feat: add support to enable vpc flow logs (#411)

terraform-ibm-modules · Mar 8, 2023 · 6cd3eb3 · 6cd3eb3
1 parent 717a362
commit 6cd3eb3
Show file tree

Hide file tree

Showing 8 changed files with 288 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -84,6 +84,8 @@ You need the following permissions to run this module.
 
 | Name | Type |
 |------|------|
+| [ibm_iam_authorization_policy.policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
+| [ibm_is_flow_log.flow_logs](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_flow_log) | resource |
 | [ibm_is_network_acl.network_acl](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_network_acl) | resource |
 | [ibm_is_public_gateway.gateway](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_public_gateway) | resource |
 | [ibm_is_security_group_rule.default_vpc_rule](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_security_group_rule) | resource |
@@ -100,9 +102,14 @@ You need the following permissions to run this module.
 |------|-------------|------|---------|:--------:|
 | <a name="input_address_prefixes"></a> [address\_prefixes](#input\_address\_prefixes) | OPTIONAL - IP range that will be defined for the VPC for a certain location. Use only with manual address prefixes | <pre>object({<br>    zone-1 = optional(list(string))<br>    zone-2 = optional(list(string))<br>    zone-3 = optional(list(string))<br>  })</pre> | <pre>{<br>  "zone-1": null,<br>  "zone-2": null,<br>  "zone-3": null<br>}</pre> | no |
 | <a name="input_classic_access"></a> [classic\_access](#input\_classic\_access) | OPTIONAL - Classic Access to the VPC | `bool` | `false` | no |
+| <a name="input_create_authorization_policy_vpc_to_cos"></a> [create\_authorization\_policy\_vpc\_to\_cos](#input\_create\_authorization\_policy\_vpc\_to\_cos) | Create authorisation policy for VPC to access COS. Set as false if authorization policy exists already | `bool` | `false` | no |
 | <a name="input_default_network_acl_name"></a> [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | OPTIONAL - Name of the Default ACL. If null, a name will be automatically generated | `string` | `null` | no |
 | <a name="input_default_routing_table_name"></a> [default\_routing\_table\_name](#input\_default\_routing\_table\_name) | OPTIONAL - Name of the Default Routing Table. If null, a name will be automatically generated | `string` | `null` | no |
 | <a name="input_default_security_group_name"></a> [default\_security\_group\_name](#input\_default\_security\_group\_name) | OPTIONAL - Name of the Default Security Group. If null, a name will be automatically generated | `string` | `null` | no |
+| <a name="input_enable_vpc_flow_logs"></a> [enable\_vpc\_flow\_logs](#input\_enable\_vpc\_flow\_logs) | Flag to enable vpc flow logs. If true, flow log collector will be created | `bool` | `false` | no |
+| <a name="input_existing_cos_instance_guid"></a> [existing\_cos\_instance\_guid](#input\_existing\_cos\_instance\_guid) | GUID of the COS instance to create Flow log collector | `string` | `null` | no |
+| <a name="input_existing_storage_bucket_name"></a> [existing\_storage\_bucket\_name](#input\_existing\_storage\_bucket\_name) | Name of the COS bucket to collect VPC flow logs | `string` | `null` | no |
+| <a name="input_is_flow_log_collector_active"></a> [is\_flow\_log\_collector\_active](#input\_is\_flow\_log\_collector\_active) | Indicates whether the collector is active. If false, this collector is created in inactive mode. | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name for VPC | `string` | n/a | yes |
 | <a name="input_network_acls"></a> [network\_acls](#input\_network\_acls) | List of ACLs to create. Rules can be automatically created to allow inbound and outbound traffic from a VPC tier by adding the name of that tier to the `network_connections` list. Rules automatically generated by these network connections will be added at the beginning of a list, and will be web-tierlied to traffic first. At least one rule must be provided for each ACL. | <pre>list(<br>    object({<br>      name                         = string<br>      network_connections          = optional(list(string))<br>      add_ibm_cloud_internal_rules = optional(bool)<br>      add_vpc_connectivity_rules   = optional(bool)<br>      prepend_ibm_rules            = optional(bool)<br>      rules = list(<br>        object({<br>          name        = string<br>          action      = string<br>          destination = string<br>          direction   = string<br>          source      = string<br>          tcp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          udp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          icmp = optional(<br>            object({<br>              type = optional(number)<br>              code = optional(number)<br>            })<br>          )<br>        })<br>      )<br>    })<br>  )</pre> | <pre>[<br>  {<br>    "add_ibm_cloud_internal_rules": true,<br>    "add_vpc_connectivity_rules": true,<br>    "name": "vpc-acl",<br>    "prepend_ibm_rules": true,<br>    "rules": [<br>      {<br>        "action": "allow",<br>        "destination": "0.0.0.0/0",<br>        "direction": "inbound",<br>        "name": "allow-all-443-inbound",<br>        "source": "0.0.0.0/0",<br>        "tcp": {<br>          "port_max": 443,<br>          "port_min": 443<br>        }<br>      },<br>      {<br>        "action": "allow",<br>        "destination": "0.0.0.0/0",<br>        "direction": "outbound",<br>        "name": "allow-all-443-outbound",<br>        "source": "0.0.0.0/0",<br>        "tcp": {<br>          "source_port_max": 443,<br>          "source_port_min": 443<br>        }<br>      }<br>    ]<br>  }<br>]</pre> | no |
 | <a name="input_network_cidr"></a> [network\_cidr](#input\_network\_cidr) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `string` | `"10.0.0.0/8"` | no |
@@ -126,6 +133,7 @@ You need the following permissions to run this module.
 | <a name="output_subnet_ids"></a> [subnet\_ids](#output\_subnet\_ids) | The IDs of the subnets |
 | <a name="output_subnet_zone_list"></a> [subnet\_zone\_list](#output\_subnet\_zone\_list) | A list containing subnet IDs and subnet zones |
 | <a name="output_vpc_crn"></a> [vpc\_crn](#output\_vpc\_crn) | CRN of VPC created |
+| <a name="output_vpc_flow_logs"></a> [vpc\_flow\_logs](#output\_vpc\_flow\_logs) | Details of VPC flow logs collector |
 | <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | ID of VPC created |
 | <a name="output_vpc_name"></a> [vpc\_name](#output\_vpc\_name) | Name of VPC created |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

