fix: ARN prefix for govcloud (#188)

* arn prefix for govcloud

* readme fix

* changelog

* fix: readme

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## v2.2.3
+#### **firehose-metrics**
+#### **firehose-logs**
+### 🧰 Bug fixes 🧰 
+- Added new variable `govcloud_deployment`, when set to true the arn of resource that are being used by the module will start with `arn:aws-us-gov` instead of `arn:aws`
+
 ## v2.2.2
 #### **coralogix-aws-shipper**
 ### 💡 Enhancements 

examples/firehose-logs/variables.tf

@@ -56,3 +56,9 @@ variable "cloudwatch_retention_days" {
   type        = number
   default     = 1
 }
+
+variable "govcloud_deployment" {
+  description = "Enable if you deploy the integration in govcloud"
+  type        = bool
+  default     = false
+}

examples/firehose-metrics/variables.tf

@@ -127,3 +127,9 @@ variable "cloudwatch_retention_days" {
   type        = number
   default     = 1
 }
+
+variable "govcloud_deployment" {
+  description = "Enable if you deploy the integration in govcloud"
+  type        = bool
+  default     = false
+}

modules/firehose-logs/README.md

@@ -96,15 +96,14 @@ It is possible to pass a custom coralogix domain by using the `custom_domain` va
 | <a name="input_source_type_logs"></a> [source_type_logs](#input\_source_type_logs) | The source_type of kinesis firehose: KinesisStreamAsSource or DirectPut | `string` | `DirectPut` | no |
 | <a name="input_kinesis_stream_arn"></a> [kinesis_stream_arn](#input\_kinesis_stream_arn) | If 'KinesisStreamAsSource' set as source_type_logs. Set the kinesis stream's ARN as the source of the firehose log stream | `string` | `""` | no |
 | <a name="input_integration_type_logs"></a> [integration_type_logs](#input\_integration_type_logs) | The integration type of the firehose delivery stream: 'CloudWatch_JSON', 'WAF', 'CloudWatch_CloudTrail', 'EksFargate', 'Default', 'RawText' | `string` | `Default` | no |
+| <a name="input_s3_backup_custom_name"></a> [s3_backup_custom_name](#input\_s3_backup_custom_name) | Set the name of the S3 backup bucket, otherwise variable '{firehose_stream}-backup-logs' will be used | `string` | `null` | no |
+| <a name="input_existing_s3_backup"></a> [existing\_s3\_backup](variables.tf#L149) | Use an existing S3 bucket to use as a backup bucket. | `string` | n/a | no |
+| <a name="input_govcloud_deployment"></a> [govcloud\_deployment](#input\_govcloud\_deployment) | Enable if you deploy the integration in govcloud | `bool` | false | no |
+| <a name="input_firehose_iam_custom_name"></a> [firehose\_iam\_custom\_name](variables.tf#L179) | Set the name of the IAM role & policy, otherwise variable '{firehose_stream}-firehose-metrics-iam' will be used. | `string` | n/a | no |
+| <a name="input_existing_firehose_iam"></a> [existing\_firehose\_iam](variables.tf#L185) | Use an existing IAM role to use as a firehose role. | `string` | n/a | no |
 | <a name="input_user_supplied_tags"></a> [user_supplied_tags](#input\_user_supplied_tags) | Tags supplied by the user to populate to all generated resources | `map(string)` | n/a | no |
 | <a name="input_override_default_tags"></a> [override_default_tags](#input\_override_default_tags) | Override and remove the default tags by setting to true | `bool` | `false` | no |
 
-## Inputs - Custom Resource Naming
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| <a name="input_s3_backup_custom_name"></a> [s3_backup_custom_name](#input\_s3_backup_custom_name) | Set the name of the S3 backup bucket, otherwise variable '{firehose_stream}-backup-logs' will be used | `string` | `null` | no |
-
-
 ## Coralgoix regions
 
 | Coralogix region | AWS Region | Coralogix Domain |

modules/firehose-logs/main.tf

@@ -32,6 +32,8 @@ locals {
   #new global resource namings
   new_s3_backup_bucket_name = var.s3_backup_custom_name != null ? var.s3_backup_custom_name : "${var.firehose_stream}-backup-logs"
   new_firehose_iam_name     = var.firehose_iam_custom_name != null ? var.firehose_iam_custom_name : "${var.firehose_stream}-firehose-logs-iam"
+
+  arn_prefix = var.govcloud_deployment ? "arn:aws-us-gov" : "arn:aws"
 }
 
