├── .circleci
    └── config.yml
├── .gitignore
├── README.md
└── terraform
    ├── aws.tf
    ├── cloudwatch.tf
    ├── elasticsearch.tf
    ├── iam.tf
    ├── kinesis.tf
    ├── kms.tf
    ├── outputs.tf
    ├── policies
        ├── ec2_assume_role.json
        ├── elasticsearch_policy.json
        └── firehose_assume_role.json
    ├── s3.tf
    ├── test
        ├── aws.tf
        ├── backend.tfvars.example
        ├── ec2-test.tf
        ├── files
        │   └── ec2-test.tpl
        ├── network.tf
        ├── outputs.tf
        ├── terraform.tfvars.example
        ├── variables.tf
        └── vpc-test.tf
    └── variables.tf


/.circleci/config.yml:
--------------------------------------------------------------------------------
 1 | version: 2
 2 | jobs:
 3 |   terraform:
 4 |     docker:
 5 |       - image: hashicorp/terraform
 6 |         environment:
 7 |           AWS_DEFAULT_REGION: us-east-1
 8 |     steps:
 9 |       - checkout
10 |       - run:
11 |           name: EKK Stack - Set up Terraform
12 |           command: cd terraform/test && terraform init -backend=false
13 |       - run:
14 |           name: EKK Stack - Validate Terraform
15 |           command: cd terraform/test && terraform validate -check-variables=false
16 | 
17 | workflows:
18 |   version: 2
19 | 
20 |   validate:
21 |     jobs:
22 |       - terraform
23 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | ## Terraform ##
 2 | #
 3 | # Ignore private variables
 4 | *.tfvars
 5 | #
 6 | # Compiled files
 7 | *.tfstate*
 8 | #
 9 | # Module directory
10 | .terraform/
11 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # devsecops-ekk-stack
 2 | 
 3 | Terraform that builds an EKK logging stack.
 4 | 
 5 | This stack is based on [this CloudFormation example.](https://us-west-2.console.aws.amazon.com/cloudformation/designer/home?region=us-west-2&templateUrl=https://s3.amazonaws.com/scriptdepot/es.template)
 6 | 
 7 | The stack also creates a small EC2 instance (defined in ec2-test.tf) that will be configured with a kinesis agent to test writing into the stream. If you do not wish to deploy this instance, move this file out of the terraform directory or change the extension of the file.
 8 | 
 9 | ## Usage
10 | 
11 | This stack is meant to be consumed as a module in your existing terraform stack. You can consume it by using code similar to this:
12 | 
13 | ```hcl
14 | module "ekk_stack" {
15 |     source = "github.com/GSA/devsecops-ekk-stack//terraform"
16 |     s3_logging_bucket_name = "${var.s3_logging_bucket_name}"
17 |     kinesis_delivery_stream = "${var.kinesis_delivery_stream}"
18 |     ekk_kinesis_stream_name = "${var.ekk_kinesis_stream_name}"
19 | }
20 | ```
21 | 
22 | ...where the variables referenced above are defined in your terraform.tfvars file. "var.s3_logging_bucket_name" should be set to a bucket (which the stack will create) to contain copies of the kinesis firehose logs. "var.kinesis_delivery_stream" should be set to the name of the firehose delivery stream that you wish to use. The EKK stack will create this delivery stream with the name you provide with this variable.
23 | 
24 | The Kinesis stream will send to Elasticsearch and S3.
25 | 
26 | ## Test Deployment
27 | 
28 | Use these steps to deploy the test.
29 | 
30 | 1. Create an S3 bucket for the terraform state.
31 | 1. Run the following command:
32 | 
33 |     ````sh
34 |     cd terraform/test
35 |     cp backend.tfvars.example backend.tfvars
36 |     cp terraform.tfvars.example terraform.tfvars
37 |     ````
38 | 
39 | 1. Fill out backend.tfvars with the name of the S3 bucket you just created.
40 | 1. Fill out terraform.tfvars with required values.
41 | 1. Run the init:
42 | 
43 |     ````sh
44 |     terraform init --backend-config="backend.tfvars"
45 |     ````
46 | 
47 | 1. Run a plan to make sure everything is fine and ready to go:
48 | 
49 |     ````sh
50 |     terraform plan
51 |     ````
52 | 
53 | 1. If there are no issues, apply the stack:
54 | 
55 |     ````sh
56 |     terraform apply
57 |     ````
58 | Following the steps above will emulate the intended behavior of the stack. You must execute it from the test directory just below the terraform directory. The test consumes the stack as a module and deploys it, then sets up an EC2 instance that will install the aws-kinesis-agent and configure it to stream to the Kinesis Firehose delivery stream.
59 | 
60 | The EC2 instance also configures itself with a cron job that performs a curl against its local apache2 daemon 5900 times every minute. This is used to generate logs that the Kinesis agent will capture. To verify that it is working properly, you can login to the EC2 instance and tail the aws-kinesis agent log (/var/log/aws-kinesis/aws-kinesis-agent.log) or look in the web console at the CloudWatch metrics for the Firehose delivery stream itself.
61 | 


