From 17c0762676645c90ee734b79e101d52b8d08a670 Mon Sep 17 00:00:00 2001 From: niroz89 Date: Fri, 15 Dec 2023 16:40:00 +0800 Subject: [PATCH 1/4] Add oam code --- README.md | 25 +++++++++++++++++- modules/.gitkeep | 0 modules/link/README.md | 41 ++++++++++++++++++++++++++++++ modules/link/main.tf | 6 +++++ modules/link/outputs.tf | 14 +++++++++++ modules/link/variables.tf | 46 +++++++++++++++++++++++++++++++++ modules/link/versions.tf | 10 ++++++++ modules/sink/README.md | 43 +++++++++++++++++++++++++++++++ modules/sink/locals.tf | 49 ++++++++++++++++++++++++++++++++++++ modules/sink/main.tf | 19 ++++++++++++++ modules/sink/outputs.tf | 9 +++++++ modules/sink/variables.tf | 53 +++++++++++++++++++++++++++++++++++++++ modules/sink/versions.tf | 10 ++++++++ 13 files changed, 324 insertions(+), 1 deletion(-) delete mode 100644 modules/.gitkeep create mode 100644 modules/link/README.md create mode 100644 modules/link/main.tf create mode 100644 modules/link/outputs.tf create mode 100644 modules/link/variables.tf create mode 100644 modules/link/versions.tf create mode 100644 modules/sink/README.md create mode 100644 modules/sink/locals.tf create mode 100644 modules/sink/main.tf create mode 100644 modules/sink/outputs.tf create mode 100644 modules/sink/variables.tf create mode 100644 modules/sink/versions.tf diff --git a/README.md b/README.md index 2854f8d..8c69880 100644 --- a/README.md +++ b/README.md 
@@ -1 +1,24 @@ -# Terraform Modules Template +# Observability Access Manager + +## Overview + +## What is OAM? + +**OAM is for centralized logging across accounts.** + +To set up OAM, we choose one or more AWS accounts as monitoring accounts and link them with multiple source accounts. A monitoring account is a central AWS account that can view and interact with observability data generated from source accounts. A source account is an individual AWS account that generates observability data for the resources that reside in it. Source accounts share their observability data with the monitoring account. + +The shared observability data can include metrics in Amazon CloudWatch, logs in Amazon CloudWatch Logs, and traces in AWS X-Ray. + +## OAM Components + +CloudWatch OAM consists of two major components which enable cross-account observability - + +### Sink + +A sink is a resource that represents an attachment point in a monitoring account. Source accounts can link to the sink to send observability data. After you create a sink, you must create a sink policy that allows source accounts to attach to it. + +### Link + +A link is a connection between a source account and a sink that you have created in a monitoring account. +Before you create a link, you must create a sink in the monitoring account and create a sink policy in that account. The sink policy must permit the source account to link to it. You can grant permission to source accounts by granting permission to an entire organization or to individual accounts. diff --git a/modules/.gitkeep b/modules/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/modules/link/README.md b/modules/link/README.md new file mode 100644 index 0000000..c1e8950 --- /dev/null +++ b/modules/link/README.md 
@@ -0,0 +1,41 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.5 | +| [aws](#requirement\_aws) | >= 5.15 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 5.15 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_oam_link.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/oam_link) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_label](#input\_account\_label) | Specify a friendly human-readable name to use to identify this source account when you are viewing data from it in the monitoring account.
You can include the following variables in your template:
- `$AccountName` is the name of the account
- `$AccountEmail` is a globally-unique email address, which includes the email domain, such as mariagarcia@example.com
- `$AccountEmailNoDomain` is an email address without the domain name, such as mariagarcia | `string` | `"$AccountName"` | no | +| [resource\_types](#input\_resource\_types) | An array of strings that define which types of data that the source account shares with the monitoring account. | `list(string)` |
[
"AWS::CloudWatch::Metric",
"AWS::Logs::LogGroup",
"AWS::XRay::Trace"
]
| no | +| [sink\_identifier](#input\_sink\_identifier) | The ARN of the sink in the monitoring account that you want to link to. | `string` | n/a | yes | +| [tags](#input\_tags) | An array of key-value pairs to apply to the link. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [arn](#output\_arn) | The ARN of the link. | +| [id](#output\_id) | The ID string that AWS generated as part of the link ARN. | +| [sink\_arn](#output\_sink\_arn) | ARN of the sink that is used for this link. | + \ No newline at end of file diff --git a/modules/link/main.tf b/modules/link/main.tf new file mode 100644 index 0000000..efd6ea0 --- /dev/null +++ b/modules/link/main.tf @@ -0,0 +1,6 @@ +resource "aws_oam_link" "this" { + label_template = var.account_label + resource_types = var.resource_types + sink_identifier = var.sink_identifier + tags = var.tags +} diff --git a/modules/link/outputs.tf b/modules/link/outputs.tf new file mode 100644 index 0000000..3d390c0 --- /dev/null +++ b/modules/link/outputs.tf @@ -0,0 +1,14 @@ +output "arn" { + description = "The ARN of the link." + value = aws_oam_link.this.arn +} + +output "id" { + description = "The ID string that AWS generated as part of the link ARN." + value = aws_oam_link.this.link_id +} + +output "sink_arn" { + description = "ARN of the sink that is used for this link." + value = aws_oam_link.this.sink_arn +} diff --git a/modules/link/variables.tf b/modules/link/variables.tf new file mode 100644 index 0000000..5c42fec --- /dev/null +++ b/modules/link/variables.tf 
@@ -0,0 +1,46 @@ +variable "account_label" { + description = < +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.5 | +| [aws](#requirement\_aws) | >= 5.15 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 5.15 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_oam_sink.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/oam_sink) | resource | +| [aws_oam_sink_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/oam_sink_policy) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [name](#input\_name) | Name of the OAM sink | `string` | `null` | no | +| [resource\_types](#input\_resource\_types) | Resource types to retrieve with OAM | `list(string)` |
[
"AWS::CloudWatch::Metric",
"AWS::Logs::LogGroup",
"AWS::XRay::Trace"
]
| no |
+| [source\_account\_ids](#input\_source\_account\_ids) | List of source AWS account IDs for OAM | `list(string)` | `[]` | no |
+| [source\_org\_ids](#input\_source\_org\_ids) | List of source Organisation ID's for OAM | `list(string)` | `[]` | no |
+| [source\_org\_paths](#input\_source\_org\_paths) | List of source Organisation unit paths for OAM | `list(string)` | `[]` | no |
+| [tags](#input\_tags) | An array of key-value pairs to apply to the sink. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [oam\_sink\_arn](#output\_oam\_sink\_arn) | ARN of OAM sink |
+| [oam\_sink\_id](#output\_oam\_sink\_id) | ID of OAM sink |
+ 
\ No newline at end of file
diff --git a/modules/sink/locals.tf b/modules/sink/locals.tf
new file mode 100644
index 0000000..af954cb
--- /dev/null
+++ b/modules/sink/locals.tf
@@ -0,0 +1,49 @@
+locals {
+ source_accounts_statement = {
+ Effect = "Allow"
+ Principal = {
+ "AWS" = var.source_account_ids
+ }
+ Action = ["oam:CreateLink", "oam:UpdateLink"]
+ Resource = "*"
+ Condition = {
+ "ForAllValues:StringEquals" = {
+ "oam:ResourceTypes" = var.resource_types
+ }
+ }
+ }
+ source_organizations_statement = {
+ Effect = "Allow"
+ Principal = "*"
+ Action = ["oam:CreateLink", "oam:UpdateLink"]
+ Resource = "*"
+ Condition = {
+ "ForAllValues:StringEquals" = {
+ "oam:ResourceTypes" = var.resource_types
+ }
+ "ForAnyValue:StringEquals" = {
+ "aws:PrincipalOrgID" = var.source_org_ids
+ }
+ }
+ }
+ source_organization_paths_statement = {
+ Effect = "Allow"
+ Principal = "*"
+ Action = ["oam:CreateLink", "oam:UpdateLink"]
+ Resource = "*"
+ Condition = {
+ "ForAllValues:StringEquals" = {
+ "oam:ResourceTypes" = var.resource_types
+ }
+ "ForAnyValue:StringLike" : {
+ "aws:PrincipalOrgPaths" : var.source_org_paths
+ }
+ }
+ }
+
+ policy_required = length(concat(
+ var.source_account_ids,
+ var.source_org_ids,
+ var.source_org_paths,
+ )) > 0
+}
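Review bot: `source_organizations_statement` applies `ForAnyValue:StringEquals` to `aws:PrincipalOrgID`, which AWS documents as a single-valued key; the set operators are intended for multivalued keys (`aws:PrincipalOrgPaths` is one, so the `ForAnyValue:StringLike` in the paths statement is appropriate), and the documented cross-organization sink-policy form is `"StringEquals" = { "aws:PrincipalOrgID" = var.source_org_ids }`, which already matches any ID in the list. Because both organization statements use `Principal = "*"`, the `Condition` block is the only thing limiting who may call `oam:CreateLink` against this sink, and nothing in `locals.tf` can tell whether `var.source_org_ids` or `var.source_org_paths` carries a bare wildcard; a comment such as `# Principal is "*" for the org statements: the aws:PrincipalOrgID / aws:PrincipalOrgPaths condition is the sole restriction, so those inputs must be validated in variables.tf` would make that dependency visible to the next maintainer. The paths statement also switches to the legacy `:` object syntax (`"ForAnyValue:StringLike" : {`, `"aws:PrincipalOrgPaths" : var.source_org_paths`) while every other attribute in the file uses `=`; `terraform fmt` style would be `"ForAnyValue:StringLike" = {`. A `Sid` on each of the three statements would also make the rendered policy easier to review, since all three otherwise share the same `Action` and `Resource`.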
diff --git a/modules/sink/main.tf b/modules/sink/main.tf
new file mode 100644
index 0000000..59ac8e2
--- /dev/null
+++ b/modules/sink/main.tf
@@ -0,0 +1,19 @@
+resource "aws_oam_sink" "this" {
+ name = var.name
+ tags = var.tags
+}
+
+resource "aws_oam_sink_policy" "this" {
+ count = local.policy_required ? 1 : 0
+
+ sink_identifier = aws_oam_sink.this.arn
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = concat(
+ length(var.source_account_ids) > 0 ? [local.source_accounts_statement] : [],
+ length(var.source_org_ids) > 0 ? [local.source_organizations_statement] : [],
+ length(var.source_org_paths) > 0 ? [local.source_organization_paths_statement] : [],
+ )
+ })
+}
diff --git a/modules/sink/outputs.tf b/modules/sink/outputs.tf
new file mode 100644
index 0000000..ce792a5
--- /dev/null
+++ b/modules/sink/outputs.tf
@@ -0,0 +1,9 @@
+output "oam_sink_id" {
+ description = "ID of OAM sink"
+ value = aws_oam_sink.this.id
+}
+
+output "oam_sink_arn" {
+ description = "ARN of OAM sink"
+ value = aws_oam_sink.this.arn
+}
diff --git a/modules/sink/variables.tf b/modules/sink/variables.tf
new file mode 100644
index 0000000..1481d68
--- /dev/null
+++ b/modules/sink/variables.tf
@@ -0,0 +1,53 @@
+variable "name" {
+ description = "Name of the OAM sink"
+ type = string
+ default = null
+}
+
+variable "source_account_ids" {
+ description = "List of source AWS account IDs for OAM"
+ type = list(string)
+ default = []
+}
+
+variable "source_org_ids" {
+ description = "List of source Organisation ID's for OAM"
+ type = list(string)
+ default = []
+}
+
+variable "source_org_paths" {
+ description = "List of source Organisation unit paths for OAM"
+ type = list(string)
+ default = []
+}
+
+variable "resource_types" {
+ description = "Resource types to retrieve with OAM"
+ type = list(string)
+
+ validation {
+ condition = alltrue([
+ for resource_type in var.resource_types :
+ contains([
+ "AWS::CloudWatch::Metric",
+ "AWS::Logs::LogGroup",
+ "AWS::XRay::Trace",
+ "AWS::ApplicationInsights::Application",
+ ], resource_type)
+ ])
+ error_message = "Invalid values for `oam_resource_types`."
+ }
+
+ default = [
+ "AWS::CloudWatch::Metric",
+ "AWS::Logs::LogGroup",
+ "AWS::XRay::Trace",
+ ]
+}
+
+variable "tags" {
+ description = "An array of key-value pairs to apply to the sink."
+ type = map(string)
+ default = {}
+}
diff --git a/modules/sink/versions.tf b/modules/sink/versions.tf
new file mode 100644
index 0000000..2885716
--- /dev/null
+++ b/modules/sink/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.5"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.15"
+ }
+ }
+}
From 54c0ed67b4faf2a906d91601a86ebe4a0c83131a Mon Sep 17 00:00:00 2001
From: niroz89
Date: Fri, 15 Dec 2023 16:40:23 +0800
Subject: [PATCH 2/4] Add license
---
 LICENSE | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 LICENSE
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d67a09a
--- /dev/null
+++ b/LICENSE
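Review bot: The `validation` block on `resource_types` names a non-existent input in its `error_message` (`oam_resource_types`), so a user who passes a bad value is pointed at a variable this module does not declare; the message should read `error_message = "Invalid value in resource_types; allowed: AWS::CloudWatch::Metric, AWS::Logs::LogGroup, AWS::XRay::Trace, AWS::ApplicationInsights::Application."`. The three principal inputs (`source_account_ids`, `source_org_ids`, `source_org_paths`) carry no validation, yet the sink policy built from them in `main.tf`/`locals.tf` uses `Principal = "*"` for the organization statements, so a stray `*` or malformed entry in `source_org_paths` would admit any AWS account instead of failing at plan time; the validation blocks below pin each input to its documented format (12-digit account ID, `o-…` organization ID, path beginning with an organization ID). The provider documents `name` on `aws_oam_sink` as required, so `default = null` on `name` looks likely to fail at plan time rather than create an unnamed sink — worth confirming against the pinned provider version before the README advertises it as optional.
```hcl
variable "source_account_ids" {
  description = "List of source AWS account IDs for OAM"
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for id in var.source_account_ids : can(regex("^[0-9]{12}$", id))])
    error_message = "Each entry in source_account_ids must be a 12-digit AWS account ID."
  }
}

variable "source_org_ids" {
  description = "List of source Organisation ID's for OAM"
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for id in var.source_org_ids : can(regex("^o-[a-z0-9]{10,32}$", id))])
    error_message = "Each entry in source_org_ids must be an AWS Organizations ID (o-xxxxxxxxxx)."
  }
}

variable "source_org_paths" {
  description = "List of source Organisation unit paths for OAM"
  type        = list(string)
  default     = []

  # A bare "*" here, combined with Principal "*" in the sink policy, would admit every AWS account;
  # require the path to start with an organization ID so the wildcard can only widen within that org.
  validation {
    condition     = alltrue([for p in var.source_org_paths : can(regex("^o-[a-z0-9]{10,32}/", p))])
    error_message = "Each entry in source_org_paths must begin with an organization ID followed by '/', e.g. o-xxxxxxxxxx/r-xxxx/ou-xxxx-xxxxxxxx/*."
  }
}

# … unchanged: name, resource_types (apart from the error_message fix), tags …
```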
@@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2022-present SPH Media + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. From 0fc7d246e9eb89d4ae83312d96a659a4026ac566 Mon Sep 17 00:00:00 2001 From: niroz89 Date: Fri, 15 Dec 2023 16:43:04 +0800 Subject: [PATCH 3/4] Fix eol --- modules/link/README.md | 2 +- modules/sink/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/link/README.md b/modules/link/README.md index c1e8950..b28d699 100644 --- a/modules/link/README.md +++ b/modules/link/README.md @@ -38,4 +38,4 @@ No modules. | [arn](#output\_arn) | The ARN of the link. | | [id](#output\_id) | The ID string that AWS generated as part of the link ARN. | | [sink\_arn](#output\_sink\_arn) | ARN of the sink that is used for this link. | - \ No newline at end of file + diff --git a/modules/sink/README.md b/modules/sink/README.md index 3f7f626..778da55 100644 --- a/modules/sink/README.md +++ b/modules/sink/README.md 
@@ -40,4 +40,4 @@ No modules. |------|-------------| | [oam\_sink\_arn](#output\_oam\_sink\_arn) | ARN of OAM sink | | [oam\_sink\_id](#output\_oam\_sink\_id) | ID of OAM sink | - \ No newline at end of file + From 571cd893beb9fc228a4af989675666ad3e6072e2 Mon Sep 17 00:00:00 2001 From: niroz89 Date: Fri, 15 Dec 2023 17:06:14 +0800 Subject: [PATCH 4/4] Fix output --- modules/sink/README.md | 4 ++-- modules/sink/outputs.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/sink/README.md b/modules/sink/README.md index 778da55..d970b56 100644 --- a/modules/sink/README.md +++ b/modules/sink/README.md @@ -38,6 +38,6 @@ No modules. | Name | Description | |------|-------------| -| [oam\_sink\_arn](#output\_oam\_sink\_arn) | ARN of OAM sink | -| [oam\_sink\_id](#output\_oam\_sink\_id) | ID of OAM sink | +| [arn](#output\_arn) | ARN of OAM sink | +| [id](#output\_id) | ID of OAM sink | diff --git a/modules/sink/outputs.tf b/modules/sink/outputs.tf index ce792a5..d3dc0e3 100644 --- a/modules/sink/outputs.tf +++ b/modules/sink/outputs.tf @@ -1,9 +1,9 @@ -output "oam_sink_id" { +output "id" { description = "ID of OAM sink" value = aws_oam_sink.this.id } -output "oam_sink_arn" { +output "arn" { description = "ARN of OAM sink" value = aws_oam_sink.this.arn }