log permissions

src/aws.go

@@ -1144,6 +1144,11 @@ var tFLookup = map[string]interface{}{ //nolint:gochecknoglobals
 	"aws_lakeformation_data_lake_settings":                             awsLakeformationDataLakeSettings,
 	"aws_lakeformation_permissions":                                    awsLakeformationPermissions,
 	"aws_lakeformation_resource":                                       awsLakeformationResource,
+	"aws_cloudwatch_log_delivery":                                      awsCloudwatchLogDelivery,
+	"aws_cloudwatch_log_delivery_destination":                          awsCloudwatchLogDeliveryDestination,
+	"aws_cloudwatch_log_delivery_destination_policy":                   awsCloudwatchLogDeliveryDestinationPolicy,
+	"aws_cloudwatch_log_delivery_source":                               awsCloudwatchLogDeliverySource,
+	"aws_cloudwatch_log_index_policy":                                  awsCloudwatchLogIndexPolicy,
 }
 
 // GetAWSPermissions for AWS resources.

src/coverage/aws.md

@@ -1,6 +1,6 @@
 # todo aws
 
-Resource percentage coverage   76.43
+Resource percentage coverage   76.77
 Datasource percentage coverage 100.00
 
 ./resource.ps1 aws_amplify_backend_environment
@@ -23,11 +23,6 @@ Datasource percentage coverage 100.00
 ./resource.ps1 aws_cloudhsm_v2_hsm
 ./resource.ps1 aws_cloudtrail_organization_delegated_admin_account
 ./resource.ps1 aws_cloudwatch_log_anomaly_detector
-./resource.ps1 aws_cloudwatch_log_delivery
-./resource.ps1 aws_cloudwatch_log_delivery_destination
-./resource.ps1 aws_cloudwatch_log_delivery_destination_policy
-./resource.ps1 aws_cloudwatch_log_delivery_source
-./resource.ps1 aws_cloudwatch_log_index_policy
 ./resource.ps1 aws_codeconnections_host
 ./resource.ps1 aws_cognito_managed_user_pool_client
 ./resource.ps1 aws_comprehend_entity_recognizer

src/files.go

@@ -3222,3 +3222,18 @@ var awsLakeformationPermissions []byte
 
 //go:embed mapping/aws/resource/lakeformation/aws_lakeformation_resource.json
 var awsLakeformationResource []byte
+
+//go:embed mapping/aws/resource/logs/aws_cloudwatch_log_delivery.json
+var awsCloudwatchLogDelivery []byte
+
+//go:embed mapping/aws/resource/logs/aws_cloudwatch_log_delivery_destination.json
+var awsCloudwatchLogDeliveryDestination []byte
+
+//go:embed mapping/aws/resource/logs/aws_cloudwatch_log_delivery_destination_policy.json
+var awsCloudwatchLogDeliveryDestinationPolicy []byte
+
+//go:embed mapping/aws/resource/logs/aws_cloudwatch_log_delivery_source.json
+var awsCloudwatchLogDeliverySource []byte
+
+//go:embed mapping/aws/resource/logs/aws_cloudwatch_log_index_policy.json
+var awsCloudwatchLogIndexPolicy []byte

src/mapping/aws/resource/logs/aws_cloudwatch_log_anomaly_detector.json

@@ -0,0 +1,16 @@
+[
+  {
+    "apply": [
+      "logs:CreateLogAnomalyDetector",
+      "logs:GetLogAnomalyDetector",
+      "logs:DeleteLogAnomalyDetector",
+      "logs:UpdateLogAnomalyDetector"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [],
+    "modify": [],
+    "plan": []
+  }
+]

src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery.json

@@ -0,0 +1,16 @@
+[
+  {
+    "apply": [
+      "logs:GetLogDelivery",
+      "logs:CreateLogDelivery",
+      "logs:DeleteLogDelivery",
+      "logs:UpdateLogDelivery"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [],
+    "modify": [],
+    "plan": []
+  }
+]

src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery_destination.json

@@ -0,0 +1,16 @@
+[
+  {
+    "apply": [
+      "logs:PutDeliveryDestination",
+      "logs:GetDeliveryDestination",
+      "logs:DescribeDeliveryDestinations",
+      "logs:DeleteDeliveryDestination"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [],
+    "modify": [],
+    "plan": []
+  }
+]

src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery_destination_policy.json

