
Support Route53 Resolver Query Logging #14877

Closed
ghost opened this issue Aug 27, 2020 · 6 comments
Labels: enhancement (Requests to existing resources that expand the functionality or scope), new-resource (Introduces a new resource), service/route53resolver (Issues and PRs that pertain to the route53resolver service), service/route53 (Issues and PRs that pertain to the route53 service)

Comments

ghost commented Aug 27, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS released a new feature for Route53 Resolver to write DNS queries to a log destination. See *QueryLog* actions in the API Reference.

New or Affected Resource(s)

  • aws_route53_resolver_query_log_config
  • aws_route53_resolver_query_log_config_association
  • aws_route53_resolver_query_log_config_policy *

* I'm not sure aws_route53_resolver_query_log_config_policy is required. I went through a RAM-sharing scenario in the console, and reviewing CloudTrail, do not see any explicit API methods called regarding these policies. It may just be a permission required behind the scenes.

Potential Terraform Configuration

resource "aws_route53_resolver_query_log_config" "my_query_log" {
  name = "my_query_log"
  # Destination can be an S3 bucket, a CloudWatch Logs log group or a
  # Kinesis Data Firehose delivery stream.
  destination_arn = "arn:aws:s3:::my_query_s3_bucket"
  tags = {
    Environment = "Prod"
  }
}

resource "aws_route53_resolver_query_log_config_association" "my_vpc_query_log" {
  # Released in provider v3.8.0 under the name resolver_query_log_config_id.
  query_log_config_id = aws_route53_resolver_query_log_config.my_query_log.id
  resource_id         = "vpc-01234abcde"
}

# Proposed resource for sharing the configuration with another account
# (see the note above on whether it is needed at all).
resource "aws_route53_resolver_query_log_config_policy" "my_query_log_policy" {
  account_arn = "123456789012"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { AWS = ["123456789012"] }
        Action = [
          "route53resolver:AssociateResolverQueryLogConfig",
          "route53resolver:DisassociateResolverQueryLogConfig",
          "route53resolver:ListResolverQueryLogConfigAssociations",
          "route53resolver:ListResolverQueryLogConfigs",
        ]
        Resource = [aws_route53_resolver_query_log_config.my_query_log.arn]
      },
    ]
  })
}

References

https://aws.amazon.com/blogs/aws/log-your-vpc-dns-queries-with-route-53-resolver-query-logs/
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs.html
https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53_Resolver.html
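What the log destination above receives, and the kind of triage a security team would run over it, as an added example that is not code from this issue or from the Terraform provider. It assumes the JSON record layout AWS documents for Resolver query logs (one object per query, with query_name, rcode, srcaddr and the other fields shown); the sample records, the instance and VPC identifiers, and the NXDOMAIN-burst and label-entropy thresholds are constructed for illustration, not AWS defaults.

```python
"""Triage Route 53 Resolver query log records for DGA-like and tunnelling-like DNS.

Added example; not part of the Terraform provider. Field names follow the
documented Resolver query log JSON layout; sample records are constructed and
the detection thresholds are assumptions.
"""
import json
import math
from collections import Counter


def _rec(src, name, rcode, answers=None, ts="2020-08-27T10:00:00Z"):
    """Build one constructed log record in the documented field layout."""
    return json.dumps({
        "version": "1.100000",
        "account_id": "123456789012",
        "region": "us-east-1",
        "vpc_id": "vpc-01234abcde",
        "query_timestamp": ts,
        "query_name": name,
        "query_type": "A",
        "query_class": "IN",
        "rcode": rcode,
        "answers": answers or [],
        "srcaddr": src,
        "srcport": "43210",
        "transport": "UDP",
        "srcids": {"instance": "i-0123456789abcdef0"},  # constructed id
    })


# Constructed sample: one normal lookup, five NXDOMAIN answers for a single
# host (DGA-style probing), one stray typo, one long high-entropy label
# (tunnelling-style), and one malformed line that must not crash parsing.
SAMPLE_LOG = "\n".join([
    _rec("10.0.0.10", "api.example.com.", "NOERROR",
         [{"Rdata": "10.0.0.1", "Type": "A", "Class": "IN"}]),
    *[_rec("10.0.1.20", f"host{i}.corp.internal.", "NXDOMAIN") for i in range(5)],
    _rec("10.0.0.10", "typo.exmaple.com.", "NXDOMAIN"),
    _rec("10.0.2.30", "q7m3k9z2x5w8c1v4b6n0f2j5h8d1s4g7.exfil.example.net.", "NOERROR"),
    "not json at all",
])


def parse_records(text):
    """Return (records, malformed_count); the log carries one JSON object per line."""
    records, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if not isinstance(rec, dict) or "query_name" not in rec:
            malformed += 1
            continue
        records.append(rec)
    return records, malformed


def label_entropy(name):
    """Shannon entropy in bits per character of the leftmost DNS label."""
    label = name.rstrip(".").split(".")[0]
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def nxdomain_bursts(records, threshold=5):
    """Source addresses with at least `threshold` NXDOMAIN responses."""
    per_src = Counter(r["srcaddr"] for r in records if r.get("rcode") == "NXDOMAIN")
    return {src: n for src, n in per_src.items() if n >= threshold}


def tunnelling_candidates(records, min_len=30, min_entropy=3.5):
    """Queries whose leftmost label is both long and high-entropy."""
    hits = []
    for r in records:
        name = r["query_name"]
        label = name.rstrip(".").split(".")[0]
        if len(label) >= min_len and label_entropy(name) >= min_entropy:
            hits.append((r["srcaddr"], name))
    return hits


def analyze(text):
    """Summarise a log chunk: counts per rcode plus both detections."""
    records, malformed = parse_records(text)
    return {
        "records": len(records),
        "malformed": malformed,
        "rcodes": dict(Counter(r.get("rcode", "?") for r in records)),
        "nxdomain_bursts": nxdomain_bursts(records),
        "tunnelling": tunnelling_candidates(records),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

In practice the text fed to `analyze` comes from the CloudWatch Logs stream or the S3 objects the config writes to; the two detections are deliberately simple and are meant as a starting point for tuning the thresholds against a VPC's own baseline rather than as finished rules.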

@ghost ghost added enhancement Requests to existing resources that expand the functionality or scope. service/route53 Issues and PRs that pertain to the route53 service. service/route53resolver Issues and PRs that pertain to the route53resolver service. labels Aug 27, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Aug 27, 2020
@ewbankkit ewbankkit added new-resource Introduces a new resource. and removed needs-triage Waiting for first response or review from a maintainer. service/route53 Issues and PRs that pertain to the route53 service. labels Aug 27, 2020
ewbankkit (Contributor) commented Aug 27, 2020

Announcement.

Requires AWS SDK v1.34.11:

@ghost ghost added the service/route53 Issues and PRs that pertain to the route53 service. label Aug 27, 2020
@ewbankkit ewbankkit self-assigned this Aug 28, 2020
ewbankkit (Contributor) commented Aug 28, 2020

ewbankkit (Contributor) commented

@jgardsentry I agree that aws_route53_resolver_query_log_config_policy isn't required (at least not to get most scenarios working).

ewbankkit (Contributor) commented

Now available in AWS GovCloud (US).

ewbankkit (Contributor) commented

This has been released in version 3.8.0 of the Terraform AWS provider.

@bflad bflad added this to the v3.8.0 milestone Sep 25, 2020

ghost commented Oct 25, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Oct 25, 2020