feat: add cloud watch subscription filter to open search module (#82)
tony-griffin authored Apr 18, 2024
1 parent 73b2385 commit fd22b9b
Showing 3 changed files with 103 additions and 2 deletions.
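--- a/opensearch/cloudwatch.tf
+++ b/opensearch/cloudwatch.tf
@@ -0,0 +1,43 @@
+data "aws_ssm_parameter" "destination-arn" {
+name = "/copilot/tools/central_log_groups"
+}
+
+resource "aws_cloudwatch_log_subscription_filter" "opensearch_log_group_index_slow_logs" {
+name = "/aws/opensearch/${var.application}/${var.environment}/${var.name}/opensearch_log_group_index_slow"
+role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/CWLtoSubscriptionFilterRole"
+log_group_name = "/aws/opensearch/${local.domain_name}/index-slow"
+filter_pattern = ""
+destination_arn = jsondecode(data.aws_ssm_parameter.destination-arn.value)["prod"]
+
+depends_on = [aws_cloudwatch_log_group.opensearch_log_group_index_slow_logs]
+}
+
+resource "aws_cloudwatch_log_subscription_filter" "opensearch_log_group_search_slow_logs" {
+name = "/aws/opensearch/${var.application}/${var.environment}/${var.name}/opensearch_log_group_search_slow"
+role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/CWLtoSubscriptionFilterRole"
+log_group_name = "/aws/opensearch/${local.domain_name}/search-slow"
+filter_pattern = ""
+destination_arn = jsondecode(data.aws_ssm_parameter.destination-arn.value)["prod"]
+
+depends_on = [aws_cloudwatch_log_group.opensearch_log_group_search_slow_logs]
+}
+
+resource "aws_cloudwatch_log_subscription_filter" "opensearch_log_group_es_application_logs" {
+name = "/aws/opensearch/${var.application}/${var.environment}/${var.name}/opensearch_log_group_es_application"
+role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/CWLtoSubscriptionFilterRole"
+log_group_name = "/aws/opensearch/${local.domain_name}/es-application"
+filter_pattern = ""
+destination_arn = jsondecode(data.aws_ssm_parameter.destination-arn.value)["prod"]
+
+depends_on = [aws_cloudwatch_log_group.opensearch_log_group_es_application_logs]
+}
+
+resource "aws_cloudwatch_log_subscription_filter" "opensearch_log_group_audit_logs" {
+name = "/aws/opensearch/${var.application}/${var.environment}/${var.name}/opensearch_log_group_audit"
+role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/CWLtoSubscriptionFilterRole"
+log_group_name = "/aws/opensearch/${local.domain_name}/audit"
+filter_pattern = ""
+destination_arn = jsondecode(data.aws_ssm_parameter.destination-arn.value)["prod"]
+
+depends_on = [aws_cloudwatch_log_group.opensearch_log_group_audit_logs]
+}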
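Review bot: Every filter takes `jsondecode(data.aws_ssm_parameter.destination-arn.value)["prod"]` as its destination whatever `var.environment` is, so the audit and application logs of non-production domains appear to be forwarded to the same destination as production. If one central destination is intended, state it once, e.g. `# all environments ship to the central "prod" log destination by design`, and decode the parameter in a single local rather than four times; if the parameter carries per-environment keys, the key should be derived from the environment instead. The `role_arn` is assembled from the fixed name `CWLtoSubscriptionFilterRole`, which this file neither creates nor looks up, so the role's existence and the scope of its permissions have to be confirmed per account. A missing `prod` key or malformed JSON in the parameter would fail all four resources at plan time with an index error, which a `try(...)` with a clear message or a validation on the local would make easier to diagnose.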
3 changes: 1 addition & 2 deletions opensearch/locals.tf
Expand Up @@ -15,8 +15,7 @@ locals {
name = replace(var.name, "_", "-")
domain_name = substr(replace("${var.environment}-${local.name}", "_", "-"), 0, 28)
ssm_parameter_name = "/copilot/${var.application}/${var.environment}/secrets/${upper(replace("${var.name}_ENDPOINT", "-", "_"))}"

master_user = "opensearch_user"
master_user = "opensearch_user"

instances = coalesce(var.config.instances, 1)
zone_awareness_enabled = local.instances > 1
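--- a/opensearch/tests/opensearch.tftest.hcl
+++ b/opensearch/tests/opensearch.tftest.hcl
@@ -309,3 +309,62 @@ run "test_domain_name_truncation" {
 error_message = "Opensearch domain_name should be 'my-prod-environment-my-reall'"
 }
 }
+
+run "test_create_cloudwatch_subscription_filters" {
+command = plan
+
+variables {
+application = "my_app"
+environment = "my_env"
+name = "my_name"
+vpc_name = "terraform-tests-vpc"
+
+config = {
+engine = "2.5"
+instance = "t3.small.search"
+instances = 1
+volume_size = 80
+master = false
+}
+}
+
+assert {
+condition = aws_cloudwatch_log_subscription_filter.opensearch_log_group_index_slow_logs.name == "/aws/opensearch/my_app/my_env/my_name/opensearch_log_group_index_slow"
+error_message = "Cloudwatch log subscription filter name for cloudwatch log 'opensearch_log_group_index_slow_logs' should be '/aws/opensearch/my_app/my_env/my_name/opensearch_log_group_index_slow'"
+}
+
+assert {
+condition = aws_cloudwatch_log_subscription_filter.opensearch_log_group_search_slow_logs.name == "/aws/opensearch/my_app/my_env/my_name/opensearch_log_group_search_slow"
+error_message = "Cloudwatch log subscription filter name for cloudwatch log 'opensearch_log_group_search_slow_logs' should be '/aws/opensearch/my_app/my_env/my_name/opensearch_log_group_search_slow'"
+}
+
+assert {
+condition = aws_cloudwatch_log_subscription_filter.opensearch_log_group_es_application_logs.name == "/aws/opensearch/my_app/my_env/my_name/opensearch_log_group_es_application"
+error_message = "Cloudwatch log subscription filter name for cloudwatch log 'opensearch_log_group_es_application_logs' should be '/aws/opensearch/my_app/my_env/my_name/opensearch_log_group_es_application'"
+}
+
+assert {
+condition = aws_cloudwatch_log_subscription_filter.opensearch_log_group_audit_logs.name == "/aws/opensearch/my_app/my_env/my_name/opensearch_log_group_audit"
+error_message = "Cloudwatch log subscription filter name for cloudwatch log 'opensearch_log_group_audit_logs' should be '/aws/opensearch/my_app/my_env/my_name/opensearch_log_group_audit'"
+}
+
+assert {
+condition = aws_cloudwatch_log_subscription_filter.opensearch_log_group_index_slow_logs.log_group_name == "/aws/opensearch/my-env-my-name/index-slow"
+error_message = "Cloudwatch log subscription filter log group name for cloudwatch log 'opensearch_log_group_index_slow_logs' should be '/aws/opensearch/my-env-my-name/index-slow'"
+}
+
+assert {
+condition = aws_cloudwatch_log_subscription_filter.opensearch_log_group_search_slow_logs.log_group_name == "/aws/opensearch/my-env-my-name/search-slow"
+error_message = "Cloudwatch log subscription filter log group name for cloudwatch log 'opensearch_log_group_search_slow_logs' should be '/aws/opensearch/my-env-my-name/search-slow'"
+}
+
+assert {
+condition = aws_cloudwatch_log_subscription_filter.opensearch_log_group_es_application_logs.log_group_name == "/aws/opensearch/my-env-my-name/es-application"
+error_message = "Cloudwatch log subscription filter log group name for cloudwatch log 'opensearch_log_group_es_application_logs' should be '/aws/opensearch/my-env-my-name/es-application'"
+}
+
+assert {
+condition = aws_cloudwatch_log_subscription_filter.opensearch_log_group_audit_logs.log_group_name == "/aws/opensearch/my-env-my-name/audit"
+error_message = "Cloudwatch log subscription filter log group name for cloudwatch log 'opensearch_log_group_audit_logs' should be '/aws/opensearch/my-env-my-name/audit'"
+}
+}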
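Review bot: The new run block asserts only `name` and `log_group_name`, leaving `role_arn` and `destination_arn` unchecked, and those are the two attributes that decide under which identity the logs are read and where they are delivered. A regression that pointed a filter at a different role or destination would pass this test unnoticed. At least the role could be pinned with `condition = endswith(aws_cloudwatch_log_subscription_filter.opensearch_log_group_audit_logs.role_arn, ":role/CWLtoSubscriptionFilterRole")`. Checking `destination_arn` presumably needs the SSM parameter supplied by a mock or override defined outside this hunk, which is worth confirming since the run uses `command = plan`.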