 data "aws_caller_identity" "current_identity" {}
@@ -136,7 +138,7 @@ resource "aws_iam_role" "new_firehose_iam" {
             "kinesis:GetRecords",
             "kinesis:ListShards"
           ],
-          "Resource" = "arn:aws:kinesis:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_identity.account_id}:stream/*"
+          "Resource" = "${local.arn_prefix}:kinesis:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_identity.account_id}:stream/*"
         },
         {
           "Effect" : "Allow",
@@ -156,19 +158,19 @@ resource "aws_iam_role" "new_firehose_iam" {
 resource "aws_iam_role_policy_attachment" "policy_attachment_firehose" {
   count      = var.existing_firehose_iam != null ? 0 : 1
   role       = one(aws_iam_role.new_firehose_iam[*].name)
-  policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisFirehoseFullAccess"
+  policy_arn = "${local.arn_prefix}:iam::aws:policy/AmazonKinesisFirehoseFullAccess"
 }
 
 resource "aws_iam_role_policy_attachment" "policy_attachment_kinesis" {
   count      = var.existing_firehose_iam != null ? 0 : 1
   role       = one(aws_iam_role.new_firehose_iam[*].name)
-  policy_arn = "arn:aws:iam::aws:policy/AmazonKinesisReadOnlyAccess"
+  policy_arn = "${local.arn_prefix}:iam::aws:policy/AmazonKinesisReadOnlyAccess"
 }
 
 resource "aws_iam_role_policy_attachment" "policy_attachment_cloudwatch" {
   count      = var.existing_firehose_iam != null ? 0 : 1
   role       = one(aws_iam_role.new_firehose_iam[*].name)
-  policy_arn = "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
+  policy_arn = "${local.arn_prefix}:iam::aws:policy/CloudWatchLogsFullAccess"
 }
 
 resource "aws_kinesis_firehose_delivery_stream" "coralogix_stream_logs" {

modules/firehose-logs/variables.tf

@@ -72,6 +72,12 @@ variable "existing_s3_backup" {
   default     = null
 }
 
+variable "govcloud_deployment" {
+  description = "Enable if you deploy the integration in govcloud"
+  type        = bool
+  default     = false
+}
+
 variable "firehose_iam_custom_name" {
   description = "Set the name of the firehose IAM role & policy, otherwise variable '{firehose_stream}-firehose-logs-iam' will be used"
   type        = string

modules/firehose-metrics/README.md

@@ -211,6 +211,7 @@ then the CloudWatch metric stream must be configured with the same format, confi
 | <a name="input_additional_metric_statistics"></a> [additional\_metric\_statistics](variables.tf#L97) | For each entry, specify one or more metrics (metric_name and namespace) and the list of additional statistics to stream for those metrics. Each configuration of metric name and namespace can have a list of additional_statistics included into the AWS CloudWatch Metric Stream. | `list(object({additional_statistics=list(string), metric_name=string, namespace=string}))` | See variables.tf | no |
 | <a name="input_s3_backup_custom_name"></a> [s3\_backup\_custom\_name](variables.tf#L143) | Set the name of the S3 backup bucket, otherwise variable '{firehose_stream}-backup-metrics' will be used. | `string` | n/a | no |
 | <a name="input_existing_s3_backup"></a> [existing\_s3\_backup](variables.tf#L149) | Use an existing S3 bucket to use as a backup bucket. | `string` | n/a | no |
+| <a name="input_govcloud_deployment"></a> [govcloud\_deployment](#input\_govcloud\_deployment) | Enable if you deploy the integration in govcloud | `bool` | false | no |
 | <a name="input_lambda_processor_enable"></a> [lambda\_processor\_enable](variables.tf#L155) | Enable the lambda processor function. Set to false to remove the lambda and all associated resources. | `bool` | `true` | no |
 | <a name="input_lambda_processor_custom_name"></a> [lambda\_processor\_custom\_name](variables.tf#L161) | Set the name of the lambda processor function, otherwise variable '{firehose_stream}-metrics-transform' will be used | `string` | `null` | no |
 | <a name="input_lambda_processor_iam_custom_name"></a> [lambda\_processor\_iam\_custom\_name](variables.tf#L167) | Set the name of the lambda processor IAM role, otherwise variable '{firehose_stream}-lambda-processor-iam' will be used. | `string` | n/a | no |

