Issue #1 - Add aws flow log creation to base module

unifio · Oct 26, 2015 · 84b0597 · 84b0597
1 parent 3862399
commit 84b0597
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 1 deletion.
diff --git a/Readme.md b/Readme.md
@@ -6,7 +6,7 @@ DHCP Options Sets, Virtual Private Gateway creation, and provision one or more a
 
 ## Base Module ##
 
-The Base module provisions the VPC, attaches an Internet Gateway, and creates NAT Security Group and DMZ Routing table
+The Base module provisions the VPC, attaches an Internet Gateway, and creates NAT Security Group, DMZ Routing table, and creates a CloudWatch group, IAM role, and AWS flow log.  The flow log is configured to capture all traffic (ALLOW and DENY) over the entire VPC.
 
 ### Input Variables ###
 
@@ -17,6 +17,7 @@ The Base module provisions the VPC, attaches an Internet Gateway, and creates NA
 - `enable_hostnames` - (Optional) A boolean flag to enable/disable DNS hostnames in the VPC. Defaults false.
 - `lan_cidr` - Comma separated list of CIDR blocks to be given ingress access to NAT boxes in each subnet.
 
+
 ### Usage ###
 
 ```js
@@ -37,6 +38,7 @@ module "vpc_base" {
 - `igw_id` - ID of the Internet gateway
 - `rt_dmz_id` - ID of the DMZ routing table
 - `nat_sg_id` - ID of NAT security group
+- `flow_log_id` - ID of the AWS flow log
 
 ## DHCP module ##
 

diff --git a/base/main.tf b/base/main.tf
@@ -59,3 +59,58 @@ resource "aws_security_group" "nat_sg" {
     cidr_blocks = ["0.0.0.0/0"]
   }
 }
+
+# Provision aws_flow_log with reasonable initial settings
+
+resource "aws_cloudwatch_log_group" "flow_log_group" {
+  name = "${var.stack_item_label}FlowLogGroup"
+}
+
+resource "aws_iam_role" "flow_log_role" {
+    name = "${var.stack_item_label}FlowLogRole"
+    assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "vpc-flow-logs.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "flow_log_role_policies" {
+    name = "${var.stack_item_label}FlowLogPolicy"
+    role = "${aws_iam_role.flow_log_role.id}"
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+        "logs:DescribeLogGroups",
+        "logs:DescribeLogStreams"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_flow_log" "flow_log" {
+  log_group_name = "${var.stack_item_label}FlowLogGroup"
+  iam_role_arn = "${aws_iam_role.flow_log_role.arn}"
+  vpc_id = "${aws_vpc.vpc.id}"
+  traffic_type = "ALL"
+}
diff --git a/base/outputs.tf b/base/outputs.tf
@@ -19,3 +19,7 @@ output "rt_dmz_id" {
 output "nat_sg_id" {
   value = "${aws_security_group.nat_sg.id}"
 }
+
+output "flow_log_id" {
+  value = "${aws_flow_log.flow_log.id}"
+}