{"id":49958690,"url":"https://github.com/render-examples/render-auditlogs","last_synced_at":"2026-05-18T01:09:24.148Z","repository":{"id":357946787,"uuid":"1110822517","full_name":"render-examples/render-auditlogs","owner":"render-examples","description":"Export Render platform audit logs to AWS S3 (Go + Terraform)","archived":false,"fork":false,"pushed_at":"2026-05-14T23:27:14.000Z","size":41,"stargazers_count":1,"open_issues_count":1,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-15T01:30:51.182Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://www.render.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/render-examples.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-05T19:21:10.000Z","updated_at":"2026-02-13T03:15:54.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/render-examples/render-auditlogs","commit_stats":null,"previous_names":["render-examples/render-auditlogs"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/render-examples/render-auditlogs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/render-examples%2Frender-auditlogs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/render-examples%2Frender-auditlogs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/render-examples%2Frender
-auditlogs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/render-examples%2Frender-auditlogs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/render-examples","download_url":"https://codeload.github.com/render-examples/render-auditlogs/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/render-examples%2Frender-auditlogs/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33161411,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-17T22:39:12.733Z","status":"ssl_error","status_checked_at":"2026-05-17T22:39:10.741Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-05-18T01:09:23.305Z","updated_at":"2026-05-18T01:09:24.142Z","avatar_url":"https://github.com/render-examples.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# render-auditlogs\n\nExport [Render](https://render.com) audit logs to an AWS S3 bucket.\n\n## Overview\n\nThis project provides:\n\n- A Go application that fetches audit logs from the Render API and uploads them to S3\n- Terraform modules to deploy the infrastructure on both AWS and Render\n- Automatic scheduling via a Render Cron Job that runs every 15 minutes by default\n\nSupports both workspace-level and organization-level (Enterprise) 
audit logs.\n\n## Prerequisites\n\n- Render workspace on Organization or Enterprise plan\n- [Render API Key](https://dashboard.render.com/u/settings) (create from Account Settings). The Render API key must belong to a user account that is:\n  - An Admin in every Workspace that will be tracked\n  - An Owner of the Organization (Enterprise Plan)\n- Render Owner ID (`tea-xxx`) — workspace where the Cron Job will be deployed\n- [Terraform](https://www.terraform.io/downloads) \u003e= 1.0\n- AWS account with permissions to create S3 buckets and IAM roles\n\n## AWS Authentication\n\nThe Cron Job authenticates to AWS via [Render OIDC](https://render.com/docs/oidc) (currently in alpha): it exchanges a short-lived token for AWS credentials by assuming an IAM role. No long-lived secrets are stored. Render publishes a per-workspace OIDC issuer at `https://oidc.render.com/\u003crender_deployment_workspace_id\u003e`.\n\nThe Go application also supports long-lived `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` credentials as a fallback (used only when `AWS_ROLE_ARN` is unset).\n\n## Quick Start\n\n### 1. Clone the repository\n\n```bash\ngit clone https://github.com/render-examples/render-auditlogs.git\ncd render-auditlogs/terraform\n```\n\n### 2. Configure authentication\n\nSet up authentication for both Terraform providers:\n\n```bash\n# AWS - use one of these methods:\nexport AWS_PROFILE=your-profile\n# or\nexport AWS_ACCESS_KEY_ID=...\nexport AWS_SECRET_ACCESS_KEY=...\n\n# Render - both are required for the Terraform provider\nexport RENDER_API_KEY=your-render-api-key\nexport RENDER_OWNER_ID=tea-xxxxx\n```\n\n### 3. 
Deploy with Terraform\n\n```bash\nterraform init\nterraform apply \\\n  -var=\"aws_s3_bucket_name=your-audit-logs-bucket\" \\\n  -var=\"render_api_key=${RENDER_API_KEY}\" \\\n  -var='render_workspace_ids=[\"tea-xxxxx\", \"tea-yyyyy\"]'\n```\n\nThis creates an IAM OIDC provider for `https://oidc.render.com/\u003crender_deployment_workspace_id\u003e` (if one does not already exist) and an IAM role the Cron Job assumes at runtime.\n\nIf you already have the OIDC provider registered in AWS, add:\n\n```bash\n  -var=\"aws_oidc_provider_arn=arn:aws:iam::123456789012:oidc-provider/oidc.render.com/tea-xxxxx\"\n```\n\nFor Enterprise customers with organization-level audit logs, add `-var=\"render_organization_id=org-xxxxx\"`.\n\n## Terraform Variables\n\n| Variable                    | Required | Default                      | Description                                                                                        |\n| --------------------------- | -------- | ---------------------------- | -------------------------------------------------------------------------------------------------- |\n| `aws_s3_bucket_name`        | Yes      | -                            | Name of the S3 bucket to create for storing audit logs                                             |\n| `render_api_key`            | Yes      | -                            | Render API key for accessing audit logs                                                            |\n| `render_deployment_workspace_id` | Yes | -                            | Render workspace ID (`tea-xxx`) where the Cron Job is deployed; used to build the OIDC issuer URL `oidc.render.com/\u003crender_deployment_workspace_id\u003e` |\n| `render_workspace_ids`      | No       | `[]`                         | List of workspace IDs to fetch audit logs from                                                     |\n| `render_organization_id`    | No       | `\"\"`                         | Organization ID for Enterprise audit logs             
