Add VPC flow logs

opendatacube · Sep 5, 2024 · 9c140b7 · 9c140b7
1 parent 92e3eb8
commit 9c140b7
Show file tree

Hide file tree

Showing 3 changed files with 106 additions and 2 deletions.
diff --git a/odc_eks/main.tf b/odc_eks/main.tf
@@ -28,6 +28,10 @@ locals {
 module "vpc" {
   source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.5.2"
 
+  locals {
+    log_group_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${flow_log_cloudwatch_log_group_name_prefix}:*"
+  }
+
   count = var.create_vpc ? 1 : 0
 
   name             = "${local.cluster_id}-vpc"
@@ -68,7 +72,22 @@ module "vpc" {
   manage_default_network_acl    = false
   manage_default_route_table    = false
 
-  tags = local.tags
+  enable_flow_log                   = var.create_vpc_flow_logs
+  flow_log_destination_type         = "s3"
+  flow_log_max_agreegation_interval = (var.create_vpc_flow_logs) ? var.flow_log_max_aggregation_interval : null
+  flow_log_traffic_type             = (var.create_vpc_flow_logs) ? var.flow_log_traffic_type : null
+  flow_log_file_format              = (var.create_vpc_flow_logs) ? var.flow_log_log_format : null
+  flow_log_destination_arn          = (var.create_vpc_flow_logs) ? "arn:aws:s3:::${var.flow_log_s3_bucket_name}" : null
+
+  tags = merge(
+    {
+      Name        = "${local.cluster_id}-vpc-flow-logs"
+      owner       = var.owner
+      namespace   = var.namespace
+      environment = var.environment
+    },
+    var.tags
+  )
 }
 
 moved {

diff --git a/odc_eks/variables.tf b/odc_eks/variables.tf
@@ -167,13 +167,47 @@ variable "enable_nat_gateway" {
   default     = true
 }
 
-
 variable "create_igw" {
   type        = bool
   description = "Whether to provision an Internet Gateway in the VPC. Default is true (False for private routing)"
   default     = true
 }
 
+variable "create_vpc_flow_logs" {
+  type        = bool
+  description = "Whether to create VPC flow logs. Default is set to 'false'"
+  default     = false
+}
+
+variable "flow_log_max_aggregation_interval" {
+  description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds"
+  type        = number
+  default     = 600
+}
+
+variable "flow_log_traffic_type" {
+  description = "The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL"
+  type        = string
+  default     = "ALL"
+}
+
+variable "flow_log_file_format" {
+  description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`"
+  type        = string
+  default     = "plain-text"
+}
+
+variable "create_flow_log_s3_bucket" {
+  type        = bool
+  description = "Whether to create a S3 bucket for the vpc flow logs. Default is set to 'false'"
+  default     = false
+}
+
+variable "flow_log_s3_bucket_name" {
+  description = "The name of the bucket used to store the logs"
+  type        = string
+  default     = ""
+}
 
 # EC2 Worker Roles
 # ==================

diff --git a/odc_eks/vpc_support.tf b/odc_eks/vpc_support.tf
@@ -0,0 +1,51 @@
+################################################################################
+# Supporting Resources
+################################################################################
+locals {
+  log_destination = split(",", var.flow_log_destination)
+}
+
+resource "random_pet" "this" {
+  length = 2
+}
+
+# S3 Bucket
+module "s3_bucket" {
+  count   = (var.create_vpc_flow_logs && var.create_flow_log_s3_bucket) ? 1 : 0
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = "~> 3.0"
+
+  bucket = var.flow_log_s3_bucket_name
+  policy = data.aws_iam_policy_document.flow_log_s3.json
+
+  tags = var.tags
+}
+
+data "aws_iam_policy_document" "flow_log_s3" {
+  count  = (var.create_vpc_flow_logs && var.create_flow_log_s3_bucket) ? 1 : 0
+  statement {
+    sid = "AWSLogDeliveryWrite"
+
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+
+    actions = ["s3:PutObject"]
+
+    resources = ["arn:aws:s3:::${var.flow_log_s3_bucket_name}/AWSLogs/*"]
+  }
+
+  statement {
+    sid = "AWSLogDeliveryAclCheck"
+
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+
+    actions = ["s3:GetBucketAcl"]
+
+    resources = ["arn:aws:s3:::${var.flow_log_s3_bucket_name}"]
+  }
+}