Terraform Module: VPC Flow Logs

A Terraform module for enabling VPC Flow Logs to an S3 bucket.

Releases

• Versions: <= 0.x.y (Terraform 0.11.x compatible)

  • eg: https://registry.terraform.io/modules/binbashar/vpc-flow-logs/aws/0.0.1

• Versions: >= 1.x.y (Terraform 0.12.x compatible)

  • eg: https://registry.terraform.io/modules/binbashar/vpc-flow-logs/aws/1.0.0

• TODO: Support AWS Org centralized flow logs -> https://aws.amazon.com/blogs/security/how-to-facilitate-data-analysis-and-fulfill-security-requirements-by-using-centralized-flow-log-data/

Requirements

Name	Version
terraform	>= 0.12.28
aws	>= 4.9

Providers

Name	Version
aws	>= 4.9

Modules

No modules.

Resources

Name	Type
aws_flow_log.this	resource
aws_s3_bucket.this	resource
aws_s3_bucket_policy.this	resource
aws_s3_bucket_public_access_block.default	resource
aws_iam_policy_document.allow_vpc_flowlogs_delivery_service	data source
aws_iam_policy_document.combined	data source
aws_iam_policy_document.ssl_enforce	data source

Inputs

Name	Description	Type	Default	Required
bucket_name_prefix	S3 Bucket Name Prefix	string	"S3 Bucket for Terraform Remote State Storage"	no
custom_policy	Custom policy	string	null	no
enable_default_policy	Enable default policy	bool	true	no
enable_versioning	Enable bucket versioning	bool	false	no
enable_vpc_delivery_service	Enable VPC delivery service policy	bool	true	no
enforce_ssl	Enforce bucket SSL encryption	bool	true	no
force_destroy	Whether to forcefully destroy the bucket or not	bool	false	no
log_format	VPC Flow Logs Format	string	null	no
tags	Tags To Apply To Created Resources	any	{}	no
vpc_id	VPC ID	string	""	no

Outputs

Name	Description
bucket_arn	S3 Bucket ARN
bucket_name	S3 Bucket name
flow_log_id	Flow Log ID

Examples

VPC Flow Logs

#
# VPC Flow Logs
#
module "vpc_flow_logs" {
    source = "git::[email protected]:binbashar/terraform-aws-vpc-flowlogs.git?ref=v0.0.2"

    vpc_id = "your-vpc-id"
    bucket_name_prefix = "your-s3-bucket-name-prefix"
    bucket_region = "your-s3-bucket-region"
    tags = "your-tags"
}

---

Binbash Leverage | DevOps Automation Code Library Integration

In order to get the full automated potential of the Binbash Leverage DevOps Automation Code Library
you should initialize all the necessary helper Makefiles.

How?

You must execute the make init-makefiles command at the root context

╭─delivery at delivery-I7567 in ~/terraform/terraform-aws-backup-by-tags on master✔ 20-09-17
╰─⠠⠵ make
Available Commands:
 - init-makefiles     initialize makefiles

Why?

You'll get all the necessary commands to automatically operate this module via a dockerized approach, example shown below

╭─delivery at delivery-I7567 in ~/terraform/terraform-aws-backup-by-tags on master✔ 20-09-17
╰─⠠⠵ make
Available Commands:
 - circleci-validate-config  ## Validate A CircleCI Config (https
 - format-check        ## The terraform fmt is used to rewrite tf conf files to a canonical format and style.
 - format              ## The terraform fmt is used to rewrite tf conf files to a canonical format and style.
 - tf-dir-chmod        ## run chown in ./.terraform to gran that the docker mounted dir has the right permissions
 - version             ## Show terraform version
 - init-makefiles      ## initialize makefiles

╭─delivery at delivery-I7567 in ~/terraform/terraform-aws-backup-by-tags on master✔ 20-09-17
╰─⠠⠵ make format-check
docker run --rm -v /home/delivery/Binbash/repos/Leverage/terraform/terraform-aws-backup-by-tags:"/go/src/project/":rw -v :/config -v /common.config:/common-config/common.config -v ~/.ssh:/root/.ssh -v ~/.gitconfig:/etc/gitconfig -v ~/.aws/bb:/root/.aws/bb -e AWS_SHARED_CREDENTIALS_FILE=/root/.aws/bb/credentials -e AWS_CONFIG_FILE=/root/.aws/bb/config --entrypoint=/bin/terraform -w "/go/src/project/" -it binbash/terraform-awscli-slim:0.12.28 fmt -check

Release Management

CircleCi PR auto-release job

• pipeline-job (NOTE: Will only run after merged PR)
• releases
• changelog