Creates an RDS activity stream that has its events written to an S3 bucket for auditting. By default the activity stream is asynchronous to prioritize database performance.
This is accomplished with a Kinesis Firehose that reads from the activity stream and uses a Lambda function to decrypts the records before they are written to the bucket. The design is based on a recommended AWS architecture.
⚠ Note: Docker is required for the terraform apply
to download the Lambda function's Python dependencies.
No requirements.
Name | Version |
---|---|
archive | n/a |
aws | n/a |
external | n/a |
random | n/a |
Name | Source | Version |
---|---|---|
activity_stream_bucket | github.com/cds-snc/terraform-modules//S3 | v9.6.8 |
Name | Description | Type | Default | Required |
---|---|---|---|---|
activity_log_retention_days | (Optional, default 7) The number of days to retain the activity stream logs in the S3 bucket. | number |
7 |
no |
activity_stream_mode | (Optional, default 'async') The activity stream recording mode to enable on the RDS cluster. Valid values are 'sync' or 'async'. | string |
"async" |
no |
billing_tag_key | (Optional, default 'CostCentre') The name of the billing tag. | string |
"CostCentre" |
no |
billing_tag_value | (Required) The value of the billing tag. | string |
n/a | yes |
decrypt_lambda_memory_size | (Optional, default 1024) The amount of memory in MB that the Lambda function will have available for processing. | number |
1024 |
no |
decrypt_lambda_timeout | (Optional, default 10) The maximum amount of time in seconds that the Lambda function will process before timing out. | number |
10 |
no |
rds_cluster_arn | (Required) The ARN of the RDS cluster to enable the activity stream on. | string |
n/a | yes |
rds_stream_name | (Required) The name that will be used to represent this activity stream's resources. It must be unique within the account. | string |
n/a | yes |
Name | Description |
---|---|
decrypt_lambda_arn | The ARN of the decrypt Lambda function. |
decrypt_lambda_cloudwatch_log_group_name | The name of the decrypt Lambda function's CloudWatch log group. |
decrypt_lambda_name | The name of the decrypt Lambda function. |
kinesis_firehose_arn | The ARN of the Kinesis Firehose that is processing the RDS activity stream events. |
rds_activity_stream_arn | The ARN of the RDS activity stream. |
s3_activity_stream_bucket_arn | The ARN of the S3 bucket that the decrypted activity stream logs are written to. |
s3_activity_stream_bucket_name | The name of the S3 bucket that the decrypted activity stream logs are written to. |