Support cloudwatch oam modules (#11)

posquit0 · web-flow · commit 4e1f4bd423be · 2023-04-22T03:53:15.000+09:00
diff --git a/.github/labeler.yaml b/.github/labeler.yaml
@@ -3,3 +3,7 @@
 - modules/cloudwatch-log-group/**/*
 ":floppy_disk: cloudwatch-log-policy":
 - modules/cloudwatch-log-policy/**/*
+":floppy_disk: cloudwatch-oam-link":
+- modules/cloudwatch-oam-link/**/*
+":floppy_disk: cloudwatch-oam-sink":
+- modules/cloudwatch-oam-sink/**/*
diff --git a/.github/labels.yaml b/.github/labels.yaml
@@ -46,3 +46,9 @@
 - color: "fbca04"
   description: "This issue or pull request is related to cloudwatch-log-policy module."
   name: ":floppy_disk: cloudwatch-log-policy"
+- color: "fbca04"
+  description: "This issue or pull request is related to cloudwatch-oam-link module."
+  name: ":floppy_disk: cloudwatch-oam-link"
+- color: "fbca04"
+  description: "This issue or pull request is related to cloudwatch-oam-sink module."
+  name: ":floppy_disk: cloudwatch-oam-sink"
diff --git a/README.md b/README.md
@@ -17,6 +17,24 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws-
     - Log Groups
     - Resource Policy
   - Metrics (Comming soon!)
+  - OAM (Observability Access Manager)
+    - Sink (Monitoring Account)
+    - Link (Source Account)
+
+
+## Examples
+
+### AWS CloudWatch
+
+#### Logs
+
+- [CloudWatch Log Group Full](./examples/cloudwatch-log-group-full)
+- [CloudWatch Log Policy for OpenSearch](./examples/cloudwatch-log-policy-es)
+- [CloudWatch Log Policy for Route53](./examples/cloudwatch-log-policy-route53)
+
+#### OAM (Observability Access Manager)
+
+- [CloudWatch OAM Cross Account Observability](./examples/cloudwatch-oam-cross-account-observability)
 
 
 ## Self Promotion
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.1.2
+0.2.0
diff --git a/examples/cloudwatch-log-group-full/main.tf b/examples/cloudwatch-log-group-full/main.tf
@@ -10,7 +10,7 @@ provider "aws" {
 module "log_group" {
   source = "../../modules/cloudwatch-log-group"
   # source  = "tedilabs/observability/aws//modules/cloudwatch-log-group"
-  # version = "~> 0.1.0"
+  # version = "~> 0.2.0"
 
   name = "/tedilabs/test"
 
@@ -23,6 +23,6 @@ module "log_group" {
   ]
 
   tags = {
-    "project" = "terraform-aws-secret-examples"
+    "project" = "terraform-aws-observability-examples"
   }
 }
diff --git a/examples/cloudwatch-log-policy-es/main.tf b/examples/cloudwatch-log-policy-es/main.tf
@@ -11,7 +11,7 @@ data "aws_caller_identity" "this" {}
 module "log_policy" {
   source = "../../modules/cloudwatch-log-policy"
   # source  = "tedilabs/observability/aws//modules/cloudwatch-log-policy"
-  # version = "~> 0.1.0"
+  # version = "~> 0.2.0"
 
   name    = "es"
   service = "es.amazonaws.com"
diff --git a/examples/cloudwatch-log-policy-route53/main.tf b/examples/cloudwatch-log-policy-route53/main.tf
@@ -11,7 +11,7 @@ data "aws_caller_identity" "this" {}
 module "log_policy" {
   source = "../../modules/cloudwatch-log-policy"
   # source  = "tedilabs/observability/aws//modules/cloudwatch-log-policy"
-  # version = "~> 0.1.0"
+  # version = "~> 0.2.0"
 
