feat: Added support for Cloudwatch metric stream (#64)

Co-authored-by: magreenbaum <magreenbaum>

Author: magreenbaum

README.md

@@ -120,6 +120,50 @@ module "cis_alarms" {
 
 AWS CloudTrail normally publishes logs into AWS CloudWatch Logs. This module creates log metric filters together with metric alarms according to [CIS AWS Foundations Benchmark v1.4.0 (05-28-2021)](https://www.cisecurity.org/benchmark/amazon_web_services/). Read more about [CIS AWS Foundations Controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html).
 
+### Metric Stream 
+
+```hcl
+module "metric_stream" {
+  name          = "metric-stream"
+  firehose_arn  = "arn:aws:firehose:eu-west-1:835367859852:deliverystream/metric-stream-example"
+  output_format = "json"
+  role_arn      = "arn:aws:iam::835367859852:role/metric-stream-to-firehose-20240113005123755300000002"
+
+  # conflicts with exclude_filter
+  include_filter = {
+    ec2 = {
+      namespace    = "AWS/EC2"
+      metric_names = ["CPUUtilization", "NetworkIn"]
+    }
+  }
+
+  statistics_configuration = [
+    {
+      additional_statistics = ["p99"]
+      include_metric = [
+        {
+          namespace   = "AWS/EC2"
+          metric_name = "CPUUtilization"
+        },
+        {
+          namespace   = "AWS/EC2"
+          metric_name = "NetworkIn"
+        }
+      ]
+    },
+    {
+      additional_statistics = ["p90", "TM(10%:90%)"]
+      include_metric = [
+        {
+          namespace   = "AWS/EC2"
+          metric_name = "CPUUtilization"
+        }
+      ]
+    }
+  ]
+}
+```
+
 ### Query Definition
 
 ```hcl
@@ -144,6 +188,7 @@ EOF
 - [Cloudwatch metric alarms for AWS Lambda with multiple dimensions](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/multiple-lambda-metric-alarm)
 - [CIS AWS Foundations Controls: Metrics + Alarms](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/cis-alarms)
 - [Cloudwatch query definition](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/query-definition)
+- [Cloudwatch Metric Stream](https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/tree/master/examples/metric-stream)
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/metric-stream/README.md

@@ -0,0 +1,78 @@
+# Cloudwatch Metric Stream
+
+Configuration in this directory creates Cloudwatch metric streams and delivers them to Kinesis Firehose with an s3 destination.
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.5 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.5 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_firehose_to_s3"></a> [firehose\_to\_s3](#module\_firehose\_to\_s3) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | >= 5.30 |
+| <a name="module_firehose_to_s3_policy"></a> [firehose\_to\_s3\_policy](#module\_firehose\_to\_s3\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | >= 5.30 |
+| <a name="module_metrics_bucket"></a> [metrics\_bucket](#module\_metrics\_bucket) | terraform-aws-modules/s3-bucket/aws | >= 3.15 |
+| <a name="module_stream_all"></a> [stream\_all](#module\_stream\_all) | ../../modules/metric-stream | n/a |
+| <a name="module_stream_all_disabled"></a> [stream\_all\_disabled](#module\_stream\_all\_disabled) | ../../modules/metric-stream | n/a |
+| <a name="module_stream_to_firehose_policy"></a> [stream\_to\_firehose\_policy](#module\_stream\_to\_firehose\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | >= 5.30 |
+| <a name="module_stream_to_firehose_role"></a> [stream\_to\_firehose\_role](#module\_stream\_to\_firehose\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | >= 5.30 |
+| <a name="module_stream_with_exclude_filter"></a> [stream\_with\_exclude\_filter](#module\_stream\_with\_exclude\_filter) | ../../modules/metric-stream | n/a |
+| <a name="module_stream_with_include_filter"></a> [stream\_with\_include\_filter](#module\_stream\_with\_include\_filter) | ../../modules/metric-stream | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kinesis_firehose_delivery_stream.s3_all_stream](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
+| [aws_kinesis_firehose_delivery_stream.s3_exclude_stream](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
+| [aws_kinesis_firehose_delivery_stream.s3_include_stream](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
+| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_iam_policy_document.firehose_to_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.metric_stream_to_firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_all_example_metric_stream"></a> [all\_example\_metric\_stream](#output\_all\_example\_metric\_stream) | ARN of the metric stream. |
+| <a name="output_all_example_metric_stream_creation_date"></a> [all\_example\_metric\_stream\_creation\_date](#output\_all\_example\_metric\_stream\_creation\_date) | Date and time in RFC3339 format that the metric stream was created. |
+| <a name="output_all_example_metric_stream_last_update_date"></a> [all\_example\_metric\_stream\_last\_update\_date](#output\_all\_example\_metric\_stream\_last\_update\_date) | Date and time in RFC3339 format that the metric stream was last updated. |
+| <a name="output_all_example_metric_stream_state"></a> [all\_example\_metric\_stream\_state](#output\_all\_example\_metric\_stream\_state) | State of the metric stream. Possible values are running and stopped. |
+| <a name="output_exclude_example_metric_stream"></a> [exclude\_example\_metric\_stream](#output\_exclude\_example\_metric\_stream) | ARN of the metric stream. |
+| <a name="output_exclude_example_metric_stream_creation_date"></a> [exclude\_example\_metric\_stream\_creation\_date](#output\_exclude\_example\_metric\_stream\_creation\_date) | Date and time in RFC3339 format that the metric stream was created. |
+| <a name="output_exclude_example_metric_stream_last_update_date"></a> [exclude\_example\_metric\_stream\_last\_update\_date](#output\_exclude\_example\_metric\_stream\_last\_update\_date) | Date and time in RFC3339 format that the metric stream was last updated. |
+| <a name="output_exclude_example_metric_stream_state"></a> [exclude\_example\_metric\_stream\_state](#output\_exclude\_example\_metric\_stream\_state) | State of the metric stream. Possible values are running and stopped. |
+| <a name="output_include_example_metric_stream"></a> [include\_example\_metric\_stream](#output\_include\_example\_metric\_stream) | ARN of the metric stream. |
+| <a name="output_include_example_metric_stream_creation_date"></a> [include\_example\_metric\_stream\_creation\_date](#output\_include\_example\_metric\_stream\_creation\_date) | Date and time in RFC3339 format that the metric stream was created. |
+| <a name="output_include_example_metric_stream_last_update_date"></a> [include\_example\_metric\_stream\_last\_update\_date](#output\_include\_example\_metric\_stream\_last\_update\_date) | Date and time in RFC3339 format that the metric stream was last updated. |
+| <a name="output_include_example_metric_stream_state"></a> [include\_example\_metric\_stream\_state](#output\_include\_example\_metric\_stream\_state) | State of the metric stream. Possible values are running and stopped. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/metric-stream/main.tf

@@ -0,0 +1,234 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+locals {
+  name = "metric-stream"
+}
+
+module "stream_with_exclude_filter" {
+  source = "../../modules/metric-stream"
+
+  name          = "${local.name}-with-exclude-filter"
+  firehose_arn  = aws_kinesis_firehose_delivery_stream.s3_exclude_stream.arn
+  output_format = "json"
+  role_arn      = module.stream_to_firehose_role.iam_role_arn
+
+  # conflicts with include_filter
+  exclude_filter = {
+    logs = {
+      namespace = "AWS/Logs"
+    }
+    usage = {
+      namespace    = "AWS/Usage"
+      metric_names = ["CallCount", "ResourceCount"]
+    }
+    kms = {
+      namespace    = "AWS/Firehose"
+      metric_names = ["KMSKeyDisabled"]
+    }
+  }
+}
+
+module "stream_with_include_filter" {
+  source = "../../modules/metric-stream"
+
+  name          = "${local.name}-with-include-filter"
+  firehose_arn  = aws_kinesis_firehose_delivery_stream.s3_include_stream.arn
+  output_format = "json"
+  role_arn      = module.stream_to_firehose_role.iam_role_arn
+
+  # conflicts with exclude_filter
+  include_filter = {
+    ec2 = {
+      namespace    = "AWS/EC2"
+      metric_names = ["CPUUtilization", "NetworkIn"]
+    }
+  }
+
+  statistics_configuration = [
+    {
+      additional_statistics = ["p99"]
+      include_metric = [
+        {
+          namespace   = "AWS/EC2"
