feat: add a flag to enable/disable VPC Flow Logs (#146)

nozaq · web-flow · commit d681d9f5556d · 2020-11-14T17:34:24.000+09:00
fixes #143
diff --git a/README.md b/README.md
@@ -176,6 +176,7 @@ This module is composed of several submodules and each of which can be used inde
 | tags | Specifies object tags key and value. This applies to all resources created by this module. | `map` | `{}` | no |
 | target\_regions | A list of regions to set up with this module. | `list` | <pre>[<br>  "ap-northeast-1",<br>  "ap-northeast-2",<br>  "ap-south-1",<br>  "ap-southeast-1",<br>  "ap-southeast-2",<br>  "ca-central-1",<br>  "eu-central-1",<br>  "eu-north-1",<br>  "eu-west-1",<br>  "eu-west-2",<br>  "eu-west-3",<br>  "sa-east-1",<br>  "us-east-1",<br>  "us-east-2",<br>  "us-west-1",<br>  "us-west-2"<br>]</pre> | no |
 | use\_external\_audit\_log\_bucket | A boolean that indicates whether the specific audit log bucket already exists. Create a new S3 bucket if it is set to false. | `bool` | `false` | no |
+| vpc\_enable\_flow\_logs | The boolean flag whether to enable VPC Flow Logs in default VPCs | `bool` | `true` | no |
 | vpc\_iam\_role\_name | The name of the IAM Role which VPC Flow Logs will use. | `string` | `"VPC-Flow-Logs-Publisher"` | no |
 | vpc\_iam\_role\_policy\_name | The name of the IAM Role Policy which VPC Flow Logs will use. | `string` | `"VPC-Flow-Logs-Publish-Policy"` | no |
 | vpc\_log\_group\_name | The name of CloudWatch Logs group to which VPC Flow Logs are delivered. | `string` | `"default-vpc-flow-logs"` | no |
diff --git a/modules/vpc-baseline/README.md b/modules/vpc-baseline/README.md
@@ -22,6 +22,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| enable\_flow\_logs | The boolean flag whether to enable VPC Flow Logs in the default VPC | `bool` | `true` | no |
 | enabled | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no |
 | tags | Specifies object tags key and value. This applies to all resources created by this module. | `map` | <pre>{<br>  "Terraform": true<br>}</pre> | no |
 | vpc\_flow\_logs\_iam\_role\_arn | The ARN of the IAM Role which will be used by VPC Flow Logs. | `any` | n/a | yes |
diff --git a/modules/vpc-baseline/main.tf b/modules/vpc-baseline/main.tf
@@ -3,7 +3,7 @@
 # --------------------------------------------------------------------------------------------------
 
 resource "aws_cloudwatch_log_group" "default_vpc_flow_logs" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.enable_flow_logs ? 1 : 0
 
   name              = var.vpc_log_group_name
   retention_in_days = var.vpc_log_retention_in_days
@@ -69,7 +69,7 @@ resource "aws_default_security_group" "default" {
 # --------------------------------------------------------------------------------------------------
 
 resource "aws_flow_log" "default_vpc_flow_logs" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.enable_flow_logs ? 1 : 0
 
   log_destination = aws_cloudwatch_log_group.default_vpc_flow_logs[0].arn
   iam_role_arn    = var.vpc_flow_logs_iam_role_arn
diff --git a/modules/vpc-baseline/variables.tf b/modules/vpc-baseline/variables.tf
@@ -3,6 +3,11 @@ variable "enabled" {
   default     = true
 }
 
+variable "enable_flow_logs" {
+  description = "The boolean flag whether to enable VPC Flow Logs in the default VPC"
+  default     = true
+}
+
 variable "vpc_log_group_name" {
   description = "The name of CloudWatch Logs group to which VPC Flow Logs are delivered."
 }
diff --git a/variables.tf b/variables.tf
@@ -209,6 +209,11 @@ variable "vpc_log_retention_in_days" {
   default     = 365
 }
 
