Implement module for CloudWatch logs (#1)

.gitignore

@@ -4,3 +4,6 @@
 
 # Module directory
 .terraform/
+
+.build-harness
+build-harness

.travis.yml

@@ -0,0 +1,16 @@
+addons:
+  apt:
+    packages:
+      - git
+      - make
+      - curl
+
+install:
+  - make init
+
+script:
+  - make terraform:install
+  - make terraform:get-plugins
+  - make terraform:get-modules
+  - make terraform:lint
+  - make terraform:validate

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright {yyyy} {name of copyright owner}
+      Copyright 2017 Cloud Posse, LLC
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

Makefile

@@ -0,0 +1,6 @@
+SHELL := /bin/bash
+
+-include $(shell curl -sSL -o .build-harness "https://git.io/build-harness"; echo .build-harness)
+
+lint:
+	$(SELF) terraform:install terraform:get-modules terraform:get-plugins terraform:lint terraform:validate

README.md

@@ -1 +1,46 @@
-# terraform-aws-cloudwatch-logs
+# terraform-aws-cloudwatch-logs [![Build Status](https://travis-ci.org/cloudposse/terraform-aws-cloudwatch-logs.svg?branch=master)](https://travis-ci.org/cloudposse/terraform-aws-cloudwatch-logs)
+
+Terraform module for creation streams and group for them.
+
+## Usage
+
+```terraform
+module "cloudwatch_log" {
+  namespace    = "${var.namespace}"
+  stage        = "${var.stage}"
+  stream_names = ["kafka-instance-1", "kafka-instance-2"]
+}
+```
+
+## Inputs
+
+| Name                |    Default    | Description                                                     | Required |
+|:--------------------|:-------------:|:----------------------------------------------------------------|:--------:|
+| `namespace`         |      ``       | Namespace (e.g. `cp` or `cloudposse`)                           |   Yes    |
+| `stage`             |      ``       | Stage (e.g. `prod`, `dev`, `staging`)                           |   Yes    |
+| `name`              |      ``       | Name  (e.g. `bastion` or `db`)                                  |    No    |
+| `delimiter`         |      `-`      | Delimiter to be used between `name`, `namespace`, `stage`, etc. |    No    |
+| `attributes`        |     `[]`      | Additional attributes (e.g. `policy` or `role`)                 |    No    |
+| `tags`              |     `{}`      | Additional tags  (e.g. `map("BusinessUnit","XYZ")`              |    No    |
+| `retention_in_days` |     `30`      | Number of days you want to retain log events in the log group   |    No    |
+| `stream_names`      | `["default"]` | List names of streams                                           |    No    |
+| `user_enabled`      |    `true`     | Flag for creation user                                          |    No    |
+| `region`            |      ``       | AWS region, by default used the region of caller                |    No    |
+
+## Outputs
+
+| Name                | Description           |
+|:--------------------|:----------------------|
+| `log_group_arn`     | ARN of the log group  |
+| `access_key_id`     | Access key ID         |
+| `secret_access_key` | Secret access key     |
+| `stream_arns`       | ARN of the log stream |
+| `user_arn`          | ARN of AWS user       |
+| `user_name`         | AWS username          |
+| `user_unique_id`    | ID of user            |
+| `log_stream_names`  | Name of log streams   |
+| `log_group_name`    | Name of log group     |
+
+## License
+
+Apache 2 License. See [`LICENSE`](LICENSE) for full details.

iam.tf

@@ -0,0 +1,39 @@
+data "aws_iam_policy_document" "log_assume" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["logs.${length(var.region) > 0 ? var.region: data.aws_region.default.name}.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "log" {
+  statement {
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:DescribeLogGroups",
+      "logs:DescribeLogStreams",
+      "logs:CreateLogStream",
+      "logs:DeleteLogStream",
+    ]
+
+    resources = [
+      "${join(",", compact(concat(list(aws_cloudwatch_log_group.default.arn), aws_cloudwatch_log_stream.default.*.arn)))}",
+    ]
+  }
+}
+
+resource "aws_iam_role" "log" {
+  name               = "${module.log_group_label.id}"
+  assume_role_policy = "${data.aws_iam_policy_document.log_assume.json}"
+}
+
+resource "aws_iam_role_policy" "log" {
+  name   = "${module.log_group_label.id}"
+  role   = "${aws_iam_role.log.id}"
+  policy = "${data.aws_iam_policy_document.log.json}"
+}

