Issue #1 - Add aws flow log creation to base module

unifio · Oct 23, 2015 · 51b5280 · 51b5280
1 parent 3862399
commit 51b5280
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/base/main.tf b/base/main.tf
@@ -59,3 +59,26 @@ resource "aws_security_group" "nat_sg" {
     cidr_blocks = ["0.0.0.0/0"]
   }
 }
+
+# Provision aws_flow_log with reasonable initial settings
+
+resource "aws_cloudwatch_log_group" "flow_log_group" {
+  name = "${var.stack_item_label}FlowLogGroup"
+}
+
+module "flow_log_iam_role" {
+  source = "../../terraform-aws-iam/iam_role"
+
+  rolename = "${var.stack_item_label}FlowLogRole"
+  service = "vpc-flow-logs.amazonaws.com"
+  actions = "logs:CreateLogGroup,logs:CreateLogStream,logs:PutLogEvents,logs:DescribeLogGroups,logs:DescribeLogStreams"
+  action_privs = "Allow,Allow,Allow,Allow,Allow"
+  resources = "*,*,*,*,*"
+}
+
+resource "aws_flow_log" "flow_log" {
+  log_group_name = "${var.stack_item_label}FlowLogGroup"
+  iam_role_arn = "${module.flow_log_iam_role.role_arn}"
+  vpc_id = "${aws_vpc.vpc.id}"
+  traffic_type = "ALL"
+}
diff --git a/base/outputs.tf b/base/outputs.tf
@@ -19,3 +19,7 @@ output "rt_dmz_id" {
 output "nat_sg_id" {
   value = "${aws_security_group.nat_sg.id}"
 }
+
+output "flow_log_id" {
+  value = "${aws_flow_log.flow_log.id}"
+}