This module configures a Kinesis Firehose, sets up a subscription for a desired CloudWatch Log Group to the Firehose, and sends the log data to Splunk. A Lambda function is required to transform the CloudWatch Log data from "CloudWatch compressed format" to a format compatible with Splunk. This module takes care of configuring this Lambda function.
In order to send this data to Splunk you will need to first obtain an HEC token from your Splunk administrator. Once you have received the token, you can proceed with creating a module resource, such as the one in the example below. You will use a KMS key of your choice to encrypt the token, as it is sensitive.

Note: the user of this module is responsible for specifying the `provider {}` block for the AWS Terraform provider. As of v5.0.0 the provider block was removed from this module.
```hcl
module "kinesis_firehose" {
  source  = "disney/kinesis-firehose-splunk/aws"
  version = "<version>"

  cloudwatch_log_regions             = ["us-east-1", "us-west-2"]
  name_cloudwatch_logs_to_ship       = "/test/test01"
  cloudwatch_log_group_names_to_ship = ["/aws/svc/loggroup1", "log-group-2", "/aws/svc2/loggroup"]
  hec_url                            = "<Splunk_Kinesis_ingest_URL>"
  s3_bucket_name                     = "<mybucketname>"

  ### HEC Token ###
  # One of var.hec_token (default) OR var.self_managed_hec_token must be used to pass in the Splunk HEC token.
}
```
Please see the S3 Life Cycle Rule example if you wish to configure them.
If you are a Splunk Cloud customer, once you have successfully deployed all the resources, you will need to ensure that your Splunk Cloud instance has the Kinesis Data Firehose egress CIDRs allowlisted under Server Settings > IP Allow List Management > HEC access for ingestion. For more details on the relevant CIDRs please reference this article.

If you change the way you pass in your HEC token (see section below) when upgrading from v6.0.0 to v7.0.0, Terraform may report on `terraform apply` that it is going to make changes to resources such as IAM policies even though nothing about them has changed. Others have experienced this issue as well; please see this issue.
As of v7.0.0, there are two additional options available to pass in the HEC token:

- You may pass the HEC token in via a variable called `var.self_managed_hec_token`, which gives you the flexibility to encrypt the token in your repo with a different tool of your choice, for example AWS SSM Parameter Store or SOPS.
- By default, for backwards compatibility, the module uses the KMS-encrypted HEC token (`var.hec_token`) that it previously required you to configure.
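The two ways of passing the HEC token side by side, as an added example that is not part of the module's own documentation. The input names are the module's; the SSM parameter path, the KMS key alias and the encryption context value are assumptions.

```hcl
# Option B (v7.0.0+): the token never lives in the repo. It is read at plan/apply
# time from an SSM SecureString parameter and handed to the module directly.
data "aws_ssm_parameter" "splunk_hec_token" {
  name            = "/splunk/hec_token" # assumed parameter path
  with_decryption = true                # the provider marks `value` as sensitive
}

module "kinesis_firehose" {
  source  = "disney/kinesis-firehose-splunk/aws"
  version = "<version>"

  cloudwatch_log_regions             = ["us-east-1"]
  cloudwatch_log_group_names_to_ship = ["/aws/svc/loggroup1"]
  hec_url                            = "<Splunk_Kinesis_ingest_URL>"
  s3_bucket_name                     = "<mybucketname>"

  # Set exactly one of the two token inputs; leave var.hec_token unset (null)
  # so the module does not attempt a KMS decrypt of an empty payload.
  self_managed_hec_token = data.aws_ssm_parameter.splunk_hec_token.value

  # Option A (default): instead of the line above, keep the token in the repo
  # as KMS ciphertext and let the module decrypt it via aws_kms_secrets.
  # Encrypt it once, out of band, binding the ciphertext to this use with an
  # encryption context (assumed alias and context):
  #   aws kms encrypt --key-id alias/splunk-hec --plaintext fileb://hec_token.txt \
  #     --encryption-context app=splunk-hec --query CiphertextBlob --output text
  #
  # hec_token          = "<base64 KMS ciphertext from the command above>"
  # encryption_context = { app = "splunk-hec" } # must match the context used to encrypt

  # Optional hardening inputs exposed by the module for the delivery stream
  # and the S3 bucket that receives failed events.
  firehose_server_side_encryption_enabled = true
  s3_bucket_block_public_access_enabled   = 1
  s3_backup_mode                          = "FailedEventsOnly"
}
```

Switching from Option A to Option B on an existing deployment is exactly the v6.0.0 to v7.0.0 situation described above, so expect `terraform plan` to show IAM policy noise even when only the token source changed.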
| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| archive | >= 2.3.0, < 3.0.0 |
| aws | >= 5.0.0, < 6.0.0 |

| Name | Version |
|---|---|
| archive | 2.4.0 |
| aws | 5.8.0 |

| Name | Source | Version |
|---|---|---|
| hec_token_kms_secret | ./modules/kms_secrets | n/a |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| hec_url | Splunk Kinesis URL for submitting CloudWatch logs to Splunk | string | n/a | yes |
| s3_bucket_name | Name of the S3 bucket Kinesis Firehose uses for backups | string | n/a | yes |
| arn_cloudwatch_logs_to_ship | ARN of the CloudWatch Log Group that you want to ship to Splunk. | string | null | no |
| aws_s3_bucket_versioning | Versioning state of the bucket. Valid values: Enabled, Suspended, or Disabled. Disabled should only be used when creating or importing resources that correspond to unversioned S3 buckets. | string | null | no |
| cloudwach_log_group_kms_key_id | KMS key ID of the key to use to encrypt the CloudWatch log group | string | null | no |
| cloudwatch_log_filter_name | Name of Log Filter for CloudWatch Log subscription to Kinesis Firehose | string | "KinesisSubscriptionFilter" | no |
| cloudwatch_log_group_names_to_ship | List of CloudWatch Log Group names that you want to ship to Splunk. | list(string) | null | no |
| cloudwatch_log_regions | List of regions to allow CloudWatch logs to be shipped from. Set in the Kinesis Firehose role's trust policy | list(string) | [] | no |
| cloudwatch_log_retention | Length in days to keep CloudWatch logs of Kinesis Firehose | number | 30 | no |
| cloudwatch_to_fh_access_policy_name | Name of IAM policy attached to the IAM role for CloudWatch to Kinesis Firehose subscription | string | "KinesisCloudWatchToFirehosePolicy" | no |
| cloudwatch_to_firehose_trust_iam_role_name | IAM Role name for CloudWatch to Kinesis Firehose subscription | string | "CloudWatchToSplunkFirehoseTrust" | no |
| enable_fh_cloudwatch_logging | Enable Kinesis Firehose CloudWatch logging. (It only logs errors) | bool | true | no |
| encryption_context | aws_kms_secrets encryption context | map(string) | {} | no |
| expected_bucket_owner | The account ID of the expected bucket owner | string | null | no |
| firehose_name | Name of the Kinesis Firehose | string | "kinesis-firehose-to-splunk" | no |
| firehose_processing_enabled | Kinesis Firehose processing enabled | bool | true | no |
| firehose_server_side_encryption_enabled | Enable SSE for Kinesis Firehose | bool | false | no |
| firehose_server_side_encryption_key_arn | ARN of the key to be used for Firehose SSE | string | null | no |
| firehose_server_side_encryption_key_type | Type of SSE key to be used for encrypting the Firehose. Valid values are AWS_OWNED_CMK and CUSTOMER_MANAGED_CMK | string | null | no |
| hec_acknowledgment_timeout | The amount of time, in seconds between 180 and 600, that Kinesis Firehose waits to receive an acknowledgment from Splunk after it sends data. | number | 300 | no |
| hec_endpoint_type | Splunk HEC endpoint type; Raw or Event | string | "Raw" | no |
| hec_token | Splunk security token needed to submit data to Splunk. Required if var.self_managed_hec_token is not specified. | string | null | no |
| kinesis_firehose_buffer | Buffer incoming data to the specified size, in MB, before delivering it to the destination. See https://www.terraform.io/docs/providers/aws/r/kinesis_firehose_delivery_stream.html#buffer_size | number | 5 | no |
| kinesis_firehose_buffer_interval | Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination | number | 300 | no |
| kinesis_firehose_iam_policy_name | Name of the IAM Policy attached to the IAM Role for the Kinesis Firehose | string | "KinesisFirehose-Policy" | no |
| kinesis_firehose_lambda_role_name | Name of IAM Role for the Lambda function that transforms CloudWatch data for Kinesis Firehose into Splunk compatible format | string | "KinesisFirehoseToLambaRole" | no |
| kinesis_firehose_retry_duration | After an initial failure to deliver to Splunk, the total amount of time, in seconds between 0 and 7200, during which Firehose re-attempts delivery (including the first attempt). After this time has elapsed, the failed documents are written to Amazon S3. The default value is 300s. There is no retry if the value is 0. | number | 300 | no |
| kinesis_firehose_role_name | Name of IAM Role for the Kinesis Firehose | string | "KinesisFirehoseRole" | no |
| lambda_function_environment_variables | Environment variables for the Lambda function | map(string) | {} | no |
| lambda_function_memory_size | Amount of memory in MB which the Lambda function can use at runtime. Defaults to 128 | number | 128 | no |
| lambda_function_name | Name of the Lambda function that transforms CloudWatch data for Kinesis Firehose into Splunk compatible format | string | "kinesis-firehose-transform" | no |
| lambda_function_timeout | The function execution time, in seconds, at which Lambda should terminate the function. | number | 180 | no |
| lambda_iam_policy_name | Name of the IAM policy that is attached to the IAM Role for the Lambda transform function | string | "Kinesis-Firehose-to-Splunk-Policy" | no |
| lambda_kms_key_arn | Amazon Resource Name (ARN) of the AWS Key Management Service (KMS) key that is used to encrypt environment variables. | string | null | no |
| lambda_processing_buffer_interval_in_seconds | Lambda processing buffer interval in seconds. | number | 61 | no |
| lambda_processing_buffer_size_in_mb | Lambda processing buffer size in MB. | number | 0.256 | no |
| lambda_reserved_concurrent_executions | Number of reserved concurrent executions for this Lambda function. A value of 0 disables the Lambda from being triggered and -1 removes any concurrency limitations. | string | null | no |
| lambda_tracing_config | Configures X-Ray tracing for the Lambda function. See valid values here: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#mode | string | null | no |
| lifecycle_rule | List of maps containing configuration of object lifecycle management. | any | [] | no |
| local_lambda_file | The absolute path to an existing custom Lambda script | string | null | no |
| local_lambda_file_handler | Allows you to specify the Lambda handler if using a local custom file for the Lambda function | string | null | no |
| log_stream_name | Name of the CloudWatch log stream for the Kinesis Firehose CloudWatch log group | string | "SplunkDelivery" | no |
| name_cloudwatch_logs_to_ship | Name of the CloudWatch Log Group that you want to ship to Splunk (single log group; leave empty to not create the subscription filter; see var.cloudwatch_log_group_names_to_ship for creating subscription filters for multiple log groups). | string | null | no |
| nodejs_runtime | Runtime version of nodejs for the Lambda function | string | "nodejs20.x" | no |
| object_lock_configuration_days | Required if years is not specified. Number of days that you want to specify for the default retention period | number | null | no |
| object_lock_configuration_mode | Default Object Lock retention mode you want to apply to new objects placed in the specified bucket. Valid values: COMPLIANCE, GOVERNANCE | string | null | no |
| object_lock_configuration_token | S3 bucket object lock configuration token | string | null | no |
| object_lock_configuration_years | Required if days is not specified. Number of years that you want to specify for the default retention period | number | null | no |
| region | DEPRECATED. The AWS region you want to work in, such as us-west-2 or us-east-1 (deprecated: use var.cloudwatch_log_regions instead) | string | null | no |
| s3_backup_mode | Defines how documents should be delivered to Amazon S3. Valid values are FailedEventsOnly and AllEvents. | string | "FailedEventsOnly" | no |
| s3_bucket_block_public_access_enabled | Set to 1 if you would like to add block public access settings for the S3 bucket Kinesis Firehose uses for backups | number | 0 | no |
| s3_bucket_key_enabled | Whether or not to use Amazon S3 Bucket Keys for SSE-KMS. | bool | null | no |
| s3_bucket_object_lock_enabled | Indicates whether this bucket has an Object Lock configuration enabled. Valid values: Enabled. | string | null | no |
| s3_bucket_server_side_encryption_algorithm | (Required) Server-side encryption algorithm to use. Valid values are AES256 and aws:kms | string | "AES256" | no |
| s3_bucket_server_side_encryption_kms_master_key_id | AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms | string | null | no |
| s3_compression_format | The compression format for what the Kinesis Firehose puts in the S3 bucket | string | "GZIP" | no |
| s3_prefix | Optional prefix (a slash after the prefix will show up as a folder in the S3 bucket). The YYYY/MM/DD/HH time format prefix is automatically used for delivered S3 files. | string | "kinesis-firehose/" | no |
| self_managed_hec_token | This variable allows the user additional flexibility in how they pass in the HEC token, for example using a different tool than SSM or KMS encryption in their code base to encrypt it. Required if var.hec_token is not specified. | string | null | no |
| subscription_filter_pattern | Filter pattern for the CloudWatch Log Group subscription to the Kinesis Firehose. See this for filter pattern info. | string | "" | no |
| tags | Map of tags to put on the resource | map(string) | {} | no |
| Name | Description |
|---|---|
| cloudwatch_to_firehose_trust_arn | CloudWatch log subscription filter role_arn |
| destination_firehose_arn | CloudWatch log subscription filter - Firehose destination ARN |
Author
- Mitchell L. Cooper - Maintainer
Reviewers
- Ian Ward
- Justice London