Basic VPC Flow Logs blueprint

remind101 · Apr 23, 2017 · 566b03a · 566b03a
1 parent 79220bf
commit 566b03a
Show file tree

Hide file tree

Showing 2 changed files with 185 additions and 2 deletions.
diff --git a/stacker_blueprints/policies.py b/stacker_blueprints/policies.py
@@ -1,8 +1,27 @@
-from awacs.aws import Statement, Allow, Policy, Action
+from awacs.aws import (
+    Action,
+    Allow,
+    Policy,
+    Principal,
+    Statement,
+)
 
 from troposphere import Join
 
-from awacs import s3
+from awacs import s3, sts
+
+
+def make_simple_assume_statement(*principals):
+    return Statement(
+        Principal=Principal('Service', principals),
+        Effect=Allow,
+        Action=[sts.AssumeRole])
+
+
+def make_simple_assume_policy(*principals):
+    return Policy(
+        Statement=[
+            make_simple_assume_statement(*principals)])
 
 
 def s3_arn(bucket):
@@ -67,3 +86,7 @@ def read_write_s3_bucket_policy_statements(buckets):
 
 def read_write_s3_bucket_policy(buckets):
     return Policy(Statement=read_write_s3_bucket_policy_statements(buckets))
+
+
+def flowlogs_assumerole_policy():
+    return make_simple_assume_policy("vpc-flow-logs.amazonaws.com")
diff --git a/stacker_blueprints/vpc_flow_logs.py b/stacker_blueprints/vpc_flow_logs.py
@@ -0,0 +1,160 @@
+from troposphere import (
+    GetAtt,
+    Join,
+    Output,
+    Ref,
+    iam,
+    logs,
+    ec2,
+)
+
+from troposphere.iam import Policy as TropoPolicy
+
+from stacker.blueprints.base import Blueprint
+
+from awacs.aws import (
+    Statement,
+    Policy,
+)
+
+import awacs
+import awacs.logs
+
+from .policies import flowlogs_assumerole_policy
+
+ALLOWED_TRAFFIC_TYPES = ["ACCEPT", "REJECT", "ALL"]
+JOINED_TRAFFIC_TYPES = '/'.join(ALLOWED_TRAFFIC_TYPES)
+LOG_RETENTION_DEFAULT = 1
+CLOUDWATCH_ROLE_NAME = "Role"
+FLOW_LOG_GROUP_NAME = "LogGroup"
+FLOW_LOG_STREAM_NAME = "LogStream"
+
+
+def vpc_flow_log_cloudwatch_policy(log_group_arn):
+    return Policy(
+        Statement=[
+            Statement(
+                Effect="Allow",
+                Action=[
+                    awacs.logs.DescribeLogGroups
+                ],
+                Resource=["*"],
+            ),
+            Statement(
+                Effect="Allow",
+                Action=[
+                    awacs.logs.CreateLogStream,
+                    awacs.logs.DescribeLogStreams,
+                    awacs.logs.PutLogEvents,
+                ],
+                Resource=[
+                    log_group_arn,
+                    Join('', [log_group_arn, ":*"]),
+                ],
+            ),
+        ]
+    )
+
+
+def validate_traffic_type(traffic_type):
+    if traffic_type not in ALLOWED_TRAFFIC_TYPES:
+        raise ValueError(
+            "Traffic type must be one of the following: " +
+            "%s" % JOINED_TRAFFIC_TYPES
+        )
+
+    return traffic_type
+
+
+class FlowLogs(Blueprint):
+    VARIABLES = {
+        "Retention": {
+            "type": int,
+            "description": "Log group retention time in days.",
+            "default": LOG_RETENTION_DEFAULT,
+        },
+        "VpcId": {
+            "type": str,
+            "description": "ID of the VPC that flow logs will be enabled "
+                           "for.",
+        },
+        "TrafficType": {
+            "type": str,
+            "description": "Type of traffic to log. Must be one of the "
+                           "following: %s" % JOINED_TRAFFIC_TYPES,
+            "validator": validate_traffic_type,
+            "default": "ALL",
+        },
+    }
+
+    def create_template(self):
+        t = self.template
+        variables = self.get_variables()
+
+        self.log_group = t.add_resource(
+            logs.LogGroup(
+                FLOW_LOG_GROUP_NAME,
+                RetentionInDays=variables["Retention"],
+            )
+        )
+
+        t.add_output(
+            Output(
+                "%sName" % FLOW_LOG_GROUP_NAME,
+                Value=Ref(self.log_group)
+            )
+        )
+        t.add_output(
+            Output(
+                "%sArn" % FLOW_LOG_GROUP_NAME,
+                Value=GetAtt(self.log_group, "Arn")
+            )
+        )
+
+        self.role = t.add_resource(
+            iam.Role(
+                CLOUDWATCH_ROLE_NAME,
+                AssumeRolePolicyDocument=flowlogs_assumerole_policy(),
+                Path="/",
+                Policies=[
+                    TropoPolicy(
+                        PolicyName="vpc_cloudwatch_flowlog_policy",
+                        PolicyDocument=vpc_flow_log_cloudwatch_policy(
+                            GetAtt(self.log_group, "Arn")
+                        ),
+                    ),
+                ]
+            )
+        )
+
+        t.add_output(
+            Output(
+                "%sName" % CLOUDWATCH_ROLE_NAME,
+                Value=Ref(self.role)
+            )
+        )
+        role_arn = GetAtt(self.role, "Arn")
+        t.add_output(
+            Output(
+                "%sArn" % CLOUDWATCH_ROLE_NAME,
+                Value=role_arn
+            )
+        )
+
+        self.log_stream = t.add_resource(
+            ec2.FlowLog(
+                FLOW_LOG_STREAM_NAME,
+                DeliverLogsPermissionArn=role_arn,
+                LogGroupName=Ref(FLOW_LOG_GROUP_NAME),
+                ResourceId=variables["VpcId"],
+                ResourceType="VPC",
+                TrafficType=variables["TrafficType"],
+            )
+        )
+
+        t.add_output(
+            Output(
+                "%sName" % FLOW_LOG_STREAM_NAME,
+                Value=Ref(self.log_stream)
+            )
+        )