diff --git a/README.md b/README.md
index 3e60ca885..d2b28a8b6 100644
--- a/README.md
+++ b/README.md
@@ -575,6 +575,10 @@ No modules.
 | [single\_nat\_gateway](#input\_single\_nat\_gateway) | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no |
 | [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 | [use\_ipam\_pool](#input\_use\_ipam\_pool) | Determines whether IPAM pool is used for CIDR allocation | `bool` | `false` | no |
+| [vpc\_flow\_log\_iam\_policy\_name](#input\_vpc\_flow\_log\_iam\_policy\_name) | Name of the IAM policy | `string` | `"vpc-flow-log-to-cloudwatch"` | no |
+| [vpc\_flow\_log\_iam\_policy\_use\_name\_prefix](#input\_vpc\_flow\_log\_iam\_policy\_use\_name\_prefix) | Determines whether the name of the IAM policy (`vpc_flow_log_iam_policy_name`) is used as a prefix | `bool` | `true` | no |
+| [vpc\_flow\_log\_iam\_role\_name](#input\_vpc\_flow\_log\_iam\_role\_name) | Name to use on the VPC Flow Log IAM role created | `string` | `"vpc-flow-log-role"` | no |
+| [vpc\_flow\_log\_iam\_role\_use\_name\_prefix](#input\_vpc\_flow\_log\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`vpc_flow_log_iam_role_name_name`) is used as a prefix | `bool` | `true` | no |
 | [vpc\_flow\_log\_permissions\_boundary](#input\_vpc\_flow\_log\_permissions\_boundary) | The ARN of the Permissions Boundary for the VPC Flow Log IAM Role | `string` | `null` | no |
 | [vpc\_flow\_log\_tags](#input\_vpc\_flow\_log\_tags) | Additional tags for the VPC Flow Logs | `map(string)` | `{}` | no |
 | [vpc\_tags](#input\_vpc\_tags) | Additional tags for the VPC | `map(string)` | `{}` | no |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 204489880..579a47395 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -73,10 +73,12 @@ module "vpc" {
 dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]
 
 # VPC Flow Logs (Cloudwatch log group and IAM role will be created)
- enable_flow_log = true
- create_flow_log_cloudwatch_log_group = true
- create_flow_log_cloudwatch_iam_role = true
- flow_log_max_aggregation_interval = 60
+ vpc_flow_log_iam_role_name = "vpc-complete-example-role"
+ vpc_flow_log_iam_role_use_name_prefix = false
+ enable_flow_log = true
+ create_flow_log_cloudwatch_log_group = true
+ create_flow_log_cloudwatch_iam_role = true
+ flow_log_max_aggregation_interval = 60
 
 tags = local.tags
 }
diff --git a/examples/vpc-flow-logs/README.md b/examples/vpc-flow-logs/README.md
index e8b6f0d3b..f40bc01c7 100644
--- a/examples/vpc-flow-logs/README.md
+++ b/examples/vpc-flow-logs/README.md
@@ -41,6 +41,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 |
 | [vpc\_with\_flow\_logs\_cloudwatch\_logs](#module\_vpc\_with\_flow\_logs\_cloudwatch\_logs) | ../../ | n/a |
 | [vpc\_with\_flow\_logs\_cloudwatch\_logs\_default](#module\_vpc\_with\_flow\_logs\_cloudwatch\_logs\_default) | ../../ | n/a |
+| [vpc\_with\_flow\_logs\_cloudwatch\_logs\_prefix](#module\_vpc\_with\_flow\_logs\_cloudwatch\_logs\_prefix) | ../../ | n/a |
 | [vpc\_with\_flow\_logs\_s3\_bucket](#module\_vpc\_with\_flow\_logs\_s3\_bucket) | ../../ | n/a |
 | [vpc\_with\_flow\_logs\_s3\_bucket\_parquet](#module\_vpc\_with\_flow\_logs\_s3\_bucket\_parquet) | ../../ | n/a |
 
diff --git a/examples/vpc-flow-logs/main.tf b/examples/vpc-flow-logs/main.tf
index 9fee41bdf..7cd35d34f 100644
--- a/examples/vpc-flow-logs/main.tf
+++ b/examples/vpc-flow-logs/main.tf
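Review bot: Setting `vpc_flow_log_iam_role_use_name_prefix = false` together with the fixed `vpc_flow_log_iam_role_name = "vpc-complete-example-role"` makes the role name account-wide unique, so a second apply of this example in the same AWS account fails at role creation because the name already exists, whereas the previous prefix-generated name could not collide. That is acceptable for a demo, but a comment would stop readers from copying the pattern into setups that deploy the module more than once per account, e.g. `# Fixed IAM role name: IAM names are account-global, so only one copy of this example can exist per account`. The enclosing `module "vpc"` block starts before this hunk.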
@@ -83,6 +83,35 @@ module "vpc_with_flow_logs_cloudwatch_logs_default" {
 vpc_flow_log_tags = local.tags
 }
 
+# CloudWatch Log Group and IAM prefix
+module "vpc_with_flow_logs_cloudwatch_logs_prefix" {
+ source = "../../"
+
+ name = "${local.name}-cloudwatch-logs-prefix"
+ cidr = local.vpc_cidr
+
+ azs = local.azs
+ private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+ public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
+
+ # Cloudwatch log group and IAM role will be created
+ enable_flow_log = true
+ create_flow_log_cloudwatch_log_group = true
+ create_flow_log_cloudwatch_iam_role = true
+
+ vpc_flow_log_iam_role_name = "vpc-iam-prefix-example"
+ vpc_flow_log_iam_role_use_name_prefix = true
+ vpc_flow_log_iam_policy_name = "vpc-iam-prefix-example"
+ vpc_flow_log_iam_policy_use_name_prefix = true
+
+ flow_log_max_aggregation_interval = 60
+ flow_log_cloudwatch_log_group_name_prefix = "/aws/my-amazing-vpc-flow-logz/"
+ flow_log_cloudwatch_log_group_name_suffix = "my-test"
+ flow_log_cloudwatch_log_group_class = "INFREQUENT_ACCESS"
+
+ vpc_flow_log_tags = local.tags
+}
+
 # CloudWatch Log Group and IAM role created separately
 module "vpc_with_flow_logs_cloudwatch_logs" {
 source = "../../"
diff --git a/variables.tf b/variables.tf
index bd4dc3b29..e0f31ad12 100644
--- a/variables.tf
+++ b/variables.tf
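Review bot: `flow_log_cloudwatch_log_group_class = "INFREQUENT_ACCESS"` is shown without a caveat, yet the Infrequent Access log class drops the capabilities flow logs are usually consumed through for detection — as far as I recall, metric filters, subscription filters and export to S3 are not available on that class, so these logs could neither be alarmed on nor streamed to a SIEM. Since examples get copied verbatim, a comment on that line would help: `# INFREQUENT_ACCESS is cheaper to ingest but lacks metric/subscription filters; use STANDARD when flow logs feed detection tooling`. The header comment `# CloudWatch Log Group and IAM prefix` also reads oddly for what the block demonstrates; `# CloudWatch log group, IAM role and IAM policy created with name prefixes` would say it.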
@@ -1478,12 +1478,37 @@ variable "enable_flow_log" {
 default = false
 }
 
+variable "vpc_flow_log_iam_role_name" {
+ description = "Name to use on the VPC Flow Log IAM role created"
+ type = string
+ default = "vpc-flow-log-role"
+}
+
+variable "vpc_flow_log_iam_role_use_name_prefix" {
+ description = "Determines whether the IAM role name (`vpc_flow_log_iam_role_name_name`) is used as a prefix"
+ type = bool
+ default = true
+}
+
+
 variable "vpc_flow_log_permissions_boundary" {
 description = "The ARN of the Permissions Boundary for the VPC Flow Log IAM Role"
 type = string
 default = null
 }
 
+variable "vpc_flow_log_iam_policy_name" {
+ description = "Name of the IAM policy"
+ type = string
+ default = "vpc-flow-log-to-cloudwatch"
+}
+
+variable "vpc_flow_log_iam_policy_use_name_prefix" {
+ description = "Determines whether the name of the IAM policy (`vpc_flow_log_iam_policy_name`) is used as a prefix"
+ type = bool
+ default = true
+}
+
 variable "flow_log_max_aggregation_interval" {
 description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds"
 type = number
diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf
index e21cd11e6..88b30789c 100644
--- a/vpc-flow-logs.tf
+++ b/vpc-flow-logs.tf
@@ -58,7 +58,9 @@ resource "aws_cloudwatch_log_group" "flow_log" {
 resource "aws_iam_role" "vpc_flow_log_cloudwatch" {
 count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0
 
- name_prefix = "vpc-flow-log-role-"
+ name = var.vpc_flow_log_iam_role_use_name_prefix ? null : var.vpc_flow_log_iam_role_name
+ name_prefix = var.vpc_flow_log_iam_role_use_name_prefix ? "${var.vpc_flow_log_iam_role_name}-" : null
+
 assume_role_policy = data.aws_iam_policy_document.flow_log_cloudwatch_assume_role[0].json
 permissions_boundary = var.vpc_flow_log_permissions_boundary
 
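Review bot: The description of `vpc_flow_log_iam_role_use_name_prefix` names a variable that does not exist, `vpc_flow_log_iam_role_name_name`; replace it with `vpc_flow_log_iam_role_name` inside that description string. The README table in the first hunk carries the same typo and appears to be generated from these descriptions, so the fix here should propagate. `description = "Name of the IAM policy"` on `vpc_flow_log_iam_policy_name` is also too terse next to its role counterpart; `description = "Name to use on the VPC Flow Log CloudWatch IAM policy created"` would match. Neither new name variable mentions the AWS limits (64 characters for a role name, 128 for a policy name) that the provider-generated unique suffix must also fit into when the prefix mode is on, so a sentence in the description or a `validation` block would surface an oversized name at plan time rather than at apply. The two consecutive blank lines after the role-prefix variable break the one-blank-line spacing used elsewhere in this hunk.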
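Review bot: Both `name` and `name_prefix` on `aws_iam_role.vpc_flow_log_cloudwatch` force replacement of the resource, so an existing deployment that flips `vpc_flow_log_iam_role_use_name_prefix` or changes `vpc_flow_log_iam_role_name` gets a destroy-and-recreate of the role and, most likely, of the `aws_flow_log` that references its ARN, interrupting log delivery; the same applies to `aws_iam_policy.vpc_flow_log_cloudwatch` in the next hunk. The defaults reproduce the previous `vpc-flow-log-role-` and `vpc-flow-log-to-cloudwatch-` prefixes, so a plain upgrade is a no-op, but that contract deserves a comment above the `name` line, e.g. `# name/name_prefix are ForceNew: changing either recreates the role and interrupts flow-log delivery until the new role is attached`. The resource block continues past this hunk.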
@@ -92,7 +94,8 @@ resource "aws_iam_role_policy_attachment" "vpc_flow_log_cloudwatch" {
 resource "aws_iam_policy" "vpc_flow_log_cloudwatch" {
 count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0
 
- name_prefix = "vpc-flow-log-to-cloudwatch-"
+ name = var.vpc_flow_log_iam_policy_use_name_prefix ? null : var.vpc_flow_log_iam_policy_name
+ name_prefix = var.vpc_flow_log_iam_policy_use_name_prefix ? "${var.vpc_flow_log_iam_policy_name}-" : null
 policy = data.aws_iam_policy_document.vpc_flow_log_cloudwatch[0].json
 tags = merge(var.tags, var.vpc_flow_log_tags)
 }