forked from personio/rds-audit-logs-s3
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtemplate.yaml
153 lines (144 loc) · 4.28 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
rds-audit-logs-s3
Lambda function to ingest RDS instance audit logs to S3
Metadata:
AWS::ServerlessRepo::Application:
Name: rds-audit-logs-s3
Description: Lambda function to ingest RDS instance audit logs to S3
Author: Personio GmbH
SpdxLicenseId: MIT
LicenseUrl: LICENSE.txt
ReadmeUrl: README.md
Labels: [ 'rds', 's3', 'lambda', 'logs', 'audit' ]
HomePageUrl: https://github.com/personio/rds-audit-logs-s3
SourceCodeUrl: https://github.com/personio/rds-audit-logs-s3
Parameters:
Name:
Type: String
Description: Name to use for created AWS resources, eg. "rds-audit-logs-s3"
BucketName:
Type: String
Description: Name of the S3 bucket where logs should be stored in
KmsKeyArn:
Type: String
Description: ARN of the KMS key used for the S3 bucket (optional)
Default: ""
RdsInstanceIdentifier:
Type: String
Description: DB identifier of the RDS instance to get logs from
LambdaDebug:
Type: String
Description: Wether to enable debug logs in the Lambda function
Default: false
AllowedValues:
- true
- false
LambdaMemorySize:
Type: Number
Description: Memory for the Lambda function in MB
Default: 3008
MinValue: 128
MaxValue: 3008
LambdaTimeout:
Type: Number
Description: Timeout of the Lambda function in seconds
Default: 900
LambdaTriggerRate:
Type: Number
Description: Rate for triggering the Lambda function in minutes
Default: 15
LambdaLogRetention:
Type: Number
Description: Number of days to retain the logs of the Lambda function
Default: 30
AllowedValues:
- 1
- 3
- 5
- 7
- 14
- 30
- 60
- 90
- 120
- 150
- 180
- 365
- 400
- 545
- 731
- 1827
- 3653
Globals:
Function:
Runtime: go1.x
Conditions:
LambdaTriggerRate1Minute: !Equals [ !Ref LambdaTriggerRate, 1 ]
KmsKeyProvided: !Not [ !Equals [ !Ref KmsKeyArn, "" ] ]
Resources:
RdsAuditLogsS3Function:
Type: AWS::Serverless::Function
DependsOn: RdsAuditLogsS3FunctionLogGroup
Properties:
FunctionName: !Ref Name
Description: !Sub "Lambda function for RDS audit log ingestion of instance ${RdsInstanceIdentifier} to S3"
CodeUri: lambda/
Handler: lambda
MemorySize: !Ref LambdaMemorySize
Timeout: !Ref LambdaTimeout
Events:
TriggerEvent:
Type: Schedule
Properties:
Name: !Ref Name
Schedule: !If [ LambdaTriggerRate1Minute, !Sub "rate(${LambdaTriggerRate} minute)", !Sub "rate(${LambdaTriggerRate} minutes)" ]
Description: !Sub "Trigger Lambda function ${Name} every ${LambdaTriggerRate} minutes"
Environment:
Variables:
RDS_INSTANCE_IDENTIFIER: !Ref RdsInstanceIdentifier
S3_BUCKET_NAME: !Ref BucketName
DYNAMODB_TABLE_NAME: !Ref DynamoDBTable
DEBUG: !Ref LambdaDebug
Policies:
- DynamoDBCrudPolicy:
TableName: !Ref DynamoDBTable
- S3WritePolicy:
BucketName: !Ref BucketName
- Statement:
- Sid: RdsGetLogs
Effect: Allow
Action:
- rds:DownloadCompleteDBLogFile
- rds:DescribeDBLogFiles
- rds:DescribeDBInstances
Resource: !Sub "arn:${AWS::Partition}:rds:${AWS::Region}:${AWS::AccountId}:db:${RdsInstanceIdentifier}"
- !If
- KmsKeyProvided
- Statement:
- Sid: KmsS3Policy
Effect: Allow
Action:
- kms:GenerateDataKey
- kms:Encrypt
- kms:Decrypt
Resource: !Ref KmsKeyArn
- !Ref "AWS::NoValue"
RdsAuditLogsS3FunctionLogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Sub "/aws/lambda/${Name}"
RetentionInDays: !Ref LambdaLogRetention
DynamoDBTable:
Type: AWS::Serverless::SimpleTable
Properties:
PrimaryKey:
Name: id
Type: String
TableName: !Ref Name
Outputs:
LambdaFunctionArn:
Value: !GetAtt RdsAuditLogsS3Function.Arn
LambdaFunctionName:
Value: !Ref RdsAuditLogsS3Function