--------------------------------------------------------------------------------
/terraform/aws.tf:
--------------------------------------------------------------------------------
1 | provider "aws" {
2 |   version = "~> 1.8"
3 | }
4 | 


--------------------------------------------------------------------------------
/terraform/cloudwatch.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_cloudwatch_log_group" "es_log_group" {
 2 |     name = "${var.es_log_group_name}"
 3 |     retention_in_days = "${var.es_log_retention_in_days}"
 4 | }
 5 | 
 6 | resource "aws_cloudwatch_log_group" "s3_log_group" {
 7 |     name = "${var.s3_log_group_name}"
 8 |     retention_in_days = "${var.s3_log_retention_in_days}"
 9 | }
10 | 
11 | resource "aws_cloudwatch_log_stream" "es_log_stream" {
12 |     name = "${var.es_log_stream_name}"
13 |     log_group_name = "${aws_cloudwatch_log_group.es_log_group.name}"
14 | }
15 | 
16 | resource "aws_cloudwatch_log_stream" "s3_log_stream" {
17 |     name = "${var.s3_log_stream_name}"
18 |     log_group_name = "${aws_cloudwatch_log_group.s3_log_group.name}"
19 | }


--------------------------------------------------------------------------------
/terraform/elasticsearch.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_elasticsearch_domain" "elasticsearch" {
 2 |   domain_name           = "${var.es_domain_name}"
 3 |   elasticsearch_version = "${var.es_version}"
 4 | 
 5 |   cluster_config {
 6 |     dedicated_master_enabled = "${var.es_dedicated_master_enabled}"
 7 |     instance_type            = "${var.es_instance_type}"
 8 |     instance_count           = "${var.es_instance_count}"
 9 |     zone_awareness_enabled   = "${var.es_zone_awareness_enabled}"
10 |     dedicated_master_type    = "${var.es_dedicated_master_instance_type}"
11 |     dedicated_master_count   = "${var.es_dedicated_master_count}"
12 |   }
13 | 
14 |   advanced_options {
15 |     "rest.action.multi.allow_explicit_index" = "${var.es_advanced_allow_explicit_index}"
16 |   }
17 | 
18 |   ebs_options {
19 |     ebs_enabled = "${var.es_ebs_enabled}"
20 |     iops        = "${var.es_ebs_iops}"
21 |     volume_size = "${var.es_ebs_volume_size}"
22 |     volume_type = "${var.es_ebs_volume_type}"
23 |   }
24 | 
25 |   encrypt_at_rest {
26 |     enabled    = "true"
27 |     kms_key_id = "${var.es_kms_key_id != "" ? var.es_kms_key_id : aws_kms_key.es_kms_key.key_id}"
28 |   }
29 | 
30 |   snapshot_options {
31 |     automated_snapshot_start_hour = "${var.es_snapshot_start_hour}"
32 |   }
33 | 
34 |   access_policies = <<CONFIG
35 | {
36 |     "Version": "2012-10-17",
37 |     "Statement": [
38 |         {
39 |             "Action": "es:*",
40 |             "Principal": "*",
41 |             "Effect": "Allow",
42 |             "Resource": "*"
43 |         }
44 |     ]
45 | }
46 | CONFIG
47 | }
48 | 