modules/firehose-metrics/main.tf

@@ -40,6 +40,8 @@ locals {
   new_lambda_processor_iam_name = var.lambda_processor_iam_custom_name != null ? var.lambda_processor_iam_custom_name : "${var.firehose_stream}-lambda-processor-iam"
   new_firehose_iam_name         = var.firehose_iam_custom_name != null ? var.firehose_iam_custom_name : "${var.firehose_stream}-firehose-metrics-iam"
   new_metric_stream_iam_name    = var.metric_streams_iam_custom_name != null ? var.metric_streams_iam_custom_name : "${var.firehose_stream}-cw-iam"
+
+  arn_prefix = var.govcloud_deployment ? "arn:aws-us-gov" : "arn:aws"
 }
 
 data "aws_caller_identity" "current_identity" {}
@@ -150,7 +152,7 @@ resource "aws_iam_policy" "new_firehose_iam" {
                "kms:GenerateDataKey"
            ],
            "Resource": [
-               "arn:aws:kms:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_identity.account_id}:key/key-id"
+               "${local.arn_prefix}:kms:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_identity.account_id}:key/key-id"
            ],
            "Condition": {
                "StringEquals": {
@@ -169,7 +171,7 @@ resource "aws_iam_policy" "new_firehose_iam" {
                "kinesis:GetRecords",
                "kinesis:ListShards"
            ],
-           "Resource": "arn:aws:kinesis:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_identity.account_id}:stream/*"
+           "Resource": "${local.arn_prefix}:kinesis:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_identity.account_id}:stream/*"
         },
         {
            "Effect": "Allow",
@@ -263,7 +265,7 @@ resource "aws_iam_role_policy" "new_lambda_iam" {
               "logs:CreateLogGroup"
           ],
           "Effect": "Allow",
-          "Resource": "arn:aws:logs:*:*:*",
+          "Resource": "${local.arn_prefix}:logs:*:*:*",
           "Sid": ""
       }
   ]
@@ -438,13 +440,13 @@ EOF
 }
 
 resource "aws_cloudwatch_metric_stream" "cloudwatch_metric_stream" {
-  tags          = local.tags
-  count         = var.enable_cloudwatch_metricstream ? 1 : 0
-  name          = local.cloud_watch_metric_stream_name
-  role_arn      = local.metrics_stream_iam_role_arn
-  firehose_arn  = aws_kinesis_firehose_delivery_stream.coralogix_stream_metrics.arn
+  tags                            = local.tags
+  count                           = var.enable_cloudwatch_metricstream ? 1 : 0
+  name                            = local.cloud_watch_metric_stream_name
+  role_arn                        = local.metrics_stream_iam_role_arn
+  firehose_arn                    = aws_kinesis_firehose_delivery_stream.coralogix_stream_metrics.arn
   include_linked_accounts_metrics = var.include_linked_accounts_metrics
-  output_format = var.output_format
+  output_format                   = var.output_format
 
   dynamic "include_filter" {
     for_each = var.include_metric_stream_namespaces

modules/firehose-metrics/variables.tf

@@ -82,7 +82,7 @@ variable "include_metric_stream_filter" {
   default = []
 }
 
-  variable "include_linked_accounts_metrics" {
+variable "include_linked_accounts_metrics" {
   description = "include_linked_accounts_metrics (Optional) If you are creating a metric stream in a monitoring account, specify true to include metrics from source accounts that are linked to this monitoring account, in the metric stream. The default is false."
   type        = bool
   default     = false
@@ -152,6 +152,12 @@ variable "existing_s3_backup" {
   default     = null
 }
 
+variable "govcloud_deployment" {
+  description = "Enable if you deploy the integration in govcloud"
+  type        = bool
+  default     = false
+}
+
 variable "lambda_processor_enable" {
   description = "Enable lambda processor function, defaults to true"
   type        = bool