
Support Route53 Resolver Query Logging #14877

@ghost

Description

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS released a new feature for Route53 Resolver to write DNS queries to a log destination. See *QueryLog* actions in the API Reference.

New or Affected Resource(s)

  • aws_route53_resolver_query_log_config
  • aws_route53_resolver_query_log_config_association
  • aws_route53_resolver_query_log_config_policy *

* I'm not sure aws_route53_resolver_query_log_config_policy is required. I went through a RAM-sharing scenario in the console and, reviewing CloudTrail, did not see any explicit API methods called regarding these policies. It may just be a permission required behind the scenes.

Potential Terraform Configuration

resource "aws_route53_resolver_query_log_config" "my_query_log" {
  name = "my_query_log"
  # Destination for the query records: an S3 bucket, a CloudWatch Logs log group
  # or a Kinesis Data Firehose delivery stream ARN.
  destination_arn = "arn:aws:s3:::my_query_s3_bucket"
  tags = {
    Environment = "Prod"
  }
}

# Associating the config with a VPC is what actually turns logging on for that VPC.
resource "aws_route53_resolver_query_log_config_association" "my_vpc_query_log" {
  query_log_config_id = aws_route53_resolver_query_log_config.my_query_log.id
  resource_id         = "vpc-01234abcde"
}

# Proposed resource for sharing the config with another account (see the note above).
# The policy only grants the associate/disassociate/list actions on this one config;
# the account ID is 12 digits and matches the principal below.
resource "aws_route53_resolver_query_log_config_policy" "my_query_log_policy" {
  account_arn = "123456789012"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "123456789012"
        ]
      },
      "Action": [
        "route53resolver:AssociateResolverQueryLogConfig",
        "route53resolver:DisassociateResolverQueryLogConfig",
        "route53resolver:ListResolverQueryLogConfigAssociations",
        "route53resolver:ListResolverQueryLogConfigs"
      ],
      "Resource": [
        "${aws_route53_resolver_query_log_config.my_query_log.arn}"
      ]
    }
  ]
}
EOF
}

References

https://aws.amazon.com/blogs/aws/log-your-vpc-dns-queries-with-route-53-resolver-query-logs/
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs.html
https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53_Resolver.html
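What the destination in a configuration like the one above receives, as an added example that is not part of this issue or of the provider: a stdlib-only Python 3 script that parses Route 53 Resolver query log records (one JSON object per line, field names as described in the resolver-query-logs developer guide linked above) and flags sources with a high NXDOMAIN ratio or unusually long labels, the two simplest signs of a DNS tunnelling client. The sample records, the source addresses, the instance IDs and the thresholds are all constructed for the demo.

```python
"""Parse Route 53 Resolver query log records and flag suspicious sources.

Added example, not code from the issue or the provider. Field names follow the
Resolver query log record format from the Route 53 developer guide; the sample
records and the detection thresholds are constructed assumptions.
"""
import json
from collections import defaultdict


def make_record(srcaddr, instance, qname, qtype, rcode, rdata=None, ts="2021-01-15T12:00:00Z"):
    """Build one constructed log record in the Resolver query log shape."""
    return {
        "version": "1.100000",
        "account_id": "123456789012",
        "region": "us-east-1",
        "vpc_id": "vpc-01234abcde",  # the VPC associated in the Terraform config above
        "query_timestamp": ts,
        "query_name": qname,
        "query_type": qtype,
        "query_class": "IN",
        "rcode": rcode,
        "answers": [{"Rdata": r, "Type": qtype, "Class": "IN"} for r in (rdata or [])],
        "srcaddr": srcaddr,
        "srcport": "53211",
        "transport": "UDP",
        "srcids": {"instance": instance},
    }


# Constructed sample log: one JSON object per line, as delivered to S3 or CloudWatch Logs.
_NORMAL = ("10.0.1.50", "i-0abcdef1234567890")
_ODD = ("10.0.2.77", "i-0fedcba0987654321")
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    make_record(*_NORMAL, "ip-10-0-1-23.ec2.internal.", "A", "NOERROR", ["10.0.1.23"]),
    make_record(*_NORMAL, "example.com.", "A", "NOERROR", ["93.184.216.34"]),
    make_record(*_NORMAL, "s3.amazonaws.com.", "A", "NOERROR", ["52.216.0.1"]),
    make_record(*_NORMAL, "doesnotexist.example.com.", "A", "NXDOMAIN"),
    make_record(*_ODD, "example.com.", "A", "NOERROR", ["93.184.216.34"]),
    make_record(*_ODD, "4d5a90000300000004000000ffff0000b800000000000000.t.exfil.example.net.", "TXT", "NXDOMAIN"),
    make_record(*_ODD, "400000000000000000000000000000000000000000000000.t.exfil.example.net.", "TXT", "NXDOMAIN"),
    make_record(*_ODD, "0e1fba0e00b409cd21b8014ccd21546869732070726f67.t.exfil.example.net.", "TXT", "NXDOMAIN"),
])


def parse_records(log_text):
    """Parse newline-delimited JSON records; blank lines are skipped."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def longest_label(qname):
    """Length of the longest DNS label; tunnelling tools pack payload bytes into long labels."""
    return max((len(label) for label in qname.rstrip(".").split(".")), default=0)


def summarize_by_source(records):
    """Per-source counters: queries, NXDOMAIN answers, distinct names, longest label, instances seen."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "names": set(), "max_label": 0, "instances": set()})
    for rec in records:
        s = stats[rec["srcaddr"]]
        s["queries"] += 1
        s["nxdomain"] += 1 if rec["rcode"] == "NXDOMAIN" else 0
        s["names"].add(rec["query_name"])
        s["max_label"] = max(s["max_label"], longest_label(rec["query_name"]))
        if "instance" in rec.get("srcids", {}):
            s["instances"].add(rec["srcids"]["instance"])
    return dict(stats)


def find_suspicious(records, min_queries=3, nx_ratio=0.5, max_label=40):
    """Return {srcaddr: [reasons]} for sources crossing the (assumed) thresholds.

    One NXDOMAIN is normal (typos, search-suffix probing); a high ratio across several
    queries, or labels far longer than any hostname, is what a tunnelling client produces.
    """
    findings = {}
    for src, s in summarize_by_source(records).items():
        if s["queries"] < min_queries:
            continue
        reasons = []
        ratio = s["nxdomain"] / s["queries"]
        if ratio >= nx_ratio:
            reasons.append(f"NXDOMAIN ratio {ratio:.2f} over {s['queries']} queries")
        if s["max_label"] > max_label:
            reasons.append(f"label of {s['max_label']} chars (> {max_label})")
        if reasons:
            findings[src] = reasons
    return findings


def resolved_addresses(records):
    """Map each query name to the A/AAAA answers returned; handy when pivoting from an IP in flow logs."""
    out = defaultdict(set)
    for rec in records:
        for ans in rec.get("answers", []):
            if ans.get("Type") in ("A", "AAAA"):
                out[rec["query_name"]].add(ans["Rdata"])
    return {name: sorted(addrs) for name, addrs in out.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for src, reasons in find_suspicious(recs).items():
        print(src, "->", "; ".join(reasons))
    print(resolved_addresses(recs))
```

Run against a real log, feed `parse_records` the concatenated objects from the S3 prefix or CloudWatch log stream; the `srcids.instance` field is what ties a finding back to an EC2 instance, and `vpc_id` tells you which association produced the record.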

Metadata

Labels

  • enhancement: Requests to existing resources that expand the functionality or scope.
  • new-resource: Introduces a new resource.
  • service/route53: Issues and PRs that pertain to the route53 service.
  • service/route53resolver: Issues and PRs that pertain to the route53resolver service.
