# Bring your own bucket for Log Management with Terraform

In this guide, you will use the Terraform configuration below to automate the creation of an S3 bucket for Radiant Security Log Management. The configuration creates the bucket with default server-side encryption and attaches a bucket policy that grants access to the two Radiant Security cross-account IAM roles used for log ingestion and data backfilling.

### Prerequisites

* [ ] **Terraform Version:** 0.13+
* [ ] **AWS Provider Version:** 4.0+
* [ ] **Inputs**: The `radiant_region` value depends on whether your tenant is US-based or EU-based:
  * **US radiant\_region:** `us-west-2`
  * **Europe radiant\_region:** `eu-central-1`

### Create a Terraform Project

This module uses a map to automatically select the correct **Radiant Security AWS Account ID** based on your tenant's region.

1. Copy the following HCL code into your Terraform project (e.g., `radiant_logs.tf`).
2. Provide values for the `radiant_region` and `bucket_name` input variables when you apply the configuration (see **Deployment Steps**). The `locals` block only maps the region to the Radiant Security account ID and needs no changes.

```hcl
variable "radiant_region" {
  type        = string
  description = "The region of your Radiant Security tenant. Options: 'us-west-2' or 'eu-central-1'"
  validation {
    condition     = contains(["us-west-2", "eu-central-1"], var.radiant_region)
    error_message = "Radiant Security currently supports 'us-west-2' (Oregon) or 'eu-central-1' (Frankfurt)."
  }
}

variable "bucket_name" {
  type        = string
  description = "The name of the S3 bucket to be created for Radiant logs."
}

locals {
  # Map of Radiant Security Account IDs per region
  radiant_accounts = {
    "us-west-2"      = "649384204969"
    "eu-central-1"   = "076657324990"
  }
  radiant_account_id = local.radiant_accounts[var.radiant_region]
}

# --- S3 Bucket Resource ---
resource "aws_s3_bucket" "radiant_logs" {
  bucket = var.bucket_name
}

# Enable Default Encryption (SSE-S3).
# bucket_key_enabled only affects SSE-KMS; with AES256 it has no effect.
resource "aws_s3_bucket_server_side_encryption_configuration" "radiant_logs_encryption" {
  bucket = aws_s3_bucket.radiant_logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
    bucket_key_enabled = false
  }
}

# --- Bucket Access Policy ---
# Both Radiant roles are granted s3:* on the bucket and its objects. Note that
# s3:* also covers bucket-level administrative actions (e.g. s3:PutBucketPolicy,
# s3:DeleteBucket), not just reading and writing log objects.
resource "aws_s3_bucket_policy" "radiant_access" {
  bucket = aws_s3_bucket.radiant_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "RadiantSecurityIngestionFullAccess"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${local.radiant_account_id}:role/radiant_security_ingestion_role"
        }
        Action   = "s3:*"
        Resource = [
          aws_s3_bucket.radiant_logs.arn,
          "${aws_s3_bucket.radiant_logs.arn}/*"
        ]
      },
      {
        Sid    = "RadiantSecurityBYOBBackfillAccess"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${local.radiant_account_id}:role/logmanagement-customers-split-files-backfill-sa-role"
        }
        Action   = "s3:*"
        Resource = [
          aws_s3_bucket.radiant_logs.arn,
          "${aws_s3_bucket.radiant_logs.arn}/*"
        ]
      }
    ]
  })
}
```
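
The policy above grants the two Radiant roles `s3:*`, which is the grant the vendor requires. The following resources are an added hardening example (not part of Radiant's module) that you can append to the same `radiant_logs.tf`: they block public access, make your account the owner of every object the vendor writes, and keep prior object versions. The resource names and the 90-day retention window are assumptions for this example; the resources reference `aws_s3_bucket.radiant_logs` from the block above.

```hcl
# Added hardening for the Radiant log bucket (example, not part of Radiant's module).
# Assumes aws_s3_bucket.radiant_logs from the configuration above exists in the
# same Terraform project.

# Block every form of public access. The Radiant policy grants only two
# account-scoped principals, so nothing here conflicts with it. With
# block_public_policy = true, S3 rejects any later policy edit that would grant
# access to "*", whoever makes it.
resource "aws_s3_bucket_public_access_block" "radiant_logs" {
  bucket                  = aws_s3_bucket.radiant_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Make the bucket owner (your account) the owner of every object regardless of
# which account wrote it. Without this, objects uploaded by the Radiant roles are
# owned by the Radiant account and your own principals may be unable to read or
# delete them. BucketOwnerEnforced also disables object ACLs: an upload that sets
# any ACL other than bucket-owner-full-control is rejected.
resource "aws_s3_bucket_ownership_controls" "radiant_logs" {
  bucket = aws_s3_bucket.radiant_logs.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# Keep prior versions of log objects so a plain overwrite or delete (one that
# does not name a specific version ID) by any principal is recoverable.
resource "aws_s3_bucket_versioning" "radiant_logs" {
  bucket = aws_s3_bucket.radiant_logs.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Expire non-current versions after a retention window (assumed: 90 days) so
# versioning does not grow the bucket without bound.
resource "aws_s3_bucket_lifecycle_configuration" "radiant_logs" {
  bucket = aws_s3_bucket.radiant_logs.id
  rule {
    id     = "expire-noncurrent-versions"
    status = "Enabled"
    filter {}
    noncurrent_version_expiration {
      noncurrent_days = 90
    }
  }
  # Versioning must be enabled before a noncurrent-version rule is applied.
  depends_on = [aws_s3_bucket_versioning.radiant_logs]
}
```

Two caveats. First, these resources limit the blast radius of mistakes but do not narrow the vendor grant: a principal holding `s3:*` can still change the public access block, versioning state or bucket policy, so monitor those API calls in CloudTrail. Second, `BucketOwnerEnforced` rejects uploads that set object ACLs; confirm with Radiant Security that their ingestion and backfill roles do not set ACLs on upload before enabling it on a production bucket.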

### Deployment Steps

#### Option A: Passing variables via command line

If you want to run this quickly without a `tfvars` file:

```bash
terraform apply -var="radiant_region=us-west-2" -var="bucket_name=your-unique-bucket-name"
```

#### Option B: Using a tfvars file

Create a file named `terraform.tfvars` and add:

```hcl
radiant_region = "us-west-2"  # or "eu-central-1"
bucket_name    = "your-unique-bucket-name"
```

### Configure Log Management in Radiant Security

Once the Terraform apply is successful:

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Log Management**.
3. From **Log Management**, click **+ Add Credentials**.
4. In the side menu, paste the bucket name (not the ARN) that you passed as `bucket_name` when applying the Terraform configuration.
5. Click **Add credentials** to save the bucket configuration.
