adding module for cw-logs-destination (#215)

modules/aws/logging/cw-logs-destination/README.md

@@ -0,0 +1,45 @@
+<!-- BEGIN_TF_DOCS -->
+  # Terraform Module for - creating cw-logs-destination
+  # Example terragrunt.hcl inputs 
+  ```hcl
+inputs = {
+  destination_name    = "cc-centralized-logs-destination"
+  source_account_id   = "example-account-id"  # the account from which the logs originate 
+  firehose_arn        = "arn:aws:firehose:eu-west-2:<firehose-aws-account-id>:deliverystream/splunk-firehose-fh-cw2splunk"
+}
+  ```
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_destination.cw_logs_destination](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_destination) | resource |
+| [aws_cloudwatch_log_destination_policy.cw_logs_destination_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_destination_policy) | resource |
+| [aws_iam_role.logs_destination_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.logs_destination_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS Region | `string` | `"eu-west-2"` | no |
+| <a name="input_destination_name"></a> [destination\_name](#input\_destination\_name) | Name of the CloudWatch Logs destination | `string` | n/a | yes |
+| <a name="input_firehose_arn"></a> [firehose\_arn](#input\_firehose\_arn) | ARN of the existing Firehose delivery stream | `string` | n/a | yes |
+| <a name="input_source_account_id"></a> [source\_account\_id](#input\_source\_account\_id) | AWS Account ID of the source (management account X) | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_cw_logs_destination_arn"></a> [cw\_logs\_destination\_arn](#output\_cw\_logs\_destination\_arn) | The ARN of the CloudWatch Logs Destination |
+<!-- END_TF_DOCS -->

modules/aws/logging/cw-logs-destination/main.tf

@@ -0,0 +1,57 @@
+resource "aws_cloudwatch_log_destination" "cw_logs_destination" {
+  name       = var.destination_name
+  role_arn   = aws_iam_role.logs_destination_role.arn
+  target_arn = var.firehose_arn
+}
+
+resource "aws_cloudwatch_log_destination_policy" "cw_logs_destination_policy" {
+  destination_name = aws_cloudwatch_log_destination.cw_logs_destination.name
+  access_policy    = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          AWS = var.source_account_id
+        }
+        Action   = "logs:PutSubscriptionFilter"
+        Resource = aws_cloudwatch_log_destination.cw_logs_destination.arn
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role" "logs_destination_role" {
+  name = "CloudWatchLogsDestinationRole"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "logs.${var.aws_region}.amazonaws.com"
+        }
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "logs_destination_policy" {
+  role = aws_iam_role.logs_destination_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "firehose:PutRecord",
+          "firehose:PutRecordBatch"
+        ]
+        Resource = var.firehose_arn
+      }
+    ]
+  })
+}

modules/aws/logging/cw-logs-destination/outputs.tf

@@ -0,0 +1,4 @@
+output "cw_logs_destination_arn" {
+  description = "The ARN of the CloudWatch Logs Destination"
+  value       = aws_cloudwatch_log_destination.cw_logs_destination.arn
+}

modules/aws/logging/cw-logs-destination/variables.tf

@@ -0,0 +1,20 @@
+variable "aws_region" {
+  description = "AWS Region"
+  type        = string
+  default     = "eu-west-2"
+}
+
+variable "destination_name" {
+  description = "Name of the CloudWatch Logs destination"
+  type        = string
+}
+
+variable "source_account_id" {
+  description = "AWS Account ID of the source (management account X)"
+  type        = string
+}
+
+variable "firehose_arn" {
+  description = "ARN of the existing Firehose delivery stream"
+  type        = string
+}

modules/aws/secrets/fetch-secret/README.md

@@ -0,0 +1,38 @@
+<!-- BEGIN_TF_DOCS -->
+  # Terraform Module for - fetching secrets from secrets manager
+  # Example terragrunt.hcl inputs 
+  ```hcl
+  inputs = {
+    secret_name = "dev/splunk/hec-token"  # example secret-name to fetch its secret value
+  }
+  ```
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_secretsmanager_secret.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
+| [aws_secretsmanager_secret_version.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_secret_name"></a> [secret\_name](#input\_secret\_name) | name of the secret to be fetched | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_hec_token"></a> [hec\_token](#output\_hec\_token) | n/a |
+<!-- END_TF_DOCS -->