Added module for WAF logs (#9)

* Updated Change log

* module for WAF servicelog

* updated docs and CHANGELOG

Author: karthicgit

CHANGELOG.adoc

@@ -7,6 +7,11 @@ All notable changes to this project are documented in this file.
 
 The format is based on {uri-changelog}[Keep a Changelog].
 
+== 0.3.0 - Unreleased
+
+=== Added
+* Module for Web Application Firewall service logs
+
 == 0.2.0 (Oct 18, 2021)
 
 === Added

docs/terraformoptions.adoc

@@ -96,6 +96,8 @@ loggroup_tags = {
     #vpnlog ={loggroup="vpnloggroup",service="vpn",resource="<ipsecname>"}
     #devopslog = {loggroup="devopsloggroup",service="devops",resource="<projectname>"}
     #emaillog = {loggroup="emailloggroup",service="email",resource="<emaildomain>"}
+    #intlog = {loggroup="intloggroup",service="integration",resource="<integrationinstance>"}
+    #waflog = {loggroup="wafloggroup",service="waf",resource="<firewallname>"}
   }
 ----
 |

locals.tf

@@ -28,6 +28,9 @@ locals {
 
   vpnlogdef   = { for k, v in var.service_logdef : k => v if v.service == "vpn" }
   vpnloggroup = [for k, v in var.service_logdef : v.loggroup if v.service == "vpn"]
+
+  waflogdef   = { for k, v in var.service_logdef : k => v if v.service == "waf" }
+  wafloggroup = [for k, v in var.service_logdef : v.loggroup if v.service == "waf"]
 }
 
 locals {

main.tf

@@ -118,6 +118,18 @@ resource "oci_logging_log_group" "vpnloggroup" {
 
 }
 
+#WAF loggroup resource
+resource "oci_logging_log_group" "wafloggroup" {
+
+  for_each = toset(local.wafloggroup)
+
+  compartment_id = var.compartment_id
+  description    = "WAF Loggroup"
+  display_name   = var.label_prefix == "none" ? each.value : format("%s-%s", var.label_prefix, each.value)
+  freeform_tags  = var.loggroup_tags
+
+}
+
 #Custom Linux loggroup resource
 resource "oci_logging_log_group" "linuxloggroup" {
 
@@ -277,3 +289,15 @@ module "vpnlog" {
   count = length(local.vpnlogdef) >= 1 ? 1 : 0
 
 }
+
+module "waflog" {
+  source                 = "./modules/waf"
+  compartment_id         = var.compartment_id
+  label_prefix           = var.label_prefix
+  logdefinition          = local.waflogdef
+  log_retention_duration = var.log_retention_duration
+  loggroup               = oci_logging_log_group.wafloggroup
+
+  count = length(local.waflogdef) >= 1 ? 1 : 0
+
+}

modules/waf/outputs.tf

@@ -0,0 +1,7 @@
+output "waf_logid" {
+  value = { for v in oci_logging_log.waf_log : v.display_name => v.id }
+}
+
+output "waf_loggroupid" {
+  value = { for k, v in var.loggroup : v.display_name => v.id }
+}

modules/waf/variables.tf

@@ -0,0 +1,23 @@
+variable "label_prefix" {
+  default     = "none"
+  description = "A string that will be prepended to log resources."
+  type        = string
+}
+variable "logdefinition" {
+  type        = map(any)
+  description = "Log definition"
+}
+variable "log_retention_duration" {
+  type        = string
+  description = "Duration to retain logs"
+}
+
+variable "compartment_id" {
+  type        = string
+  description = "Compartment ID where the resources will be created"
+}
+
+variable "loggroup" {
+  type        = map(any)
+  description = "Log Group"
+}

modules/waf/waflogs.tf

@@ -0,0 +1,29 @@
+data "oci_waf_web_app_firewalls" "web_app_firewalls" {
+  for_each       = var.logdefinition
+  compartment_id = var.compartment_id
+
+  display_name = each.value.resource
+  state        = ["ACTIVE"]
+}
+
+resource "oci_logging_log" "waf_log" {
+
+
+  for_each = var.logdefinition
+
+  display_name = var.label_prefix == "none" ? each.key : format("%s-%s", var.label_prefix, each.key)
+  log_group_id = var.loggroup[each.value.loggroup].id
+  log_type     = "SERVICE"
+  configuration {
+    source {
+      category    = "all"
+      resource    = data.oci_waf_web_app_firewalls.web_app_firewalls[each.key].web_app_firewall_collection[0]["items"].0.id
+      service     = "waf"
+      source_type = "OCISERVICE"
+    }
+  }
+
+  is_enabled         = lookup(each.value, "enable", true)
+  retention_duration = var.log_retention_duration
+
+}

outputs.tf

@@ -143,6 +143,18 @@ output "vpn_loggroupid" {
 
 }
 
+#WAF log and loggroup id
+output "waf_logid" {
+  value       = try(module.waflog[0].waf_logid, "")
+  description = "WAF logs id"
+}
+
+output "waf_loggroupid" {
+  value       = try(module.waflog[0].waf_loggroupid, "")
+  description = "WAF loggroup id"
+
+}
+
 #Windows custom log and loggroup id
 output "windows_logid" {
   value       = try(module.customlog[0].windowslogid, "")

terraform.tfvars.example

@@ -29,6 +29,7 @@ service_logdef = {
     #devopslog = {loggroup="devopsloggroup",service="devops",resource="<projectname>"}
     #emaillog = {loggroup="emailloggroup",service="email",resource="<emaildomain>"}
     #intlog = {loggroup="intloggroup",service="integration",resource="<integrationinstance>"}
+    #waflog = {loggroup="wafloggroup",service="waf",resource="<firewallname>"}
 
   }