Skip to content

Commit

Permalink
feat: add vpc flow log options
Browse files Browse the repository at this point in the history
  • Loading branch information
whoiskai committed Dec 1, 2023
1 parent 28713cd commit d87f8d1
Show file tree
Hide file tree
Showing 3 changed files with 154 additions and 0 deletions.
18 changes: 18 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -327,6 +327,8 @@ No requirements.
|------|-------------|------|---------|:--------:|
| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | Region to deploy current terraform script | `string` | `"ap-southeast-1"` | no |
| <a name="input_cidr_name"></a> [cidr\_name](#input\_cidr\_name) | Name of cidr managed | `string` | `""` | no |
| <a name="input_create_flow_log_cloudwatch_iam_role"></a> [create\_flow\_log\_cloudwatch\_iam\_role](#input\_create\_flow\_log\_cloudwatch\_iam\_role) | Whether to create IAM role for VPC Flow Logs | `bool` | `false` | no |
| <a name="input_create_flow_log_cloudwatch_log_group"></a> [create\_flow\_log\_cloudwatch\_log\_group](#input\_create\_flow\_log\_cloudwatch\_log\_group) | Whether to create CloudWatch log group for VPC Flow Logs | `bool` | `false` | no |
| <a name="input_create_vpc"></a> [create\_vpc](#input\_create\_vpc) | Controls if VPC should be created (it affects almost all resources) | `bool` | `true` | no |
| <a name="input_database_subnets"></a> [database\_subnets](#input\_database\_subnets) | cidr range of your database subnets | `list(string)` | `[]` | no |
| <a name="input_default_network_acl_name"></a> [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | Name to be used on the Default Network ACL | `string` | `""` | no |
Expand All @@ -345,12 +347,26 @@ No requirements.
| <a name="input_default_vpc_name"></a> [default\_vpc\_name](#input\_default\_vpc\_name) | Name to be used on the Default VPC | `string` | `null` | no |
| <a name="input_default_vpc_tags"></a> [default\_vpc\_tags](#input\_default\_vpc\_tags) | Additional tags for the Default VPC | `map(string)` | `{}` | no |
| <a name="input_eks_cluster_tags"></a> [eks\_cluster\_tags](#input\_eks\_cluster\_tags) | List of tags that EKS will create, but also added to VPC for persistency across terraform applies | `map(any)` | `{}` | no |
| <a name="input_enable_flow_log"></a> [enable\_flow\_log](#input\_enable\_flow\_log) | Whether or not to enable VPC Flow Logs | `bool` | `false` | no |
| <a name="input_enable_nat_gateway"></a> [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Should be true if you want to provision NAT Gateways for each of your private networks | `bool` | `true` | no |
| <a name="input_firewall_dedicated_network_acl"></a> [firewall\_dedicated\_network\_acl](#input\_firewall\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for firewall subnets | `bool` | `false` | no |
| <a name="input_firewall_inbound_acl_rules"></a> [firewall\_inbound\_acl\_rules](#input\_firewall\_inbound\_acl\_rules) | firewall subnets inbound network ACL rules | `list(map(string))` | <pre>[<br> {<br> "cidr_block": "0.0.0.0/0",<br> "from_port": 0,<br> "protocol": "-1",<br> "rule_action": "allow",<br> "rule_number": 100,<br> "to_port": 0<br> }<br>]</pre> | no |
| <a name="input_firewall_outbound_acl_rules"></a> [firewall\_outbound\_acl\_rules](#input\_firewall\_outbound\_acl\_rules) | Firewall subnets outbound network ACL rules | `list(map(string))` | <pre>[<br> {<br> "cidr_block": "0.0.0.0/0",<br> "from_port": 0,<br> "protocol": "-1",<br> "rule_action": "allow",<br> "rule_number": 100,<br> "to_port": 0<br> }<br>]</pre> | no |
| <a name="input_firewall_subnets"></a> [firewall\_subnets](#input\_firewall\_subnets) | cidr range of your firewall subnets | `list(string)` | `[]` | no |
| <a name="input_firewall_sync_states"></a> [firewall\_sync\_states](#input\_firewall\_sync\_states) | Output of aws\_networkfirewall\_firewall.firewall\_status[0].sync\_states | <pre>list(object({<br> attachment = list(object({<br> endpoint_id = string<br> subnet_id = string<br> }))<br> availability_zone = string<br> }))</pre> | `[]` | no |
| <a name="input_flow_log_cloudwatch_iam_role_arn"></a> [flow\_log\_cloudwatch\_iam\_role\_arn](#input\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow\_log\_destination\_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided | `string` | `""` | no |
| <a name="input_flow_log_cloudwatch_log_group_kms_key_id"></a> [flow\_log\_cloudwatch\_log\_group\_kms\_key\_id](#input\_flow\_log\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data for VPC flow logs | `string` | `null` | no |
