feat: Allow custom VPC Flow Log IAM Role name and IAM Policy name #1089

Merged
4 changes: 4 additions & 0 deletions README.md
@@ -575,6 +575,10 @@ No modules.
| <a name="input_single_nat_gateway"></a> [single\_nat\_gateway](#input\_single\_nat\_gateway) | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
| <a name="input_use_ipam_pool"></a> [use\_ipam\_pool](#input\_use\_ipam\_pool) | Determines whether IPAM pool is used for CIDR allocation | `bool` | `false` | no |
| <a name="input_vpc_flow_log_iam_policy_name"></a> [vpc\_flow\_log\_iam\_policy\_name](#input\_vpc\_flow\_log\_iam\_policy\_name) | Name of the IAM policy | `string` | `"vpc-flow-log-to-cloudwatch"` | no |
| <a name="input_vpc_flow_log_iam_policy_use_name_prefix"></a> [vpc\_flow\_log\_iam\_policy\_use\_name\_prefix](#input\_vpc\_flow\_log\_iam\_policy\_use\_name\_prefix) | Determines whether the name of the IAM policy (`vpc_flow_log_iam_policy_name`) is used as a prefix | `bool` | `true` | no |
| <a name="input_vpc_flow_log_iam_role_name"></a> [vpc\_flow\_log\_iam\_role\_name](#input\_vpc\_flow\_log\_iam\_role\_name) | Name to use on the VPC Flow Log IAM role created | `string` | `"vpc-flow-log-role"` | no |
| <a name="input_vpc_flow_log_iam_role_use_name_prefix"></a> [vpc\_flow\_log\_iam\_role\_use\_name\_prefix](#input\_vpc\_flow\_log\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`vpc_flow_log_iam_role_name_name`) is used as a prefix | `bool` | `true` | no |
| <a name="input_vpc_flow_log_permissions_boundary"></a> [vpc\_flow\_log\_permissions\_boundary](#input\_vpc\_flow\_log\_permissions\_boundary) | The ARN of the Permissions Boundary for the VPC Flow Log IAM Role | `string` | `null` | no |
| <a name="input_vpc_flow_log_tags"></a> [vpc\_flow\_log\_tags](#input\_vpc\_flow\_log\_tags) | Additional tags for the VPC Flow Logs | `map(string)` | `{}` | no |
| <a name="input_vpc_tags"></a> [vpc\_tags](#input\_vpc\_tags) | Additional tags for the VPC | `map(string)` | `{}` | no |
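Review bot: the description for `vpc_flow_log_iam_role_use_name_prefix` references a variable that does not exist, `vpc_flow_log_iam_role_name_name`; it should read `vpc_flow_log_iam_role_name` to match the row above. This table looks terraform-docs generated, so the fix belongs in the variable description in variables.tf and should then be regenerated here. Smaller point: the `vpc_flow_log_iam_policy_name` description, "Name of the IAM policy", is terser than its role counterpart; something like "Name to use on the VPC Flow Log IAM policy created" keeps the two rows parallel and tells the reader which policy is meant.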
10 changes: 6 additions & 4 deletions examples/complete/main.tf
@@ -73,10 +73,12 @@ module "vpc" {
dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]

# VPC Flow Logs (Cloudwatch log group and IAM role will be created)
enable_flow_log = true
create_flow_log_cloudwatch_log_group = true
create_flow_log_cloudwatch_iam_role = true
flow_log_max_aggregation_interval = 60
vpc_flow_log_iam_role_name = "vpc-complete-example-role"
vpc_flow_log_iam_role_use_name_prefix = false
enable_flow_log = true
create_flow_log_cloudwatch_log_group = true
create_flow_log_cloudwatch_iam_role = true
flow_log_max_aggregation_interval = 60

tags = local.tags
}
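Review bot: the fixed name introduced here, `vpc_flow_log_iam_role_name = "vpc-complete-example-role"` together with `vpc_flow_log_iam_role_use_name_prefix = false`, turns the IAM role name into a hard-coded value that must be unique in the account, so a second deployment of this example in the same account (or a re-apply after a partially failed destroy) fails on role creation with an "already exists" style error rather than on anything in the example itself; a one-line comment next to these two settings noting that trade-off would save users a confusing failure. The policy name is left at its prefixed default, which is fine, but the comment above the block still says only that the IAM role "will be created" and could add that it is now named explicitly.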
1 change: 1 addition & 0 deletions examples/vpc-flow-logs/README.md
@@ -41,6 +41,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 |
| <a name="module_vpc_with_flow_logs_cloudwatch_logs"></a> [vpc\_with\_flow\_logs\_cloudwatch\_logs](#module\_vpc\_with\_flow\_logs\_cloudwatch\_logs) | ../../ | n/a |
| <a name="module_vpc_with_flow_logs_cloudwatch_logs_default"></a> [vpc\_with\_flow\_logs\_cloudwatch\_logs\_default](#module\_vpc\_with\_flow\_logs\_cloudwatch\_logs\_default) | ../../ | n/a |
| <a name="module_vpc_with_flow_logs_cloudwatch_logs_prefix"></a> [vpc\_with\_flow\_logs\_cloudwatch\_logs\_prefix](#module\_vpc\_with\_flow\_logs\_cloudwatch\_logs\_prefix) | ../../ | n/a |
| <a name="module_vpc_with_flow_logs_s3_bucket"></a> [vpc\_with\_flow\_logs\_s3\_bucket](#module\_vpc\_with\_flow\_logs\_s3\_bucket) | ../../ | n/a |
| <a name="module_vpc_with_flow_logs_s3_bucket_parquet"></a> [vpc\_with\_flow\_logs\_s3\_bucket\_parquet](#module\_vpc\_with\_flow\_logs\_s3\_bucket\_parquet) | ../../ | n/a |

29 changes: 29 additions & 0 deletions examples/vpc-flow-logs/main.tf
@@ -83,6 +83,35 @@ module "vpc_with_flow_logs_cloudwatch_logs_default" {
vpc_flow_log_tags = local.tags
}

# CloudWatch Log Group and IAM prefix
module "vpc_with_flow_logs_cloudwatch_logs_prefix" {
source = "../../"

name = "${local.name}-cloudwatch-logs-prefix"
cidr = local.vpc_cidr

azs = local.azs
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]

# Cloudwatch log group and IAM role will be created
enable_flow_log = true
create_flow_log_cloudwatch_log_group = true
create_flow_log_cloudwatch_iam_role = true

vpc_flow_log_iam_role_name = "vpc-iam-prefix-example"
vpc_flow_log_iam_role_use_name_prefix = true
vpc_flow_log_iam_policy_name = "vpc-iam-prefix-example"
vpc_flow_log_iam_policy_use_name_prefix = true

flow_log_max_aggregation_interval = 60
flow_log_cloudwatch_log_group_name_prefix = "/aws/my-amazing-vpc-flow-logz/"
flow_log_cloudwatch_log_group_name_suffix = "my-test"
flow_log_cloudwatch_log_group_class = "INFREQUENT_ACCESS"

vpc_flow_log_tags = local.tags
}

# CloudWatch Log Group and IAM role created separately
module "vpc_with_flow_logs_cloudwatch_logs" {
source = "../../"
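Review bot: in the new `vpc_with_flow_logs_cloudwatch_logs_prefix` block, both `vpc_flow_log_iam_role_use_name_prefix` and `vpc_flow_log_iam_policy_use_name_prefix` are set to `true`, which is already the default in the variables.tf change in this PR, so the example only demonstrates supplying a custom base name for the prefix; saying so in the `# CloudWatch Log Group and IAM prefix` comment (or dropping the two explicit `true` lines) makes it clearer what differs from `vpc_with_flow_logs_cloudwatch_logs_default` above. Minor: the comment above `enable_flow_log` spells it `Cloudwatch` while the block header uses `CloudWatch`.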
25 changes: 25 additions & 0 deletions variables.tf
@@ -1478,12 +1478,37 @@ variable "enable_flow_log" {
default = false
}

variable "vpc_flow_log_iam_role_name" {
description = "Name to use on the VPC Flow Log IAM role created"
type = string
default = "vpc-flow-log-role"
}

variable "vpc_flow_log_iam_role_use_name_prefix" {
description = "Determines whether the IAM role name (`vpc_flow_log_iam_role_name_name`) is used as a prefix"
type = bool
default = true
}


variable "vpc_flow_log_permissions_boundary" {
description = "The ARN of the Permissions Boundary for the VPC Flow Log IAM Role"
type = string
default = null
}

variable "vpc_flow_log_iam_policy_name" {
description = "Name of the IAM policy"
type = string
default = "vpc-flow-log-to-cloudwatch"
}

variable "vpc_flow_log_iam_policy_use_name_prefix" {
description = "Determines whether the name of the IAM policy (`vpc_flow_log_iam_policy_name`) is used as a prefix"
type = bool
default = true
}

variable "flow_log_max_aggregation_interval" {
description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds"
type = number
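Review bot: neither new name variable has a `validation` block, even though the value is passed through as `"${var.vpc_flow_log_iam_role_name}-"` when prefixing is enabled, so a value ending in `-` or one that pushes the final name past the IAM name-length limit only fails at apply time; a simple `validation` on length and allowed characters would surface that at plan time. The `_name_name` typo in the `vpc_flow_log_iam_role_use_name_prefix` description originates here and propagates into the README table, and there is a double blank line between that block and `vpc_flow_log_permissions_boundary` where the rest of the file uses one. On the positive side, the defaults (`vpc-flow-log-role` and `vpc-flow-log-to-cloudwatch` with prefixing on) reproduce the previous hard-coded `name_prefix` values exactly, so existing users should see no replacement of the role or policy on upgrade.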
7 changes: 5 additions & 2 deletions vpc-flow-logs.tf
@@ -58,7 +58,9 @@ resource "aws_cloudwatch_log_group" "flow_log" {
resource "aws_iam_role" "vpc_flow_log_cloudwatch" {
count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0

name_prefix = "vpc-flow-log-role-"
name = var.vpc_flow_log_iam_role_use_name_prefix ? null : var.vpc_flow_log_iam_role_name
name_prefix = var.vpc_flow_log_iam_role_use_name_prefix ? "${var.vpc_flow_log_iam_role_name}-" : null

assume_role_policy = data.aws_iam_policy_document.flow_log_cloudwatch_assume_role[0].json
permissions_boundary = var.vpc_flow_log_permissions_boundary

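Review bot: `name` and `name_prefix` on `aws_iam_role` both force replacement, so a user who flips `vpc_flow_log_iam_role_use_name_prefix` or changes `vpc_flow_log_iam_role_name` on an existing deployment gets a new role rather than an in-place rename, with the attached policy and the flow log's role reference re-created along with it; that is expected behaviour, but it deserves a sentence in the variable descriptions or the upgrade notes so nobody is surprised by a brief gap in flow-log delivery. The computed prefix `"${var.vpc_flow_log_iam_role_name}-"` also hands the provider one character more than the user typed, which matters when the chosen name is close to the provider's prefix-length limit.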
@@ -92,7 +94,8 @@ resource "aws_iam_role_policy_attachment" "vpc_flow_log_cloudwatch" {
resource "aws_iam_policy" "vpc_flow_log_cloudwatch" {
count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0

name_prefix = "vpc-flow-log-to-cloudwatch-"
name = var.vpc_flow_log_iam_policy_use_name_prefix ? null : var.vpc_flow_log_iam_policy_name
name_prefix = var.vpc_flow_log_iam_policy_use_name_prefix ? "${var.vpc_flow_log_iam_policy_name}-" : null
policy = data.aws_iam_policy_document.vpc_flow_log_cloudwatch[0].json
tags = merge(var.tags, var.vpc_flow_log_tags)
}
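Review bot: same pattern as the role: `name`/`name_prefix` on `aws_iam_policy` are replace-on-change, and because this policy is referenced by the `aws_iam_role_policy_attachment` shown in the hunk context, renaming it also re-creates the attachment. Customer managed policy names must be unique within the account, so a fixed `vpc_flow_log_iam_policy_name` with `vpc_flow_log_iam_policy_use_name_prefix = false` collides if this module is instantiated twice in one account without distinct names; consider noting that in the `vpc_flow_log_iam_policy_name` description, which currently says only "Name of the IAM policy".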