+variable "vpc_enable_flow_logs" {
+  description = "The boolean flag whether to enable VPC Flow Logs in default VPCs"
+  default     = true
+}
+
 # --------------------------------------------------------------------------------------------------
 # Variables for config-baseline module.
 # --------------------------------------------------------------------------------------------------
diff --git a/vpc_baselines.tf b/vpc_baselines.tf
@@ -55,6 +55,7 @@ module "vpc_baseline_ap-northeast-1" {
   vpc_log_group_name         = var.vpc_log_group_name
   vpc_flow_logs_iam_role_arn = aws_iam_role.vpc_flow_logs_publisher.arn
   vpc_log_retention_in_days  = var.vpc_log_retention_in_days
+  enable_flow_logs           = var.vpc_enable_flow_logs
 
   tags = var.tags
 }
@@ -70,6 +71,7 @@ module "vpc_baseline_ap-northeast-2" {
   vpc_log_group_name         = var.vpc_log_group_name
   vpc_flow_logs_iam_role_arn = aws_iam_role.vpc_flow_logs_publisher.arn
   vpc_log_retention_in_days  = var.vpc_log_retention_in_days
+  enable_flow_logs           = var.vpc_enable_flow_logs
 
   tags = var.tags
 }
@@ -85,6 +87,7 @@ module "vpc_baseline_ap-south-1" {
   vpc_log_group_name         = var.vpc_log_group_name
   vpc_flow_logs_iam_role_arn = aws_iam_role.vpc_flow_logs_publisher.arn
   vpc_log_retention_in_days  = var.vpc_log_retention_in_days
+  enable_flow_logs           = var.vpc_enable_flow_logs
 
   tags = var.tags
 }
@@ -100,6 +103,7 @@ module "vpc_baseline_ap-southeast-1" {
   vpc_log_group_name         = var.vpc_log_group_name
   vpc_flow_logs_iam_role_arn = aws_iam_role.vpc_flow_logs_publisher.arn
   vpc_log_retention_in_days  = var.vpc_log_retention_in_days
+  enable_flow_logs           = var.vpc_enable_flow_logs
 
   tags = var.tags
 }
@@ -115,6 +119,7 @@ module "vpc_baseline_ap-southeast-2" {
   vpc_log_group_name         = var.vpc_log_group_name
   vpc_flow_logs_iam_role_arn = aws_iam_role.vpc_flow_logs_publisher.arn
   vpc_log_retention_in_days  = var.vpc_log_retention_in_days
+  enable_flow_logs           = var.vpc_enable_flow_logs
 
   tags = var.tags
 }
@@ -130,6 +135,7 @@ module "vpc_baseline_ca-central-1" {
   vpc_log_group_name         = var.vpc_log_group_name
   vpc_flow_logs_iam_role_arn = aws_iam_role.vpc_flow_logs_publisher.arn
   vpc_log_retention_in_days  = var.vpc_log_retention_in_days
+  enable_flow_logs           = var.vpc_enable_flow_logs
 
   tags = var.tags
 }
@@ -145,6 +151,7 @@ module "vpc_baseline_eu-central-1" {
   vpc_log_group_name         = var.vpc_log_group_name
   vpc_flow_logs_iam_role_arn = aws_iam_role.vpc_flow_logs_publisher.arn
   vpc_log_retention_in_days  = var.vpc_log_retention_in_days
+  enable_flow_logs           = var.vpc_enable_flow_logs
 
   tags = var.tags
 }
@@ -160,6 +167,7 @@ module "vpc_baseline_eu-north-1" {
   vpc_log_group_name         = var.vpc_log_group_name
   vpc_flow_logs_iam_role_arn = aws_iam_role.vpc_flow_logs_publisher.arn
   vpc_log_retention_in_days  = var.vpc_log_retention_in_days
+  enable_flow_logs           = var.vpc_enable_flow_logs
 
