From 80d631884126075e1adbe2d410f46ef6b9ea8a19 Mon Sep 17 00:00:00 2001
From: air3ijai <88528265+air3ijai@users.noreply.github.com>
Date: Fri, 21 Oct 2022 14:29:48 +0300
Subject: [PATCH] feat: Added ability to specify CloudWatch Log group name for VPC Flow logs (#847)

Co-authored-by: Anton Babenko
---
 README.md | 1 +
 examples/vpc-flow-logs/main.tf | 5 ++++-
 variables.tf | 6 ++++++
 vpc-flow-logs.tf | 7 ++++---
 4 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 0e0ecab1c..f3a8b654d 100644
--- a/README.md
+++ b/README.md
@@ -435,6 +435,7 @@ No modules.
 | [flow\_log\_cloudwatch\_iam\_role\_arn](#input\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow\_log\_destination\_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided. | `string` | `""` | no |
 | [flow\_log\_cloudwatch\_log\_group\_kms\_key\_id](#input\_flow\_log\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data for VPC flow logs. | `string` | `null` | no |
 | [flow\_log\_cloudwatch\_log\_group\_name\_prefix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_prefix) | Specifies the name prefix of CloudWatch Log Group for VPC flow logs. | `string` | `"/aws/vpc-flow-log/"` | no |
+| [flow\_log\_cloudwatch\_log\_group\_name\_suffix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_suffix) | Specifies the name suffix of CloudWatch Log Group for VPC flow logs. | `string` | `""` | no |
 | [flow\_log\_cloudwatch\_log\_group\_retention\_in\_days](#input\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs. | `number` | `null` | no |
 | [flow\_log\_destination\_arn](#input\_flow\_log\_destination\_arn) | The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create\_flow\_log\_cloudwatch\_log\_group is set to false this argument must be provided. | `string` | `""` | no |
 | [flow\_log\_destination\_type](#input\_flow\_log\_destination\_type) | Type of flow log destination. Can be s3 or cloud-watch-logs. | `string` | `"cloud-watch-logs"` | no |
diff --git a/examples/vpc-flow-logs/main.tf b/examples/vpc-flow-logs/main.tf
index 9a524e6d1..d22b4eed7 100644
--- a/examples/vpc-flow-logs/main.tf
+++ b/examples/vpc-flow-logs/main.tf
@@ -67,7 +67,10 @@ module "vpc_with_flow_logs_cloudwatch_logs_default" {
   enable_flow_log = true
   create_flow_log_cloudwatch_log_group = true
   create_flow_log_cloudwatch_iam_role = true
-  flow_log_max_aggregation_interval = 60
+
+  flow_log_max_aggregation_interval = 60
+  flow_log_cloudwatch_log_group_name_prefix = "/aws/my-amazing-vpc-flow-logz/"
+  flow_log_cloudwatch_log_group_name_suffix = "my-test"
 
   vpc_flow_log_tags = local.tags
 }
diff --git a/variables.tf b/variables.tf
index 7df9f4a29..e6561ef73 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1167,6 +1167,12 @@ variable "flow_log_cloudwatch_log_group_name_prefix" {
   default = "/aws/vpc-flow-log/"
 }
 
+variable "flow_log_cloudwatch_log_group_name_suffix" {
+  description = "Specifies the name suffix of CloudWatch Log Group for VPC flow logs."
+  type = string
+  default = ""
+}
+
 variable "flow_log_cloudwatch_log_group_retention_in_days" {
   description = "Specifies the number of days you want to retain log events in the specified log group for VPC flow logs."
   type = number
diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf
index 830c73c86..ac9f25758 100644
--- a/vpc-flow-logs.tf
+++ b/vpc-flow-logs.tf
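Review bot: In the variables.tf hunk, `flow_log_cloudwatch_log_group_name_suffix` accepts any string but is interpolated straight into the `aws_cloudwatch_log_group` name, and per the AWS documentation a log group name may only contain `A-Za-z0-9`, `_`, `-`, `/`, `.` and `#`, so a bad value is rejected by the API at apply time rather than at plan time. A `validation` block on the variable (below) catches that earlier and documents the constraint in the same place. The description should also say what an empty value means, since the locals in vpc-flow-logs.tf fall back to the VPC ID: `description = "Specifies the name suffix of CloudWatch Log Group for VPC flow logs. When empty, the VPC ID is used."`.
```terraform
variable "flow_log_cloudwatch_log_group_name_suffix" {
  description = "Specifies the name suffix of CloudWatch Log Group for VPC flow logs. When empty, the VPC ID is used."
  type        = string
  default     = ""

  validation {
    condition     = can(regex("^[A-Za-z0-9_./#-]*$", var.flow_log_cloudwatch_log_group_name_suffix))
    error_message = "flow_log_cloudwatch_log_group_name_suffix may only contain A-Z, a-z, 0-9, '_', '-', '/', '.' and '#'."
  }
}
```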
@@ -5,8 +5,9 @@ locals {
   create_flow_log_cloudwatch_iam_role = local.enable_flow_log && var.flow_log_destination_type != "s3" && var.create_flow_log_cloudwatch_iam_role
   create_flow_log_cloudwatch_log_group = local.enable_flow_log && var.flow_log_destination_type != "s3" && var.create_flow_log_cloudwatch_log_group
 
-  flow_log_destination_arn = local.create_flow_log_cloudwatch_log_group ? try(aws_cloudwatch_log_group.flow_log[0].arn, null) : var.flow_log_destination_arn
-  flow_log_iam_role_arn = var.flow_log_destination_type != "s3" && local.create_flow_log_cloudwatch_iam_role ? try(aws_iam_role.vpc_flow_log_cloudwatch[0].arn, null) : var.flow_log_cloudwatch_iam_role_arn
+  flow_log_destination_arn = local.create_flow_log_cloudwatch_log_group ? try(aws_cloudwatch_log_group.flow_log[0].arn, null) : var.flow_log_destination_arn
+  flow_log_iam_role_arn = var.flow_log_destination_type != "s3" && local.create_flow_log_cloudwatch_iam_role ? try(aws_iam_role.vpc_flow_log_cloudwatch[0].arn, null) : var.flow_log_cloudwatch_iam_role_arn
+  flow_log_cloudwatch_log_group_name_suffix = var.flow_log_cloudwatch_log_group_name_suffix == "" ? local.vpc_id : var.flow_log_cloudwatch_log_group_name_suffix
 }
 
 ################################################################################
@@ -44,7 +45,7 @@ resource "aws_flow_log" "this" {
 resource "aws_cloudwatch_log_group" "flow_log" {
   count = local.create_flow_log_cloudwatch_log_group ? 1 : 0
 
-  name = "${var.flow_log_cloudwatch_log_group_name_prefix}${local.vpc_id}"
+  name = "${var.flow_log_cloudwatch_log_group_name_prefix}${local.flow_log_cloudwatch_log_group_name_suffix}"
   retention_in_days = var.flow_log_cloudwatch_log_group_retention_in_days
   kms_key_id = var.flow_log_cloudwatch_log_group_kms_key_id
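Review bot: The new `flow_log_cloudwatch_log_group_name_suffix` local in the `locals` hunk only falls back to `local.vpc_id` on the empty string, so a caller passing `null` (legal for a `string` variable with no validation) skips the fallback, and Terraform then rejects the null inside the `name` template of `aws_cloudwatch_log_group.flow_log`. `coalesce` treats both null and `""` as absent, which is the intent here: `flow_log_cloudwatch_log_group_name_suffix = coalesce(var.flow_log_cloudwatch_log_group_name_suffix, local.vpc_id)`. That line also deserves a comment, because an explicit suffix drops the VPC ID from the name and two module instances sharing a prefix and suffix in one account/region will then contend for the same log group name: `# Empty suffix keeps the original per-VPC name (<prefix><vpc_id>); a caller-supplied suffix must be unique per account/region.` The second hunk in this file (`aws_cloudwatch_log_group.flow_log`) runs past the end of SOURCE.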