This is a mirror of the official AWS VPC module from GitHub. (It avoids the failed clones that frequently happen when cloning directly from GitHub.)


  1. locals {
  2. # Only create flow log if user selected to create a VPC as well
  3. enable_flow_log = var.create_vpc && var.enable_flow_log
  4. create_flow_log_cloudwatch_iam_role = local.enable_flow_log && var.flow_log_destination_type != "s3" && var.create_flow_log_cloudwatch_iam_role
  5. create_flow_log_cloudwatch_log_group = local.enable_flow_log && var.flow_log_destination_type != "s3" && var.create_flow_log_cloudwatch_log_group
  6. flow_log_destination_arn = local.create_flow_log_cloudwatch_log_group ? aws_cloudwatch_log_group.flow_log[0].arn : var.flow_log_destination_arn
  7. flow_log_iam_role_arn = var.flow_log_destination_type != "s3" && local.create_flow_log_cloudwatch_iam_role ? aws_iam_role.vpc_flow_log_cloudwatch[0].arn : var.flow_log_cloudwatch_iam_role_arn
  8. }
  9. ################################################################################
  10. # Flow Log
  11. ################################################################################
  12. resource "aws_flow_log" "this" {
  13. count = local.enable_flow_log ? 1 : 0
  14. log_destination_type = var.flow_log_destination_type
  15. log_destination = local.flow_log_destination_arn
  16. log_format = var.flow_log_log_format
  17. iam_role_arn = local.flow_log_iam_role_arn
  18. traffic_type = var.flow_log_traffic_type
  19. vpc_id = local.vpc_id
  20. max_aggregation_interval = var.flow_log_max_aggregation_interval
  21. tags = merge(var.tags, var.vpc_flow_log_tags)
  22. }
  23. ################################################################################
  24. # Flow Log CloudWatch
  25. ################################################################################
  26. resource "aws_cloudwatch_log_group" "flow_log" {
  27. count = local.create_flow_log_cloudwatch_log_group ? 1 : 0
  28. name = "${var.flow_log_cloudwatch_log_group_name_prefix}${local.vpc_id}"
  29. retention_in_days = var.flow_log_cloudwatch_log_group_retention_in_days
  30. kms_key_id = var.flow_log_cloudwatch_log_group_kms_key_id
  31. tags = merge(var.tags, var.vpc_flow_log_tags)
  32. }
  33. resource "aws_iam_role" "vpc_flow_log_cloudwatch" {
  34. count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0
  35. name_prefix = "vpc-flow-log-role-"
  36. assume_role_policy = data.aws_iam_policy_document.flow_log_cloudwatch_assume_role[0].json
  37. permissions_boundary = var.vpc_flow_log_permissions_boundary
  38. tags = merge(var.tags, var.vpc_flow_log_tags)
  39. }
  40. data "aws_iam_policy_document" "flow_log_cloudwatch_assume_role" {
  41. count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0
  42. statement {
  43. principals {
  44. type = "Service"
  45. identifiers = ["vpc-flow-logs.amazonaws.com"]
  46. }
  47. effect = "Allow"
  48. actions = ["sts:AssumeRole"]
  49. }
  50. }
  51. resource "aws_iam_role_policy_attachment" "vpc_flow_log_cloudwatch" {
  52. count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0
  53. role = aws_iam_role.vpc_flow_log_cloudwatch[0].name
  54. policy_arn = aws_iam_policy.vpc_flow_log_cloudwatch[0].arn
  55. }
  56. resource "aws_iam_policy" "vpc_flow_log_cloudwatch" {
  57. count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0
  58. name_prefix = "vpc-flow-log-to-cloudwatch-"
  59. policy = data.aws_iam_policy_document.vpc_flow_log_cloudwatch[0].json
  60. }
  61. data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" {
  62. count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0
  63. statement {
  64. sid = "AWSVPCFlowLogsPushToCloudWatch"
  65. effect = "Allow"
  66. actions = [
  67. "logs:CreateLogStream",
  68. "logs:PutLogEvents",
  69. "logs:DescribeLogGroups",
  70. "logs:DescribeLogStreams",
  71. ]
  72. resources = ["*"]
  73. }
  74. }