--------------------------------------------------------------------------------
/terraform/iam.tf:
--------------------------------------------------------------------------------
  1 | # IAM roles and policies for this stack
  2 | 
  3 | # Policies
  4 | 
  5 | data "template_file" "ec2_assume_role_policy" {
  6 |   template = "${file("${path.module}/policies/ec2_assume_role.json")}"
  7 | }
  8 | 
  9 | data "template_file" "firehose_assume_role_policy" {
 10 |   template = "${file("${path.module}/policies/firehose_assume_role.json")}"
 11 | }
 12 | 
 13 | data "template_file" "elasticsearch_policy" {
 14 |   template = "${file("${path.module}/policies/elasticsearch_policy.json")}"
 15 | }
 16 | 
 17 | # S3
 18 | resource "aws_iam_role" "s3_delivery_role" {
 19 |     name = "${var.s3_delivery_role_name}"
 20 |     assume_role_policy = "${data.template_file.firehose_assume_role_policy.rendered}"
 21 | }
 22 | 
 23 | data "aws_iam_policy_document" "s3_log_bucket_access" {
 24 |   statement {
 25 |     actions = [
 26 |       "s3:PutObject",
 27 |     ]
 28 |     resources = [
 29 |       "arn:aws:s3:::${var.s3_logging_bucket_name}",
 30 |     ]
 31 |   }
 32 | }
 33 | 
 34 | resource "aws_iam_policy" "s3_log_bucket_iam_policy" {
 35 |   name   = "${var.s3_role_log_bucket_access_policy}"
 36 |   path   = "/"
 37 |   policy = "${data.aws_iam_policy_document.s3_log_bucket_access.json}"
 38 | }
 39 | 
 40 | resource "aws_iam_role" "ekk_role" {
 41 |     name = "${var.ekk_role_name}"
 42 |     assume_role_policy = "${data.template_file.ec2_assume_role_policy.rendered}"
 43 | }
 44 | 
 45 | resource "aws_iam_instance_profile" "ekk_instance_profile" {
 46 |   name  = "${var.ekk_role_name}-instance-profile"
 47 |   role = "${aws_iam_role.ekk_role.name}"
 48 | }
 49 | 
 50 | resource "aws_iam_policy" "ekk_policy" {
 51 |     name = "${var.ekk_role_policy_name}"
 52 |     policy = <<EOF
 53 | {
 54 |   "Version": "2012-10-17",
 55 |   "Statement": [
 56 |     {
 57 |       "Action": [
 58 |         "cloudwatch:GetMetricStatistics",
 59 |         "cloudwatch:ListMetrics",
 60 |         "cloudwatch:PutMetricAlarm",
 61 |         "cloudwatch:PutMetricData",
 62 |         "cloudwatch:SetAlarmState",
 63 |         "kms:GenerateDataKey"
 64 |       ],
 65 |       "Effect": "Allow",
 66 |       "Resource": "*"
 67 |     },
 68 |     {
 69 |         "Action": [
 70 |             "kms:GenerateDataKey",
 71 |             "kms:Encrypt",
 72 |             "kms:Decrypt"
 73 |         ],
 74 |         "Effect": "Allow",
 75 |         "Resource": "${var.ekk_kinesis_stream_kms_key_arn != "" ? var.ekk_kinesis_stream_kms_key_arn : aws_kms_key.kinesis_stream_kms_key.arn}"
 76 |     }
 77 |   ]
 78 | }
 79 | EOF
 80 | }
 81 | 
 82 | resource "aws_iam_role_policy_attachment" "ekk_policy_attach" {
 83 |     role = "${aws_iam_role.ekk_role.name}"
 84 |     policy_arn = "${aws_iam_policy.ekk_policy.arn}"
 85 | }
 86 | 
 87 | resource "aws_iam_role_policy_attachment" "es_full_access" {
 88 |     role = "${aws_iam_role.ekk_role.name}"
 89 |     policy_arn = "arn:aws:iam::aws:policy/AmazonESFullAccess"
 90 | }
 91 | 
 92 | resource "aws_iam_role_policy_attachment" "s3_full_access" {
 93 |     role = "${aws_iam_role.ekk_role.name}"
 94 |     policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
 95 | }
 96 | 
 97 | resource "aws_iam_role_policy_attachment" "kinesisfirehouse_full_access" {
 98 |     role = "${aws_iam_role.ekk_role.name}"
 99 |     policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFirehoseFullAccess"
100 | }
101 | 
102 | resource "aws_iam_role_policy_attachment" "kinesis_stream_full_access" {
103 |     role = "${aws_iam_role.ekk_role.name}"
104 |     policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFullAccess"
105 | }
106 | 
107 | resource "aws_iam_role_policy_attachment" "es_cloudwatch_full_access" {
108 |     role = "${aws_iam_role.ekk_role.name}"
109 |     policy_arn = "arn:aws:iam::aws:policy/CloudWatchFullAccess"
110 | }
111 | 
112 | resource "aws_iam_role" "elasticsearch_delivery_role" {
113 |     name = "${var.es_delivery_role_name}"
114 |     assume_role_policy = "${data.template_file.firehose_assume_role_policy.rendered}"
115 | }
116 | 
117 | resource "aws_iam_role_policy_attachment" "es_delivery_full_access" {
118 |     role = "${aws_iam_role.elasticsearch_delivery_role.name}"
119 |     policy_arn = "arn:aws:iam::aws:policy/AmazonESFullAccess"
120 | }


