forked from aliyun/ros-templates
-
Notifications
You must be signed in to change notification settings - Fork 0
/
collect-cross-account-logs-by-auditing.yml
302 lines (286 loc) · 9.58 KB
/
collect-cross-account-logs-by-auditing.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
ROSTemplateFormatVersion: '2015-09-01'
Description:
zh-cn: 跨账号OSS日志采集方案,支持企业与个人认证模式,自动化配置日志审计服务与权限策略。
en: Cross-account OSS Log Collection Solution, supporting both enterprise and individual
authentication modes, automates the configuration of log audit services and permission
policies.
Parameters:
AuthenticationMode:
Description:
en: Only enterprise accounts can be used for resource management. For individual accounts, please select user-defined authentication mode.
zh-cn: 仅支持企业账号开通资源管理(Resource Management),个人账号请通过自定义鉴权模式(User-defined)完成多账号配置。
Label:
en: Authentication mode
zh-cn: 鉴权模式
Type: String
AllowedValues:
- Resource Management
- User-defined
Default: Resource Management
DisplayNameSLS:
Description:
en: |-
Name of SLS log audit. <br>
Contains a maximum of 128 characters.
zh-cn: |-
SLS日志审计服务的名称。<br>
长度不超过128个字符。
Label:
en: Name of SLS log audit
zh-cn: 日志审计服务名称
MaxLength: 128
Type: String
Default: test-log-audit
DisplayNameMember:
Type: String
Default: test-log-audit
Description:
en: |-
The display name of the member. <br>
The name must be 2 to 50 characters in length. The name can contain letters, digits, underscores (_), periods (.), hyphens (-), and spaces. The name must be unique in the resource directory.
zh-cn: |-
成员显示名称。<br>
长度范围:2~50个字符或汉字。格式:允许输入汉字、英文字母、数字、下划线(_)、半角句号(.)、短划线(-)和空格。成员显示名称在资源目录内必须唯一。
Label:
en: The name of resource management account
zh-cn: 资源管理账号名称
AssociationPropertyMetadata:
Visible:
Condition:
Fn::Equals:
- ${AuthenticationMode}
- Resource Management
AccessKey:
Type: String
Default: null
Description:
en: Identify a user.
zh-cn: 用于标识用户。
Label: AccessKey ID
AssociationPropertyMetadata:
Visible:
Condition:
Fn::Equals:
- ${AuthenticationMode}
- User-defined
SecretKey:
Type: String
Default: null
Description:
en: The key to verify the user.
zh-cn: 用于验证用户的密钥。
Label: AccessKey Secret
AssociationProperty: Password
AssociationPropertyMetadata:
Visible:
Condition:
Fn::Equals:
- ${AuthenticationMode}
- User-defined
Conditions:
ResourceManagementMode:
Fn::Equals:
- Resource Management
- Ref: AuthenticationMode
UserDefinedMode:
Fn::Equals:
- User-defined
- Ref: AuthenticationMode
Resources:
ResourceManagerAccount:
Condition: ResourceManagementMode
Type: ALIYUN::ResourceManager::Account
Properties:
DisplayName:
Ref: DisplayNameMember
DealLogAuditStack:
Condition: ResourceManagementMode
Type: ALIYUN::ROS::Stack
Properties:
Parameters:
aliuid:
Ref: ALIYUN::TenantId
display_name:
Ref: DisplayNameSLS
multi_account:
- Fn::GetAtt:
- ResourceManagerAccount
- AccountId
TemplateBody:
ROSTemplateFormatVersion: '2015-09-01'
Transform: 'Aliyun::Terraform-v1.2'
Workspace:
main.tf: |-
variable "aliuid" {
type = string
}
variable "display_name" {
type = string
}
variable "multi_account" {
type = list(string)
}
resource "alicloud_log_audit" "default" {
display_name = var.display_name
aliuid = var.aliuid
variable_map = {
"oss_access_enabled" = "true",
"oss_access_ttl" = "180",
}
multi_account = var.multi_account
resource_directory_type = "custom"
}
DependsOn:
- ResourceManagerAccount
DealAccountPermissionPolicyStack:
Condition: UserDefinedMode
Type: ALIYUN::ROS::Stack
Properties:
Parameters:
aliuid:
Ref: ALIYUN::TenantId
access_key:
Ref: AccessKey
secret_key:
Ref: SecretKey
region:
Ref: ALIYUN::Region
TemplateBody:
ROSTemplateFormatVersion: '2015-09-01'
Transform: 'Aliyun::Terraform-v1.2'
Workspace:
main.tf: |-
variable "aliuid" {
type = string
}
variable "access_key" {
type = string
}
variable "secret_key" {
type = string
}
variable "region" {
type = string
}
provider "alicloud" {
access_key = "${var.access_key}"
secret_key = "${var.secret_key}"
region = "${var.region}"
}
resource "alicloud_ram_policy" "policy" {
policy_name = "AliyunLogAuditServiceMonitorAccess"
policy_document = <<EOF
{
"Version": "1",
"Statement": [
{
"Action": "log:*",
"Resource": [
"acs:log:*:*:project/slsaudit-*",
"acs:log:*:*:app/audit"
],
"Effect": "Allow"
},
{
"Action": [
"rds:ModifySQLCollectorPolicy",
"vpc:*FlowLog*",
"drds:*SqlAudit*",
"kvstore:ModifyAuditLogConfig",
"polardb:ModifyDBClusterAuditLogCollector",
"config:UpdateIntegratedServiceStatus",
"config:StartConfigurationRecorder",
"config:PutConfigurationRecorder"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"config.aliyuncs.com"
]
}
}
}
]
}
EOF
}
resource "alicloud_ram_role" "role" {
name = "sls-audit-service-monitor"
document = <<EOF
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"${var.aliuid}@log.aliyuncs.com",
"log.aliyuncs.com"
]
}
}
],
"Version": "1"
}
EOF
}
resource "alicloud_ram_role_policy_attachment" "attach" {
policy_name = alicloud_ram_policy.policy.policy_name
policy_type = "Custom"
role_name = alicloud_ram_role.role.name
}
resource "alicloud_ram_role_policy_attachment" "system_attach" {
policy_name = "ReadOnlyAccess"
policy_type = "System"
role_name = alicloud_ram_role.role.name
}
data "alicloud_account" "current" {
}
output "current_account_id" {
value = "${data.alicloud_account.current.id}"
}
DealUserDefinedLogAuditStack:
Condition: UserDefinedMode
Type: ALIYUN::ROS::Stack
Properties:
Parameters:
aliuid:
Ref: ALIYUN::TenantId
display_name:
Ref: DisplayNameSLS
multi_account:
- Fn::GetAtt:
- DealAccountPermissionPolicyStack
- Outputs.current_account_id
TemplateBody:
ROSTemplateFormatVersion: '2015-09-01'
Transform: 'Aliyun::Terraform-v1.2'
Workspace:
main.tf: |-
variable "aliuid" {
type = string
}
variable "display_name" {
type = string
}
variable "multi_account" {
type = list(string)
}
resource "alicloud_log_audit" "default" {
display_name = var.display_name
aliuid = var.aliuid
variable_map = {
"oss_access_enabled" = "true",
"oss_access_ttl" = "180",
}
multi_account = var.multi_account
}
DependsOn:
- DealAccountPermissionPolicyStack