diff --git a/examples/default/main.tf b/examples/default/main.tf
@@ -14,15 +14,42 @@ data "ibm_resource_group" "existing_resource_group" {
   name  = var.resource_group
 }
 
+#############################################################################
+# Provision cloud object storage and bucket
+#############################################################################
+
+resource "ibm_resource_instance" "cos_instance" {
+  count = var.enable_vpc_flow_logs ? 1 : 0
+
+  name              = "${var.prefix}-vpc-logs-cos"
+  resource_group_id = var.resource_group != null ? data.ibm_resource_group.existing_resource_group[0].id : ibm_resource_group.resource_group[0].id
+  service           = "cloud-object-storage"
+  plan              = var.cos_plan
+  location          = var.cos_location
+}
+
+resource "ibm_cos_bucket" "cos_bucket" {
+  count = var.enable_vpc_flow_logs ? 1 : 0
+
+  bucket_name          = "${var.prefix}-vpc-logs-cos-bucket"
+  resource_instance_id = ibm_resource_instance.cos_instance[0].id
+  region_location      = var.region
+  storage_class        = "standard"
+}
+
 #############################################################################
 # Provision VPC
 #############################################################################
 
 module "slz_vpc" {
-  source            = "../../"
-  resource_group_id = var.resource_group != null ? data.ibm_resource_group.existing_resource_group[0].id : ibm_resource_group.resource_group[0].id
-  region            = var.region
-  name              = var.name
-  prefix            = var.prefix
-  tags              = var.resource_tags
+  source                                 = "../../"
+  resource_group_id                      = var.resource_group != null ? data.ibm_resource_group.existing_resource_group[0].id : ibm_resource_group.resource_group[0].id
+  region                                 = var.region
+  name                                   = var.name
+  prefix                                 = var.prefix
+  tags                                   = var.resource_tags
+  enable_vpc_flow_logs                   = var.enable_vpc_flow_logs
+  create_authorization_policy_vpc_to_cos = var.create_authorization_policy_vpc_to_cos
+  existing_cos_instance_guid             = ibm_resource_instance.cos_instance[0].guid
+  existing_storage_bucket_name           = ibm_cos_bucket.cos_bucket[0].bucket_name
 }
diff --git a/examples/default/outputs.tf b/examples/default/outputs.tf
@@ -2,12 +2,27 @@
 # Outputs
 ##############################################################################
 
-output "id" {
+output "vpc_id" {
   value       = module.slz_vpc.vpc_id
   description = "VPC id"
 }
 