--------------------------------------------------------------------------------
/terraform/kinesis.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_kinesis_stream" "ekk_kinesis_stream" {
 2 |     name = "${var.ekk_kinesis_stream_name}"
 3 |     shard_count = "${var.ekk_kinesis_stream_shard_count}"
 4 |     retention_period = "${var.ekk_kinesis_stream_retention_period}"
 5 | 
 6 |     shard_level_metrics = "${var.ekk_kinesis_stream_shard_metrics}"
 7 | 
 8 |     encryption_type = "KMS"
 9 |     # Strangely, this uses the KMS GUID instead of the ARN
10 |     # kms_key_id = "${var.ekk_kinesis_stream_kms_key_id}"
11 |     kms_key_id = "${var.ekk_kinesis_stream_kms_key_id != "" ? var.ekk_kinesis_stream_kms_key_id : aws_kms_key.kinesis_stream_kms_key.key_id}"
12 | }
13 | 
14 | resource "aws_kinesis_firehose_delivery_stream" "ekk_kinesis_delivery_stream" {
15 |     name = "${var.kinesis_delivery_stream}"
16 |     destination = "s3"
17 |     kinesis_source_configuration = {
18 |         kinesis_stream_arn = "${aws_kinesis_stream.ekk_kinesis_stream.arn}",
19 |         role_arn = "${aws_iam_role.ekk_role.arn}"
20 |     } 
21 |     
22 |     destination = "elasticsearch"
23 |     
24 |     elasticsearch_configuration {
25 |         buffering_interval = "${var.es_buffering_interval}"
26 |         buffering_size = "${var.es_buffering_size}"
27 |         cloudwatch_logging_options {
28 |             enabled = "${var.es_cloudwatch_logging_enabled}"
29 |             log_group_name = "${aws_cloudwatch_log_group.es_log_group.name}"
30 |             log_stream_name = "${aws_cloudwatch_log_stream.es_log_stream.name}"
31 |         }
32 |         domain_arn = "${aws_elasticsearch_domain.elasticsearch.arn}"
33 |         role_arn = "${aws_iam_role.ekk_role.arn}"
34 |         index_name = "${var.es_index_name}"
35 |         type_name = "${var.es_type_name}"
36 |         index_rotation_period = "${var.es_index_rotation_period}"
37 |         retry_duration = "${var.es_retry_duration}"
38 |         role_arn = "${aws_iam_role.ekk_role.arn}"
39 |         s3_backup_mode = "${var.es_s3_backup_mode}"
40 |     }
41 |     
42 |     s3_configuration {
43 |         role_arn = "${aws_iam_role.s3_delivery_role.arn}"
44 |         bucket_arn = "${aws_s3_bucket.s3_logging_bucket.arn}"
45 |         buffer_size = "${var.s3_buffer_size}"
46 |         buffer_interval = "${var.s3_buffer_interval}"
47 |         compression_format = "${var.s3_compression_format}"
48 |         prefix = "${var.s3_prefix}"
49 |         kms_key_arn = "${var.s3_kms_key_arn != "" ? var.s3_kms_key_arn : aws_kms_key.s3_logging_kms_key.arn}"
50 |         cloudwatch_logging_options {
51 |             enabled = "${var.s3_cloudwatch_logging_enabled}"
52 |             log_group_name = "${aws_cloudwatch_log_group.s3_log_group.name}"
53 |             log_stream_name = "${aws_cloudwatch_log_stream.s3_log_stream.name}"
54 |         }
55 |     }
56 | }