   name    = "route53"
   service = "route53.amazonaws.com"
diff --git a/examples/cloudwatch-oam-cross-account-observability/main.tf b/examples/cloudwatch-oam-cross-account-observability/main.tf
@@ -0,0 +1,70 @@
+provider "aws" {
+  alias  = "monitoring"
+  region = "us-east-1"
+}
+
+provider "aws" {
+  alias  = "source"
+  region = "us-east-1"
+}
+
+data "aws_caller_identity" "monitoring" {
+  provider = aws.monitoring
+}
+
+data "aws_caller_identity" "source" {
+  provider = aws.source
+}
+
+
+###################################################
+# CloudWatch OAM Sink
+###################################################
+
+module "sink" {
+  source = "../../modules/cloudwatch-oam-sink"
+  # source  = "tedilabs/observability/aws//modules/cloudwatch-oam-sink"
+  # version = "~> 0.2.0"
+
+  providers = {
+    aws = aws.monitoring
+  }
+
+  name = "monitoring"
+
+  ## Source Accounts
+  telemetry_types = ["AWS::CloudWatch::Metric", "AWS::Logs::LogGroup", "AWS::XRay::Trace"]
+
+  allowed_source_accounts           = [data.aws_caller_identity.source.account_id]
+  allowed_source_organizations      = []
+  allowed_source_organization_paths = []
+
+  tags = {
+    "project" = "terraform-aws-observability-examples"
+  }
+}
+
+
+###################################################
+# CloudWatch OAM Link
+###################################################
+
+module "link" {
+  source = "../../modules/cloudwatch-oam-link"
+  # source  = "tedilabs/observability/aws//modules/cloudwatch-oam-link"
+  # version = "~> 0.2.0"
+
+  providers = {
+    aws = aws.source
+  }
+
+  sink = module.sink.arn
+  name = "source"
+
+  account_label   = "$AccountName"
+  telemetry_types = ["AWS::CloudWatch::Metric", "AWS::Logs::LogGroup", "AWS::XRay::Trace"]
+
+  tags = {
+    "project" = "terraform-aws-observability-examples"
+  }
+}
diff --git a/examples/cloudwatch-oam-cross-account-observability/outputs.tf b/examples/cloudwatch-oam-cross-account-observability/outputs.tf
@@ -0,0 +1,7 @@
+output "sink" {
+  value = module.sink
+}
+
+output "link" {
+  value = module.link
+}
diff --git a/examples/cloudwatch-oam-cross-account-observability/versions.tf b/examples/cloudwatch-oam-cross-account-observability/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = "~> 1.1"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+}
diff --git a/modules/cloudwatch-log-group/variables.tf b/modules/cloudwatch-log-group/variables.tf
@@ -1,12 +1,14 @@
 variable "name" {
   description = "(Required) The name of the CloudWatch log group."
   type        = string
+  nullable    = false
 }
 
 variable "retention_in_days" {
   description = "(Optional) Specify the number of days to retain log events in the log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. Default to `90` days."
   type        = number
   default     = 90
+  nullable    = false
 }
 
 variable "encryption_kms_key" {
@@ -45,16 +47,19 @@ variable "resource_group_enabled" {
   description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module."
   type        = bool
   default     = true
+  nullable    = false
 }
 
 variable "resource_group_name" {
   description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`."
   type        = string
   default     = ""
+  nullable    = false
 }
 
 variable "resource_group_description" {
   description = "(Optional) The description of Resource Group."
   type        = string
   default     = "Managed by Terraform."
+  nullable    = false
 }
diff --git a/modules/cloudwatch-log-policy/variables.tf b/modules/cloudwatch-log-policy/variables.tf
@@ -1,6 +1,7 @@
 variable "name" {
   description = "(Required) The name of the CloudWatch Logs resource policy."
   type        = string
+  nullable    = false
 }
 
