Add logging configuration for Aws Verified Access

examples/main.tf

@@ -178,3 +178,11 @@ module "alb" {
     Project     = "Example"
   }
 }
+
+module "verified_access_logging" {
+  source = "../modules/logging_configuration"
+
+  enable_logging              = true
+  create_cloudwatch_log_group = true
+  aws_verifiedaccess_instance = module.verified_access_oidc.verifiedaccess_instance_id
+}

modules/logging_configuration/README.md

@@ -0,0 +1,54 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.24 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.24 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_kms_alias.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.log_encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_verifiedaccess_instance_logging_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/verifiedaccess_instance_logging_configuration) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_alias"></a> [alias](#input\_alias) | Alias for kms key | `string` | `"alias/ava/loggroup"` | no |
+| <a name="input_aws_verifiedaccess_instance"></a> [aws\_verifiedaccess\_instance](#input\_aws\_verifiedaccess\_instance) | Verified access Instance to be associated with logging | `string` | `""` | no |
+| <a name="input_cloudwatch_log_group_name"></a> [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | New CW log group name if creating a new group | `string` | `"default-ava-cloudwatch-loggroup"` | no |
+| <a name="input_cloudwatch_logs"></a> [cloudwatch\_logs](#input\_cloudwatch\_logs) | Configuration for CloudWatch logs | <pre>object({<br>    enable    = bool<br>    log_group = string<br>  })</pre> | <pre>{<br>  "enable": false,<br>  "log_group": ""<br>}</pre> | no |
+| <a name="input_create_cloudwatch_log_group"></a> [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Enable/disable CloudWatch Log Group, if false provide existing group | `bool` | `false` | no |
+| <a name="input_enable_kms_key_rotation"></a> [enable\_kms\_key\_rotation](#input\_enable\_kms\_key\_rotation) | enable/disable automatic rotation of the KMS key | `bool` | `true` | no |
+| <a name="input_enable_logging"></a> [enable\_logging](#input\_enable\_logging) | Enable/disable logging config | `bool` | `false` | no |
+| <a name="input_include_trust_context"></a> [include\_trust\_context](#input\_include\_trust\_context) | Trust providers in AVA logs | `bool` | `false` | no |
+| <a name="input_kinesis_data_firehose"></a> [kinesis\_data\_firehose](#input\_kinesis\_data\_firehose) | Configuration for Kinesis Data Firehose logs | <pre>object({<br>    enable          = bool<br>    delivery_stream = string<br>  })</pre> | <pre>{<br>  "delivery_stream": "",<br>  "enable": false<br>}</pre> | no |
+| <a name="input_kms_key_deletion_window_in_days"></a> [kms\_key\_deletion\_window\_in\_days](#input\_kms\_key\_deletion\_window\_in\_days) | The wait period(days) before rotating | `number` | `10` | no |
+| <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | Retain logs in the CW Log Group. | `number` | `90` | no |
+| <a name="input_log_version"></a> [log\_version](#input\_log\_version) | Log version for AVA logs | `string` | `""` | no |
+| <a name="input_override_cloudwatch_log_group_name"></a> [override\_cloudwatch\_log\_group\_name](#input\_override\_cloudwatch\_log\_group\_name) | Existing CW log group name (optional) | `string` | `""` | no |
+| <a name="input_s3_logs"></a> [s3\_logs](#input\_s3\_logs) | Configuration for S3 logs | <pre>object({<br>    enable       = bool<br>    bucket_name  = string<br>    bucket_owner = optional(number)<br>    prefix       = string<br>  })</pre> | <pre>{<br>  "bucket_name": "",<br>  "enable": false,<br>  "prefix": ""<br>}</pre> | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_cloudwatch_log_group_name"></a> [cloudwatch\_log\_group\_name](#output\_cloudwatch\_log\_group\_name) | CloudWatch Log Group for AVA logging. |
+| <a name="output_kms_key_arn"></a> [kms\_key\_arn](#output\_kms\_key\_arn) | KMS key ARN for encryption |

modules/logging_configuration/data.tf

@@ -0,0 +1,3 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}

modules/logging_configuration/kms.tf

@@ -0,0 +1,48 @@
+resource "aws_kms_key" "log_encryption_key" {
+  description             = "KMS key for encrypting CloudWatch logs of AWS Verified Access."
+  deletion_window_in_days = var.kms_key_deletion_window_in_days
+  enable_key_rotation     = var.enable_kms_key_rotation
+
+  policy = data.aws_iam_policy_document.cloudwatch_log_group.json
+}
+
+resource "aws_kms_alias" "key" {
+  count = var.alias != null && var.alias != "" ? 1 : 0
+
+  name          = var.alias
+  target_key_id = aws_kms_key.log_encryption_key.key_id
+}
+
+
+################
+# KMS policy to allow cloudwatch log groups
+################
+data "aws_iam_policy_document" "cloudwatch_log_group" {
+  #checkov:skip=CKV_AWS_283=Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource
+  #checkov:skip=CKV_AWS_111=Ensure IAM policies does not allow write access without constraints
+  #checkov:skip=CKV_AWS_109: "Ensure IAM policies does not allow permissions management (only give for describe key)"
+  #checkov:skip=CKV_AWS_356:Ensure IAM policies limit resource access
+  statement {
+    sid = "Add permission to cw to access KMS key"
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "*"
+      ]
+    }
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "ArnLike"
+      variable = "kms:EncryptionContext:aws:logs:arn"
+      values   = ["arn:aws:logs:${local.aws_region}:${local.account_id}:log-group:*"]
+    }
+  }
+}

