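# VPC Flow Logs for aws_vpc.vpc, delivered either to a CloudWatch Logs group
# (var.flow-log-destination == "cwlog") or to an existing S3 bucket
# (var.flow-log-destination == "s3"). Nothing below is created unless
# var.enable-flow-log is true.
locals {
  # Single source of truth for the enable/destination switch so that the flow
  # log, log group, role and policy can never disagree with each other.
  vpcflowlog-to-cwl = var.enable-flow-log && var.flow-log-destination == "cwlog"
  vpcflowlog-to-s3  = var.enable-flow-log && var.flow-log-destination == "s3"

  # The log group key is optional; KMS permissions are only granted when a key
  # ARN is actually configured, so the policy never contains a null resource.
  vpcflowlog-cwl-kms = var.vpcflowlog-cwl-loggroup-key-arn != null && var.vpcflowlog-cwl-loggroup-key-arn != ""
}

# Account id used to pin the role trust policy to this account.
data "aws_caller_identity" "vpcflowlog" {}

resource "aws_flow_log" "vpc-flowlog" {
  count = local.vpcflowlog-to-cwl ? 1 : 0

  log_destination_type = "cloud-watch-logs" # explicit; this is the provider default
  log_destination      = aws_cloudwatch_log_group.vpcflowlog-loggroup[0].arn
  iam_role_arn         = aws_iam_role.vpcflowlog-role[0].arn
  traffic_type         = "ALL"
  vpc_id               = aws_vpc.vpc.id

  tags = {
    Name = "${var.resource-prefix}-vpcflowlog"
  }

  # The graph only ties this resource to the role (via iam_role_arn), not to the
  # inline policy. Depend on the policy so the flow log is not created before
  # the role is allowed to write to the log group.
  depends_on = [aws_iam_role_policy.vpcflowlog-role-policy]
}

resource "aws_flow_log" "vpc-flowlog-s3" {
  count = local.vpcflowlog-to-s3 ? 1 : 0

  log_destination_type = "s3"
  log_destination      = var.flow-log-bucket-arn # bucket policy is managed outside this file
  traffic_type         = "ALL"
  vpc_id               = aws_vpc.vpc.id

  tags = {
    Name = "${var.resource-prefix}-vpcflowlog"
  }
}

resource "aws_cloudwatch_log_group" "vpcflowlog-loggroup" {
  count = local.vpcflowlog-to-cwl ? 1 : 0

  name_prefix       = "vpcflowlog/${aws_vpc.vpc.id}/"
  kms_key_id        = var.vpcflowlog-cwl-loggroup-key-arn # null/"" leaves the group unencrypted by a CMK
  retention_in_days = var.vpcflowlog-retain-days
}

# Short suffix that keeps the role name unique per deployment. byte_length stays
# at 2 because changing it would rename (and therefore recreate) the role.
resource "random_id" "rid" {
  byte_length = 2
}

resource "aws_iam_role" "vpcflowlog-role" {
  count = local.vpcflowlog-to-cwl ? 1 : 0

  name = "VpcFlowlogRole-${random_id.rid.dec}"
  path = "/service/"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "vpc-flow-logs.amazonaws.com"
        }
        Action = "sts:AssumeRole"
        # Only flow logs belonging to this account may assume the role; without
        # this condition any account's flow logs could use it (confused deputy).
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = data.aws_caller_identity.vpcflowlog.account_id
          }
        }
      },
    ]
  })
}

resource "aws_iam_role_policy" "vpcflowlog-role-policy" {
  count = local.vpcflowlog-to-cwl ? 1 : 0

  name = "VpcFlowlogRole-${random_id.rid.dec}"
  role = aws_iam_role.vpcflowlog-role[0].id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = concat(
      [
        {
          # Describe calls are account-wide; this is the only statement that needs "*".
          Sid      = "DescribeLogs"
          Effect   = "Allow"
          Action   = ["logs:DescribeLogGroups", "logs:DescribeLogStreams"]
          Resource = "*"
        },
        {
          # Writes are confined to this module's log group and its streams. Both
          # forms are listed because the provider's arn attribute has, across
          # versions, been returned with and without the trailing ":*".
          Sid    = "WriteFlowLogs"
          Effect = "Allow"
          Action = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
          Resource = [
            aws_cloudwatch_log_group.vpcflowlog-loggroup[0].arn,
            "${aws_cloudwatch_log_group.vpcflowlog-loggroup[0].arn}:*",
          ]
        },
      ],
      local.vpcflowlog-cwl-kms ? [
        {
          # Scoped to the log group's key. "kms:ReEncrypt" on its own is not an
          # IAM action (the real ones are ReEncryptFrom/ReEncryptTo), hence the
          # wildcard form.
          Sid      = "UseLogGroupKey"
          Effect   = "Allow"
          Action   = ["kms:Encrypt", "kms:ReEncrypt*", "kms:Decrypt"]
          Resource = var.vpcflowlog-cwl-loggroup-key-arn
        },
      ] : [],
    )
  })
}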