include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket[S3 access requests]: [source,terraform] ---- resource "aws_s3_bucket" "example" { # Sensitive bucket = "example" } ---- For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage[API Gateway stages]: [source,terraform] ---- resource "aws_api_gateway_stage" "example" { # Sensitive xray_tracing_enabled = false # Sensitive } ---- For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster[MSK Broker logs]: [source,terraform] ---- resource "aws_msk_cluster" "example" { cluster_name = "example" kafka_version = "2.7.1" number_of_broker_nodes = 3 logging_info { broker_logs { # Sensitive firehose { enabled = false } s3 { enabled = false } } } } ---- For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker[MQ Brokers]: [source,terraform] ---- resource "aws_mq_broker" "example" { logs { # Sensitive audit = false general = false } } ---- For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster[Amazon DocumentDB]: [source,terraform] ---- resource "aws_docdb_cluster" "example" { # Sensitive cluster_identifier = "example" } ---- For Azure https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service[App Services]: [source,terraform] ---- resource "azurerm_app_service" "example" { logs { application_logs { file_system_level = "Off" # Sensitive azure_blob_storage { level = "Off" # Sensitive } } } } ---- For GCP https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork/[VPC Subnetwork]: [source,terraform] ---- resource "google_compute_subnetwork" "example" { # Sensitive name = "example" ip_cidr_range = "10.2.0.0/16" region = "us-central1" network = google_compute_network.example.id } ---- For GCP https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance/[SQL Database Instance]: [source,terraform] ---- resource "google_sql_database_instance" "example" { name = "example" settings { # Sensitive tier = "db-f1-micro" ip_configuration { require_ssl = true ipv4_enabled = true } } } ---- For GCP https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster/[Kubernetes Engine (GKE) cluster]: [source,terraform] ---- resource "google_container_cluster" "example" { name = "example" logging_service = "none" # Sensitive } ---- == Compliant Solution For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket[S3 access requests]: [source,terraform] ---- resource "aws_s3_bucket" "example" { bucket = "example" } resource "aws_s3_bucket_logging" "example" { bucket = aws_s3_bucket.example.id target_bucket = aws_s3_bucket.logs.id target_prefix = "testing-logs" } # Set up a logging bucket resource "aws_s3_bucket" "logs" { bucket = "example_logstorage" } data "aws_iam_policy_document" "logs" { statement { sid = "s3-log-delivery" effect = "Allow" principals { type = "Service" identifiers = ["logging.s3.amazonaws.com"] } actions = ["s3:PutObject"] resources = [ "${aws_s3_bucket.logs.arn}/*", ] } } resource "aws_s3_bucket_policy" "logs" { bucket = aws_s3_bucket.example-logs.id policy = data.aws_iam_policy_document.example.json } ---- For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage[API Gateway stages]: [source,terraform] ---- resource "aws_api_gateway_stage" "example" { xray_tracing_enabled = true access_log_settings { destination_arn = "arn:aws:logs:eu-west-1:123456789:example" format = "..." } } ---- For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster[MSK Broker logs]: [source,terraform] ---- resource "aws_msk_cluster" "example" { cluster_name = "example" kafka_version = "2.7.1" number_of_broker_nodes = 3 logging_info { broker_logs { firehose { enabled = false } s3 { enabled = true bucket = "example" prefix = "log/msk-" } } } } ---- For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker[MQ Brokers], enable `audit` or `general`: [source,terraform] ---- resource "aws_mq_broker" "example" { logs { audit = true general = true } } ---- For Amazon https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster[Amazon DocumentDB]: [source,terraform] ---- resource "aws_docdb_cluster" "example" { cluster_identifier = "example" enabled_cloudwatch_logs_exports = ["audit"] } ---- For Azure https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service[App Services]: [source,terraform] ---- resource "azurerm_app_service" "example" { logs { http_logs { file_system { retention_in_days = 90 retention_in_mb = 100 } } application_logs { file_system_level = "Error" azure_blob_storage { retention_in_days = 90 level = "Error" } } } } ---- For GCP https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork/[VPC Subnetwork]: [source,terraform] ---- resource "google_compute_subnetwork" "example" { name = "example" ip_cidr_range = "10.2.0.0/16" region = "us-central1" network = google_compute_network.example.id log_config { aggregation_interval = "INTERVAL_10_MIN" flow_sampling = 0.5 metadata = "INCLUDE_ALL_METADATA" } } ---- For GCP https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance/[SQL Database Instance]: [source,terraform] ---- resource "google_sql_database_instance" "example" { name = "example" settings { ip_configuration { require_ssl = true ipv4_enabled = true } database_flags { name = "log_connections" value = "on" } database_flags { name = "log_disconnections" value = "on" } database_flags { name = "log_checkpoints" value = "on" } database_flags { name = "log_lock_waits" value = "on" } } } ---- For GCP https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster/[Kubernetes Engine (GKE) cluster]: [source,terraform] ---- resource "google_container_cluster" "example" { name = "example" logging_service = "logging.googleapis.com/kubernetes" } ---- include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] endif::env-github,rspecator-view[]