modules/logging_configuration/local.tf

@@ -0,0 +1,6 @@
+locals {
+  # tflint-ignore: terraform_unused_declarations
+  cloudwatch_log_group_name = var.enable_logging ? (var.override_cloudwatch_log_group_name != "" ? var.override_cloudwatch_log_group_name : aws_cloudwatch_log_group.cloudwatch_log_group[0].arn) : ""
+  account_id                = data.aws_caller_identity.current.account_id
+  aws_region                = data.aws_region.current.name
+}

modules/logging_configuration/main.tf

@@ -0,0 +1,37 @@
+resource "aws_verifiedaccess_instance_logging_configuration" "this" {
+
+  count = var.enable_logging ? 1 : 0
+
+  access_logs {
+    cloudwatch_logs {
+      enabled   = var.cloudwatch_logs.enable
+      log_group = aws_cloudwatch_log_group.cloudwatch_log_group[0].arn
+    }
+
+    kinesis_data_firehose {
+      enabled         = var.kinesis_data_firehose.enable
+      delivery_stream = var.kinesis_data_firehose.delivery_stream
+    }
+
+    s3 {
+      enabled      = var.s3_logs.enable
+      bucket_name  = var.s3_logs.bucket_name
+      bucket_owner = var.s3_logs.bucket_owner
+      prefix       = var.s3_logs.prefix
+    }
+
+    log_version           = var.log_version
+    include_trust_context = var.include_trust_context
+  }
+
+  verifiedaccess_instance_id = var.aws_verifiedaccess_instance
+
+}
+
+resource "aws_cloudwatch_log_group" "cloudwatch_log_group" {
+  #checkov:skip=CKV_AWS_338:Ensure CloudWatch log groups retains logs for at least 1 year
+  count             = var.create_cloudwatch_log_group && var.enable_logging ? 1 : 0
+  name              = var.cloudwatch_log_group_name
+  kms_key_id        = aws_kms_key.log_encryption_key.arn
+  retention_in_days = var.log_retention_in_days
+}

modules/logging_configuration/outputs.tf

@@ -0,0 +1,9 @@
+output "kms_key_arn" {
+  value       = aws_kms_key.log_encryption_key.arn
+  description = "KMS key ARN for encryption"
+}
+
+output "cloudwatch_log_group_name" {
+  value       = var.cloudwatch_log_group_name
+  description = "CloudWatch Log Group for AVA logging."
+}

modules/logging_configuration/variables.tf

@@ -0,0 +1,106 @@
+#Logging
+variable "enable_logging" {
+  description = "Enable/disable logging config"
+  type        = bool
+  default     = false
+}
+
+variable "aws_verifiedaccess_instance" {
+  description = "Verified access Instance to be associated with logging"
+  type        = string
+  default     = ""
+}
+
+variable "cloudwatch_logs" {
+  description = "Configuration for CloudWatch logs"
+  type = object({
+    enable    = bool
+    log_group = string
+  })
+  default = {
+    enable    = false
+    log_group = ""
+  }
+}
+
+variable "kinesis_data_firehose" {
+  description = "Configuration for Kinesis Data Firehose logs"
+  type = object({
+    enable          = bool
+    delivery_stream = string
+  })
+  default = {
+    enable          = false
+    delivery_stream = ""
+  }
+}
+
+variable "s3_logs" {
+  description = "Configuration for S3 logs"
+  type = object({
+    enable       = bool
+    bucket_name  = string
+    bucket_owner = optional(number)
+    prefix       = string
+  })
+  default = {
+    enable      = false
+    bucket_name = ""
+    prefix      = ""
+  }
+}
+
+variable "log_version" {
+  description = "Log version for AVA logs"
+  type        = string
+  default     = ""
+}
+
+variable "include_trust_context" {
+  description = "Trust providers in AVA logs"
+  type        = bool
+  default     = false
+}
+
+#Cloudwatch Log group
+variable "create_cloudwatch_log_group" {
+  description = "Enable/disable CloudWatch Log Group, if false provide existing group"
+  type        = bool
+  default     = false
+}
+
+variable "cloudwatch_log_group_name" {
+  type        = string
+  description = "New CW log group name if creating a new group"
+  default     = "default-ava-cloudwatch-loggroup"
+}
+
+variable "override_cloudwatch_log_group_name" {
+  type        = string
+  description = "Existing CW log group name (optional)"
+  default     = ""
+}
+
+variable "log_retention_in_days" {
+  description = "Retain logs in the CW Log Group."
+  type        = number
+  default     = 90
+}
+
+variable "enable_kms_key_rotation" {
+  description = "enable/disable automatic rotation of the KMS key"
+  type        = bool
+  default     = true
+}
+
+variable "alias" {
+  description = "Alias for kms key"
+  type        = string
+  default     = "alias/ava/loggroup"
+}
+
+variable "kms_key_deletion_window_in_days" {
+  description = "The wait period(days) before rotating"
+  type        = number
+  default     = 10
+}

modules/logging_configuration/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.24"
+    }
+  }
+}

outputs.tf

@@ -2,3 +2,8 @@ output "verifiedaccess_group_id" {
   description = "The ID of the Verified Access group to associate the endpoint with."
   value       = aws_verifiedaccess_group.this.id
 }
+
+output "verifiedaccess_instance_id" {
+  description = "The ID of the Verified Access instance to associate the logging configuration."
+  value       = aws_verifiedaccess_instance.this.id
+}