
Commit 6c7daab

firehose terraform code
1 parent 73e9393 commit 6c7daab

6 files changed

Lines changed: 81 additions & 0 deletions


Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
resource "aws_kinesis_firehose_delivery_stream" "eligibility_audit_firehose_delivery_stream" {
2+
name = var.audit_firehose_delivery_stream_name
3+
destination = "extended_s3"
4+
5+
extended_s3_configuration {
6+
role_arn = var.audit_firehose_role_arn
7+
bucket_arn = var.s3_audit_bucket_arn
8+
9+
buffering_size = 1
10+
buffering_interval = 60
11+
compression_format = "UNCOMPRESSED"
12+
}
13+
}
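Review bot: The delivery stream sets no `server_side_encryption` block, so audit records buffered inside Firehose (up to 60 s / 1 MB with the buffering settings here) are not encrypted at rest within the service, and there is no `cloudwatch_logging_options` or `error_output_prefix`, so a failed delivery of audit events is dropped without trace. Both matter more than usual for an audit trail: this is a Direct PUT stream (no `kinesis_source_configuration`), so `server_side_encryption` applies, and CloudWatch error logging plus an error prefix keep failed records instead of losing them. If the audit bucket enforces SSE-KMS, also pass the key ARN into the module and set `kms_key_arn` inside `extended_s3_configuration` so the dependency on that key (and the role's KMS permissions) is explicit rather than implied by bucket defaults. `compression_format = "UNCOMPRESSED"` is safe but costs storage; `GZIP` is the usual choice for audit logs.
```hcl
resource "aws_kinesis_firehose_delivery_stream" "eligibility_audit_firehose_delivery_stream" {
  # … unchanged: name / destination …

  # Encrypt records while buffered in Firehose (Direct PUT source).
  server_side_encryption {
    enabled  = true
    key_type = "AWS_OWNED_CMK"
  }

  # … unchanged: extended_s3_configuration (add cloudwatch_logging_options / error_output_prefix there) …
}
```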
Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
output "firehose_stream_name" {
2+
value = aws_kinesis_firehose_delivery_stream.eligibility_audit_firehose_delivery_stream.name
3+
}
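Review bot: Only the stream name is exported, which forces the calling stack to hand-assemble the stream ARN (hard-coded `arn:aws` partition, region and account) for the Lambda's PutRecord policy instead of reading the ARN Terraform already knows. Add `output "firehose_stream_arn" { value = aws_kinesis_firehose_delivery_stream.eligibility_audit_firehose_delivery_stream.arn }` alongside the name output so IAM policies can reference the exact resource.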
Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
variable "audit_firehose_delivery_stream_name" {
2+
description = "audit firehose delivery stream name"
3+
type = string
4+
}
5+
6+
variable "audit_firehose_role_arn" {
7+
description = "audit firehose role arn"
8+
type = string
9+
}
10+
11+
variable "s3_audit_bucket_arn" {
12+
description = "s3 audit bucket arn"
13+
type = string
14+
}
15+

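--- a/infrastructure/stacks/api-layer/iam_policies.tf
+++ b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -56,6 +56,13 @@ resource "aws_iam_role_policy" "lambda_s3_read_policy" {
 policy = data.aws_iam_policy_document.s3_rules_bucket_policy.json
 }
 
+# Attach s3 read policy to kinesis firehose role
+resource "aws_iam_role_policy" "kinesis_firehose_s3_read_policy" {
+name = "S3ReadAccess"
+role = aws_iam_role.eligibility_audit_firehose_role.id
+policy = data.aws_iam_policy_document.s3_audit_bucket_policy.json
+}
+
 # Attach AWSLambdaVPCAccessExecutionRole to Lambda
 resource "aws_iam_role_policy_attachment" "AWSLambdaVPCAccessExecutionRole" {
 role = aws_iam_role.eligibility_lambda_role.id
@@ -194,3 +201,23 @@ resource "aws_kms_key_policy" "s3_audit_kms_key" {
 key_id = module.s3_audit_bucket.storage_bucket_kms_key_arn
 policy = data.aws_iam_policy_document.s3_audit_kms_key_policy.json
 }
+
+data "aws_iam_policy_document" "lambda_firehose_write_policy" {
+statement {
+sid = "AllowLambdaToPutToFirehose"
+effect = "Allow"
+actions = [
+"firehose:PutRecord",
+"firehose:PutRecordBatch"
+]
+resources = [
+"arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/${module.eligibility_audit_firehose_delivery_stream.firehose_stream_name}"
+]
+}
+}
+
+resource "aws_iam_role_policy" "lambda_firehose_policy" {
+name = "LambdaFirehoseWritePolicy"
+role = aws_iam_role.eligibility_lambda_role.id
+policy = data.aws_iam_policy_document.lambda_firehose_write_policy.json
+}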
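Review bot: The Firehose service role is given `s3_audit_bucket_policy` under the name `S3ReadAccess` with the comment "Attach s3 read policy", but a delivery stream needs write permissions on the destination (`s3:PutObject`, `s3:AbortMultipartUpload`, `s3:GetBucketLocation`, `s3:ListBucket`, `s3:ListBucketMultipartUploads`) — if that document is indeed read-only, every delivery will fail with AccessDenied, and if it is not, the name and comment misdescribe what the audit sink can do. An audit writer should also not be able to read or delete audit records, so give the role its own least-privilege document rather than sharing one with the Lambda side; the document contents are outside this hunk, so I am inferring from the name. Because the bucket has a KMS key (`storage_bucket_kms_key_arn` is referenced in the key-policy resource above), the role additionally needs `kms:GenerateDataKey`/`kms:Decrypt` on that key and `s3_audit_kms_key_policy` must allow the role principal, or SSE-KMS uploads will be rejected. The second hunk is fine as scoped, though it would be simpler to read the stream ARN from a module output than to assemble it from name, region and account.
```hcl
# Firehose delivery needs write access to the audit bucket and its KMS key — not read access.
data "aws_iam_policy_document" "firehose_s3_delivery_policy" {
  statement {
    sid    = "AllowFirehoseToWriteAuditObjects"
    effect = "Allow"
    actions = [
      "s3:AbortMultipartUpload",
      "s3:GetBucketLocation",
      "s3:ListBucket",
      "s3:ListBucketMultipartUploads",
      "s3:PutObject",
    ]
    resources = [
      module.s3_audit_bucket.storage_bucket_arn,
      "${module.s3_audit_bucket.storage_bucket_arn}/*",
    ]
  }

  statement {
    sid       = "AllowFirehoseToUseAuditBucketKey"
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
    resources = [module.s3_audit_bucket.storage_bucket_kms_key_arn]
  }
}

resource "aws_iam_role_policy" "kinesis_firehose_s3_delivery_policy" {
  name   = "FirehoseS3DeliveryPolicy"
  role   = aws_iam_role.eligibility_audit_firehose_role.id
  policy = data.aws_iam_policy_document.firehose_s3_delivery_policy.json
}
```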

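--- a/infrastructure/stacks/api-layer/iam_roles.tf
+++ b/infrastructure/stacks/api-layer/iam_roles.tf
@@ -22,6 +22,18 @@ data "aws_iam_policy_document" "dps_assume_role" {
 }
 }
 
+# Trust policy kinesis firehose
+data "aws_iam_policy_document" "firehose_assume_role" {
+statement {
+actions = ["sts:AssumeRole"]
+principals {
+type = "Service"
+identifiers = ["firehose.amazonaws.com"]
+}
+}
+}
+
+# Roles
 
 resource "aws_iam_role" "eligibility_lambda_role" {
 name = "eligibility_lambda-role${terraform.workspace == "default" ? "" : "-${terraform.workspace}"}"
@@ -36,3 +48,8 @@ resource "aws_iam_role" "write_access_role" {
 assume_role_policy = data.aws_iam_policy_document.dps_assume_role.json
 permissions_boundary = aws_iam_policy.assumed_role_permissions_boundary.arn
 }
+
+resource "aws_iam_role" "eligibility_audit_firehose_role" {
+name = "eligibility_audit_firehouse-role${terraform.workspace == "default" ? "" : "-${terraform.workspace}"}"
+assume_role_policy = data.aws_iam_policy_document.firehose_assume_role.json
+}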
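Review bot: The `firehose_assume_role` trust policy grants `sts:AssumeRole` to `firehose.amazonaws.com` with no condition, so a Firehose delivery stream configured in another AWS account could be pointed at `eligibility_audit_firehose_role` and use whatever it is allowed to do against the audit bucket — the confused-deputy case AWS specifically documents for Firehose service roles. Add a `condition` requiring `sts:ExternalId` to equal this account ID (Firehose presents the owning account as the external ID); `data.aws_caller_identity.current` is already used elsewhere in this stack. Separately, the role name in the second hunk reads `eligibility_audit_firehouse-role` ("firehouse"), and since renaming an IAM role forces replacement it is cheapest to correct before this is applied anywhere.
```hcl
data "aws_iam_policy_document" "firehose_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["firehose.amazonaws.com"]
    }
    # Confused-deputy guard: only Firehose streams in this account may assume the role.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
```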
Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
module "eligibility_audit_firehose_delivery_stream" {
2+
source = "../../modules/kinesis_firehose"
3+
audit_firehose_delivery_stream_name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}eligibility_audit_stream"
4+
audit_firehose_role_arn = aws_iam_role.eligibility_audit_firehose_role.arn
5+
s3_audit_bucket_arn = module.s3_audit_bucket.storage_bucket_arn
6+
}
