terraform-aws-mcaf-saas-audit-logs
Terraform module to fetch audit logs from SaaS providers.
This module will create the necessary resources to fetch audit logs from SaaS providers and store them in an S3 bucket. Currently these providers are supported:
- GitLab
- Okta
- Terraform Cloud
[!NOTE] This module was created as a way to store audit logs in a central location for compliance purposes. At this time the lambdas collect logs for the previous day and can only be scheduled once per day. In a future version we will add log deduplication and the ability to fetch logs more frequently.
Usage
The module requires at least var.kms_key_arn and one source configured in var.sources. Below shows the most minimal configuration for each source:
module "saas_audit_logs" {
source = "schubergphilis/mcaf-saas-audit-logs/aws"
kms_key_arn = module.kms_key.arn
sources = {
gitlab = {
api_token = var.gitlab_api_token
}
okta = {
api_token = var.okta_api_token
api_url = "https://yourorg.okta.com"
}
terraform-cloud = {
api_token = var.terraform_api_token
}
}
}
With this configuration the module will
- Create 3 buckets:
- A bucket for audit logs
- A bucket for the audit logs access logs
- A bucket for the lambda packages
- Deploy a lambda per source to fetch the logs and store in the audit log bucket, using the provider name as a bucket prefix
- Schedule the lambdas to run at 9am UTC every day
Optionally you can create a bucket per source, by setting var.create_bucket_per_source to true, or bring your own bucket by populating the var.created_bucket_names:
created_bucket_names = {
audit_logs = "your-audit-logs-bucket"
lambda_package = "your-lambda-packages-bucket"
}
}
Tuning
Each source can be tuned by setting the following optional fields:
| field | description |
|---|---|
bucket_prefix |
Set a custom prefix for the stored logs for this source (defaults to source name) |
compress_audit_logs |
Store logs as compressed files (defaults to true) |
lambda_name |
Set a custom name for the lambda function |
lambda_memory_size |
Set the memory size for the lambda function (defaults to 256) |
lambda_log_level |
Set the log level for the lambda function (defaults to INFO) |
secret_name |
Set a custom secret name for the lambda function (defaults to /audit-log-tokens/${source_name)) |
tags |
Any additional tags to apply to the created resources |
Requirements
| Name | Version |
|---|---|
| terraform | >= 1.9 |
| aws | ~> 5.32 |
Providers
| Name | Version |
|---|---|
| aws | ~> 5.32 |
Modules
| Name | Source | Version |
|---|---|---|
| bucket_for_access_logs | schubergphilis/mcaf-s3/aws | ~> 0.14.1 |
| bucket_for_audit_logs | schubergphilis/mcaf-s3/aws | ~> 0.14.1 |
| bucket_for_lambda_package | schubergphilis/mcaf-s3/aws | ~> 0.14.1 |
| lambda | ./modules/audit-lambda | n/a |
Resources
| Name | Type |
|---|---|
| aws_lambda_event_source_mapping.terraform_audit_sqs_trigger | resource |
| aws_sqs_queue.terraform_cloud_audit_log | resource |
| aws_sqs_queue.terraform_cloud_audit_log_dlq | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.terraform_cloud | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| kms_key_arn | The ARN of the KMS key used to encrypt the resources | string |
n/a | yes |
| sources | Map of sources to fetch audit logs from | map(object({ api_token = string api_url = optional(string) bucket_prefix = optional(string) compress_audit_logs = optional(bool) lambda_name = optional(string) lambda_memory_size = optional(number) lambda_log_level = optional(string, "info") secret_name = optional(string) tags = optional(map(string)) })) | n/a | yes |
| bucket_base_name | The base name for the S3 buckets | string |
"saas-audit-logs" |
no |
| compress_audit_logs | Whether to compress the audit logs before uploading to S3 | bool |
true |
no |
| create_bucket | Whether to create the S3 bucket(s) | bool |
true |
no |
| create_bucket_per_source | Whether to create separate buckets per source | bool |
false |
no |
| created_bucket_names | Names of existing S3 buckets to use | object({ audit_logs = string lambda_package = string }) | null |
no |
| lambda_log_retention | The number of days to retain the logs for the Lambda function | number |
365 |
no |
| object_locking | Object locking configuration for S3 log and access-log buckets | object({ mode = optional(string, "GOVERNANCE") years = optional(number, 1) }) | { "mode": "GOVERNANCE", "years": 1} | no |
| scheduled_time | Time of day to trigger the audit Lambda functions (runs once a day) | string |
"09:00" |
no |
| tags | A map of tags to assign to created resources | map(string) |
{} |
no |
Outputs
No outputs.
License
Copyright: Schuberg Philis
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.