--------------------------------------------------------------------------------
/terraform/kms.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_kms_key" "s3_logging_kms_key" {
 2 |   count = "${var.s3_kms_key_arn == "" ? 1 : 0}"
 3 | 
 4 |   description = "S3 Logging KMS Key - Created by Terraform"
 5 | }
 6 | 
 7 | resource "aws_kms_key" "es_kms_key" {
 8 |   count = "${var.es_kms_key_id == "" ? 1 : 0}"
 9 | 
10 |   description = "ES data KMS Key - Created by Terraform"
11 | }
12 | 
13 | resource "aws_kms_key" "kinesis_stream_kms_key" {
14 |   count = "${var.ekk_kinesis_stream_kms_key_id == "" ? 1 : 0}"
15 | 
16 |   description = "Kinesis Stream KMS Key - Created by Terraform"
17 | }
18 | 


--------------------------------------------------------------------------------
/terraform/outputs.tf:
--------------------------------------------------------------------------------
 1 | # output "es_domain_arn" {
 2 | #     value = "${aws_elasticsearch_domain.elasticsearch.arn}"
 3 | # }
 4 | 
 5 | # output "es_domain_endpoint" {
 6 | #     value = "${aws_elasticsearch_domain.elasticsearch.endpoint}"
 7 | # }
 8 | 
 9 | output "ekk_instance_profile_id" {
10 |     value = "${aws_iam_instance_profile.ekk_instance_profile.id}"
11 | }


--------------------------------------------------------------------------------
/terraform/policies/ec2_assume_role.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "Version": "2012-10-17",
 3 |     "Statement": [
 4 |         {
 5 |             "Action": "sts:AssumeRole",
 6 |             "Principal": {
 7 |                 "Service": "ec2.amazonaws.com"
 8 |             },
 9 |             "Effect": "Allow",
10 |             "Sid": ""
11 |         },
12 |         {
13 |             "Action": "sts:AssumeRole",
14 |             "Principal": {
15 |                 "Service": "firehose.amazonaws.com"
16 |             },
17 |             "Effect": "Allow",
18 |             "Sid": ""
19 |         }
20 |     ]
21 | }


--------------------------------------------------------------------------------
/terraform/policies/elasticsearch_policy.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "Version": "2012-10-17",
 3 |     "Statement": [
 4 |       {
 5 |         "Action": [
 6 |           "cloudwatch:GetMetricStatistics",
 7 |           "cloudwatch:ListMetrics",
 8 |           "cloudwatch:PutMetricAlarm",
 9 |           "cloudwatch:PutMetricData",
10 |           "cloudwatch:SetAlarmState"
11 |         ],
12 |         "Effect": "Allow",
13 |         "Resource": "*"
14 |       }
15 |     ]
16 |   }


--------------------------------------------------------------------------------
/terraform/policies/firehose_assume_role.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "Version": "2012-10-17",
 3 |     "Statement": [
 4 |         {
 5 |             "Action": "sts:AssumeRole",
 6 |             "Principal": {
 7 |                 "Service": "firehose.amazonaws.com"
 8 |             },
 9 |             "Effect": "Allow",
10 |             "Sid": ""
11 |         }
12 |     ]
13 | }


--------------------------------------------------------------------------------
/terraform/s3.tf:
--------------------------------------------------------------------------------
1 | resource "aws_s3_bucket" "s3_logging_bucket" {
2 |   bucket = "${var.s3_logging_bucket_name}"
3 |   acl    = "private"
4 | }


--------------------------------------------------------------------------------
/terraform/test/aws.tf:
--------------------------------------------------------------------------------
1 | data "aws_region" "current" {
2 |   current = true
3 | }
4 | 
5 | provider "aws" {
6 |   version = "~> 1.8"
7 | }
8 | 


--------------------------------------------------------------------------------
/terraform/test/backend.tfvars.example:
--------------------------------------------------------------------------------
1 | # This will be used to init the backend during "terraform init" (see README.MD)
2 | # These values must match the bucket you created.
3 | bucket = "<bucket-name>"  # e.g. "devsecops-infrastructure"
4 | key = "<folder/file>"     # e.g. "network/terraform.tfstate"
5 | region = "<region>"       # e.g. "us-east-1"