| <a name="input_flow_log_cloudwatch_log_group_name_prefix"></a> [flow\_log\_cloudwatch\_log\_group\_name\_prefix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_prefix) | Specifies the name prefix of CloudWatch Log Group for VPC flow logs | `string` | `"/aws/vpc-flow-log/"` | no |
| <a name="input_flow_log_cloudwatch_log_group_name_suffix"></a> [flow\_log\_cloudwatch\_log\_group\_name\_suffix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_suffix) | Specifies the name suffix of CloudWatch Log Group for VPC flow logs | `string` | `""` | no |
| <a name="input_flow_log_cloudwatch_log_group_retention_in_days"></a> [flow\_log\_cloudwatch\_log\_group\_retention\_in\_days](#input\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs | `number` | `null` | no |
| <a name="input_flow_log_destination_arn"></a> [flow\_log\_destination\_arn](#input\_flow\_log\_destination\_arn) | The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create\_flow\_log\_cloudwatch\_log\_group is set to false this argument must be provided | `string` | `""` | no |
| <a name="input_flow_log_destination_type"></a> [flow\_log\_destination\_type](#input\_flow\_log\_destination\_type) | Type of flow log destination. Can be s3 or cloud-watch-logs | `string` | `"cloud-watch-logs"` | no |
| <a name="input_flow_log_file_format"></a> [flow\_log\_file\_format](#input\_flow\_log\_file\_format) | (Optional) The format for the flow log. Valid values: `plain-text`, `parquet` | `string` | `null` | no |
| <a name="input_flow_log_hive_compatible_partitions"></a> [flow\_log\_hive\_compatible\_partitions](#input\_flow\_log\_hive\_compatible\_partitions) | (Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 | `bool` | `false` | no |
| <a name="input_flow_log_log_format"></a> [flow\_log\_log\_format](#input\_flow\_log\_log\_format) | The fields to include in the flow log record, in the order in which they should appear | `string` | `null` | no |
| <a name="input_flow_log_max_aggregation_interval"></a> [flow\_log\_max\_aggregation\_interval](#input\_flow\_log\_max\_aggregation\_interval) | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds | `number` | `600` | no |
| <a name="input_flow_log_per_hour_partition"></a> [flow\_log\_per\_hour\_partition](#input\_flow\_log\_per\_hour\_partition) | (Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries | `bool` | `false` | no |
| <a name="input_flow_log_traffic_type"></a> [flow\_log\_traffic\_type](#input\_flow\_log\_traffic\_type) | The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL | `string` | `"ALL"` | no |
| <a name="input_folder"></a> [folder](#input\_folder) | Path relative to root of terraform directory where this module is used. This is for easier locating of where the individual resource is created with aws console | `map(any)` | n/a | yes |
| <a name="input_intranet_subnets"></a> [intranet\_subnets](#input\_intranet\_subnets) | cidr range of your intranet subnets | `list(string)` | `[]` | no |
| <a name="input_manage_default_network_acl"></a> [manage\_default\_network\_acl](#input\_manage\_default\_network\_acl) | Should be true to adopt and manage Default Network ACL | `bool` | `false` | no |
Expand All @@ -364,6 +380,8 @@ No requirements.
| <a name="input_secondary_cidr_blocks"></a> [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | `list(string)` | `[]` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to resources | `map(any)` | `{}` | no |
| <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | CIDR for the VPC, check that this doesn't collide with an existing one | `string` | n/a | yes |
| <a name="input_vpc_flow_log_permissions_boundary"></a> [vpc\_flow\_log\_permissions\_boundary](#input\_vpc\_flow\_log\_permissions\_boundary) | The ARN of the Permissions Boundary for the VPC Flow Log IAM Role | `string` | `null` | no |
| <a name="input_vpc_flow_log_tags"></a> [vpc\_flow\_log\_tags](#input\_vpc\_flow\_log\_tags) | Additional tags for the VPC Flow Logs | `map(string)` | `{}` | no |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC id for use in cases where VPC was already created and you would like to reuse it with this module. Not required if create\_vpc = true | `string` | `""` | no |
| <a name="input_vpc_name"></a> [vpc\_name](#input\_vpc\_name) | Name of VPC | `string` | n/a | yes |
| <a name="input_vpc_tags"></a> [vpc\_tags](#input\_vpc\_tags) | Tags to apply to VPC | `map(any)` | `{}` | no |
Expand Down
19 changes: 19 additions & 0 deletions main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -129,6 +129,25 @@ module "vpc" {
default_route_table_routes = var.default_route_table_routes
default_route_table_tags = var.default_route_table_tags