                                             |\n| `aws_oidc_provider_arn`     | No       | `\"\"`                         | ARN of an existing AWS IAM OIDC provider; if empty, one is created                                 |\n| `aws_iam_role_name`         | No       | `render-audit-log-processor` | Name of the IAM role the Cron Job assumes                                                          |\n| `aws_s3_bucket_key_enabled` | No       | `false`                      | Enable S3 bucket key to reduce KMS calls                                                           |\n| `aws_s3_kms_key_id`         | No       | `\"\"`                         | ARN for KMS key to use for encryption                                                              |\n| `aws_s3_use_kms`            | No       | `false`                      | Use KMS for encryption (instead of SSE-S3)                                                         |\n| `render_cronjob_name`       | No       | `render-auditlogs`           | Name of the Render Cron Job                                                                        |\n| `render_cronjob_schedule`   | No       | `1/15 * * * *`               | Cron schedule (default: every 15 minutes)                                                          |\n| `render_cronjob_plan`       | No       | `starter`                    | Render plan for the Cron Job                                                                       |\n| `render_cronjob_region`     | No       | `oregon`                     | Region to deploy the Cron Job                                                                      |\n| `render_project_name`       | No       | `audit-logs`                 | Name of the Render project                                                                         |\n\n*Note*: If you use a KMS key, confirm that the IAM role is set up with User Permissions for the key.\n\nExample:\n```\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Id\": 
\"default\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Sid\": \"Allow use of the key\",\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Principal\": {\n\t\t\t\t\"AWS\": \"arn:aws:iam::123456789012:role/render-audit-log-processor\"\n\t\t\t},\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": \"*\"\n\t\t}\n\t]\n}\n```\n\n## Architecture\n\nThe Terraform configuration creates:\n\n**AWS Resources:**\n\n- S3 bucket (versioned, encrypted, public access blocked)\n- IAM role with S3 write permissions and an OIDC trust policy scoped to this Cron Job's service ID\n- IAM OIDC provider for `oidc.render.com/\u003crender_deployment_workspace_id\u003e` (skipped when `aws_oidc_provider_arn` is set)\n\n**Render Resources:**\n\n- Project\n- Cron Job (builds from this repo)\n\n## Local Development\n\nTo run the application locally:\n\n1. Create a `.env` file:\n\n```bash\nWORKSPACE_IDS=tea-xxxxx,tea-yyyyy\nORGANIZATION_ID=org-xxxxx  # Optional, for Enterprise\nS3_BUCKET=your-bucket-name\nRENDER_API_KEY=your-api-key\nAWS_ACCESS_KEY_ID=your-aws-key\nAWS_SECRET_ACCESS_KEY=your-aws-secret\nAWS_REGION=us-west-2\n\n# Optional: KMS encryption settings (defaults to SSE-S3 if not set)\nS3_USE_KMS=true\nS3_KMS_KEY_ID=arn:aws:kms:us-west-2:123456789012:key/your-key-id  # Optional\nS3_BUCKET_KEY_ENABLED=true  # Optional\n```\n\nWhen `AWS_ROLE_ARN` is set, the application assumes that role via web-identity federation. When it is empty, the AWS SDK's default credential chain picks up `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` (or your local AWS profile).\n\n2. 
Run the application:\n\n```bash\ngo run main.go\n```\n\n## S3 Object Structure\n\nPath format (Hive-style partitioning, gzip compressed):\n\n```\ns3://your-bucket/\n  ├── workspace=tea-xxxxx/\n  │   └── year=2024/\n  │       └── month=1/\n  │           └── day=15/\n  │               └── audit-logs-2024-01-15_10-30-00.json.gz\n  └── organization=org-xxxxx/\n      └── year=2024/\n          └── month=1/\n              └── day=15/\n                  └── audit-logs-2024-01-15_10-30-00.json.gz\n```\n\n## Integration with Panther SIEM\n\n1. Create a custom log type in Panther with the schema below\n2. Add an S3 log source pointing to your audit-logs bucket\n3. Configure S3 event notifications to send object-create events to Panther\n\nPanther schema:\n\n```yaml\nfields:\n  - name: auditLog\n    required: true\n    type: object\n    fields:\n      - name: actor\n        type: object\n        fields:\n          - name: email\n            type: string\n            indicators:\n              - email\n          - name: id\n            type: string\n          - name: type\n            type: string\n      - name: event\n        type: string\n      - name: id\n        type: string\n      - name: metadata\n        type: json\n      - name: status\n        type: string\n      - name: timestamp\n        type: timestamp\n        isEventTime: true\n        timeFormats:\n          - rfc3339\n  - name: cursor\n    required: true\n    type: string\n```\n\n## Contributing\n\n1. Fork the repository\n2. Create a feature branch (`git checkout -b feature/my-feature`)\n3. Commit your changes (`git commit -am 'Add my feature'`)\n4. Push to the branch (`git push origin feature/my-feature`)\n5. Open a Pull Request\n\nTests run automatically on PRs via GitHub Actions.\n\n## Security\n\nTo report a security vulnerability, email security@render.com. 
Do not open a public issue.\n\n## License\n\nSee [LICENSE](LICENSE) for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frender-examples%2Frender-auditlogs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frender-examples%2Frender-auditlogs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frender-examples%2Frender-auditlogs/lists"}