This Terraform configuration provisions a (modified) centralized logging solution, based on a solution made available by AWS under the Apache License Version 2.0.
My version of the solution is a derivative work that has been optimized for security in a few places, and comes as a complete Terraform configuration that can be adapted to your needs.
If you need help at any point, feel free to drop me a message at max@skripted.io.
Happy provisioning!
For a technical deep dive, use cases and a more detailed step-by-step guide, please refer to the available whitepaper.
- Latest AWS CLI installed
- Latest Terraform CLI installed
- 4 AWS accounts: mgt, log-archive and workloads.
Make sure your local terminal is authenticated with the mgt account. Then do the following:
1. In `/accounts/mgt` run `terraform init`
2. In `/accounts/mgt` run `terraform apply`
3. In `/accounts/mgt/state.tf` uncomment the configuration and make sure the S3 bucket name and DynamoDB table match the resources that were created in step 2. They default to `central-logging-demo-tf-state` and `central-logging-demo-tf-lock-table`.
4. In `/accounts/mgt` run `terraform init -migrate-state`. This moves the Terraform state from your local machine to the remote bucket.
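As an added illustration (not the repository's own `state.tf`), this is the shape the uncommented backend block takes once it is pointed at the resources from step 2; the `key` and `region` values are assumptions and should match your layout, while the bucket and table names are the defaults named above:

```hcl
terraform {
  backend "s3" {
    # Must match the state bucket created by the mgt apply in step 2
    bucket         = "central-logging-demo-tf-state"
    # Assumed path: one state object per account directory
    key            = "accounts/mgt/terraform.tfstate"
    # Assumed: the region in which the state bucket was created
    region         = "us-east-1"
    # Must match the DynamoDB lock table created in step 2; prevents concurrent applies
    dynamodb_table = "central-logging-demo-tf-lock-table"
    # Server-side encryption of the state object at rest
    encrypt        = true
  }
}
```

Run `terraform init -migrate-state` only after both resources exist, since the backend is initialised before anything is migrated. The state object records resource attributes, including any values surfaced through outputs, so read access to this bucket should be restricted as tightly as access to the accounts themselves.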
Make sure your local terminal is authenticated with the log-archive account. Then do the following:
1. In `/accounts/log-archive` run `terraform init`
2. In `/accounts/log-archive` run `terraform apply`
Remember that the Terraform configuration includes an example of how to subscribe your logs to the log destination that was provisioned in log-archive. To illustrate how this would work in a staging/prod environment across multiple regions, there are example us-east-1 and us-west-2 folders. Each contains the same configuration, with the exception of the values for the region and the environment.
To set up the staging example:
1. In `/accounts/workload/us-east-1/staging` run `terraform init`
2. In `/accounts/workload/us-east-1/staging` run `terraform apply`
To set up the production example:
1. In `/accounts/workload/us-west-2/prod` run `terraform init`
2. In `/accounts/workload/us-west-2/prod` run `terraform apply`
```
.
├── accounts
│   ├── log-archive
│   │   ├── main.tf
│   │   ├── output.tf
│   │   ├── providers.tf
│   │   ├── state.tf
│   │   ├── terraform.tfvars
│   │   └── variables.tf
│   ├── mgt
│   │   ├── main.tf
│   │   ├── output.tf
│   │   ├── providers.tf
│   │   ├── state.tf
│   │   ├── terraform.tfvars
│   │   └── variables.tf
│   └── workload
│       ├── us-east-1
│       │   └── staging
│       │       ├── main.tf
│       │       ├── providers.tf
│       │       ├── state.tf
│       │       ├── terraform.tfvars
│       │       └── variables.tf
│       └── us-west-2
│           └── prod
│               ├── main.tf
│               ├── providers.tf
│               ├── state.tf
│               ├── terraform.tfvars
│               └── variables.tf
├── cognito-user.sh
├── diagram.png
├── modules
│   ├── network
│   │   └── vpc-flow-log
│   │       ├── main.tf
│   │       └── variables.tf
│   ├── observability
│   │   ├── cw-log-destination
│   │   │   ├── main.tf
│   │   │   ├── output.tf
│   │   │   ├── providers.tf
│   │   │   └── variables.tf
│   │   ├── kinesis-firehose
│   │   │   ├── main.tf
│   │   │   ├── output.tf
│   │   │   └── variables.tf
│   │   ├── kinesis-stream
│   │   │   ├── main.tf
│   │   │   ├── output.tf
│   │   │   └── variables.tf
│   │   ├── opensearch-cluster
│   │   │   ├── main.tf
│   │   │   ├── output.tf
│   │   │   └── variables.tf
│   │   └── transformer-lambda
│   │       ├── main.tf
│   │       └── variables.tf
│   └── security
│       ├── cognito-authorizer
│       │   ├── main.tf
│       │   ├── output.tf
│       │   └── variables.tf
│       ├── jumpbox
│       │   ├── main.tf
│       │   └── variables.tf
│       ├── kms-key
│       │   ├── main.tf
│       │   ├── output.tf
│       │   └── variables.tf
│       └── secrets-manager
│           ├── main.tf
│           ├── output.tf
│           └── variables.tf
├── readme.md
└── terraform-role.sh
```
- Skripted - Infrastructure as Code (website)
- Maxim Schram max@skripted.io