aws · mergify · Nov 21, 2022 · Nov 8, 2022 · Nov 10, 2022 · Nov 11, 2022
diff --git a/internal/pkg/deploy/cloudformation/stack/env.go b/internal/pkg/deploy/cloudformation/stack/env.go
@@ -433,12 +433,16 @@ func (e *EnvStackConfig) vpcConfig() (template.VPCConfig, error) {
 	if err != nil {
 		return template.VPCConfig{}, err
 	}
+	flowLogs, err := convertFlowLogsConfig(e.in.Mft)
+	if err != nil {
+		return template.VPCConfig{}, err
+	}
 	return template.VPCConfig{
 		Imported:            e.importVPC(),
 		Managed:             e.managedVPC(),
 		AllowVPCIngress:     e.in.Mft.HTTPConfig.Private.HasVPCIngress(),
 		SecurityGroupConfig: securityGroupConfig,
-		FlowLogs:            aws.BoolValue(e.in.Mft.Network.VPC.Flowlogs),
+		FlowLogs:            flowLogs,
 	}, nil
 }
 

diff --git a/internal/pkg/deploy/cloudformation/stack/env_integration_test.go b/internal/pkg/deploy/cloudformation/stack/env_integration_test.go
@@ -232,7 +232,8 @@ type: Environment`
 type: Environment
 network:
   vpc:
-    flow_logs: on`
+    flow_logs:
+     retention: 60`
 				var mft manifest.Environment
 				err := yaml.Unmarshal([]byte(rawMft), &mft)
 				require.NoError(t, err)

diff --git a/internal/pkg/deploy/cloudformation/stack/env_test.go b/internal/pkg/deploy/cloudformation/stack/env_test.go
@@ -41,6 +41,7 @@ func TestEnv_Template(t *testing.T) {
 								PublicSubnetCIDRs:  DefaultPublicSubnetCIDRs,
 							},
 							SecurityGroupConfig: nil,
+							FlowLogs:            nil,
 						},
 						LatestVersion: deploy.LatestEnvTemplateVersion,
 						CustomResources: map[string]template.S3ObjectLocation{

diff --git a/...g/deploy/cloudformation/stack/testdata/environments/template-with-defaultvpc-flowlogs.yml b/...g/deploy/cloudformation/stack/testdata/environments/template-with-defaultvpc-flowlogs.yml
@@ -7,7 +7,8 @@ Metadata:
     type: Environment
     network:
       vpc:
-        flow_logs: on
+        flow_logs:
+         retention: 60
 
 Parameters:
   AppName:
@@ -1003,14 +1004,21 @@ Resources:
       DomainName: !Ref AppDNSName
       PublicAccessDNS: !GetAtt PublicLoadBalancer.DNSName
       PublicAccessHostedZone: !GetAtt PublicLoadBalancer.CanonicalHostedZoneID
+  VpcFlowLogGroup:
+    Type: AWS::Logs::LogGroup
+    Metadata:
+      'aws:copilot:description': 'A CloudWatch log group to store VPC flow log data'
+    Properties:
+      LogGroupName: !Join ['-', [!Ref AppName, !Ref EnvironmentName, FlowLogs]]
+      RetentionInDays: 60
   FlowLog:
     Metadata:
       'aws:copilot:description': 'A flow log for the VPC to capture information about the IP traffic'
     Type: AWS::EC2::FlowLog
     Properties:
       DeliverLogsPermissionArn: !GetAtt FlowLogRole.Arn
       LogDestinationType: cloud-watch-logs
-      LogGroupName: !Join ['-', [!Ref AppName, !Ref EnvironmentName, FlowLogGroup]]
+      LogGroupName: !Ref VpcFlowLogGroup
       MaxAggregationInterval: 60
       ResourceId: !Ref VPC                 
       ResourceType: VPC

diff --git a/.../deploy/cloudformation/stack/testdata/environments/template-with-importedvpc-flowlogs.yml b/.../deploy/cloudformation/stack/testdata/environments/template-with-importedvpc-flowlogs.yml
@@ -833,14 +833,21 @@ Resources:
       DomainName: !Ref AppDNSName
       PublicAccessDNS: !GetAtt PublicLoadBalancer.DNSName
       PublicAccessHostedZone: !GetAtt PublicLoadBalancer.CanonicalHostedZoneID
+  VpcFlowLogGroup:
+    Type: AWS::Logs::LogGroup
+    Metadata:
+      'aws:copilot:description': 'A CloudWatch log group to store VPC flow log data'
+    Properties:
+      LogGroupName: !Join ['-', [!Ref AppName, !Ref EnvironmentName, FlowLogs]]
+      RetentionInDays: 14  
   FlowLog:
     Metadata:
       'aws:copilot:description': 'A flow log for the VPC to capture information about the IP traffic'
     Type: AWS::EC2::FlowLog
     Properties:
       DeliverLogsPermissionArn: !GetAtt FlowLogRole.Arn
       LogDestinationType: cloud-watch-logs
-      LogGroupName: !Join ['-', [!Ref AppName, !Ref EnvironmentName, FlowLogGroup]]
+      LogGroupName: !Ref VpcFlowLogGroup
       MaxAggregationInterval: 60
       ResourceId: vpc-12345                 
       ResourceType: VPC

