terraform-aws-vpcflowlog-bucket

Creates an S3 bucket suitable for receiving VPC flow logs from one or more AWS accounts. The bucket is encrypted with a KMS customer managed key (CMK), which is required for CIS compliance, and it needs an existing external bucket to receive its S3 server access logs (also a CIS requirement).

Example:

Create the bucket with this module, in the account that will own the logs:

```hcl
module "vpcflowlog-bucket" {
  # this repository; pin a ref (?ref=...) in real use
  source              = "git::https://github.com/rhythmictech/terraform-aws-vpcflowlog-bucket.git"
  allowed_account_ids = ["123456789012", "123456789013"]
  logging_bucket      = "example-s3-access-logs-bucket"
  region              = "us-east-1"
}
```

Then create the flow logs in each of the allowed accounts with the terraform-aws-vpcflowlogs module, passing in the bucket and key this module created. Logs are delivered back to the bucket in the account that owns it.

```hcl
module "vpcflowlogs" {
  source = "git::https://github.com/rhythmictech/terraform-aws-vpcflowlogs.git"

  # the bucket and key already exist in the owning account
  create_bucket      = false
  create_kms_key     = false
  region             = var.region
  vpc_ids            = [module.vpc.vpc_id]
  # outputs of the bucket module; from a separate account's configuration,
  # pass these in via remote state or variables
  vpcflowlog_bucket  = module.vpcflowlog-bucket.s3_bucket_name
  vpcflowlog_kms_key = module.vpcflowlog-bucket.kms_key_id
}
```
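What `allowed_account_ids` has to translate into on the bucket side is a policy that lets the VPC flow log delivery service (`delivery.logs.amazonaws.com`) write only under each permitted account's `AWSLogs/<account-id>/` prefix, with the `s3:x-amz-acl = bucket-owner-full-control` condition that AWS documents for flow log delivery. The check below is an added example, not code from this module or from rhythmictech: it runs offline against a constructed bucket policy and reports any statement that grants delivery-service writes to an account outside the allowed list, to a wildcard account path, or without the ACL condition. The bucket name, account IDs and the deliberately over-broad `TooBroad` statement in the sample are placeholders; to audit a real bucket, feed it the output of `aws s3api get-bucket-policy --query Policy --output text` instead.

```python
import json
import re

DELIVERY_SERVICE = "delivery.logs.amazonaws.com"
ACL_CONDITION = "bucket-owner-full-control"
# The per-account object prefix VPC flow logs are written under.
ACCOUNT_PATH = re.compile(r"^arn:aws[a-z-]*:s3:::[^/]+/AWSLogs/(\d{12})/\*$")

# Constructed sample policy, modelled on the statements AWS documents for flow
# log delivery to S3. It is NOT what this module generates; bucket name and
# account IDs are placeholders, and "TooBroad" is a deliberately sloppy statement
# so the audit has something to flag.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {"Service": DELIVERY_SERVICE},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::example-vpcflowlog-bucket",
        },
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {"Service": DELIVERY_SERVICE},
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::example-vpcflowlog-bucket/AWSLogs/123456789012/*",
                "arn:aws:s3:::example-vpcflowlog-bucket/AWSLogs/123456789013/*",
            ],
            "Condition": {"StringEquals": {"s3:x-amz-acl": ACL_CONDITION}},
        },
        {
            "Sid": "TooBroad",  # wildcard account path, no ACL condition
            "Effect": "Allow",
            "Principal": {"Service": DELIVERY_SERVICE},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-vpcflowlog-bucket/AWSLogs/*",
        },
    ],
})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _put_object_statements(policy_json):
    """Allow statements that grant s3:PutObject, whoever the principal is."""
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "s3:PutObject" in _as_list(stmt.get("Action", [])):
            yield stmt


def accounts_allowed_to_write(policy_json):
    """Account IDs whose AWSLogs/<id>/ prefix some PutObject grant covers."""
    accounts = set()
    for stmt in _put_object_statements(policy_json):
        for arn in _as_list(stmt.get("Resource", [])):
            match = ACCOUNT_PATH.match(arn)
            if match:
                accounts.add(match.group(1))
    return accounts


def audit_flowlog_policy(policy_json, allowed_account_ids):
    """Findings for log-delivery write grants; empty list means as expected."""
    findings = []
    allowed = set(allowed_account_ids)
    for stmt in _put_object_statements(policy_json):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in services:
            findings.append(f"{sid}: PutObject granted to a wildcard principal")
        elif DELIVERY_SERVICE not in services:
            continue  # some other principal; out of scope for this check
        acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if acl != ACL_CONDITION:
            findings.append(f"{sid}: missing s3:x-amz-acl={ACL_CONDITION} condition")
        for arn in _as_list(stmt.get("Resource", [])):
            match = ACCOUNT_PATH.match(arn)
            if match is None:
                findings.append(f"{sid}: resource {arn!r} is not a single-account AWSLogs prefix")
            elif match.group(1) not in allowed:
                findings.append(f"{sid}: account {match.group(1)} is not in allowed_account_ids")
    return findings


if __name__ == "__main__":
    print(sorted(accounts_allowed_to_write(SAMPLE_POLICY)))
    for finding in audit_flowlog_policy(SAMPLE_POLICY, ["123456789012"]):
        print(finding)
```

The audit deliberately ignores Deny statements and the `GetBucketAcl` grant, so it answers one question only: which accounts can the delivery service write flow logs for, and under what condition. If the bucket owner also scopes delivery with `aws:SourceAccount` or `aws:SourceArn` conditions, extend the condition check accordingly.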

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13.4 |
| aws | >= 4 |

Providers

| Name | Version |
|------|---------|
| aws | 4.17.1 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_kms_alias.this | resource |
| aws_kms_key.this | resource |
| aws_s3_bucket.this | resource |
| aws_s3_bucket_acl.this | resource |
| aws_s3_bucket_lifecycle_configuration.this | resource |
| aws_s3_bucket_logging.this | resource |
| aws_s3_bucket_policy.this | resource |
| aws_s3_bucket_public_access_block.this | resource |
| aws_s3_bucket_server_side_encryption_configuration.this | resource |
| aws_s3_bucket_versioning.this | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.key | data source |
| aws_iam_policy_document.this | data source |
| aws_partition.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| allowed_account_ids | Optional list of AWS account IDs that are permitted to write to the bucket | `list(string)` | `[]` | no |
| lifecycle_rules | Lifecycle rules to apply to the bucket (type and default below) | see below | see below | no |
| logging_bucket | S3 bucket that receives the server access logs for the VPC flow log bucket | `string` | n/a | yes |
| region | Region the VPC flow logs will be sent to | `string` | n/a | yes |
| tags | Tags to include on resources that support them | `map(string)` | `{}` | no |

Type of `lifecycle_rules`:

```hcl
list(object({
  id                            = string
  enabled                       = optional(bool, true)
  expiration                    = optional(number)
  prefix                        = optional(number)
  noncurrent_version_expiration = optional(number)
  transition = optional(list(object({
    days          = number
    storage_class = string
  })))
}))
```

Note that `prefix` is declared as `number` here although an S3 lifecycle prefix is a path string; confirm the declaration in the module's `variables.tf` before passing one.

Default of `lifecycle_rules` (noncurrent versions expire after 90 days, objects move to STANDARD_IA after 30 days and are deleted after seven years):

```json
[
  {
    "id": "expire-noncurrent-objects-after-ninety-days",
    "noncurrent_version_expiration": 90
  },
  {
    "id": "transition-to-IA-after-30-days",
    "transition": [
      {
        "days": 30,
        "storage_class": "STANDARD_IA"
      }
    ]
  },
  {
    "expiration": 2557,
    "id": "delete-after-seven-years"
  }
]
```

Outputs

| Name | Description |
|------|-------------|
| kms_key_id | ID of the KMS CMK the bucket is encrypted with |
| s3_bucket_arn | The ARN of the bucket |
| s3_bucket_name | The name of the bucket |

Related Projects