Support Route53 Resolver Query Logging #14877

Closed
ghost opened this issue Aug 27, 2020 · 6 comments
enhancement Requests to existing resources that expand the functionality or scope. new-resource Introduces a new resource. service/route53resolver Issues and PRs that pertain to the route53resolver service. service/route53 Issues and PRs that pertain to the route53 service.
Comments


ghost commented Aug 27, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS released a new feature for Route53 Resolver to write DNS queries to a log destination. See *QueryLog* actions in the API Reference.

New or Affected Resource(s)

  • aws_route53_resolver_query_log_config
  • aws_route53_resolver_query_log_config_association
  • aws_route53_resolver_query_log_config_policy *

* I'm not sure aws_route53_resolver_query_log_config_policy is required. I went through a RAM-sharing scenario in the console and, reviewing CloudTrail, do not see any explicit API methods called regarding these policies. It may just be a permission required behind the scenes.

Potential Terraform Configuration

# Query log configuration: where Resolver writes the DNS query records.
resource "aws_route53_resolver_query_log_config" "my_query_log" {
  name            = "my_query_log"
  destination_arn = "arn:aws:s3:::my_query_s3_bucket"
  tags = {
    Environment = "Prod"
  }
}

# Associates the configuration with a VPC so its queries are logged.
resource "aws_route53_resolver_query_log_config_association" "my_vpc_query_log" {
  query_log_config_id = aws_route53_resolver_query_log_config.my_query_log.id
  resource_id         = "vpc-01234abcde"
}

# Resource policy allowing another account to associate the shared configuration.
resource "aws_route53_resolver_query_log_config_policy" "my_query_log_policy" {
  account_arn = "0123456789012"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "123456789012"
        ]
      },
      "Action": [
        "route53resolver:AssociateResolverQueryLogConfig",
        "route53resolver:DisassociateResolverQueryLogConfig",
        "route53resolver:ListResolverQueryLogConfigAssociations",
        "route53resolver:ListResolverQueryLogConfigs"
      ],
      "Resource": [
        "${aws_route53_resolver_query_log_config.my_query_log.arn}"
      ]
    }
  ]
}
EOF
}

References

https://aws.amazon.com/blogs/aws/log-your-vpc-dns-queries-with-route-53-resolver-query-logs/
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs.html
https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53_Resolver.html
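As an added example (not part of the issue or the provider's code), a Python check for the query-log-config policy document proposed above: it flags wildcard principals, actions outside the four the proposal grants, and resources that are not Route 53 Resolver ARNs, so an over-shared configuration is caught before it is applied. The two sample policies and the REGION/ACCOUNT/PLACEHOLDER ARN are constructed stand-ins for the Terraform interpolation.

```python
import json
import re

# The four actions the issue's proposed policy grants; anything else is flagged.
EXPECTED_ACTIONS = {
    "route53resolver:AssociateResolverQueryLogConfig",
    "route53resolver:DisassociateResolverQueryLogConfig",
    "route53resolver:ListResolverQueryLogConfigAssociations",
    "route53resolver:ListResolverQueryLogConfigs",
}
ACCOUNT_ID = re.compile(r"^\d{12}$")


def _as_list(value):
    """IAM allows a string, an object or a list here; normalise to a list."""
    return [] if value is None else [value] if isinstance(value, (str, dict)) else list(value)


def check_query_log_policy(policy_json: str) -> list:
    """Return findings for a resolver query-log-config policy; [] means all checks passed."""
    findings = []
    policy = json.loads(policy_json)
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        where = f"Statement[{i}]"
        if stmt.get("Effect") != "Allow":
            findings.append(f"{where}: unexpected Effect {stmt.get('Effect')!r}")
        principal = stmt.get("Principal")
        if isinstance(principal, dict):  # {"AWS": [...]} form used in the proposal
            principal = principal.get("AWS")
        for acct in _as_list(principal):
            if acct == "*":
                findings.append(f"{where}: wildcard principal shares the config with any account")
            elif not ACCOUNT_ID.match(acct):
                findings.append(f"{where}: principal {acct!r} is not a 12-digit account id")
        for action in _as_list(stmt.get("Action")):
            if action not in EXPECTED_ACTIONS:
                findings.append(f"{where}: action {action!r} is outside the expected set")
        for res in _as_list(stmt.get("Resource")):
            if not res.startswith("arn:aws:route53resolver:"):
                findings.append(f"{where}: resource {res!r} is not a Route 53 Resolver ARN")
    return findings


# Constructed samples: the issue's policy with a placeholder config ARN, and an over-broad one.
PROPOSED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ["123456789012"]}, "Action": sorted(EXPECTED_ACTIONS),
    "Resource": ["arn:aws:route53resolver:REGION:ACCOUNT:resolver-query-log-config/PLACEHOLDER"]}]})
OVERLY_BROAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "route53resolver:*", "Resource": "*"}]})
```

Running `check_query_log_policy(PROPOSED)` returns no findings, while `OVERLY_BROAD` produces one finding each for the wildcard principal, the wildcard action and the wildcard resource.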

@ghost ghost added enhancement Requests to existing resources that expand the functionality or scope. service/route53 Issues and PRs that pertain to the route53 service. service/route53resolver Issues and PRs that pertain to the route53resolver service. labels Aug 27, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Aug 27, 2020
@ewbankkit ewbankkit added new-resource Introduces a new resource. and removed needs-triage Waiting for first response or review from a maintainer. service/route53 Issues and PRs that pertain to the route53 service. labels Aug 27, 2020

ewbankkit commented Aug 27, 2020

Announcement.

Requires AWS SDK v1.34.11:

@ghost ghost added the service/route53 Issues and PRs that pertain to the route53 service. label Aug 27, 2020
@ewbankkit ewbankkit self-assigned this Aug 28, 2020

ewbankkit commented Aug 28, 2020

@ewbankkit (Contributor)

@jgardsentry I agree that aws_route53_resolver_query_log_config_policy isn't required (at least not to get most scenarios working).

@ewbankkit (Contributor)

Now available in AWS GovCloud (US).

@ewbankkit (Contributor)

This has been released in version 3.8.0 of the Terraform AWS provider.

@bflad bflad added this to the v3.8.0 milestone Sep 25, 2020

ghost commented Oct 25, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Oct 25, 2020