--------------------------------------------------------------------------------
/terraform/test/ec2-test.tf:
--------------------------------------------------------------------------------
 1 | module "ekk_stack" {
 2 |   source = "../"
 3 |   s3_logging_bucket_name = "${var.s3_logging_bucket_name}"
 4 |   kinesis_delivery_stream = "${var.kinesis_delivery_stream}"
 5 |   ekk_kinesis_stream_name = "${var.ekk_kinesis_stream_name}"
 6 |   es_instance_type = "${var.es_instance_type}"
 7 |   es_dedicated_master_instance_type = "${var.es_dedicated_master_instance_type}"
 8 | }
 9 | 
10 | data "template_file" "user_data_template" {
11 |   template = "${file("${path.module}/files/ec2-test.tpl")}"
12 | 
13 |   vars {
14 |     kinesisstream = "${var.ekk_kinesis_stream_name}"
15 |   }
16 | }
17 | 
18 | data "aws_ami" "ec2-linux" {
19 |   most_recent = true
20 |   filter {
21 |     name = "name"
22 |     values = ["amzn-ami-*-x86_64-gp2"]
23 |   }
24 |   filter {
25 |     name = "virtualization-type"
26 |     values = ["hvm"]
27 |   }
28 |   filter {
29 |     name = "owner-alias"
30 |     values = ["amazon"]
31 |   }
32 | }
33 | 
34 | resource "aws_instance" "stream_tester" {
35 |   ami           = "${data.aws_ami.ec2-linux.id}"
36 |   instance_type = "m4.xlarge"
37 |   iam_instance_profile = "${module.ekk_stack.ekk_instance_profile_id}"
38 | 
39 |   subnet_id = "${module.test_vpc.public_subnets[0]}"
40 |   vpc_security_group_ids = ["${aws_security_group.main.id}"]
41 | 
42 |   key_name = "${var.ec_test_instance_key_name}"
43 | 
44 |   user_data = "${data.template_file.user_data_template.rendered}"
45 | 
46 |   provisioner "remote-exec" {
47 |     inline = ["echo Successfully connected"]
48 | 
49 |     connection {
50 |       user = "ec2-user"
51 |     }
52 |   }
53 | }


--------------------------------------------------------------------------------
/terraform/test/files/ec2-test.tpl:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # This user data sets up the test instance to curl the localhost port 80 to generate apache logs. Kinesis should then feed them to the proper stream that was created in Terraform.
 3 | 
 4 | # Install necessary packages
 5 | yum -y install httpd aws-kinesis-agent
 6 | 
 7 | # Create necessary test files
 8 | cat<<EOF>/etc/aws-kinesis/agent.json
 9 | {
10 |     "cloudwatch.emitMetrics": true,
11 |     "firehose.endpoint": "firehose.us-east-1.amazonaws.com",
12 |     "flows": [
13 |         {
14 |             "filePattern": "/var/log/httpd/access_log",
15 |             "kinesisStream": "${kinesisstream}",
16 |             "dataProcessingOptions": [
17 |                 {
18 |                     "optionName": "LOGTOJSON",
19 |                     "logFormat": "COMMONAPACHELOG"
20 |                 }
21 |             ]
22 |         }
23 |     ]
24 | }
25 | EOF
26 | 
27 | cat<<EOF>/root/test.sh
28 | #!/bin/bash
29 | # Test connectivity to localhost port
30 | for i in {1..5900};do curl -s -w "%{time_total}\n" -o /dev/null http://localhost/; done
31 | EOF
32 | 
33 | # Set cron to run the tests
34 | chmod +x /root/test.sh
35 | echo "* * * * * /root/test.sh" >> /root/mycron
36 | crontab /root/mycron
37 | rm /root/mycron
38 | 
39 | # Set permissions on httpd directory
40 | service httpd start
41 | chown -R aws-kinesis-agent-user:root /var/log/httpd
42 | chmod -R 764 /var/log/httpd
43 | 
44 | # Make sure kinesis agent is using the correct agent.json above
45 | service aws-kinesis-agent start