diff --git a/internal/pkg/deploy/cloudformation/stack/transformers.go b/internal/pkg/deploy/cloudformation/stack/transformers.go
@@ -384,6 +384,22 @@ func convertELBAccessLogsConfig(mft *manifest.Environment) (*template.ELBAccessL
 	}, nil
 }
 
+// convertFlowLogsConfig converts the VPC FlowLog configuration into a format parsable by the templates pkg.
+func convertFlowLogsConfig(mft *manifest.Environment) (*template.VPCFlowLogs, error) {
+	vpcFlowLogs := mft.EnvironmentConfig.Network.VPC.FlowLogs
+	if vpcFlowLogs.IsZero() {
+		return nil, nil
+	}
+	retentionInDays := aws.Int(14)
+	if vpcFlowLogs.Advanced.Retention != nil {
+		retentionInDays = vpcFlowLogs.Advanced.Retention
+	}
+	return &template.VPCFlowLogs{
+		Retention: retentionInDays,
+	}, nil
+
+}
+
 func convertEnvSecurityGroupCfg(mft *manifest.Environment) (*template.SecurityGroupConfig, error) {
 	securityGroupConfig, isSecurityConfigSet := mft.EnvSecurityGroup()
 	if !isSecurityConfigSet {

diff --git a/internal/pkg/manifest/env.go b/internal/pkg/manifest/env.go
@@ -119,11 +119,11 @@ type environmentNetworkConfig struct {
 }
 
 type environmentVPCConfig struct {
-	ID                  *string              `yaml:"id,omitempty"`
-	CIDR                *IPNet               `yaml:"cidr,omitempty"`
-	Subnets             subnetsConfiguration `yaml:"subnets,omitempty"`
-	SecurityGroupConfig securityGroupConfig  `yaml:"security_group,omitempty"`
-	Flowlogs            *bool                `yaml:"flow_logs,omitempty"`
+	ID                  *string                       `yaml:"id,omitempty"`
+	CIDR                *IPNet                        `yaml:"cidr,omitempty"`
+	Subnets             subnetsConfiguration          `yaml:"subnets,omitempty"`
+	SecurityGroupConfig securityGroupConfig           `yaml:"security_group,omitempty"`
+	FlowLogs            Union[*bool, VPCFlowLogsArgs] `yaml:"flow_logs,omitempty"`
 }
 
 type securityGroupConfig struct {
@@ -187,6 +187,16 @@ func (cfg *portsConfig) UnmarshalYAML(value *yaml.Node) error {
 	return nil
 }
 
+// VPCFlowLogsArgs holds the flow logs configuration.
+type VPCFlowLogsArgs struct {
+	Retention *int `yaml:"retention,omitempty"`
+}
+
+// IsZero implements yaml.IsZeroer.
+func (fl *VPCFlowLogsArgs) IsZero() bool {
+	return fl.Retention == nil
+}
+
 // EnvSecurityGroup returns the security group config if the user has set any values.
 // If there is no env security group settings, then returns nil and false.
 func (cfg *EnvironmentConfig) EnvSecurityGroup() (*securityGroupConfig, bool) {
@@ -262,7 +272,7 @@ func (cfg *EnvironmentCDNConfig) UnmarshalYAML(value *yaml.Node) error {
 
 // IsEmpty returns true if vpc is not configured.
 func (cfg environmentVPCConfig) IsEmpty() bool {
-	return cfg.ID == nil && cfg.CIDR == nil && cfg.Subnets.IsEmpty() && cfg.Flowlogs == nil
+	return cfg.ID == nil && cfg.CIDR == nil && cfg.Subnets.IsEmpty() && cfg.FlowLogs.IsZero()
 }
 
 func (cfg *environmentVPCConfig) loadVPCConfig(env *config.CustomizeEnv) {

diff --git a/internal/pkg/manifest/env_test.go b/internal/pkg/manifest/env_test.go
@@ -858,8 +858,21 @@ func TestEnvironmentVPCConfig_IsEmpty(t *testing.T) {
 		},
 		"not empty when flowlog is on": {
 			in: environmentVPCConfig{
-				Flowlogs: aws.Bool(true),
+				FlowLogs: Union[*bool, VPCFlowLogsArgs]{
+					Basic: aws.Bool(true),
+				},
+			},
+			wanted: true,
+		},
+		"not empty when flowlog with specific retention": {
+			in: environmentVPCConfig{
+				FlowLogs: Union[*bool, VPCFlowLogsArgs]{
+					Advanced: VPCFlowLogsArgs{
+						Retention: aws.Int(60),
+					},
+				},
 			},
+			wanted: true,
 		},
 	}
 	for name, tc := range testCases {

