# Bring your own bucket for Log Management with Terraform

In this guide, you use the Terraform configuration below to create an S3 bucket for Radiant Security Log Management with default encryption enabled. The configuration also attaches a bucket policy that grants cross-account access to two IAM roles in Radiant Security's AWS account, one used for log ingestion and one for data backfilling.

### Prerequisites

* [ ] **Terraform Version:** 0.13+
* [ ] **AWS Provider Version:** 4.0+
* [ ] **Inputs**: The value of `radiant_region` depends on whether your tenant is US-based or EU-based:
  * **US radiant\_region:** `us-west-2`
  * **Europe radiant\_region:** `eu-central-1`

### Create a Terraform Project

This module uses a map to automatically select the correct **Radiant Security AWS Account ID** based on your tenant's region.

1. Copy the following HCL code into your Terraform project (e.g., `radiant_logs.tf`).
2. Supply values for the two input variables, `radiant_region` and `bucket_name`, as described under Deployment Steps below. The `locals` block only maps the region to the matching Radiant Security account ID and needs no editing.

```hcl
variable "radiant_region" {
  type        = string
  description = "The region of your Radiant Security tenant. Options: 'us-west-2' or 'eu-central-1'"
  validation {
    condition     = contains(["us-west-2", "eu-central-1"], var.radiant_region)
    error_message = "Radiant Security currently supports 'us-west-2' (Oregon) or 'eu-central-1' (Frankfurt)."
  }
}

variable "bucket_name" {
  type        = string
  description = "The name of the S3 bucket to be created for Radiant logs."
}

locals {
  # Map of Radiant Security Account IDs per region
  radiant_accounts = {
    "us-west-2"      = "649384204969"
    "eu-central-1"   = "076657324990"
  }
  radiant_account_id = local.radiant_accounts[var.radiant_region]
}

# --- S3 Bucket Resource ---
resource "aws_s3_bucket" "radiant_logs" {
  bucket = var.bucket_name
}

# Enable Default Encryption (SSE-S3)
resource "aws_s3_bucket_server_side_encryption_configuration" "radiant_logs_encryption" {
  bucket = aws_s3_bucket.radiant_logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
    bucket_key_enabled = false
  }
}

# --- Bucket Access Policy ---
resource "aws_s3_bucket_policy" "radiant_access" {
  bucket = aws_s3_bucket.radiant_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "RadiantSecurityIngestionFullAccess"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${local.radiant_account_id}:role/radiant_security_ingestion_role"
        }
        Action   = "s3:*"
        Resource = [
          aws_s3_bucket.radiant_logs.arn,
          "${aws_s3_bucket.radiant_logs.arn}/*"
        ]
      },
      {
        Sid    = "RadiantSecurityBYOBBackfillAccess"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${local.radiant_account_id}:role/logmanagement-customers-split-files-backfill-sa-role"
        }
        Action   = "s3:*"
        Resource = [
          aws_s3_bucket.radiant_logs.arn,
          "${aws_s3_bucket.radiant_logs.arn}/*"
        ]
      }
    ]
  })
}
```
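Both statements grant `s3:*`, which covers bucket-management actions such as `s3:DeleteBucket` and `s3:PutBucketPolicy` as well as object reads and writes. This page does not list a narrower action set, so confirm the actions Radiant Security actually needs before scoping the policy down.

What you can check mechanically, both on the rendered policy and on the live one after `terraform apply`, is who the policy trusts: every principal must be an IAM role in the Radiant Security account for your region and nothing else, and every resource must stay inside your bucket. The script below is an added example and not part of the Radiant Security module. It rebuilds the same policy document the `jsonencode` call above produces and audits it; the account IDs and role names are the ones on this page, while the function names, the command-line interface and the sample bucket name are constructed for the example.

```python
"""Offline audit of the bucket policy rendered by the Terraform block above.

Added example, not part of the Radiant Security module: build_policy() rebuilds
the document the `jsonencode` call produces; audit_policy() checks that every
Allow statement trusts only IAM roles in the Radiant Security account for the
chosen region and that every Resource stays inside the bucket. Account IDs and
role names come from this page; the rest is constructed for the example.
"""
import json
import re
import sys
from typing import List

# Region -> Radiant Security account ID, the same map as the `locals` block.
RADIANT_ACCOUNTS = {"us-west-2": "649384204969", "eu-central-1": "076657324990"}

# Statement Sid -> role name, as in the two bucket-policy statements above.
RADIANT_ROLES = {
    "RadiantSecurityIngestionFullAccess": "radiant_security_ingestion_role",
    "RadiantSecurityBYOBBackfillAccess": "logmanagement-customers-split-files-backfill-sa-role",
}

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def build_policy(radiant_region: str, bucket_name: str) -> dict:
    """Render the policy document exactly as the Terraform block does."""
    account_id = RADIANT_ACCOUNTS[radiant_region]  # KeyError for unsupported regions
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    statements = [
        {
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{role}"},
            "Action": "s3:*",
            "Resource": [bucket_arn, f"{bucket_arn}/*"],
        }
        for sid, role in RADIANT_ROLES.items()
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value) -> list:
    # IAM accepts a string or a list in most policy fields; normalise to a list.
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict, expected_account: str, bucket_name: str) -> List[str]:
    """Return one finding per problem; an empty list means the policy passes."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    allowed_resources = {bucket_arn, f"{bucket_arn}/*"}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        # "Principal": "*" and {"AWS": "*"} both mean every AWS identity.
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [str(principal)]
        for arn in arns:
            if arn == "*":
                findings.append(f"{sid}: wildcard principal, any AWS account could use this grant")
                continue
            match = ROLE_ARN_RE.match(arn)
            if match is None:
                findings.append(f"{sid}: principal {arn!r} is not an IAM role ARN")
                continue
            account_id, role = match.groups()
            if account_id != expected_account:
                findings.append(f"{sid}: account {account_id} is not the Radiant account {expected_account}")
            if role not in RADIANT_ROLES.values():
                findings.append(f"{sid}: role {role!r} is not one of the documented Radiant roles")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in allowed_resources:
                findings.append(f"{sid}: resource {resource!r} is outside {bucket_arn}")
    return findings


def main(argv: List[str]) -> int:
    """audit.py <radiant_region> <bucket_name> [policy.json]  (file: e.g. saved output of
    `aws s3api get-bucket-policy --bucket NAME --query Policy --output text`)"""
    if len(argv) < 3 or argv[1] not in RADIANT_ACCOUNTS:
        print(main.__doc__)
        return 2
    region, bucket = argv[1], argv[2]
    if len(argv) > 3:
        with open(argv[3]) as fh:
            policy = json.load(fh)
    else:
        policy = build_policy(region, bucket)  # audit what the Terraform above renders
    findings = audit_policy(policy, RADIANT_ACCOUNTS[region], bucket)
    print("\n".join(findings) or f"OK: only roles in Radiant account {RADIANT_ACCOUNTS[region]} are trusted")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit.py us-west-2 your-unique-bucket-name` to audit the rendered policy, or pass a third argument with the JSON saved from `aws s3api get-bucket-policy` to audit the policy actually attached to the bucket. The audit deliberately leaves the `Action` field alone because this page grants `s3:*` by design; it fails only on principals outside the Radiant account for the selected region, wildcard principals, and resources outside the bucket, which are the changes that would silently widen who can read your logs.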

### Deployment Steps

#### Option A: Passing variables via command line

If you want to run this quickly without a `tfvars` file, initialise the project once and then pass both variables on the command line:

```bash
terraform init
terraform apply -var="radiant_region=us-west-2" -var="bucket_name=your-unique-bucket-name"
```

#### Option B: Using a tfvars file

Create a file named `terraform.tfvars` and add:

```hcl
radiant_region = "us-west-2"  # or "eu-central-1"
bucket_name    = "your-unique-bucket-name"
```

Terraform loads `terraform.tfvars` automatically, so `terraform init` followed by `terraform apply` is enough.

### Configure Log Management in Radiant Security

Once `terraform apply` completes successfully:

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Log Management**.
3. From **Log Management**, click **+ Add Credentials**.
4. In the side menu, paste the bucket name (not the ARN) of the bucket you created in the [Create a Terraform Project](#create-a-terraform-project) section.
5. Click **Add credentials** to save the bucket configuration.