-output "crn" {
+output "vpc_crn" {
   value       = module.slz_vpc.vpc_crn
   description = "VPC crn"
 }
+
+output "vpc_flow_logs_collector" {
+  value       = module.slz_vpc.vpc_flow_logs
+  description = "VPC flow logs collector"
+}
+
+output "cos_instance_crn" {
+  value       = ibm_resource_instance.cos_instance[0].crn
+  description = "COS instance crn"
+}
+
+output "cos_bucket_name" {
+  value       = ibm_cos_bucket.cos_bucket[0].bucket_name
+  description = "COS bucket name"
+}
diff --git a/examples/default/variables.tf b/examples/default/variables.tf
@@ -33,3 +33,31 @@ variable "resource_tags" {
   type        = list(string)
   default     = null
 }
+
+variable "enable_vpc_flow_logs" {
+  type        = bool
+  description = "Enable VPC Flow Logs, it will create Flow logs collector if set to true"
+  default     = true
+}
+
+variable "cos_plan" {
+  description = "Plan to be used for creating cloud object storage instance"
+  type        = string
+  default     = "standard"
+  validation {
+    condition     = contains(["standard", "lite"], var.cos_plan)
+    error_message = "The specified cos_plan is not a valid selection!"
+  }
+}
+
+variable "cos_location" {
+  description = "Location of the cloud object storage instance"
+  type        = string
+  default     = "global"
+}
+
+variable "create_authorization_policy_vpc_to_cos" {
+  description = "Set it to true if authorization policy is required for VPC to access COS"
+  type        = bool
+  default     = true
+}
diff --git a/main.tf b/main.tf
@@ -88,3 +88,37 @@ resource "ibm_is_public_gateway" "gateway" {
 }
 
