diff --git a/odc_eks/main.tf b/odc_eks/main.tf
index 1cdb2b4c..e64644bf 100644
--- a/odc_eks/main.tf
+++ b/odc_eks/main.tf
@@ -28,6 +28,10 @@ locals {
 module "vpc" {
 source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.5.2"
+ locals {
+ log_group_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${flow_log_cloudwatch_log_group_name_prefix}:*"
+ }
+
 count = var.create_vpc ? 1 : 0
 name = "${local.cluster_id}-vpc"
@@ -68,7 +72,22 @@ module "vpc" {
 manage_default_network_acl = false
 manage_default_route_table = false
- tags = local.tags
+ enable_flow_log = var.create_vpc_flow_logs
+ flow_log_destination_type = "s3"
+ flow_log_max_agreegation_interval = (var.create_vpc_flow_logs) ? var.flow_log_max_aggregation_interval : null
+ flow_log_traffic_type = (var.create_vpc_flow_logs) ? var.flow_log_traffic_type : null
+ flow_log_file_format = (var.create_vpc_flow_logs) ? var.flow_log_log_format : null
+ flow_log_destination_arn = (var.create_vpc_flow_logs) ? "arn:aws:s3:::${var.flow_log_s3_bucket_name}" : null
+
+ tags = merge(
+ {
+ Name = "${local.cluster_id}-vpc-flow-logs"
+ owner = var.owner
+ namespace = var.namespace
+ environment = var.environment
+ },
+ var.tags
+ )
 }
 moved {
diff --git a/odc_eks/variables.tf b/odc_eks/variables.tf
index 7613454a..bddc85f5 100644
--- a/odc_eks/variables.tf
+++ b/odc_eks/variables.tf
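Review bot: The `locals { ... }` block added inside `module "vpc"` is not valid HCL — `locals` is only a top-level block, so `terraform validate` will reject it as an unexpected nested block, and `${flow_log_cloudwatch_log_group_name_prefix}` inside it is a bare identifier with no `var.` or `local.` prefix, which is a second error. The value is also never used: the second hunk sets `flow_log_destination_type = "s3"`, so a CloudWatch log-group ARN has no consumer. I would drop the four added lines from this hunk; if the ARN is wanted for a future CloudWatch destination, put it in the file's top-level `locals` (the hunk header shows one at line 28) as `log_group_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${var.flow_log_cloudwatch_log_group_name_prefix}:*"`, with that variable declared. I cannot see whether `data.aws_region.current` and `data.aws_caller_identity.current` exist elsewhere in the module, so confirm that too.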
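Review bot: Two of the new module arguments will not plan: `flow_log_max_agreegation_interval` is misspelled (Terraform rejects unknown arguments on a module block; the vpc module's argument is `flow_log_max_aggregation_interval`), and `var.flow_log_log_format` is not declared — the variables.tf hunk adds `flow_log_file_format`. The lines should read `flow_log_max_aggregation_interval = var.create_vpc_flow_logs ? var.flow_log_max_aggregation_interval : null` and `flow_log_file_format = var.create_vpc_flow_logs ? var.flow_log_file_format : null`. Separately, the replacement `tags` block applies to the VPC itself, so `Name = "${local.cluster_id}-vpc-flow-logs"` renames the VPC rather than the flow log (the module has a separate `vpc_flow_log_tags` input for that), and dropping `local.tags` may lose tags the rest of the module relied on — I cannot see its definition from here, so check before removing it. Also note that with `create_vpc_flow_logs = true` and the default empty `flow_log_s3_bucket_name`, `flow_log_destination_arn` becomes `arn:aws:s3:::`, which fails only at apply time.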
@@ -167,13 +167,47 @@ variable "enable_nat_gateway" {
 default = true
 }
-
 variable "create_igw" {
 type = bool
 description = "Whether to provision an Internet Gateway in the VPC. Default is true (False for private routing)"
 default = true
 }
+variable "create_vpc_flow_logs" {
+ type = bool
+ description = "Whether to create VPC flow logs. Default is set to 'false'"
+ default = false
+}
+
+variable "flow_log_max_aggregation_interval" {
+ description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds"
+ type = number
+ default = 600
+}
+
+variable "flow_log_traffic_type" {
+ description = "The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL"
+ type = string
+ default = "ALL"
+}
+
+variable "flow_log_file_format" {
+ description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`"
+ type = string
+ default = "plain-text"
+}
+
+variable "create_flow_log_s3_bucket" {
+ type = bool
+ description = "Whether to create a S3 bucket for the vpc flow logs. Default is set to 'false'"
+ default = false
+}
+
+variable "flow_log_s3_bucket_name" {
+ description = "The name of the bucket used to store the logs"
+ type = string
+ default = ""
+}
 # EC2 Worker Roles
 # ==================
diff --git a/odc_eks/vpc_support.tf b/odc_eks/vpc_support.tf
new file mode 100644
index 00000000..9dcca4df
--- /dev/null
+++ b/odc_eks/vpc_support.tf
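Review bot: The descriptions for `flow_log_max_aggregation_interval`, `flow_log_traffic_type` and `flow_log_file_format` enumerate the only valid values, but none of the new variables carries a `validation` block, so a typo such as `"all"` or `300` is accepted by `plan` and only fails when AWS rejects the flow-log request at apply. The new `vpc_support.tf` also reads `var.flow_log_destination`, which this hunk does not declare, and `flow_log_s3_bucket_name` defaults to `""` although main.tf interpolates it straight into an S3 ARN; a validation such as `condition = !var.create_vpc_flow_logs || var.flow_log_s3_bucket_name != ""` on `create_vpc_flow_logs`' companion variable would catch that early. Validation blocks for the two enumerated inputs would look like the following.
```hcl
variable "flow_log_max_aggregation_interval" {
  # … unchanged: description, type, default …
  validation {
    condition     = contains([60, 600], var.flow_log_max_aggregation_interval)
    error_message = "flow_log_max_aggregation_interval must be 60 or 600."
  }
}

variable "flow_log_traffic_type" {
  # … unchanged: description, type, default …
  validation {
    condition     = contains(["ACCEPT", "REJECT", "ALL"], var.flow_log_traffic_type)
    error_message = "flow_log_traffic_type must be ACCEPT, REJECT or ALL."
  }
}
```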
@@ -0,0 +1,51 @@
+################################################################################
+# Supporting Resources
+################################################################################
+locals {
+ log_destination = split(",", var.flow_log_destination)
+}
+
+resource "random_pet" "this" {
+ length = 2
+}
+
+# S3 Bucket
+module "s3_bucket" {
+ count = (var.create_vpc_flow_logs && var.create_flow_log_s3_bucket) ? 1 : 0
+ source = "terraform-aws-modules/s3-bucket/aws"
+ version = "~> 3.0"
+
+ bucket = var.flow_log_s3_bucket_name
+ policy = data.aws_iam_policy_document.flow_log_s3.json
+
+ tags = var.tags
+}
+
+data "aws_iam_policy_document" "flow_log_s3" {
+ count = (var.create_vpc_flow_logs && var.create_flow_log_s3_bucket) ? 1 : 0
+ statement {
+ sid = "AWSLogDeliveryWrite"
+
+ principals {
+ type = "Service"
+ identifiers = ["delivery.logs.amazonaws.com"]
+ }
+
+ actions = ["s3:PutObject"]
+
+ resources = ["arn:aws:s3:::${var.flow_log_s3_bucket_name}/AWSLogs/*"]
+ }
+
+ statement {
+ sid = "AWSLogDeliveryAclCheck"
+
+ principals {
+ type = "Service"
+ identifiers = ["delivery.logs.amazonaws.com"]
+ }
+
+ actions = ["s3:GetBucketAcl"]
+
+ resources = ["arn:aws:s3:::${var.flow_log_s3_bucket_name}"]
+ }
+}
\ No newline at end of file
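Review bot: The bucket policy grants `delivery.logs.amazonaws.com` `s3:PutObject` on `AWSLogs/*` with no `aws:SourceAccount`/`aws:SourceArn` condition, so the log-delivery service acting for any AWS account could write flow logs into this bucket (the confused-deputy case AWS's documented flow-log bucket policy guards against), and it omits the `s3:x-amz-acl = bucket-owner-full-control` condition that policy requires for delivery to succeed. There are also three things that will not plan: `policy = data.aws_iam_policy_document.flow_log_s3.json` must be `data.aws_iam_policy_document.flow_log_s3[0].json` because the data source has `count`; `var.flow_log_destination` in `locals` is not declared in the variables.tf hunk; and `random_pet.this` is created but never referenced, so it should be removed. main.tf already references `data.aws_caller_identity.current`, so the same account id can scope the policy as below; the `AWSLogDeliveryAclCheck` statement should get the same `aws:SourceAccount` condition. I cannot see what the s3-bucket module does by default for public-access blocking, encryption and versioning, so confirm those are set explicitly for a bucket holding network telemetry.
```hcl
data "aws_iam_policy_document" "flow_log_s3" {
  count = (var.create_vpc_flow_logs && var.create_flow_log_s3_bucket) ? 1 : 0

  statement {
    sid = "AWSLogDeliveryWrite"

    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }

    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::${var.flow_log_s3_bucket_name}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }

  # … unchanged: AWSLogDeliveryAclCheck statement, plus the same aws:SourceAccount condition …
}
```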