Completely remove CSLS, configuring only Cribl

Author: whi-tw

infra/modules/access-logs-bucket/main.tf

@@ -68,9 +68,8 @@ data "aws_iam_policy_document" "access_logs_policy" {
 module "cyber_s3_log_shipping" {
   count = var.send_access_logs_to_cyber ? 1 : 0
 
-  source      = "../cyber_s3_log_shipping"
-  s3_name     = aws_s3_bucket.access_logs.id
-  destination = var.access_log_shipping_destination
+  source  = "../cyber_s3_log_shipping"
+  s3_name = aws_s3_bucket.access_logs.id
 }
 
 data "aws_iam_policy_document" "access_logs_combined_policy" {

infra/modules/access-logs-bucket/variables.tf

@@ -15,14 +15,3 @@ variable "extra_bucket_policies" {
   description = "Extra bucket policies to apply to this bucket. List of json policies"
   default     = []
 }
-
-variable "access_log_shipping_destination" {
-  type        = string
-  description = "The destination for log shipping. Valid values are 'cribl' or 'csls'."
-  default     = "cribl"
-
-  validation {
-    condition     = contains(["cribl", "csls"], var.access_log_shipping_destination)
-    error_message = "Invalid destination. Valid values are 'cribl' or 'csls'."
-  }
-}

infra/modules/cyber_s3_log_shipping/cribl.tf

@@ -1,17 +1,41 @@
-# S3 bucket notifications for both CSLS and Cribl
+module "cribl_well_known" {
+  source = "../well-known/cribl"
+}
+
+# IAM policy for Cribl role to access S3 bucket
+data "aws_iam_policy_document" "cribl_s3_access" {
+  statement {
+    sid = "CriblS3Access"
+
+    principals {
+      type        = "AWS"
+      identifiers = [module.cribl_well_known.cribl_role_arn]
+    }
 
-locals {
-  enable_cribl = var.destination == "cribl"
-  enable_csls  = var.destination == "csls"
+    effect = "Allow"
+
+    actions = [
+      "s3:GetObject",
+      "s3:ListBucket",
+      "s3:GetObjectTagging",
+      "s3:PutObjectTagging"
+    ]
+
+    resources = [
+      "arn:aws:s3:::${var.s3_name}",
+      "arn:aws:s3:::${var.s3_name}/*",
+    ]
+  }
 }
 
+# S3 bucket notifications
 resource "aws_s3_bucket_notification" "s3_bucket_notification" {
   bucket = var.s3_name
 
   # We can't push events to multiple SQS queues at once, so we conditionally choose
   # which queue to use based on the destination variable.
   queue {
-    queue_arn = local.enable_cribl ? module.cribl_well_known[0].cribl_sqs_queue_arn : module.csls_well_known.s3_to_splunk_queue_arn
+    queue_arn = module.cribl_well_known.cribl_sqs_queue_arn
     events    = ["s3:ObjectCreated:*"]
   }
 }

infra/modules/cyber_s3_log_shipping/csls.tf

@@ -1,4 +1,4 @@
 output "s3_policy" {
   description = "S3 bucket policy for cyber security log shipping"
-  value       = local.enable_cribl ? data.aws_iam_policy_document.cribl_s3_access[0].json : data.aws_iam_policy_document.csls_s3_access[0].json
+  value       = data.aws_iam_policy_document.cribl_s3_access[0].json
 }

infra/modules/cyber_s3_log_shipping/main.tf

@@ -2,14 +2,3 @@ variable "s3_name" {
   type        = string
   description = "The name of the S3 bucket to configure for log shipping"
 }
-
-variable "destination" {
-  type        = string
-  description = "The destination for log shipping. Valid values are 'cribl' or 'csls'."
-  default     = "cribl"
-
-  validation {
-    condition     = contains(["cribl", "csls"], var.destination)
-    error_message = "Invalid destination. Valid values are 'cribl' or 'csls'."
-  }
-}

infra/modules/cyber_s3_log_shipping/outputs.tf

@@ -666,10 +666,6 @@ data "aws_iam_policy_document" "eventbridge" {
   }
 }
 
-module "csls_well_known" {
-  source = "../well-known/csls"
-}
-
 data "aws_iam_policy_document" "cloudwatch_logging" {
   statement {
     actions = [
@@ -685,15 +681,6 @@ data "aws_iam_policy_document" "cloudwatch_logging" {
     effect = "Allow"
   }
 
-  statement {
-    sid = "PutSubscriptionFilterForCSLS"
-    actions = [
-      "logs:PutSubscriptionFilter",
-    ]
-    resources = values(module.csls_well_known.cloudwatch_to_splunk_destination_arns)
-    effect    = "Allow"
-  }
-
   statement {
     sid = "ManageSubscriptionFilterForCRIBL"
     actions = [

infra/modules/cyber_s3_log_shipping/variables.tf

@@ -90,8 +90,7 @@ module "access_logs_bucket" {
 
   bucket_name = "${var.name}-access-logs"
 
-  send_access_logs_to_cyber       = var.send_access_logs_to_cyber
-  access_log_shipping_destination = var.access_log_shipping_destination
+  send_access_logs_to_cyber = var.send_access_logs_to_cyber
 }
 
 resource "aws_s3_bucket_logging" "this" {

infra/modules/deployer-access/policy.tf

@@ -34,14 +34,3 @@ variable "send_access_logs_to_cyber" {
   default     = true
   nullable    = false
 }
-
-variable "access_log_shipping_destination" {
-  type        = string
-  description = "The destination for log shipping. Valid values are 'cribl' or 'csls'."
-  default     = "cribl"
-
-  validation {
-    condition     = contains(["cribl", "csls"], var.access_log_shipping_destination)
-    error_message = "Invalid destination. Valid values are 'cribl' or 'csls'."
-  }
-}