
terraform-aws-vpcflowlog-bucket


Creates an S3 bucket suitable for receiving VPC flow logs from one or more AWS accounts. Uses a KMS CMK, which is necessary for CIS compliance. Requires an external bucket to route S3 access logs to (also for CIS compliance).

Example:

Create the bucket with this module.

```hcl
module "vpcflowlog-bucket" {
  source              = "rhythmictech/aws-vpcflowlogs/terraform"
  allowed_account_ids = ["123456789012", "123456789013"]
  logging_bucket      = "example-s3-access-logs-bucket"
  region              = "us-east-1"
}
```

Then create the flow logs in each of the allowed accounts. Logs will flow back to the bucket in the original account.

```hcl
module "vpcflowlogs" {
  source = "git::https://github.com/rhythmictech/terraform-aws-vpcflowlogs.git"

  create_bucket      = false
  create_kms_key     = false
  region             = var.region
  vpc_ids            = [module.vpc.vpc_id]
  vpcflowlog_bucket  = module.vpcflowlog-bucket.s3_bucket_name
  vpcflowlog_kms_key = module.vpcflowlog-bucket.kms_key_id
}
```
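The security-relevant property of the bucket above is that only the accounts listed in `allowed_account_ids` may deliver flow logs into it. The following added example (not code from this module) audits a bucket policy for exactly that: it generates a constructed policy in the shape AWS documents for VPC flow log delivery to S3 (`delivery.logs.amazonaws.com` writing under `AWSLogs/` with `bucket-owner-full-control`) and then checks that every `PutObject` grant is pinned by `aws:SourceAccount` to the allowed list. The policy generator and its statement IDs are assumptions for illustration, not the module's rendered policy.

```python
import json

# Constructed policy generator shaped like the bucket policy AWS documents for VPC flow
# log delivery to S3 (assumption: illustrative only, not the policy this module renders).
def delivery_policy(bucket, source_accounts, require_acl=True):
    write_cond = {"aws:SourceAccount": source_accounts}
    if require_acl:
        write_cond["s3:x-amz-acl"] = "bucket-owner-full-control"
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
         "Principal": {"Service": "delivery.logs.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/*",
         "Condition": {"StringEquals": write_cond}},
        {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow",
         "Principal": {"Service": "delivery.logs.amazonaws.com"},
         "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringEquals": {"aws:SourceAccount": source_accounts}}},
    ]})

def _as_list(v):
    # IAM policy JSON allows scalars or lists in most fields; normalise to a list.
    return v if isinstance(v, list) else [v]

def audit_flowlog_policy(policy_json, allowed_account_ids):
    """Findings for Allow statements granting PutObject that are not pinned to the
    allowed account set or that skip the bucket-owner-full-control ACL condition."""
    findings = []
    allowed = set(allowed_account_ids)
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("s3:PutObject", "s3:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            findings.append(f"{sid}: PutObject granted to a wildcard principal")
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        sources = set(_as_list(cond.get("aws:SourceAccount", [])))
        if not sources:
            findings.append(f"{sid}: PutObject not restricted by aws:SourceAccount")
        elif not sources <= allowed:
            findings.append(f"{sid}: aws:SourceAccount allows unexpected accounts {sorted(sources - allowed)}")
        if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
            findings.append(f"{sid}: missing s3:x-amz-acl = bucket-owner-full-control condition")
    return findings
```

Running `audit_flowlog_policy` against the policy returned by the AWS API for the real bucket (rather than the constructed one) gives a quick drift check after a `terraform apply`.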

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13.4 |
| aws | >= 5 |

Providers

| Name | Version |
|------|---------|
| aws | 5.87.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_kms_alias.this | resource |
| aws_kms_key.this | resource |
| aws_s3_bucket.this | resource |
| aws_s3_bucket_lifecycle_configuration.this | resource |
| aws_s3_bucket_logging.this | resource |
| aws_s3_bucket_policy.this | resource |
| aws_s3_bucket_public_access_block.this | resource |
| aws_s3_bucket_server_side_encryption_configuration.this | resource |
| aws_s3_bucket_versioning.this | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.key | data source |
| aws_iam_policy_document.this | data source |
| aws_partition.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| allowed_account_ids | Optional list of AWS account IDs that are permitted to write to the bucket | `list(string)` | `[]` | no |
| lifecycle_rules | Lifecycle rules to apply to the bucket | `list(object({...}))` (see below) | three rules (see below) | no |
| lifecycle_transition_default_minimum_object_size | The default minimum object size behavior applied to the lifecycle configuration | `string` | `"varies_by_storage_class"` | no |
| logging_bucket | S3 bucket that access request logs for the VPC flow log bucket are sent to | `string` | n/a | yes |
| region | Region VPC flow logs will be sent to | `string` | n/a | yes |
| tags | Tags to include on resources that support it | `map(string)` | `{}` | no |

Type of `lifecycle_rules`:

```hcl
list(object({
  id                            = string
  enabled                       = optional(bool, true)
  expiration                    = optional(number)
  prefix                        = optional(string)
  noncurrent_version_expiration = optional(number)
  transition = optional(list(object({
    days          = number
    storage_class = string
  })))
}))
```

Default of `lifecycle_rules`:

```json
[
  {
    "id": "expire-noncurrent-objects-after-ninety-days",
    "noncurrent_version_expiration": 90
  },
  {
    "id": "transition-to-IA-after-30-days",
    "transition": [
      {
        "days": 30,
        "storage_class": "STANDARD_IA"
      }
    ]
  },
  {
    "expiration": 2557,
    "id": "delete-after-seven-years"
  }
]
```

Outputs

| Name | Description |
|------|-------------|
| kms_key_id | KMS key ID |
| s3_bucket_arn | The ARN of the bucket |
| s3_bucket_name | The name of the bucket |