# flow log
enable_flow_log = var.enable_flow_log
vpc_flow_log_permissions_boundary = var.vpc_flow_log_permissions_boundary
flow_log_max_aggregation_interval = var.flow_log_max_aggregation_interval
flow_log_traffic_type = var.flow_log_traffic_type
flow_log_destination_type = var.flow_log_destination_type
flow_log_log_format = var.flow_log_log_format
flow_log_destination_arn = var.flow_log_destination_arn
flow_log_file_format = var.flow_log_file_format
flow_log_hive_compatible_partitions = var.flow_log_hive_compatible_partitions
flow_log_per_hour_partition = var.flow_log_per_hour_partition
vpc_flow_log_tags = var.vpc_flow_log_tags
create_flow_log_cloudwatch_log_group = var.create_flow_log_cloudwatch_log_group
create_flow_log_cloudwatch_iam_role = var.create_flow_log_cloudwatch_iam_role
flow_log_cloudwatch_iam_role_arn = var.flow_log_cloudwatch_iam_role_arn
flow_log_cloudwatch_log_group_name_prefix = var.flow_log_cloudwatch_log_group_name_prefix
flow_log_cloudwatch_log_group_name_suffix = var.flow_log_cloudwatch_log_group_name_suffix
flow_log_cloudwatch_log_group_retention_in_days = var.flow_log_cloudwatch_log_group_retention_in_days
flow_log_cloudwatch_log_group_kms_key_id = var.flow_log_cloudwatch_log_group_kms_key_id
}

#######################
Expand Down
117 changes: 117 additions & 0 deletions variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -188,6 +188,123 @@ variable "default_network_acl_tags" {
default = {}
}

################################################################################
# Flow Log
################################################################################

variable "enable_flow_log" {
description = "Whether or not to enable VPC Flow Logs"
type = bool
default = false
}

variable "vpc_flow_log_permissions_boundary" {
description = "The ARN of the Permissions Boundary for the VPC Flow Log IAM Role"
type = string
default = null
}

variable "flow_log_max_aggregation_interval" {
description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds"
type = number
default = 600
}

variable "flow_log_traffic_type" {
description = "The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL"
type = string
default = "ALL"
}

variable "flow_log_destination_type" {
description = "Type of flow log destination. Can be s3 or cloud-watch-logs"
type = string
default = "cloud-watch-logs"
}

variable "flow_log_log_format" {
description = "The fields to include in the flow log record, in the order in which they should appear"
type = string
default = null
}

variable "flow_log_destination_arn" {
description = "The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create_flow_log_cloudwatch_log_group is set to false this argument must be provided"
type = string
default = ""
}

variable "flow_log_file_format" {
description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`"
type = string
default = null
}

variable "flow_log_hive_compatible_partitions" {
description = "(Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3"
type = bool
default = false
}

variable "flow_log_per_hour_partition" {
description = "(Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries"
type = bool
default = false
}

variable "vpc_flow_log_tags" {
description = "Additional tags for the VPC Flow Logs"
type = map(string)
default = {}
}

################################################################################
# Flow Log CloudWatch
################################################################################

variable "create_flow_log_cloudwatch_log_group" {
description = "Whether to create CloudWatch log group for VPC Flow Logs"
type = bool
default = false
}

variable "create_flow_log_cloudwatch_iam_role" {
description = "Whether to create IAM role for VPC Flow Logs"
type = bool
default = false
}

variable "flow_log_cloudwatch_iam_role_arn" {
description = "The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided"
type = string
default = ""
}

variable "flow_log_cloudwatch_log_group_name_prefix" {
description = "Specifies the name prefix of CloudWatch Log Group for VPC flow logs"
type = string
default = "/aws/vpc-flow-log/"
}

variable "flow_log_cloudwatch_log_group_name_suffix" {
description = "Specifies the name suffix of CloudWatch Log Group for VPC flow logs"
type = string
default = ""
}

variable "flow_log_cloudwatch_log_group_retention_in_days" {
description = "Specifies the number of days you want to retain log events in the specified log group for VPC flow logs"
type = number
default = null
}

variable "flow_log_cloudwatch_log_group_kms_key_id" {
description = "The ARN of the KMS Key to use when encrypting log data for VPC flow logs"
type = string
default = null
}


################################################################################
# Default VPC
################################################################################
Expand Down

0 comments on commit d87f8d1

Please sign in to comment.