+          metric_name = "CPUUtilization"
+        },
+        {
+          namespace   = "AWS/EC2"
+          metric_name = "NetworkIn"
+        }
+      ]
+    },
+    {
+      additional_statistics = ["p90", "TM(10%:90%)"]
+      include_metric = [
+        {
+          namespace   = "AWS/EC2"
+          metric_name = "CPUUtilization"
+        }
+      ]
+    }
+  ]
+}
+
+module "stream_all" {
+  source = "../../modules/metric-stream"
+
+  name          = "${local.name}-all"
+  firehose_arn  = aws_kinesis_firehose_delivery_stream.s3_all_stream.arn
+  output_format = "json"
+  role_arn      = module.stream_to_firehose_role.iam_role_arn
+}
+
+module "stream_all_disabled" {
+  source = "../../modules/metric-stream"
+
+  create = false
+
+  name          = "${local.name}-all-disabled"
+  firehose_arn  = aws_kinesis_firehose_delivery_stream.s3_all_stream.arn
+  output_format = "json"
+  role_arn      = module.stream_to_firehose_role.iam_role_arn
+}
+
+resource "random_pet" "this" {
+  length = 2
+}
+
+module "metrics_bucket" {
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = ">= 3.15"
+
+  bucket = "${local.name}-${random_pet.this.id}"
+
+  force_destroy = true
+}
+
+resource "aws_kinesis_firehose_delivery_stream" "s3_include_stream" {
+  name        = "${local.name}-include-filter-example"
+  destination = "extended_s3"
+
+  extended_s3_configuration {
+    role_arn   = module.firehose_to_s3.iam_role_arn
+    bucket_arn = module.metrics_bucket.s3_bucket_arn
+    prefix     = "include-filter/"
+  }
+}
+
+resource "aws_kinesis_firehose_delivery_stream" "s3_exclude_stream" {
+  name        = "${local.name}-exclude-filter-example"
+  destination = "extended_s3"
+
+  extended_s3_configuration {
+    role_arn   = module.firehose_to_s3.iam_role_arn
+    bucket_arn = module.metrics_bucket.s3_bucket_arn
+    prefix     = "exclude-filter/"
+  }
+}
+
+resource "aws_kinesis_firehose_delivery_stream" "s3_all_stream" {
+  name        = "${local.name}-all-example"
+  destination = "extended_s3"
+
+  extended_s3_configuration {
+    role_arn   = module.firehose_to_s3.iam_role_arn
+    bucket_arn = module.metrics_bucket.s3_bucket_arn
+    prefix     = "all/"
+  }
+}
+
+module "firehose_to_s3" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = ">= 5.30"
+
+  trusted_role_services = [
+    "firehose.amazonaws.com"
+  ]
+
+  create_role = true
+
+  role_name_prefix  = "${local.name}-firehose-to-s3-"
+  role_requires_mfa = false
+
+  custom_role_policy_arns = [
+    module.firehose_to_s3_policy.arn
+  ]
+}
+
+module "firehose_to_s3_policy" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = ">= 5.30"
+
+  name        = "${local.name}-firehose-to-s3"
+  path        = "/"
+  description = local.name
+
+  policy = data.aws_iam_policy_document.firehose_to_s3.json
+}
+
+data "aws_iam_policy_document" "firehose_to_s3" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "s3:AbortMultipartUpload",
+      "s3:GetBucketLocation",
+      "s3:GetObject",
+      "s3:ListBucket",
+      "s3:ListBucketMultipartUploads",
+      "s3:PutObject",
+    ]
+
+    resources = [
+      module.metrics_bucket.s3_bucket_arn,
+      "${module.metrics_bucket.s3_bucket_arn}/*",
+    ]
+  }
+}
+
+module "stream_to_firehose_role" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = ">= 5.30"
+
+  trusted_role_services = [
+    "streams.metrics.cloudwatch.amazonaws.com"
+  ]
+
+  create_role = true
+
+  role_name_prefix  = "${local.name}-to-firehose-"
+  role_requires_mfa = false
+
+  custom_role_policy_arns = [
+    module.stream_to_firehose_policy.arn
+  ]
+}
+
+module "stream_to_firehose_policy" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = ">= 5.30"
+
+  name        = "${local.name}-to-firehose"
+  path        = "/"
+  description = local.name
+
+  policy = data.aws_iam_policy_document.metric_stream_to_firehose.json
+}
+
+data "aws_iam_policy_document" "metric_stream_to_firehose" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "firehose:PutRecord",
+      "firehose:PutRecordBatch",
+    ]
+
+    resources = [
+      aws_kinesis_firehose_delivery_stream.s3_include_stream.arn,
+      aws_kinesis_firehose_delivery_stream.s3_exclude_stream.arn,
+      aws_kinesis_firehose_delivery_stream.s3_all_stream.arn,
+    ]
+  }
+}