diff --git a/internal/pkg/manifest/validate_env.go b/internal/pkg/manifest/validate_env.go
@@ -100,6 +100,9 @@ func (cfg environmentVPCConfig) validate() error {
 			return fmt.Errorf(`validate "subnets" for an adjusted VPC: %w`, err)
 		}
 	}
+	if err := cfg.FlowLogs.validate(); err != nil {
+		return fmt.Errorf(`validate vpc "flowlogs": %w`, err)
+	}
 	return nil
 }
 
@@ -269,6 +272,11 @@ func (c subnetConfiguration) validate() error {
 	return nil
 }
 
+// validate is a no-op for VPCFlowLogsArgs.
+func (fl VPCFlowLogsArgs) validate() error {
+	return nil
+}
+
 // validate returns nil if environmentObservability is configured correctly.
 func (o environmentObservability) validate() error {
 	return nil

diff --git a/internal/pkg/manifest/validate_env_test.go b/internal/pkg/manifest/validate_env_test.go
@@ -187,6 +187,30 @@ func TestEnvironmentConfig_validate(t *testing.T) {
 			},
 			wantedError: "CDN must be enabled to limit security group ingress to CloudFront",
 		},
+		"valid vpc flowlogs with default retention": {
+			in: EnvironmentConfig{
+				Network: environmentNetworkConfig{
+					VPC: environmentVPCConfig{
+						FlowLogs: Union[*bool, VPCFlowLogsArgs]{
+							Basic: aws.Bool(true),
+						},
+					},
+				},
+			},
+		},
+		"valid vpc flowlogs with a specified retention": {
+			in: EnvironmentConfig{
+				Network: environmentNetworkConfig{
+					VPC: environmentVPCConfig{
+						FlowLogs: Union[*bool, VPCFlowLogsArgs]{
+							Advanced: VPCFlowLogsArgs{
+								Retention: aws.Int(30),
+							},
+						},
+					},
+				},
+			},
+		},
 		"valid elb access logs config with bucket_prefix": {
 			in: EnvironmentConfig{
 				HTTPConfig: EnvironmentHTTPConfig{

diff --git a/internal/pkg/template/env.go b/internal/pkg/template/env.go
@@ -178,7 +178,7 @@ type VPCConfig struct {
 	Managed             ManagedVPC
 	AllowVPCIngress     bool
 	SecurityGroupConfig *SecurityGroupConfig
-	FlowLogs            bool
+	FlowLogs            *VPCFlowLogs
 }
 
 // ImportVPC holds the fields to import VPC resources.
@@ -215,6 +215,11 @@ type SecurityGroupRule struct {
 	ToPort     int
 }
 
+// VPCFlowLogs holds the fields to configure logging IP traffic using VPC flow logs.
+type VPCFlowLogs struct {
+	Retention *int
+}
+
 // ParseEnv parses an environment's CloudFormation template with the specified data object and returns its content.
 func (t *Template) ParseEnv(data *EnvOpts) (*Content, error) {
 	tpl, err := t.parse("base", envCFTemplatePath, withEnvParsingFuncs())

diff --git a/internal/pkg/template/templates/environment/cf.yml b/internal/pkg/template/templates/environment/cf.yml
@@ -587,15 +587,22 @@ Resources:
 {{- if not .VPCConfig.Imported}}
 {{include "ar-vpc-connector" . | indent 2}}
 {{- end}}
-{{- if .VPCConfig.FlowLogs }}
+{{- if .VPCConfig.FlowLogs}}
+  VpcFlowLogGroup:
+    Type: AWS::Logs::LogGroup
+    Metadata:
+      'aws:copilot:description': 'A CloudWatch log group to store VPC flow log data'
+    Properties:
+      LogGroupName: !Join ['-', [!Ref AppName, !Ref EnvironmentName, FlowLogs]]
+      RetentionInDays: {{.VPCConfig.FlowLogs.Retention}}       
   FlowLog:
     Metadata:
       'aws:copilot:description': 'A flow log for the VPC to capture information about the IP traffic'
     Type: AWS::EC2::FlowLog
     Properties:
       DeliverLogsPermissionArn: !GetAtt FlowLogRole.Arn
       LogDestinationType: cloud-watch-logs
-      LogGroupName: !Join ['-', [!Ref AppName, !Ref EnvironmentName, FlowLogGroup]]
+      LogGroupName: !Ref VpcFlowLogGroup
       MaxAggregationInterval: 60
 {{- if .VPCConfig.Imported}}
       ResourceId: {{.VPCConfig.Imported.ID}}