From 6e25437b16955b9393348d91965ead2f755fb2e0 Mon Sep 17 00:00:00 2001
From: Kasey Linden
Date: Mon, 11 Dec 2023 09:34:22 -0600
Subject: [PATCH] feat: Add Cross Account Flow Support (#1014)

* feat: Add Cross Account Flow Support

* fix: update flow log naming convention

---------

Co-authored-by: Kasey Linden
Co-authored-by: Bryant Biggs
---
 README.md | 4 +++-
 outputs.tf | 5 +++++
 variables.tf | 8 +++++++-
 vpc-flow-logs.tf | 15 ++++++++-------
 4 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 78a2e5e18..f154534c0 100644
--- a/README.md
+++ b/README.md
@@ -450,8 +450,9 @@ No modules.
 | [flow\_log\_cloudwatch\_log\_group\_name\_suffix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_suffix) | Specifies the name suffix of CloudWatch Log Group for VPC flow logs | `string` | `""` | no |
 | [flow\_log\_cloudwatch\_log\_group\_retention\_in\_days](#input\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs | `number` | `null` | no |
 | [flow\_log\_cloudwatch\_log\_group\_skip\_destroy](#input\_flow\_log\_cloudwatch\_log\_group\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `false` | no |
+| [flow\_log\_deliver\_cross\_account\_role](#input\_flow\_log\_deliver\_cross\_account\_role) | (Optional) ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts. | `string` | `null` | no |
 | [flow\_log\_destination\_arn](#input\_flow\_log\_destination\_arn) | The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create\_flow\_log\_cloudwatch\_log\_group is set to false this argument must be provided | `string` | `""` | no |
-| [flow\_log\_destination\_type](#input\_flow\_log\_destination\_type) | Type of flow log destination. Can be s3 or cloud-watch-logs | `string` | `"cloud-watch-logs"` | no |
+| [flow\_log\_destination\_type](#input\_flow\_log\_destination\_type) | Type of flow log destination. Can be s3, kinesis-data-firehose or cloud-watch-logs | `string` | `"cloud-watch-logs"` | no |
 | [flow\_log\_file\_format](#input\_flow\_log\_file\_format) | (Optional) The format for the flow log. Valid values: `plain-text`, `parquet` | `string` | `null` | no |
 | [flow\_log\_hive\_compatible\_partitions](#input\_flow\_log\_hive\_compatible\_partitions) | (Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 | `bool` | `false` | no |
 | [flow\_log\_log\_format](#input\_flow\_log\_log\_format) | The fields to include in the flow log record, in the order in which they should appear | `string` | `null` | no |
@@ -682,6 +683,7 @@ No modules.
 | [vpc\_enable\_dns\_hostnames](#output\_vpc\_enable\_dns\_hostnames) | Whether or not the VPC has DNS hostname support |
 | [vpc\_enable\_dns\_support](#output\_vpc\_enable\_dns\_support) | Whether or not the VPC has DNS support |
 | [vpc\_flow\_log\_cloudwatch\_iam\_role\_arn](#output\_vpc\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN of the IAM role used when pushing logs to Cloudwatch log group |
+| [vpc\_flow\_log\_deliver\_cross\_account\_role](#output\_vpc\_flow\_log\_deliver\_cross\_account\_role) | The ARN of the IAM role used when pushing logs cross account |
 | [vpc\_flow\_log\_destination\_arn](#output\_vpc\_flow\_log\_destination\_arn) | The ARN of the destination for VPC Flow Logs |
 | [vpc\_flow\_log\_destination\_type](#output\_vpc\_flow\_log\_destination\_type) | The type of the destination for VPC Flow Logs |
 | [vpc\_flow\_log\_id](#output\_vpc\_flow\_log\_id) | The ID of the Flow Log resource |
diff --git a/outputs.tf b/outputs.tf
index a542e75a6..5cf1ffc0c 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -609,6 +609,11 @@ output "vpc_flow_log_cloudwatch_iam_role_arn" {
 value = local.flow_log_iam_role_arn
 }
 
+output "vpc_flow_log_deliver_cross_account_role" {
+ description = "The ARN of the IAM role used when pushing logs cross account"
+ value = try(aws_flow_log.this[0].deliver_cross_account_role, null)
+}
+
 ################################################################################
 # Static values (arguments)
 ################################################################################
diff --git a/variables.tf b/variables.tf
index 8a20ba93e..c990ecdbd 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1485,7 +1485,7 @@ variable "flow_log_traffic_type" {
 }
 
 variable "flow_log_destination_type" {
- description = "Type of flow log destination. Can be s3 or cloud-watch-logs"
+ description = "Type of flow log destination. Can be s3, kinesis-data-firehose or cloud-watch-logs"
 type = string
 default = "cloud-watch-logs"
 }
@@ -1502,6 +1502,12 @@ variable "flow_log_destination_arn" {
 default = ""
 }
 
+variable "flow_log_deliver_cross_account_role" {
+ description = "(Optional) ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts."
+ type = string
+ default = null
+}
+
 variable "flow_log_file_format" {
 description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`"
 type = string
diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf
index 127d7e016..9e453c819 100644
--- a/vpc-flow-logs.tf
+++ b/vpc-flow-logs.tf
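Review bot: The new `flow_log_deliver_cross_account_role` variable in the second variables.tf hunk accepts any string, so a mistyped or non-role ARN is only rejected by the EC2 API at apply time; a `validation` block such as `condition = var.flow_log_deliver_cross_account_role == null || can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/", var.flow_log_deliver_cross_account_role))` with a matching `error_message` would fail it at plan. The description could also say where this role lives relative to `iam_role_arn` — presumably a role in the destination account that the source-account flow-log role assumes, but confirm that against the provider documentation before wording it. The same gap applies to `flow_log_destination_type` in the first variables.tf hunk, whose description now lists three allowed values that `contains(["s3", "kinesis-data-firehose", "cloud-watch-logs"], var.flow_log_destination_type)` could enforce.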
@@ -17,13 +17,14 @@ locals {
 resource "aws_flow_log" "this" {
 count = local.enable_flow_log ? 1 : 0
 
- log_destination_type = var.flow_log_destination_type
- log_destination = local.flow_log_destination_arn
- log_format = var.flow_log_log_format
- iam_role_arn = local.flow_log_iam_role_arn
- traffic_type = var.flow_log_traffic_type
- vpc_id = local.vpc_id
- max_aggregation_interval = var.flow_log_max_aggregation_interval
+ log_destination_type = var.flow_log_destination_type
+ log_destination = local.flow_log_destination_arn
+ log_format = var.flow_log_log_format
+ iam_role_arn = local.flow_log_iam_role_arn
+ deliver_cross_account_role = var.flow_log_deliver_cross_account_role
+ traffic_type = var.flow_log_traffic_type
+ vpc_id = local.vpc_id
+ max_aggregation_interval = var.flow_log_max_aggregation_interval
 
 dynamic "destination_options" {
 for_each = var.flow_log_destination_type == "s3" ? [true] : []
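Review bot: `deliver_cross_account_role` is added directly under `iam_role_arn` with nothing explaining how the two roles relate, and `iam_role_arn` still comes from `local.flow_log_iam_role_arn`, whose derivation sits in the `locals` block above this hunk. A reader enabling cross-account delivery cannot tell from this resource whether the source-account role is still required alongside the new one, or whether the module's own role creation logic sets it; a comment on the new line such as `# Cross-account delivery: this is the destination-account role; iam_role_arn (source account) must still be set — see var.flow_log_deliver_cross_account_role` would make the dependency explicit once confirmed against the provider docs. The `resource "aws_flow_log" "this"` block continues past the end of this hunk.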