iam_user.tf

@@ -0,0 +1,33 @@
+data "aws_iam_policy_document" "user" {
+  count = "${var.user_enabled == "true" ? 1 : 0}"
+
+  statement {
+    actions = [
+      "logs:DescribeDestinations",
+      "logs:DescribeExportTasks",
+      "logs:DescribeLogGroups",
+      "logs:DescribeLogStreams",
+      "logs:DescribeMetricFilters",
+      "logs:DescribeSubscriptionFilters",
+      "logs:FilterLogEvents",
+      "logs:GetLogEvents",
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:DescribeLogStreams",
+      "logs:CreateLogStream",
+      "logs:DeleteLogStream",
+    ]
+
+    resources = ["*"]
+  }
+}
+
+module "user" {
+  source    = "git::https://github.com/cloudposse/terraform-aws-iam-system-user.git?ref=tags/0.2.1"
+  namespace = "${var.namespace}"
+  stage     = "${var.stage}"
+  name      = "${var.name}"
+  policy    = "${data.aws_iam_policy_document.user.json}"
+  enabled   = "${var.user_enabled}"
+}

main.tf

@@ -0,0 +1,35 @@
+data "aws_region" "default" {
+  current = "true"
+}
+
+module "log_group_label" {
+  source     = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.3.1"
+  namespace  = "${var.namespace}"
+  name       = "${var.name}"
+  stage      = "${var.stage}"
+  delimiter  = "${var.delimiter}"
+  attributes = "${compact(concat(var.attributes, list("log"), list("group")))}"
+  tags       = "${var.tags}"
+}
+
+module "stream_label" {
+  source     = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.3.1"
+  namespace  = "${var.namespace}"
+  name       = "${var.name}"
+  stage      = "${var.stage}"
+  delimiter  = "${var.delimiter}"
+  attributes = "${compact(concat(var.attributes, list("stream")))}"
+  tags       = "${var.tags}"
+}
+
+resource "aws_cloudwatch_log_group" "default" {
+  name              = "${module.log_group_label.id}"
+  retention_in_days = "${var.retention_in_days}"
+  tags              = "${module.log_group_label.tags}"
+}
+
+resource "aws_cloudwatch_log_stream" "default" {
+  count          = "${length(var.stream_names)}"
+  name           = "${module.stream_label.id}${var.delimiter}${element(var.stream_names, count.index)}"
+  log_group_name = "${aws_cloudwatch_log_group.default.name}"
+}

outputs.tf

@@ -0,0 +1,44 @@
+output "log_group_arn" {
+  value       = "${aws_cloudwatch_log_group.default.arn}"
+  description = "ARN of the log group"
+}
+
+output "stream_arns" {
+  value       = "${aws_cloudwatch_log_stream.default.*.arn}"
+  description = "ARN of the log stream"
+}
+
+output "user_name" {
+  description = "AWS username"
+  value       = "${module.user.user_name}"
+}
+
+output "user_arn" {
+  description = "ARN of AWS user"
+  value       = "${module.user.user_arn}"
+}
+
+output "user_unique_id" {
+  description = "ID of user"
+  value       = "${module.user.user_unique_id}"
+}
+
+output "access_key_id" {
+  description = "Access key ID"
+  value       = "${module.user.access_key_id}"
+}
+
+output "secret_access_key" {
+  description = "Secret access key"
+  value       = "${module.user.secret_access_key}"
+}
+
+output "log_group_name" {
+  description = "Name of log group"
+  value       = "${aws_cloudwatch_log_group.default.name}"
+}
+
+output "log_stream_names" {
+  description = "Name of log streams"
+  value       = ["${aws_cloudwatch_log_stream.default.*.name}"]
+}

variables.tf

@@ -0,0 +1,63 @@
+variable "name" {
+  default     = ""
+  description = "Name  (e.g. `bastion` or `db`)"
+}
+
+variable "namespace" {
+  description = "Namespace (e.g. `cp` or `cloudposse`)"
+  type        = "string"
+}
+
+variable "stage" {
+  description = "Stage (e.g. `prod`, `dev`, `staging`)"
+  type        = "string"
+}
+
+variable "delimiter" {
+  type        = "string"
+  default     = "-"
+  description = "Delimiter to be used between `name`, `namespace`, `stage`, etc."
+}
+
+variable "attributes" {
+  type        = "list"
+  default     = []
+  description = "Additional attributes (e.g. `policy` or `role`)"
+}
+
+variable "tags" {
+  type        = "map"
+  default     = {}
+  description = "Additional tags (e.g. map(`BusinessUnit`,`XYZ`)"
+}
+
+variable "region" {
+  description = "AWS region"
+  default     = ""
+}
+
+variable "retention_in_days" {
+  description = "Number of days you want to retain log events in the log group"
+  default     = "30"
+}
+
+variable "stream_names" {
+  default     = ["default"]
+  type        = "list"
+  description = "Names of streams"
+}
+
+variable "path" {
+  default     = "/"
+  description = "Path in which to create the user"
+}
+
+variable "force_destroy" {
+  default     = "false"
+  description = "Force destroy user. Possible values: true or false"
+}
+
+variable "user_enabled" {
+  description = "Flag for creation user"
+  default     = "true"
+}