 variable "service" {
diff --git a/modules/cloudwatch-oam-link/README.md b/modules/cloudwatch-oam-link/README.md
@@ -0,0 +1,56 @@
+# cloudwatch-oam-link
+This module creates following resources.
+
+- `aws_oam_link`
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.63 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.64.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_oam_link.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/oam_link) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_name"></a> [name](#input\_name) | (Required) The name of the CloudWatch OAM link. | `string` | n/a | yes |
+| <a name="input_sink"></a> [sink](#input\_sink) | (Required) The ARN of the sink to use to create this link. | `string` | n/a | yes |
+| <a name="input_account_label"></a> [account\_label](#input\_account\_label) | (Optional) A label to help identify your source account. In the monitoring account, the account label is displayed with data from that source account. The account label is displayed in charts and search experiences to help you identify account context. Support use following template variables. Defaults to `$AccountName`.<br>  - `$AccountName`: Account name used to identify accounts.<br>  - `$AccountEmail`: Email address used to identify accounts. (i.e. name@amazon.com)<br>  - `$AccountEmailNoDomain`: Email address without domain (i.e. without @amazon.com) used to identify accounts. | `string` | `"$AccountName"` | no |
+| <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
+| <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
+| <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
+| <a name="input_telemetry_types"></a> [telemetry\_types](#input\_telemetry\_types) | (Optional) A set of the telemetry types that the source account shares with the monitoring account. Valid values are `AWS::CloudWatch::Metric`, `AWS::Logs::LogGroup`, `AWS::XRay::Trace`. | `set(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_account_label"></a> [account\_label](#output\_account\_label) | A label to help identify your source account. |
+| <a name="output_arn"></a> [arn](#output\_arn) | The ARN of the CloudWatch OAM link. |
+| <a name="output_id"></a> [id](#output\_id) | The ID of the CloudWatch OAM link. |
+| <a name="output_name"></a> [name](#output\_name) | The name of CloudWatch OAM link. |
+| <a name="output_sink"></a> [sink](#output\_sink) | The information of the sink for this link. |
+| <a name="output_telemetry_types"></a> [telemetry\_types](#output\_telemetry\_types) | A set of the telemetry types that the source account shares with the monitoring account. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/cloudwatch-oam-link/main.tf b/modules/cloudwatch-oam-link/main.tf
@@ -0,0 +1,35 @@
+locals {
+  metadata = {
+    package = "terraform-aws-observability"
+    version = trimspace(file("${path.module}/../../VERSION"))
+    module  = basename(path.module)
+    name    = var.name
+  }
+  module_tags = var.module_tags_enabled ? {
+    "module.terraform.io/package"   = local.metadata.package
+    "module.terraform.io/version"   = local.metadata.version
+    "module.terraform.io/name"      = local.metadata.module
+    "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
+    "module.terraform.io/instance"  = local.metadata.name
+  } : {}
+}
+
+
+###################################################
+# CloudWatch OAM Link
+###################################################
+
+resource "aws_oam_link" "this" {
+  sink_identifier = var.sink
+
+  label_template = var.account_label
+  resource_types = var.telemetry_types
+
+  tags = merge(
+    {
+      "Name" = local.metadata.name
+    },
+    local.module_tags,
+    var.tags,
+  )
+}
diff --git a/modules/cloudwatch-oam-link/outputs.tf b/modules/cloudwatch-oam-link/outputs.tf
@@ -0,0 +1,32 @@
+output "arn" {
+  description = "The ARN of the CloudWatch OAM link."
+  value       = aws_oam_link.this.arn
+}
+
+output "id" {
+  description = "The ID of the CloudWatch OAM link."
+  value       = aws_oam_link.this.link_id
+}
+
+output "sink" {
+  description = "The information of the sink for this link."
+  value = {
+    id  = aws_oam_link.this.sink_identifier
+    arn = aws_oam_link.this.sink_arn
+  }
+}
+
+output "name" {
+  description = "The name of CloudWatch OAM link."
+  value       = local.metadata.name
+}
+
+output "account_label" {
+  description = "A label to help identify your source account."
+  value       = aws_oam_link.this.label
+}
+
+output "telemetry_types" {
+  description = "A set of the telemetry types that the source account shares with the monitoring account."
+  value       = aws_oam_link.this.resource_types
+}
diff --git a/modules/cloudwatch-oam-link/resource-group.tf b/modules/cloudwatch-oam-link/resource-group.tf
@@ -0,0 +1,31 @@
+locals {
+  resource_group_name = (var.resource_group_name != ""
+    ? var.resource_group_name
+    : join(".", [
+      local.metadata.package,
+      local.metadata.module,
+      replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
+    ])
+  )
+}
+
+
+module "resource_group" {
+  source  = "tedilabs/misc/aws//modules/resource-group"
+  version = "~> 0.10.0"
+
+  count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
+
+  name        = local.resource_group_name
+  description = var.resource_group_description
+
+  query = {
+    resource_tags = local.module_tags
+  }
+
+  module_tags_enabled = false
+  tags = merge(
+    local.module_tags,
+    var.tags,
+  )
+}
diff --git a/modules/cloudwatch-oam-link/variables.tf b/modules/cloudwatch-oam-link/variables.tf
diff --git a/modules/cloudwatch-oam-link/versions.tf b/modules/cloudwatch-oam-link/versions.tf
diff --git a/modules/cloudwatch-oam-sink/README.md b/modules/cloudwatch-oam-sink/README.md
diff --git a/modules/cloudwatch-oam-sink/main.tf b/modules/cloudwatch-oam-sink/main.tf
diff --git a/modules/cloudwatch-oam-sink/outputs.tf b/modules/cloudwatch-oam-sink/outputs.tf
diff --git a/modules/cloudwatch-oam-sink/resource-group.tf b/modules/cloudwatch-oam-sink/resource-group.tf
diff --git a/modules/cloudwatch-oam-sink/variables.tf b/modules/cloudwatch-oam-sink/variables.tf
diff --git a/modules/cloudwatch-oam-sink/versions.tf b/modules/cloudwatch-oam-sink/versions.tf

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ provider "aws" {`
`10`	`10`	`module "log_group" {`
`11`	`11`	`source = "../../modules/cloudwatch-log-group"`
`12`	`12`	`# source = "tedilabs/observability/aws//modules/cloudwatch-log-group"`
`13`		`- # version = "~> 0.1.0"`
	`13`	`+ # version = "~> 0.2.0"`
`14`	`14`
`15`	`15`	`name = "/tedilabs/test"`
`16`	`16`
`@@ -23,6 +23,6 @@ module "log_group" {`
`23`	`23`	`]`
`24`	`24`
`25`	`25`	`tags = {`
`26`		`- "project" = "terraform-aws-secret-examples"`
	`26`	`+ "project" = "terraform-aws-observability-examples"`
`27`	`27`	`}`
`28`	`28`	`}`