@@ -0,0 +1,15 @@
+[
+  {
+    "apply": [
+      "logs:PutDeliveryDestinationPolicy",
+      "logs:GetDeliveryDestinationPolicy",
+      "logs:DeleteDeliveryDestinationPolicy"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [],
+    "modify": [],
+    "plan": []
+  }
+]

src/mapping/aws/resource/logs/aws_cloudwatch_log_delivery_source.json

@@ -0,0 +1,15 @@
+[
+  {
+    "apply": [
+      "logs:GetDeliverySource",
+      "logs:PutDeliverySource",
+      "logs:DeleteDeliverySource"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [],
+    "modify": [],
+    "plan": []
+  }
+]

src/mapping/aws/resource/logs/aws_cloudwatch_log_group.json

@@ -4,7 +4,8 @@
       "logs:CreateLogGroup",
       "logs:DescribeLogGroups",
       "logs:ListTagsLogGroup",
-      "logs:DeleteLogGroup"
+      "logs:DeleteLogGroup",
+      "logs:ListTagsForResource"
     ],
     "attributes": {
       "kms_key_id": [

src/mapping/aws/resource/logs/aws_cloudwatch_log_index_policy.json

@@ -0,0 +1,15 @@
+[
+  {
+    "apply": [
+      "logs:PutIndexPolicy",
+      "logs:DeleteIndexPolicy",
+      "logs:DescribeIndexPolicies"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [],
+    "modify": [],
+    "plan": []
+  }
+]

terraform/aws/backup/aws_cloudwatch_log_anomaly_detector.tf

@@ -0,0 +1,12 @@
+resource "aws_cloudwatch_log_group" "test" {
+  count = 2
+  name  = "testing-${count.index}"
+}
+
+# resource "aws_cloudwatch_log_anomaly_detector" "test" {
+#   detector_name           = "testing"
+#   log_group_arn_list      = [aws_cloudwatch_log_group.test[0].arn]
+#   anomaly_visibility_time = 7
+#   evaluation_frequency    = "TEN_MIN"
+#   enabled                 = "false"
+# }

terraform/aws/backup/aws_cloudwatch_log_delivery.tf

@@ -0,0 +1,8 @@
+resource "aws_cloudwatch_log_delivery" "example" {
+  delivery_source_name     = aws_cloudwatch_log_delivery_source.example.name
+  delivery_destination_arn = aws_cloudwatch_log_delivery_destination.example.arn
+
+  field_delimiter = ","
+
+  record_fields = ["event_timestamp", "event"]
+}

terraform/aws/backup/aws_cloudwatch_log_delivery_destination.tf

@@ -0,0 +1,8 @@
+resource "aws_cloudwatch_log_delivery_destination" "example" {
+  name = "example"
+
+  delivery_destination_configuration {
+    destination_resource_arn = aws_cloudwatch_log_group.test[0].arn
+  }
+
+}

terraform/aws/backup/aws_cloudwatch_log_delivery_destination_policy.tf

@@ -0,0 +1,23 @@
+resource "aws_cloudwatch_log_delivery_destination_policy" "example" {
+  delivery_destination_name   = aws_cloudwatch_log_delivery_destination.example.name
+  delivery_destination_policy = data.aws_iam_policy_document.example.json
+}
+
+
+data "aws_iam_policy_document" "example" {
+  statement {
+    sid    = "1"
+    effect = "Allow"
+    actions = [
+      "logs:CreateDelivery",
+    ]
+
+    resources = [
+      "*",
+    ]
+    principals {
+      identifiers = ["AWS"]
+      type        = "arn:aws:iam::680235478471:root"
+    }
+  }
+}

terraform/aws/backup/aws_cloudwatch_log_delivery_source.tf

@@ -0,0 +1,28 @@
+
+resource "aws_cloudwatch_log_delivery_source" "example" {
+  name         = "example"
+  log_type     = "APPLICATION_LOGS"
+  resource_arn = aws_instance.pike.arn
+}
+
+
+data "aws_ami" "ubuntu" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  owners = ["099720109477"] # Canonical
+}
+
+resource "aws_instance" "pike" {
+  ami           = data.aws_ami.ubuntu.id
+  instance_type = "t3.micro"
+}

terraform/aws/backup/aws_cloudwatch_log_index_policy.tf

@@ -0,0 +1,6 @@
+resource "aws_cloudwatch_log_index_policy" "pike" {
+  log_group_name = aws_cloudwatch_log_group.test[0].name
+  policy_document = jsonencode({
+    Fields = ["eventName"]
+  })
+}