--------------------------------------------------------------------------------
/terraform/test/network.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_security_group" "main" {
 2 |   vpc_id = "${module.test_vpc.vpc_id}"
 3 | 
 4 |   # SSH access from anywhere
 5 |   ingress {
 6 |     from_port   = 22
 7 |     to_port     = 22
 8 |     protocol    = "tcp"
 9 |     cidr_blocks = ["0.0.0.0/0"]
10 |   }
11 |   ingress {
12 |       from_port = 80
13 |       to_port = 80
14 |       protocol = "tcp"
15 |       cidr_blocks = ["0.0.0.0/0"]
16 |   }
17 |   egress {
18 |     from_port       = 0
19 |     to_port         = 0
20 |     protocol        = "-1"
21 |     cidr_blocks     = ["0.0.0.0/0"]
22 |   }
23 | }


--------------------------------------------------------------------------------
/terraform/test/outputs.tf:
--------------------------------------------------------------------------------
1 | output "test_instance_ip" {
2 |     value = "${aws_instance.stream_tester.public_ip}"
3 | }


--------------------------------------------------------------------------------
/terraform/test/terraform.tfvars.example:
--------------------------------------------------------------------------------
1 | # List your logging bucket name here. Make sure it's done a naming collison with someone else's bucket.
2 | s3_logging_bucket_name = "<bucket_name>"
3 | ec_test_instance_key_name = "<key_pair_name>"


--------------------------------------------------------------------------------
/terraform/test/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "s3_logging_bucket_name" {
 2 |     type = "string"
 3 | }
 4 | variable "ec_test_instance_key_name" {
 5 |     type = "string"
 6 | }
 7 | variable "kinesis_delivery_stream" {
 8 |     default = "DevSecOpsKinesisDeliveryStream"
 9 | }
10 | variable "ekk_kinesis_stream_name" {
11 |     default = "DevSecOpsKinesisStream"
12 | }
13 | variable "es_instance_type" {
14 |     default = "t2.micro.elasticsearch"
15 | }
16 | variable "es_dedicated_master_instance_type" {
17 |     default = "t2.micro.elasticsearch"
18 | }


--------------------------------------------------------------------------------
/terraform/test/vpc-test.tf:
--------------------------------------------------------------------------------
 1 | module "test_vpc" {
 2 |   source = "github.com/terraform-aws-modules/terraform-aws-vpc"
 3 | 
 4 |   name = "ec2-test"
 5 |   cidr = "10.0.0.0/16"
 6 |   public_subnets = ["10.0.1.0/24"]
 7 |   enable_nat_gateway = "false"
 8 |   enable_dns_hostnames = "true"
 9 |   enable_dns_support = "true"
10 |   azs = ["us-east-1c", "us-east-1d"]
11 | }


