = jsonencode({ | ||
Version = "2012-10-17" | ||
Statement = concat( | ||
length(var.source_account_ids) > 0 ? [local.source_accounts_statement] : [], | ||
length(var.source_org_ids) > 0 ? [local.source_organizations_statement] : [], | ||
length(var.source_org_paths) > 0 ? [local.source_organization_paths_statement] : [], | ||
) | ||
}) | ||
} |
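Review bot: the policy is created only when at least one of the three source lists is non-empty, which is the right default (the README states a sink without a sink policy lets no source account attach), but that behaviour is not documented; add a sentence to the sink README so a caller who leaves all three lists empty knows why links fail. Consider giving each statement a `Sid` so the rendered policy and CloudTrail records show which input produced each grant.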
@@ -0,0 +1,9 @@ | ||
output "oam_sink_id" { | ||
description = "ID of OAM sink" | ||
value = aws_oam_sink.this.id | ||
} | ||
|
||
output "oam_sink_arn" { | ||
description = "ARN of OAM sink" | ||
value = aws_oam_sink.this.arn | ||
} |
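Review bot: `oam_sink_id` is set from `aws_oam_sink.this.id`, but the provider uses the sink ARN as the resource `id`, so this output duplicates `oam_sink_arn`; the attribute that carries the generated identifier is `sink_id`, mirroring the `link_id` the link module uses for its `id` output.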
@@ -0,0 +1,53 @@ | ||
variable "name" { | ||
description = "Name of the OAM sink" | ||
type = string | ||
default = null | ||
} | ||
|
||
variable "source_account_ids" { | ||
description = "List of source AWS account IDs for OAM" | ||
type = list(string) | ||
default = [] | ||
} | ||
|
||
variable "source_org_ids" { | ||
description = "List of source Organisation ID's for OAM" | ||
type = list(string) | ||
default = [] | ||
} | ||
|
||
variable "source_org_paths" { | ||
description = "List of source Organisation unit paths for OAM" | ||
type = list(string) | ||
default = [] | ||
} | ||
|
||
variable "resource_types" { | ||
description = "Resource types to retrieve with OAM" | ||
type = list(string) | ||
|
||
validation { | ||
condition = alltrue([ | ||
for resource_type in var.resource_types : | ||
contains([ | ||
"AWS::CloudWatch::Metric", | ||
"AWS::Logs::LogGroup", | ||
"AWS::XRay::Trace", | ||
"AWS::ApplicationInsights::Application", | ||
], resource_type) | ||
]) | ||
error_message = "Invalid values for `oam_resource_types`." | ||
} | ||
|
||
default = [ | ||
"AWS::CloudWatch::Metric", | ||
"AWS::Logs::LogGroup", | ||
"AWS::XRay::Trace", | ||
] | ||
} | ||
|
||
variable "tags" { | ||
description = "An array of key-value pairs to apply to the sink." | ||
type = map(string) | ||
default = {} | ||
} |
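Review bot: `name` defaults to `null`, but `aws_oam_sink.name` is a required argument, so a caller who omits it gets a plan-time error rather than a generated name; remove the `default = null` line so the variable is required and documented as such. The `error_message` in the `resource_types` validation refers to `oam_resource_types`, which is not this variable's name; reuse the message from the link module, which also lists the accepted values. Also, `source_account_ids`, `source_org_ids` and `source_org_paths` accept any string, so a format validation (twelve digits, `o-...`, `o-.../r-.../`) would stop a stray wildcard from widening the sink policy to every AWS account.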
@@ -0,0 +1,10 @@ | ||
terraform { | ||
required_version = ">= 1.5" | ||
|
||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = ">= 5.15" | ||
} | ||
} | ||
} |