   tags = var.tags
 }
@@ -175,6 +183,7 @@ module "vpc_baseline_eu-west-1" {
   vpc_log_group_name         = var.vpc_log_group_name
   vpc_flow_logs_iam_role_arn = aws_iam_role.vpc_flow_logs_publisher.arn
   vpc_log_retention_in_days  = var.vpc_log_retention_in_days
+  enable_flow_logs           = var.vpc_enable_flow_logs
 
   tags = var.tags
 }
@@ -190,6 +199,7 @@ module "vpc_baseline_eu-west-2" {
   vpc_log_group_name         = var.vpc_log_group_name
   vpc_flow_logs_iam_role_arn = aws_iam_role.vpc_flow_logs_publisher.arn
   vpc_log_retention_in_days  = var.vpc_log_retention_in_days
+  enable_flow_logs           = var.vpc_enable_flow_logs
 
   tags = var.tags
 }
@@ -205,6 +215,7 @@ module "vpc_baseline_eu-west-3" {
   vpc_log_group_name         = var.vpc_log_group_name
   vpc_flow_logs_iam_role_arn = aws_iam_role.vpc_flow_logs_publisher.arn
   vpc_log_retention_in_days  = var.vpc_log_retention_in_days
+  enable_flow_logs           = var.vpc_enable_flow_logs
 
   tags = var.tags
 }
@@ -220,6 +231,7 @@ module "vpc_baseline_sa-east-1" {
   vpc_log_group_name         = var.vpc_log_group_name
   vpc_flow_logs_iam_role_arn = aws_iam_role.vpc_flow_logs_publisher.arn
   vpc_log_retention_in_days  = var.vpc_log_retention_in_days
+  enable_flow_logs           = var.vpc_enable_flow_logs
 
   tags = var.tags
 }
@@ -235,6 +247,7 @@ module "vpc_baseline_us-east-1" {
   vpc_log_group_name         = var.vpc_log_group_name
   vpc_flow_logs_iam_role_arn = aws_iam_role.vpc_flow_logs_publisher.arn
   vpc_log_retention_in_days  = var.vpc_log_retention_in_days
+  enable_flow_logs           = var.vpc_enable_flow_logs
 
   tags = var.tags
 }
@@ -250,6 +263,7 @@ module "vpc_baseline_us-east-2" {
   vpc_log_group_name         = var.vpc_log_group_name
   vpc_flow_logs_iam_role_arn = aws_iam_role.vpc_flow_logs_publisher.arn
   vpc_log_retention_in_days  = var.vpc_log_retention_in_days
+  enable_flow_logs           = var.vpc_enable_flow_logs
 
   tags = var.tags
 }
@@ -265,6 +279,7 @@ module "vpc_baseline_us-west-1" {
   vpc_log_group_name         = var.vpc_log_group_name
   vpc_flow_logs_iam_role_arn = aws_iam_role.vpc_flow_logs_publisher.arn
   vpc_log_retention_in_days  = var.vpc_log_retention_in_days
+  enable_flow_logs           = var.vpc_enable_flow_logs
 
   tags = var.tags
 }
@@ -280,6 +295,7 @@ module "vpc_baseline_us-west-2" {
   vpc_log_group_name         = var.vpc_log_group_name
   vpc_flow_logs_iam_role_arn = aws_iam_role.vpc_flow_logs_publisher.arn
   vpc_log_retention_in_days  = var.vpc_log_retention_in_days
+  enable_flow_logs           = var.vpc_enable_flow_logs
 
   tags = var.tags
 }

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,11 @@ variable "enabled" {`
`3`	`3`	`default = true`
`4`	`4`	`}`
`5`	`5`
	`6`	`+variable "enable_flow_logs" {`
	`7`	`+ description = "The boolean flag whether to enable VPC Flow Logs in the default VPC"`
	`8`	`+ default = true`
	`9`	`+}`
	`10`	`+`
`6`	`11`	`variable "vpc_log_group_name" {`
`7`	`12`	`description = "The name of CloudWatch Logs group to which VPC Flow Logs are delivered."`
`8`	`13`	`}`