From 84b059759b2d129f62f406224bd82a36999d8a45 Mon Sep 17 00:00:00 2001
From: Robby Ho
Date: Fri, 23 Oct 2015 14:50:38 -0700
Subject: [PATCH] Issue #1 - Add aws flow log creation to base module
---
 Readme.md | 4 +++-
 base/main.tf | 55 +++++++++++++++++++++++++++++++++++++++++++++++++
 base/outputs.tf | 4 ++++
 3 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/Readme.md b/Readme.md
index 591765f..b832935 100644
--- a/Readme.md
+++ b/Readme.md
@@ -6,7 +6,7 @@ DHCP Options Sets, Virtual Private Gateway creation, and provision one or more a
 ## Base Module ##
-The Base module provisions the VPC, attaches an Internet Gateway, and creates NAT Security Group and DMZ Routing table
+The Base module provisions the VPC, attaches an Internet Gateway, and creates NAT Security Group, DMZ Routing table, and creates a CloudWatch group, IAM role, and AWS flow log. The flow log is configured to capture all traffic (ALLOW and DENY) over the entire VPC.
 ### Input Variables ###
@@ -17,6 +17,7 @@ The Base module provisions the VPC, attaches an Internet Gateway, and creates NA
 - `enable_hostnames` - (Optional) A boolean flag to enable/disable DNS hostnames in the VPC. Defaults false.
 - `lan_cidr` - Comma separated list of CIDR blocks to be given ingress access to NAT boxes in each subnet.
+
 ### Usage ###
 ```js
@@ -37,6 +38,7 @@ module "vpc_base" {
 - `igw_id` - ID of the Internet gateway
 - `rt_dmz_id` - ID of the DMZ routing table
 - `nat_sg_id` - ID of NAT security group
+- `flow_log_id` - ID of the AWS flow log
 ## DHCP module ##
diff --git a/base/main.tf b/base/main.tf
index 2d33f4f..0209498 100644
--- a/base/main.tf
+++ b/base/main.tf
@@ -59,3 +59,58 @@ resource "aws_security_group" "nat_sg" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 }
+
+# Provision aws_flow_log with reasonable initial settings
+
+resource "aws_cloudwatch_log_group" "flow_log_group" {
+ name = "${var.stack_item_label}FlowLogGroup"
+}
+
+resource "aws_iam_role" "flow_log_role" {
+ name = "${var.stack_item_label}FlowLogRole"
+ assume_role_policy = <