RDS Activity Stream

Creates an RDS activity stream that has its events written to an S3 bucket for auditing. By default the activity stream is asynchronous to prioritize database performance.

This is accomplished with a Kinesis Firehose that reads from the activity stream and uses a Lambda function to decrypt the records before they are written to the bucket. The design is based on a recommended AWS architecture.

Note: Docker is required for the terraform apply to download the Lambda function's Python dependencies.
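As an added illustration of the Lambda step described above (example code, not this module's own function), the following Firehose transformation handler shows how each activity stream message is unwrapped: the message envelope carries a KMS-wrapped data key and an encrypted, gzip-compressed list of database activity events. The handler decrypts and decompresses each record, drops heartbeat events that carry no audit information, emits the remaining events as newline-delimited JSON for the bucket, and reports any record it cannot process as `ProcessingFailed` so Firehose lands the original bytes under its error prefix instead of losing audit data. The `kms_sdk_decrypt` function follows the decryption pattern AWS documents for activity streams and assumes `boto3` and `aws_encryption_sdk` are available from the Lambda layer; the `CLUSTER_RESOURCE_ID` environment variable name is an assumption, and the sample records in `build_sample_event` are constructed here, with `identity_decrypt` standing in for the real decryptor so the example runs offline.

```python
"""Firehose transformation for RDS Database Activity Stream records (added example).
Envelope per Firehose record: {"type": "DatabaseActivityMonitoringRecords", "version": "1.x",
 "databaseActivityEvents": "<base64 ciphertext>", "key": "<base64 KMS-wrapped data key>"}.
Decrypted payload: gzip-compressed JSON {"databaseActivityEventList": [...]}."""
import base64
import gzip
import json
import os
from typing import Callable, List

# decrypt_fn(encrypted_events, wrapped_data_key) -> gzip-compressed plaintext
DecryptFn = Callable[[bytes, bytes], bytes]


def kms_sdk_decrypt(encrypted_events: bytes, wrapped_key: bytes, cluster_resource_id: str) -> bytes:
    """Production decryptor following AWS's documented approach: unwrap the per-message data
    key with KMS (the encryption context binds the key to this cluster), then decrypt the
    events with the AWS Encryption SDK. Imports are local so the module runs offline.
    ASSUMPTION: boto3 and aws_encryption_sdk are provided by the Lambda layer."""
    import boto3
    import aws_encryption_sdk
    from aws_encryption_sdk import CommitmentPolicy
    from aws_encryption_sdk.identifiers import EncryptionKeyType, WrappingAlgorithm
    from aws_encryption_sdk.internal.crypto import WrappingKey
    from aws_encryption_sdk.key_providers.raw import RawMasterKeyProvider

    data_key = boto3.client("kms").decrypt(
        CiphertextBlob=wrapped_key,
        EncryptionContext={"aws:rds:dbc-id": cluster_resource_id},
    )["Plaintext"]

    class DataKeyProvider(RawMasterKeyProvider):
        provider_id = "BC"  # provider id written by the activity stream encryptor

        def __new__(cls, *args, **kwargs):  # bypass attrs construction, as in the AWS sample
            return super(RawMasterKeyProvider, cls).__new__(cls)

        def __init__(self, plain_key: bytes):
            RawMasterKeyProvider.__init__(self)
            self.wrapping_key = WrappingKey(
                wrapping_algorithm=WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING,
                wrapping_key=plain_key, wrapping_key_type=EncryptionKeyType.SYMMETRIC)

        def _get_raw_key(self, key_id):
            return self.wrapping_key

    provider = DataKeyProvider(data_key)
    provider.add_master_key("DataKey")
    client = aws_encryption_sdk.EncryptionSDKClient(
        commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
    plaintext, _header = client.decrypt(source=encrypted_events, key_provider=provider)
    return plaintext


def parse_activity_record(raw: bytes, decrypt_fn: DecryptFn) -> List[dict]:
    """Decode one Firehose record into its list of database activity events."""
    envelope = json.loads(raw)
    if envelope.get("type") != "DatabaseActivityMonitoringRecords":
        raise ValueError("unexpected record type: %r" % envelope.get("type"))
    compressed = decrypt_fn(base64.b64decode(envelope["databaseActivityEvents"]),
                            base64.b64decode(envelope["key"]))
    return json.loads(gzip.decompress(compressed))["databaseActivityEventList"]


def transform(event: dict, decrypt_fn: DecryptFn) -> dict:
    """Firehose contract: every recordId comes back once with result Ok, Dropped or
    ProcessingFailed. Failures are reported, not swallowed, so Firehose writes the
    original record to its error prefix and the audit trail shows the gap."""
    out = []
    for rec in event["records"]:
        try:
            events = parse_activity_record(base64.b64decode(rec["data"]), decrypt_fn)
        except Exception:  # any defect means "could not audit", never "nothing happened"
            out.append({"recordId": rec["recordId"], "result": "ProcessingFailed", "data": rec["data"]})
            continue
        # Heartbeats only prove the stream is alive; statements have type "record".
        events = [e for e in events if e.get("type") != "heartbeat"]
        if not events:
            out.append({"recordId": rec["recordId"], "result": "Dropped", "data": rec["data"]})
            continue
        ndjson = "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in events)
        out.append({"recordId": rec["recordId"], "result": "Ok",
                    "data": base64.b64encode(ndjson.encode()).decode()})
    return {"records": out}


def output_events(record: dict) -> List[dict]:
    """Parse the NDJSON body of an 'Ok' output record back into event dicts."""
    return [json.loads(line) for line in base64.b64decode(record["data"]).decode().splitlines()]


def lambda_handler(event, context):
    # ASSUMPTION: the cluster's DbClusterResourceId is passed in this environment variable.
    cluster_id = os.environ["CLUSTER_RESOURCE_ID"]
    return transform(event, lambda ct, key: kms_sdk_decrypt(ct, key, cluster_id))


def identity_decrypt(ciphertext: bytes, wrapped_key: bytes) -> bytes:
    return ciphertext  # offline stand-in for kms_sdk_decrypt; sample "ciphertext" is plaintext


def build_sample_event() -> dict:
    """CONSTRUCTED sample: a statement plus heartbeat, a heartbeat-only message, a corrupt record."""
    def envelope(events: List[dict]) -> str:
        compressed = gzip.compress(json.dumps({"databaseActivityEventList": events}).encode())
        body = {"type": "DatabaseActivityMonitoringRecords", "version": "1.1",
                "databaseActivityEvents": base64.b64encode(compressed).decode(),
                "key": base64.b64encode(b"constructed-wrapped-key").decode()}
        return base64.b64encode(json.dumps(body).encode()).decode()

    heartbeat = {"type": "heartbeat", "logTime": "2024-01-01 00:00:00.000000+00"}
    statement = {"type": "record", "class": "READ", "command": "QUERY", "dbUserName": "app",
                 "databaseName": "orders", "commandText": "SELECT count(*) FROM orders",
                 "logTime": "2024-01-01 00:00:01.000000+00"}
    return {"records": [{"recordId": "1", "data": envelope([heartbeat, statement])},
                        {"recordId": "2", "data": envelope([heartbeat])},
                        {"recordId": "3", "data": base64.b64encode(b"not json").decode()}]}
```

Running `transform(build_sample_event(), identity_decrypt)` returns `Ok` for the first record (one statement event as NDJSON), `Dropped` for the heartbeat-only record and `ProcessingFailed` for the corrupt one. Writing one event per line keeps the S3 objects queryable with Athena or S3 Select, and the KMS encryption context check means a data key from one cluster's stream cannot be used to read another's.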

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| archive | n/a |
| aws | n/a |
| external | n/a |
| random | n/a |

Modules

| Name | Source | Version |
|------|--------|---------|
| activity_stream_bucket | github.com/cds-snc/terraform-modules//S3 | v9.4.5 |

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.decrypt | resource |
| aws_cloudwatch_log_group.firehose_activity_stream | resource |
| aws_cloudwatch_log_stream.firehose_activity_stream | resource |
| aws_iam_policy.decrypt | resource |
| aws_iam_policy.firehose_activity_stream | resource |
| aws_iam_role.decrypt | resource |
| aws_iam_role.firehose_activity_stream | resource |
| aws_iam_role_policy_attachment.decrypt | resource |
| aws_iam_role_policy_attachment.firehose_activity_stream | resource |
| aws_kinesis_firehose_delivery_stream.activity_stream | resource |
| aws_kms_key.activity_stream | resource |
| aws_lambda_function.decrypt | resource |
| aws_lambda_layer_version.decrypt_deps | resource |
| aws_lambda_permission.lambda_permission | resource |
| aws_rds_cluster_activity_stream.activity_stream | resource |
| random_string.bucket_suffix | resource |
| archive_file.decrypt_code | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.decrypt | data source |
| aws_iam_policy_document.decrypt_assume | data source |
| aws_iam_policy_document.firehose_activity_stream | data source |
| aws_iam_policy_document.firehose_assume | data source |
| aws_region.current | data source |
| external_external.decrypt_deps | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| activity_log_retention_days | (Optional, default 7) The number of days to retain the activity stream logs in the S3 bucket. | `number` | `7` | no |
| activity_stream_mode | (Optional, default 'async') The activity stream recording mode to enable on the RDS cluster. Valid values are 'sync' or 'async'. | `string` | `"async"` | no |
| billing_tag_key | (Optional, default 'CostCentre') The name of the billing tag. | `string` | `"CostCentre"` | no |
| billing_tag_value | (Required) The value of the billing tag. | `string` | n/a | yes |
| decrypt_lambda_memory_size | (Optional, default 1024) The amount of memory in MB that the Lambda function will have available for processing. | `number` | `1024` | no |
| decrypt_lambda_timeout | (Optional, default 10) The maximum amount of time in seconds that the Lambda function will process before timing out. | `number` | `10` | no |
| rds_cluster_arn | (Required) The ARN of the RDS cluster to enable the activity stream on. | `string` | n/a | yes |
| rds_stream_name | (Required) The name that will be used to represent this activity stream's resources. It must be unique within the account. | `string` | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| decrypt_lambda_arn | The ARN of the decrypt Lambda function. |
| decrypt_lambda_cloudwatch_log_group_name | The name of the decrypt Lambda function's CloudWatch log group. |
| decrypt_lambda_name | The name of the decrypt Lambda function. |
| kinesis_firehose_arn | The ARN of the Kinesis Firehose that is processing the RDS activity stream events. |
| rds_activity_stream_arn | The ARN of the RDS activity stream. |
| s3_activity_stream_bucket_arn | The ARN of the S3 bucket that the decrypted activity stream logs are written to. |
| s3_activity_stream_bucket_name | The name of the S3 bucket that the decrypted activity stream logs are written to. |