 ##############################################################################
+
+##############################################################################
+# Add VPC to Flow Logs
+##############################################################################
+
+locals {
+  # tflint-ignore: terraform_unused_declarations
+  validate_vpc_flow_logs_inputs = (var.enable_vpc_flow_logs) ? ((var.create_authorization_policy_vpc_to_cos) ? ((var.existing_cos_instance_guid != null && var.existing_storage_bucket_name != null) ? true : tobool("Please provide COS instance & bucket name to create flow logs collector.")) : ((var.existing_storage_bucket_name != null) ? true : tobool("Please provide COS bucket name to create flow logs collector"))) : false
+}
+
+# Create authorization policy to allow VPC to access COS instance
+resource "ibm_iam_authorization_policy" "policy" {
+  count = (var.enable_vpc_flow_logs) ? ((var.create_authorization_policy_vpc_to_cos) ? 1 : 0) : 0
+
+  source_service_name         = "is"
+  source_resource_type        = "flow-log-collector"
+  target_service_name         = "cloud-object-storage"
+  target_resource_instance_id = var.existing_cos_instance_guid
+  roles                       = ["Writer"]
+}
+
+# Create VPC flow logs collector
+resource "ibm_is_flow_log" "flow_logs" {
+  count = (var.enable_vpc_flow_logs) ? 1 : 0
+
+  name           = "${var.prefix}-${var.name}-logs"
+  target         = ibm_is_vpc.vpc.id
+  active         = var.is_flow_log_collector_active
+  storage_bucket = var.existing_storage_bucket_name
+  resource_group = var.resource_group_id
+  tags           = var.tags
+}
+
+##############################################################################
diff --git a/module-metadata.json b/module-metadata.json
@@ -32,6 +32,16 @@
       },
       "immutable": true
     },
+    "create_authorization_policy_vpc_to_cos": {
+      "name": "create_authorization_policy_vpc_to_cos",
+      "type": "bool",
+      "description": "Create authorisation policy for VPC to access COS. Set as false if authorization policy exists already",
+      "default": false,
+      "pos": {
+        "filename": "variables.tf",
+        "line": 408
+      }
+    },
     "default_network_acl_name": {
       "name": "default_network_acl_name",
       "type": "string",
@@ -80,6 +90,61 @@
       "matches": "^([a-z]|[a-z][-a-z0-9]*[a-z0-9])$",
       "computed": true
     },
+    "enable_vpc_flow_logs": {
+      "name": "enable_vpc_flow_logs",
+      "type": "bool",
+      "description": "Flag to enable vpc flow logs. If true, flow log collector will be created",
+      "default": false,
+      "source": [
+        "ibm_iam_authorization_policy.policy.count",
+        "ibm_is_flow_log.flow_logs.count"
+      ],
+      "pos": {
+        "filename": "variables.tf",
+        "line": 402
+      }
+    },
+    "existing_cos_instance_guid": {
+      "name": "existing_cos_instance_guid",
+      "type": "string",
+      "description": "GUID of the COS instance to create Flow log collector",
+      "source": [
+        "ibm_iam_authorization_policy.policy.target_resource_instance_id"
+      ],
+      "pos": {
+        "filename": "variables.tf",
+        "line": 414
+      },
+      "immutable": true,
+      "computed": true
+    },
+    "existing_storage_bucket_name": {
+      "name": "existing_storage_bucket_name",
+      "type": "string",
+      "description": "Name of the COS bucket to collect VPC flow logs",
+      "required": true,
+      "source": [
+        "ibm_is_flow_log.flow_logs.storage_bucket"
+      ],
+      "pos": {
+        "filename": "variables.tf",
+        "line": 420
+      },
+      "immutable": true
+    },
+    "is_flow_log_collector_active": {
+      "name": "is_flow_log_collector_active",
+      "type": "bool",
+      "description": "Indicates whether the collector is active. If false, this collector is created in inactive mode.",
+      "default": true,
+      "source": [
+        "ibm_is_flow_log.flow_logs.active"
+      ],
+      "pos": {
+        "filename": "variables.tf",
+        "line": 426
+      }
+    },
     "name": {
       "name": "name",
       "type": "string",
@@ -153,6 +218,7 @@
       "description": "The prefix that you would like to append to your resources",
       "required": true,
       "source": [
+        "ibm_is_flow_log.flow_logs.name",
         "ibm_is_network_acl.network_acl.name",
         "ibm_is_public_gateway.gateway.name",
         "ibm_is_vpc.vpc.name",
@@ -189,6 +255,7 @@
       "description": "The resource group ID where the VPC to be created",
       "required": true,
       "source": [
+        "ibm_is_flow_log.flow_logs.resource_group",
         "ibm_is_network_acl.network_acl.resource_group",
         "ibm_is_public_gateway.gateway.resource_group",
         "ibm_is_subnet.subnet.resource_group",
@@ -277,6 +344,7 @@
       "type": "list(string)",
       "description": "List of Tags for the resource created",
       "source": [
+        "ibm_is_flow_log.flow_logs.tags",
         "ibm_is_public_gateway.gateway.tags",
         "ibm_is_subnet.subnet.tags",
         "ibm_is_vpc.vpc.tags"
@@ -378,6 +446,14 @@
       "type": "TypeString",
       "cloud_data_type": "crn"
     },
+    "vpc_flow_logs": {
+      "name": "vpc_flow_logs",
+      "description": "Details of VPC flow logs collector",
+      "pos": {
+        "filename": "outputs.tf",
+        "line": 104
+      }
+    },
     "vpc_id": {
       "name": "vpc_id",
       "description": "ID of VPC created",
@@ -416,6 +492,42 @@
     }
   },
   "managed_resources": {
+    "ibm_iam_authorization_policy.policy": {
+      "mode": "managed",
+      "type": "ibm_iam_authorization_policy",
+      "name": "policy",
+      "attributes": {
+        "count": "enable_vpc_flow_logs",
+        "target_resource_instance_id": "existing_cos_instance_guid"
+      },
+      "provider": {
+        "name": "ibm"
+      },
+      "pos": {
+        "filename": "main.tf",
+        "line": 102
+      }
+    },
+    "ibm_is_flow_log.flow_logs": {
+      "mode": "managed",
+      "type": "ibm_is_flow_log",
+      "name": "flow_logs",
+      "attributes": {
+        "active": "is_flow_log_collector_active",
+        "count": "enable_vpc_flow_logs",
+        "name": "prefix",
+        "resource_group": "resource_group_id",
+        "storage_bucket": "existing_storage_bucket_name",
+        "tags": "tags"
+      },
+      "provider": {
+        "name": "ibm"
+      },
+      "pos": {
+        "filename": "main.tf",
+        "line": 113
+      }
+    },
     "ibm_is_network_acl.network_acl": {
       "mode": "managed",
       "type": "ibm_is_network_acl",

diff --git a/outputs.tf b/outputs.tf
@@ -96,3 +96,23 @@ output "network_acls" {
 }
 
 ##############################################################################
+
+##############################################################################
+# VPC flow logs
+##############################################################################
+
+output "vpc_flow_logs" {
+  description = "Details of VPC flow logs collector"
+  value = var.enable_vpc_flow_logs != true ? [] : [
+    for flow_log_collector in ibm_is_flow_log.flow_logs :
+    {
+      name  = flow_log_collector.name
+      id    = flow_log_collector.id
+      crn   = flow_log_collector.crn
+      href  = flow_log_collector.href
+      state = flow_log_collector.lifecycle_state
+    }
+  ]
+}
+
+##############################################################################