This module assembles different methods of collecting data from AWS into Observe. It is intended as both a starting point and as a reference.
The module sets up the following forwarding methods:
- the Observe lambda
- an S3 bucket, subscribed to the aforementioned Lambda
- a Firehose stream
Given these egresses, we extract data from the following sources:
- Cloudwatch Metrics, via Firehose
- CloudTrail, via S3
- EventBridge, via Firehose
- AWS snapshot data, via Lambda
The following snippet installs the Observe AWS collection stack to a single region:

```hcl
module "observe_collection" {
  source = "github.com/observeinc/terraform-aws-collection"

  observe_customer = ""
  observe_token    = ""
}
```
The snippet below installs the Observe AWS collection stack so that all supported CloudWatch Logs, CloudWatch metrics, CloudTrail records, and AWS resource updates are collected, except for some excluded items:

```hcl
module "observe_collection" {
  source = "github.com/observeinc/terraform-aws-collection"

  observe_customer = ""
  observe_token    = ""

  subscribed_log_group_matches       = [".*"]
  subscribed_log_group_excludes      = ["/aws/elasticbeanstalk/my-app.*"]
  snapshot_exclude                   = ["kms:Describe*"]
  cloudwatch_metrics_exclude_filters = ["AWS/KMS"]
}
```
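Both snippets above deploy to one region, and the regional pieces (Firehose, Lambda, snapshot, log subscriptions) only see resources in the region their provider points at. The following is an added example, not part of the module's README: it instantiates the module a second time through an aliased provider (`aws.secondary` is assumed to be defined as shown) and disables trail creation in the second region, because the primary instance's trail is multi-region by default (`cloudtrail_is_multi_region_trail = true`) and a second trail would duplicate events and consume the per-region trail quota described under `cloudtrail_enable`. Customer ID and token are placeholders.

```hcl
# Added example, not from the module README. Provider aliases and the
# Observe credentials below are placeholders/assumptions for illustration.

provider "aws" {
  region = "us-east-1"
}

provider "aws" {
  alias  = "secondary"
  region = "us-west-2"
}

# Primary region: creates the (multi-region) CloudTrail trail plus the
# Firehose stream, Lambda, staging bucket and subscriptions for us-east-1.
module "observe_collection_primary" {
  source = "github.com/observeinc/terraform-aws-collection"

  observe_customer = "<OBSERVE_CUSTOMER_ID>" # placeholder
  observe_token    = "<OBSERVE_TOKEN>"       # placeholder
}

# Secondary region: regional collectors only. The multi-region trail created
# above already delivers this region's CloudTrail events, so no trail is
# created here; a distinct name keeps the two deployments easy to tell apart.
module "observe_collection_secondary" {
  source = "github.com/observeinc/terraform-aws-collection"
  providers = {
    aws = aws.secondary
  }

  observe_customer = "<OBSERVE_CUSTOMER_ID>" # placeholder
  observe_token    = "<OBSERVE_TOKEN>"       # placeholder

  name              = "observe-collection-usw2"
  cloudtrail_enable = false
}
```

Repeat the secondary block once per additional region; only one instance should own the trail, and every instance still needs its own Observe credentials because the Firehose and Lambda in each region deliver independently.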
```
┌──────────────────┐ ┌───────────────┐ ┌─────────────┐
│cloudwatch metrics├──┐ │ s3 bucket │ │ cloudtrail │
└──────────────────┘ │ ┌───────────► ◄────┤ │
│ │ └────────┬──────┘ └─────────────┘
│ │ │
│ │ │
│ ┌─────┴──────┐ │
└─────► │ │
│ Firehose ├──────┐ │
┌───────────────────► │ │ │
│ └───▲──┬─────┘ │ │
│ │ │ │ │
│ │ │ ┌───▼───┐ │
┌─────┴─────┐ │ │ │ │ │
│eventbridge│ │ │ │observe│ │
└─────┬─────┘ │ │ │ │ │
│ ┌──────────┴──▼─┐ └────▲──┘ │
│ │cloudwatch logs│ │ │
│ └──────────┬──┬─┘ │ │
│ │ │ │ │
│ │ │ │ │
│ ┌───┴──▼─────┐ │ │
└───────────────────► ├───────┘ │
│ Lambda │ │
┌───────────────────► ◄─────────────┘
│ └────────────┘
┌────────┴─────────┐
│ cloudwatch logs │
└──────────────────┘
```
## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.2 |
| aws | >= 5.0 |
| random | >= 3.0.0 |
## Providers

| Name | Version |
|---|---|
| aws | >= 5.0 |
| random | >= 3.0.0 |
## Modules

| Name | Source | Version |
|---|---|---|
| lambda_log_subscription | observeinc/kinesis-firehose/aws//modules/cloudwatch_logs_subscription | 2.3.0 |
| observe_cloudwatch_logs_subscription | observeinc/cloudwatch-logs-subscription/aws | 0.5.0 |
| observe_cloudwatch_metrics | observeinc/kinesis-firehose/aws//modules/cloudwatch_metrics | 2.3.0 |
| observe_firehose_eventbridge | observeinc/kinesis-firehose/aws//modules/eventbridge | 2.3.0 |
| observe_kinesis_firehose | observeinc/kinesis-firehose/aws | 2.3.0 |
| observe_lambda | observeinc/lambda/aws | 3.6.0 |
| observe_lambda_s3_bucket_subscription | observeinc/lambda/aws//modules/s3_bucket_subscription | 3.6.0 |
| observe_lambda_snapshot | observeinc/lambda/aws//modules/snapshot | 3.6.0 |
| s3_bucket | terraform-aws-modules/s3-bucket/aws | ~> 4.0 |
## Resources

| Name | Type |
|---|---|
| aws_cloudtrail.trail | resource |
| aws_cloudwatch_event_rule.rules | resource |
| aws_cloudwatch_log_group.group | resource |
| random_string.this | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.bucket | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cloudtrail_enable | Whether to create a CloudTrail trail. Useful for avoiding the 'trails per region' quota of 5, such as when testing. If CloudTrail is already enabled in your AWS account, management events will still be collected by default, except for those from RDS and KMS, which are excluded. To disable collection of all CloudTrail management events, explicitly set `cloudtrail_exclude_management_event_sources` to `["*"]`. If you have existing CloudTrails and want to include their events, update `cloudtrail_exclude_management_event_sources` to control which services are included in or excluded from event collection. | `bool` | `true` | no |
| cloudtrail_enable_log_file_validation | Whether log file integrity validation is enabled for CloudTrail. Defaults to false. | `bool` | `false` | no |
| cloudtrail_exclude_management_event_sources | A list of management event sources to exclude. To capture all CloudTrail management events, set this to an empty list (`[]`). To exclude all CloudTrail management events, explicitly set this to `["*"]`. See https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html for more info. | `set(string)` | `[` | no |
| cloudtrail_is_multi_region_trail | Whether to enable multi-region trail export. | `bool` | `true` | no |
| cloudwatch_metrics_exclude_filters | Namespaces to exclude. Mutually exclusive with `cloudwatch_metrics_include_filters`. To disable the CloudWatch Metrics Stream entirely, use `["*"]`. | `set(string)` | `[]` | no |
| cloudwatch_metrics_include_filters | Namespaces to include. Mutually exclusive with `cloudwatch_metrics_exclude_filters`. | `set(string)` | `[]` | no |
| dead_letter_queue_destination | Send failed events/function executions to a dead letter queue (SNS or SQS ARN). | `string` | `null` | no |
| enable_s3_bucket_eventbridge | Enable sending bucket notifications to EventBridge. | `bool` | `false` | no |
| eventbridge_rules | EventBridge events matching these rules will be forwarded to Observe. Map keys are only used to provide stable resource addresses. If null, a default set of rules will be used. | `map(object({` | `null` | no |
| invoke_snapshot_on_start_enabled | Toggle invocation of the snapshot from CloudFormation. This can be useful for debugging purposes if the Lambda fails to complete successfully. | `bool` | `false` | no |
| kms_key_id | KMS key ARN to use to encrypt the logs delivered by CloudTrail. | `string` | `""` | no |
| lambda_envvars | Environment variables. | `map(any)` | `{}` | no |
| lambda_kms_key | KMS key to encrypt environment variables. | `object({ arn = string })` | `null` | no |
| lambda_memory_size | The amount of memory that your function has access to. Increasing the function's memory also increases its CPU allocation. The default value is 256 MB. The value must be a multiple of 64 MB. | `number` | `256` | no |
| lambda_reserved_concurrent_executions | The number of simultaneous executions to reserve for the function. | `number` | `100` | no |
| lambda_s3_custom_rules | List of rules to evaluate how to upload a given S3 object to Observe. | `list(object({` | `[]` | no |
| lambda_subscribe_logs | Whether to subscribe to the Lambda function's logs and deliver them from CloudWatch to Observe via Kinesis Firehose. | `bool` | `true` | no |
| lambda_timeout | The amount of time that Lambda allows a function to run before stopping it. The maximum allowed value is 900 seconds. | `number` | `120` | no |
| lambda_version | Lambda version. | `string` | `"arm64/latest"` | no |
| log_subscription_name | Name for log subscription resources to be created. | `string` | `null` | no |
| name | Name for resources to be created. | `string` | `"observe-collection"` | no |
| observe_customer | Observe Customer ID. | `string` | n/a | yes |
| observe_domain | Observe Domain. | `string` | `"observeinc.com"` | no |
| observe_token | Observe Token. | `string` | n/a | yes |
| retention_in_days | Retention in days of the CloudWatch log group. | `number` | `365` | no |
| s3_bucket | Override the S3 bucket used to stage data to be sent to Observe. | `object({` | `null` | no |
| s3_exported_prefix | Key prefix which is subscribed to be sent to the Observe Lambda. | `string` | `""` | no |
| s3_lifecycle_rule | List of maps containing configuration of object lifecycle management. | `any` | `[]` | no |
| s3_logging | Enable S3 access log collection. | `bool` | `false` | no |
| snapshot_action | List of actions triggered by snapshot. Set to null to inherit all actions supported by the Lambda. | `set(string)` | `[` | no |
| snapshot_exclude | List of actions to exclude from being executed on snapshot request. | `list(string)` | `[]` | no |
| snapshot_include | List of actions to include in snapshot request. | `list(string)` | `[]` | no |
| snapshot_schedule_expression | Rate at which the snapshot is triggered. Must be a valid EventBridge expression. | `string` | `"rate(1 hour)"` | no |
| subscribed_log_group_excludes | A list of regex patterns describing CloudWatch log groups to NOT subscribe to. See https://github.com/observeinc/terraform-aws-cloudwatch-logs-subscription#input_log_group_excludes for more info. | `list(string)` | `[]` | no |
| subscribed_log_group_filter_pattern | A filter pattern for a CloudWatch Logs subscription filter. See https://github.com/observeinc/terraform-aws-cloudwatch-logs-subscription#input_filter_pattern or https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html for more info. | `string` | `""` | no |
| subscribed_log_group_matches | A list of regex patterns describing CloudWatch log groups to subscribe to. See https://github.com/observeinc/terraform-aws-cloudwatch-logs-subscription#input_log_group_matches for more info. | `list(string)` | `[]` | no |
| subscribed_s3_bucket_arns | List of additional S3 bucket ARNs to subscribe the Lambda to. | `list(string)` | `[]` | no |
| tags | A map of tags to add to all resources. | `map(string)` | `{}` | no |
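The inputs above are individually documented but the README does not show how the security-relevant ones fit together. The following is an added example written for this page, not code from the module's README: it enables CloudTrail log file validation, encrypts delivered trail files with a customer-managed KMS key (the ARN is a placeholder), captures every management event including the KMS and RDS sources excluded by default, uses an allow-list for metric namespaces, and routes failed Lambda executions to an SQS dead-letter queue created here for illustration. It assumes the module grants its Lambda permission to send to the queue named in `dead_letter_queue_destination`, and that the KMS key policy allows CloudTrail to use the key.

```hcl
# Added example, not from the module README. Key ARN is a placeholder and the
# SQS queue is created here only to illustrate dead_letter_queue_destination.

variable "observe_customer" {
  type = string
}

variable "observe_token" {
  type      = string
  sensitive = true # keeps the token out of plan/apply output
}

# Dead-letter queue for Lambda invocations that fail after retries, so that
# records the collector could not deliver are retained and visible rather
# than silently dropped.
resource "aws_sqs_queue" "observe_collection_dlq" {
  name                      = "observe-collection-dlq"
  message_retention_seconds = 1209600 # 14 days, the SQS maximum
}

module "observe_collection" {
  source = "github.com/observeinc/terraform-aws-collection"

  observe_customer = var.observe_customer
  observe_token    = var.observe_token

  # CloudTrail: one multi-region trail, with digest files signed so tampering
  # with delivered log files is detectable, and log files encrypted with a
  # customer-managed key. The key policy must let CloudTrail call
  # kms:GenerateDataKey* and kms:DescribeKey on this key.
  cloudtrail_is_multi_region_trail      = true
  cloudtrail_enable_log_file_validation = true
  kms_key_id                            = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000" # placeholder

  # Capture all management events. KMS and RDS are excluded by default;
  # expect noticeably higher event volume from KMS once included.
  cloudtrail_exclude_management_event_sources = []

  # CloudWatch Logs: subscribe to every group except a noisy dev prefix.
  subscribed_log_group_matches  = [".*"]
  subscribed_log_group_excludes = ["^/aws/lambda/dev-.*"]

  # CloudWatch Metrics: an allow-list of namespaces. Include and exclude
  # filters are mutually exclusive, so the exclude filter is left unset.
  cloudwatch_metrics_include_filters = ["AWS/EC2", "AWS/Lambda", "AWS/S3", "AWS/IAM"]

  # Snapshot: inventory AWS resources every 6 hours instead of hourly, and
  # skip KMS key description calls as in the README's exclusion example.
  snapshot_schedule_expression = "rate(6 hours)"
  snapshot_exclude             = ["kms:Describe*"]

  # Failure handling and retention for the collector's own logs.
  dead_letter_queue_destination = aws_sqs_queue.observe_collection_dlq.arn
  lambda_subscribe_logs         = true
  retention_in_days             = 400

  tags = {
    owner   = "security-operations"
    purpose = "observe-collection"
  }
}
```

Watch the dead-letter queue depth after deployment: messages arriving there mean the Lambda is failing to deliver data to Observe, which is the collection-side failure mode the default configuration would otherwise hide in the Lambda's own log group.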
## Outputs

| Name | Description |
|---|---|
| bucket | S3 bucket subscribed to the Observe Lambda |
| observe_kinesis_firehose | Observe Kinesis Firehose module |
| observe_lambda | Observe Lambda module |
Apache 2 Licensed. See LICENSE for full details.