terraform/aws/role/aws_iam_policy.basic.tf

@@ -31,85 +31,43 @@ resource "aws_iam_policy" "basic" {
           "ec2:StartInstances",
           "ec2:StopInstances",
           "ec2:TerminateInstances",
-          "iam:AttachRolePolicy",
-          "iam:CreateRole",
-          "iam:CreateServiceLinkedRole",
-          "iam:DeleteRole",
-          "iam:DetachRolePolicy",
-          "iam:GetRole",
-          "iam:ListAttachedRolePolicies",
-          "iam:ListInstanceProfilesForRole",
-          "iam:ListRolePolicies",
-          "organizations:CreateOrganization",
-          "organizations:DeleteOrganization",
-          "organizations:DescribeOrganization",
-          "organizations:ListRoots",
+          "logs:CreateLogGroup",
+          "logs:DeleteLogGroup",
+          "logs:DescribeLogGroups",
+          "logs:ListTagsLogGroup",
           "s3:DeleteObject",
           "s3:GetObject",
           "s3:ListBucket",
           "s3:PutObject",
 
-          # aws_lakeformation_resource
-          "lakeformation:RegisterResource",
-          "iam:PutRolePolicy",
-          "lakeformation:DescribeResource",
-          "lakeformation:DeregisterResource",
-          "iam:GetRolePolicy",
-          "lakeformation:UpdateResource",
-
-          # aws_lakeformation_data_lake_settings
-          "lakeformation:PutDataLakeSettings",
-          "lakeformation:GetDataLakeSettings",
-
-          # aws_glue_dev_endpoint
-          "glue:CreateDevEndpoint",
-          "iam:PassRole",
-          "glue:GetDevEndpoint",
-          "glue:DeleteDevEndpoint",
-          "glue:UpdateDevEndpoint",
-
-          # aws_glue_data_quality_ruleset
-          "glue:CreateDataQualityRuleset",
-          "glue:GetDataQualityRuleset",
-          "glue:GetTags",
-          "glie:DeleteTags",
-          "glue:DeleteDataQualityRuleset",
-          "glue:UpdateDataQualityRuleset",
-
-
-          # aws_ec2_traffic_mirror_target
-          "ec2:CreateTrafficMirrorTarget",
-          "ec2:DescribeTrafficMirrorTargets",
-          "ec2:DeleteTrafficMirrorTarget",
-
-          # aws_ec2_traffic_mirror_filter
-          "ec2:CreateTrafficMirrorFilter",
-          "ec2:ModifyTrafficMirrorFilterNetworkServices",
-          "ec2:DescribeTrafficMirrorFilters",
-          "ec2:DeleteTrafficMirrorFilter",
-
-          # aws_config_aggregate_authorization
-          "config:PutAggregationAuthorization",
-          "config:DescribeAggregationAuthorizations",
-          "config:DeleteAggregationAuthorization",
-
-          # aws_config_organization_managed_rule
-          "config:DescribeOrganizationConfigRules",
-          "config:DeleteOrganizationConfigRule",
-          "config:PutOrganizationConfigRule",
-
-          # aws_config_remediation_configuration
-          "config:DescribeRemediationConfigurations",
-          "config:DeleteRemediationConfiguration",
-          "config:PutRemediationConfigurations",
-
-          # aws_ec2_traffic_mirror_session.tf
-          "ec2:CreateTrafficMirrorSession",
-          "ec2:DeleteTrafficMirrorSession",
-          "ec2:ModifyTrafficMirrorSession",
-          "ec2:DescribeTrafficMirrorSessions",
-
-
+          # aws_cloudwatch_log_delivery_source
+          "logs:PutDeliverySource",
+          "logs:DeleteDeliverySource",
+
+          # aws_cloudwatch_log_group
+          "logs:ListTagsForResource",
+
+          # aws_cloudwatch_log_index_policy
+          "logs:PutIndexPolicy",
+          "logs:DeleteIndexPolicy",
+          "logs:DescribeIndexPolicies",
+
+          # aws_cloudwatch_log_delivery_destination
+          "logs:PutDeliveryDestination",
+          "logs:GetDeliveryDestination",
+          "logs:DescribeDeliveryDestinations",
+          "logs:DeleteDeliveryDestination",
+
+          # aws_cloudwatch_log_anomaly_detector
+          "logs:CreateLogAnomalyDetector",
+          "logs:GetLogAnomalyDetector",
+          "logs:DeleteLogAnomalyDetector",
+          "logs:UpdateLogAnomalyDetector",
+
+          # aws_cloudwatch_log_delivery_destination_policy
+          "logs:PutDeliveryDestinationPolicy",
+          "logs:GetDeliveryDestinationPolicy",
+          "logs:DeleteDeliveryDestinationPolicy"
         ],
         "Resource" : [
           "*"