From b35da32145248ab35142024134e9d32287587857 Mon Sep 17 00:00:00 2001
From: vijay-stephen
Date: Thu, 14 Nov 2024 06:17:54 +0000
Subject: [PATCH] enable vpc-flow-logs (#88)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* enable vpc-flow-logs
* region variable removed
* vpc flowlog enable for s3
* fix flowlogs policy
* pr corrections
* PR corrections made
* corrections made for vpcflow
* corrections made for vpcflow
* corrections made for vpcflow
* corrections made for vpcflow
* flow_log variable update
---------
Co-authored-by: chandra <“Chandrashekar.reddy@sourcefuse.com”>
---
 .../terraform-aws-ref-arch-network/README.md | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/docs/arc-iac-docs/modules/terraform-aws-ref-arch-network/README.md b/docs/arc-iac-docs/modules/terraform-aws-ref-arch-network/README.md
index 229c5038f..d4014d12d 100644
--- a/docs/arc-iac-docs/modules/terraform-aws-ref-arch-network/README.md
+++ b/docs/arc-iac-docs/modules/terraform-aws-ref-arch-network/README.md
@@ -162,17 +162,24 @@ locals {
 
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | 4.57.0 |
+| [aws](#provider\_aws) | 5.75.0 |
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| [kms](#module\_kms) | sourcefuse/arc-kms/aws | 1.0.9 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_eip.nat_gw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
+| [aws_flow_log.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
+| [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.attach_flow_logs_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
 | [aws_nat_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
 | [aws_route.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
@@ -184,6 +191,10 @@ No modules.
 | [aws_subnet.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
 | [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |
 | [aws_vpc_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.flow_logs_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_route_tables.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source |
 | [aws_route_tables.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source |
@@ -208,11 +219,13 @@ No modules.
 | [ipv6\_cidr\_block\_network\_border\_group](#input\_ipv6\_cidr\_block\_network\_border\_group) | The network border group of the IPv6 CIDR block. | `string` | `null` | no |
 | [ipv6\_ipam\_pool\_id](#input\_ipv6\_ipam\_pool\_id) | The IPv6 IPAM pool ID from which to allocate the CIDR. | `string` | `null` | no |
 | [ipv6\_netmask\_length](#input\_ipv6\_netmask\_length) | The netmask length of the IPv6 CIDR block to allocate to the VPC. | `number` | `null` | no |
+| [kms\_config](#input\_kms\_config) | n/a |
object({
deletion_window_in_days = number
enable_key_rotation = bool
})
|
{
"deletion_window_in_days": 30,
"enable_key_rotation": true
}
| no |
 | [name](#input\_name) | VPC name | `string` | n/a | yes |
 | [namespace](#input\_namespace) | Namespace name | `string` | n/a | yes |
 | [subnet\_map](#input\_subnet\_map) | A map defining the configuration of subnets, their attributes, and associated resources.
Each subnet configuration can include the following details:

- **name**: Name of the subnet.
- **cidr\_block**: CIDR block for the subnet.
- **availability\_zone**: The availability zone where the subnet is located.
- **enable\_resource\_name\_dns\_a\_record\_on\_launch**: Enable or disable DNS A records for EC2 instances launched in this subnet (default: false).
- **enable\_resource\_name\_dns\_aaaa\_record\_on\_launch**: Enable or disable DNS AAAA records for EC2 instances launched in this subnet (default: false).
- **map\_public\_ip\_on\_launch**: Specify whether to auto-assign a public IP for instances in this subnet (default: false).
- **ipv6\_native**: Enable or disable native IPv6 support for the subnet (default: false).
- **assign\_ipv6\_address\_on\_creation**: Whether to automatically assign an IPv6 address to instances launched in the subnet (default: false).
- **ipv6\_cidr\_block**: The IPv6 CIDR block associated with the subnet (optional).
- **enable\_dns64**: Enable or disable DNS64 in the subnet (default: false).
- **nat\_gateway\_name**: Name of the NAT Gateway attached to the subnet (optional).
- **create\_nat\_gateway**: Specify whether to create a NAT Gateway for the subnet (default: true).
- **attach\_nat\_gateway**: Specify whether to attach an existing NAT Gateway to the subnet (default: false).
- **attach\_internet\_gateway**: Specify whether to attach an Internet Gateway to the subnet (default: false).
- **additional\_routes**: List of additional routes to be added to the subnet route table, typically to route traffic to other services like Transit Gateway. Each route includes:
- **type**: Type of resource (default: "transit-gateway").
- **id**: The ID of the route target (e.g., a Transit Gateway ID).
- **cidr\_block**: The destination CIDR block for the route.
- **destination\_ipv6\_cidr\_block**: The destination IPV6 CIDR block for the route. |
map(object({
name = string
cidr_block = string
availability_zone = string
enable_resource_name_dns_a_record_on_launch = optional(bool, false)
enable_resource_name_dns_aaaa_record_on_launch = optional(bool, false)
map_public_ip_on_launch = optional(bool, false)
ipv6_native = optional(bool, false)
assign_ipv6_address_on_creation = optional(bool, false)
ipv6_cidr_block = optional(string, null)
enable_dns64 = optional(bool, false)
nat_gateway_name = optional(string, null)
create_nat_gateway = optional(bool, true)
attach_nat_gateway = optional(bool, false)
attach_internet_gateway = optional(bool, false)
additional_routes = optional(list(object({
type = optional(string, "transit-gateway") // possible values : network-interface ,transit-gateway, vpc-endpoint, vpc-peering-connection
id = string
destination_cidr_block = optional(string, null)
destination_ipv6_cidr_block = optional(string, null)
}
)), [])
}))
| `null` | no |
 | [tags](#input\_tags) | (optional) Tags for VPC resources | `map(string)` | `{}` | no |
 | [vpc\_endpoint\_data](#input\_vpc\_endpoint\_data) | (optional) List of VPC endpoints to be created |
list(object({
service = string
route_table_filter = optional(string, "private") // possible values 'private' and 'public'
policy_doc = optional(string, null)
private_dns_enabled = optional(bool, false)
security_group_ids = optional(list(string), [])
}))
| `[]` | no |
+| [vpc\_flow\_log\_config](#input\_vpc\_flow\_log\_config) | If `s3_bucket_arn` is null, only CloudWatch logging is enabled by default. If `s3_bucket_arn` is provided, S3 logging is enabled. |
object({
enable = bool
retention_in_days = number
s3_bucket_arn = string
})
|
{
"enable": true,
"retention_in_days": 7,
"s3_bucket_arn": null
}
| no | ## Outputs