--------------------------------------------------------------------------------
/terraform/variables.tf:
--------------------------------------------------------------------------------
  1 | variable "s3_logging_bucket_name" {
  2 |   type = "string"
  3 | }
  4 | 
  5 | variable "kinesis_delivery_stream" {
  6 |   type = "string"
  7 | }
  8 | 
  9 | variable "ekk_kinesis_stream_name" {
 10 |   type = "string"
 11 | }
 12 | 
 13 | variable "s3_kms_key_arn" {
 14 |   type        = "string"
 15 |   description = "KMS Key ARN used to encrypt data within S3 bucket. The key must already exist within the account."
 16 |   default     = ""
 17 | }
 18 | 
 19 | variable "ekk_kinesis_stream_kms_key_id" {
 20 |   description = "This is the GUID of a KMS key, not the ARN!"
 21 |   default     = ""
 22 | }
 23 | 
 24 | variable "ekk_kinesis_stream_kms_key_arn" {
 25 |   description = "This is the ARN of a KMS key, not the GUID!"
 26 |   default     = ""
 27 | }
 28 | 
 29 | variable "ekk_kinesis_stream_shard_count" {
 30 |   default = "1"
 31 | }
 32 | 
 33 | variable "ekk_kinesis_stream_retention_period" {
 34 |   default = "24"
 35 | }
 36 | 
 37 | variable "ekk_kinesis_stream_shard_metrics" {
 38 |   default = ["IncomingBytes", "OutgoingBytes"]
 39 | }
 40 | 
 41 | variable "aws_region" {
 42 |   default = "us-east-1"
 43 | }
 44 | 
 45 | variable "es_domain_name" {
 46 |   default = "devsecops-ekk-stack"
 47 | }
 48 | 
 49 | variable "es_version" {
 50 |   default = "5.5"
 51 | }
 52 | 
 53 | variable "es_instance_type" {
 54 |   default = "m4.large.elasticsearch"
 55 | }
 56 | 
 57 | variable "es_instance_count" {
 58 |   default = "2"
 59 | }
 60 | 
 61 | variable "es_dedicated_master_instance_type" {
 62 |   default = "m4.large.elasticsearch"
 63 | }
 64 | 
 65 | variable "es_kms_key_id" {
 66 |   type        = "string"
 67 |   description = "KMS Key ID (NOT the ARN!) used to encrypt data within elasticsearch instances. The key must already exist within the account."
 68 |   default     = ""
 69 | }
 70 | 
 71 | variable "es_dedicated_master_count" {
 72 |   default = "2"
 73 | }
 74 | 
 75 | variable "ekk_role_name" {
 76 |   default = "EKKRole"
 77 | }
 78 | 
 79 | variable "ekk_role_policy_name" {
 80 |   default = "EKKRolePolicy"
 81 | }
 82 | 
 83 | variable "s3_delivery_role_name" {
 84 |   default = "EKKS3DeliveryRole"
 85 | }
 86 | 
 87 | variable "s3_role_log_bucket_access_policy" {
 88 |   default = "S3RoleBucketAccessPolicy"
 89 | }
 90 | 
 91 | variable "es_delivery_role_name" {
 92 |   default = "ESDeliveryRole"
 93 | }
 94 | 
 95 | variable "es_log_group_name" {
 96 |   default = "ElasticSearchDeliveryLogGroup"
 97 | }
 98 | 
 99 | variable "es_log_retention_in_days" {
100 |   default = "7"
101 | }
102 | 
103 | variable "es_log_stream_name" {
104 |   default = "ElasticSearchDelivery"
105 | }
106 | 
107 | variable "s3_log_group_name" {
108 |   default = "S3DeliveryLogGroup"
109 | }
110 | 
111 | variable "s3_log_retention_in_days" {
112 |   default = "7"
113 | }
114 | 
115 | variable "s3_log_stream_name" {
116 |   default = "S3Delivery"
117 | }
118 | 
119 | variable "es_dedicated_master_enabled" {
120 |   default = "true"
121 | }
122 | 
123 | variable "es_zone_awareness_enabled" {
124 |   default = "true"
125 | }
126 | 
127 | variable "es_advanced_allow_explicit_index" {
128 |   default = "true"
129 | }
130 | 
131 | variable "es_ebs_enabled" {
132 |   default = "true"
133 | }
134 | 
135 | variable "es_ebs_iops" {
136 |   default = "0"
137 | }
138 | 
139 | variable "es_ebs_volume_size" {
140 |   default = "20"
141 | }
142 | 
143 | variable "es_ebs_volume_type" {
144 |   default = "gp2"
145 | }
146 | 
147 | variable "es_snapshot_start_hour" {
148 |   default = "0"
149 | }
150 | 
151 | variable "es_buffering_interval" {
152 |   default = "60"
153 | }
154 | 
155 | variable "es_buffering_size" {
156 |   default = "50"
157 | }
158 | 
159 | variable "es_cloudwatch_logging_enabled" {
160 |   default = "true"
161 | }
162 | 
163 | variable "es_index_name" {
164 |   default = "logmonitor"
165 | }
166 | 
167 | variable "es_type_name" {
168 |   default = "log"
169 | }
170 | 
171 | variable "es_index_rotation_period" {
172 |   default = "NoRotation"
173 | }
174 | 
175 | variable "es_retry_duration" {
176 |   default = "60"
177 | }
178 | 
179 | variable "es_s3_backup_mode" {
180 |   default = "AllDocuments"
181 | }
182 | 
183 | variable "s3_buffer_size" {
184 |   default = "10"
185 | }
186 | 
187 | variable "s3_buffer_interval" {
188 |   default = "300"
189 | }
190 | 
191 | variable "s3_compression_format" {
192 |   default = "UNCOMPRESSED"
193 | }
194 | 
195 | variable "s3_prefix" {
196 |   default = "firehose/"
197 | }
198 | 
199 | variable "s3_cloudwatch_logging_enabled" {
200 |   default = "true"
201 | }
202 | 


--------------------------------------------------------------------------------