From 24df66020d859da57bee5939efe74ba779ec5266 Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 23 Feb 2021 15:14:11 -0500 Subject: [PATCH 1/3] rename access-logging to s3-access-logs --- README.md | 4 +++- {access-logging => s3-access-logs}/README.md | 6 +++--- {access-logging => s3-access-logs}/data.tf | 0 {access-logging => s3-access-logs}/defaults.tf | 0 {access-logging => s3-access-logs}/main.tf | 6 +++--- {access-logging => s3-access-logs}/outputs.tf | 0 {access-logging => s3-access-logs}/policy_data.tf | 0 {access-logging => s3-access-logs}/prefixes.tf | 0 {access-logging => s3-access-logs}/variables.common.tf | 0 {access-logging => s3-access-logs}/variables.tf | 0 {access-logging => s3-access-logs}/version.tf | 0 11 files changed, 9 insertions(+), 7 deletions(-) rename {access-logging => s3-access-logs}/README.md (97%) rename {access-logging => s3-access-logs}/data.tf (100%) rename {access-logging => s3-access-logs}/defaults.tf (100%) rename {access-logging => s3-access-logs}/main.tf (97%) rename {access-logging => s3-access-logs}/outputs.tf (100%) rename {access-logging => s3-access-logs}/policy_data.tf (100%) rename {access-logging => s3-access-logs}/prefixes.tf (100%) rename {access-logging => s3-access-logs}/variables.common.tf (100%) rename {access-logging => s3-access-logs}/variables.tf (100%) rename {access-logging => s3-access-logs}/version.tf (100%) diff --git a/README.md b/README.md index 196ce92..3fb89e0 100644 --- a/README.md +++ b/README.md 
@@ -13,11 +13,13 @@ structure so they are not really needed. The bucket is `inf-tfstate-{account_id} This has no other dependencies, since it has to be created first. Only one is needed per account. -### [access-logging](access-logging) +### [s3-access-logs](s3-access-logs) This sets up the S3 bucket used for access logs. One is needed per region, and the region and account are included in the bucket names: `inf-logs-{account_id}-{region}`. +### [s3-flow-logs](s3-flow-logs) + ### splunk-user ### object-logging ### cloudtrail diff --git a/access-logging/README.md b/s3-access-logs/README.md similarity index 97% rename from access-logging/README.md rename to s3-access-logs/README.md index 11f4239..9093aba 100644 --- a/access-logging/README.md +++ b/s3-access-logs/README.md @@ -1,4 +1,4 @@ -# aws-inf-setup :: access-logging +# aws-inf-setup :: s3-access-logs This set up the needed components for S3 access log bucket. An access log must exist in each region where there are components wishing to use access logs (S3, ALB, etc.). @@ -12,7 +12,7 @@ Here is a simple example, the one most commonly expected to be used. ```hcl module "logs" { - source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//access-logging" + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-access-logs" } ``` @@ -22,7 +22,7 @@ variable file generation. ```hcl module "logs_full" { - source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//terraform-state" + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-access-logs" # optional account_alias = "do2-govcloud" diff --git a/access-logging/data.tf b/s3-access-logs/data.tf similarity index 100% rename from access-logging/data.tf rename to s3-access-logs/data.tf diff --git a/access-logging/defaults.tf b/s3-access-logs/defaults.tf similarity index 100% rename from access-logging/defaults.tf rename to s3-access-logs/defaults.tf 
diff --git a/access-logging/main.tf b/s3-access-logs/main.tf similarity index 97% rename from access-logging/main.tf rename to s3-access-logs/main.tf index 81f8584..f8e0a47 100644 --- a/access-logging/main.tf +++ b/s3-access-logs/main.tf @@ -1,5 +1,5 @@ /* -* # aws-inf-setup :: access-logging +* # aws-inf-setup :: s3-access-logs * * This set up the needed components for S3 access log bucket. An access log must exist in each region * where there are components wishing to use access logs (S3, ALB, etc.). @@ -13,7 +13,7 @@ * * ```hcl * module "logs" { -* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//access-logging" +* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-access-logs" * } * ``` * @@ -23,7 +23,7 @@ * * ```hcl * module "logs_full" { -* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//terraform-state" +* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-access-logs" * * # optional * account_alias = "do2-govcloud" diff --git a/access-logging/outputs.tf b/s3-access-logs/outputs.tf similarity index 100% rename from access-logging/outputs.tf rename to s3-access-logs/outputs.tf diff --git a/access-logging/policy_data.tf b/s3-access-logs/policy_data.tf similarity index 100% rename from access-logging/policy_data.tf rename to s3-access-logs/policy_data.tf diff --git a/access-logging/prefixes.tf b/s3-access-logs/prefixes.tf similarity index 100% rename from access-logging/prefixes.tf rename to s3-access-logs/prefixes.tf diff --git a/access-logging/variables.common.tf b/s3-access-logs/variables.common.tf similarity index 100% rename from access-logging/variables.common.tf rename to s3-access-logs/variables.common.tf diff --git a/access-logging/variables.tf b/s3-access-logs/variables.tf similarity index 100% rename from access-logging/variables.tf rename to s3-access-logs/variables.tf 
diff --git a/access-logging/version.tf b/s3-access-logs/version.tf similarity index 100% rename from access-logging/version.tf rename to s3-access-logs/version.tf From 5f93855b5e08a549f78702378dad64b117e65781 Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 23 Feb 2021 15:30:23 -0500 Subject: [PATCH 2/3] v1.3: add s3-flow-logs, rename access-logs to s3-access-logs --- CHANGELOG.md | 4 ++ common/version.tf | 2 +- s3-flow-logs/data.tf | 1 + s3-flow-logs/defaults.tf | 1 + s3-flow-logs/main.tf | 110 +++++++++++++++++++++++++++++++ s3-flow-logs/outputs.tf | 9 +++ s3-flow-logs/policy_data.tf | 27 ++++++++ s3-flow-logs/prefixes.tf | 1 + s3-flow-logs/variables.common.tf | 1 + s3-flow-logs/variables.tf | 20 ++++++ s3-flow-logs/version.tf | 1 + 11 files changed, 176 insertions(+), 1 deletion(-) create mode 120000 s3-flow-logs/data.tf create mode 120000 s3-flow-logs/defaults.tf create mode 100644 s3-flow-logs/main.tf create mode 100644 s3-flow-logs/outputs.tf create mode 100644 s3-flow-logs/policy_data.tf create mode 120000 s3-flow-logs/prefixes.tf create mode 120000 s3-flow-logs/variables.common.tf create mode 100644 s3-flow-logs/variables.tf create mode 120000 s3-flow-logs/version.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index 507b9a6..0566b2a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,3 +10,7 @@ * v1.2 -- 20210223 - module: access-logging + +* v1.3 -- 20210223 + - module: rename access-logging to s3-access-logs + - module: add s3-flow-logs diff --git a/common/version.tf b/common/version.tf index 2f4174c..6459949 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "1.2" + _module_version = "1.3" } diff --git a/s3-flow-logs/data.tf b/s3-flow-logs/data.tf new file mode 120000 index 0000000..995624d --- /dev/null +++ b/s3-flow-logs/data.tf @@ -0,0 +1 @@ +../common/data.tf \ No newline at end of file diff --git a/s3-flow-logs/defaults.tf b/s3-flow-logs/defaults.tf new file mode 120000 index 0000000..a5556ac 
--- /dev/null
+++ b/s3-flow-logs/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/s3-flow-logs/main.tf b/s3-flow-logs/main.tf
new file mode 100644
index 0000000..ab40cff
--- /dev/null
+++ b/s3-flow-logs/main.tf
@@ -0,0 +1,110 @@
+/*
+* # aws-inf-setup :: s3-flow-logs
+*
+* This set up the needed components for S3 VPC flow log bucket. Only one flow log bucket is
+* needed
+*
+* * S3 bucket
+* * S3 bucket objects (key prefixes, aka "directories")
+* * S3 bucket policy
+*
+* # Usage
+* Here is a simple example, the one most commonly expected to be used.
+*
+* ```hcl
+* module "flowlogs" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-flow-flowlogs"
+* }
+* ```
+*
+* This one can be used if you need to customize stuff, though really, the defaults are all built
+* for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in
+* variable file generation.
+*
+* ```hcl
+* module "flowlogs_full" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-flow-flowlogs"
+*
+* # optional
+* account_alias = "do2-govcloud"
+* bucket_name = "inf-flowlogs-123456789012"
+*
+* # flowlogs is generally not needed and not recommended
+* component_tags = {
+* "s3" = {
+* "SpecialTag1" = "something"
+* "SpecialTag2" = "somethingElse"
+* }
+* }
+* }
+* ```
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ flowlogs_region = data.aws_region.current.name
+ account_environment = data.aws_arn.current.partiion == "aws-us-gov" ? "gov" : "ew"
+
+ bucket_name = var.bucket_name != "" ? var.bucket_name : format("%v-%v-%v", var.bucket_name_prefix, local.account_id, local.flowlogs_region)
+
+ base_tags = {
+ "Organization" = "census:aditcio:csvd"
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+#---
+# s3
+#---
+resource "aws_s3_bucket" "flowlogs" {
+ bucket = local.bucket_name
+ acl = "log-delivery-write"
+
+ # need to create the inf_ key used for infrastucture things like
+ # vpc flow, cloudtrail, config, sns, sqs
+
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ # kms_master_key_id = local.inf_key_arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
+
+ versioning {
+ enabled = false
+ }
+
+ lifecycle {
+ prevent_destroy = true
+ }
+
+ # probably want some migration of old data to some other location
+ # like glacier
+
+ tags = merge(
+ var.tags,
+ local.base_tags,
+ lookup(var.component_tags, "s3", {}),
+ map("Name", local.bucket_name),
+ )
+
+ provisioner "local-exec" {
+ command = "sleep 30"
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "flowlogs" {
+ bucket = aws_s3_bucket.flowlogs.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_policy" "flowlogs" {
+ bucket = aws_s3_bucket.flowlogs.id
+ policy = data.aws_iam_policy_document.flowlogs_s3.json
+}
diff --git a/s3-flow-logs/outputs.tf b/s3-flow-logs/outputs.tf
new file mode 100644
index 0000000..cc57cc2
--- /dev/null
+++ b/s3-flow-logs/outputs.tf
@@ -0,0 +1,9 @@
+output "flowlogs_bucket_id" {
+ description = "VPC Flow Logs S3 bucket ID"
+ value = aws_s3_bucket.flowlogs.id
+}
+
+output "flowlogs_bucket_arn" {
+ description = "VPC Flow Logs S3 bucket ARN"
+ value = aws_s3_bucket.flowlogs.arn
+}
diff --git a/s3-flow-logs/policy_data.tf b/s3-flow-logs/policy_data.tf
new file mode 100644
index 0000000..d2caf36
--- /dev/null
+++ b/s3-flow-logs/policy_data.tf
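Review bot: `data.aws_arn.current.partiion` in the `account_environment` local is a misspelling of the `partition` attribute, so this module fails validation before anything is created; the line should read `account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"`. The bucket policy resource at the end references `data.aws_iam_policy_document.flowlogs_s3`, while policy_data.tf in this same series declares it as `flowlog_s3` and points at `aws_s3_bucket.flowlog`, neither of which exists (the bucket here is `aws_s3_bucket.flowlogs`), so the three names need to agree. `acl = "log-delivery-write"` grants the S3 Log Delivery group write access, which is what server access logging needs but not VPC flow logs (those are delivered by the `delivery.logs.amazonaws.com` principal through the bucket policy), so this looks copied from s3-access-logs and should be `acl = "private"` or dropped. With `kms_master_key_id` commented out, `sse_algorithm = "aws:kms"` falls back to the AWS-managed S3 key; as far as I know log delivery can only use a customer-managed key whose key policy grants the delivery service, so confirm a flow log actually lands in this bucket before relying on it. The header comment's two examples use `//s3-flow-flowlogs`, which does not match the module directory `s3-flow-logs`.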
@@ -0,0 +1,27 @@
+data "aws_iam_policy_document" "flowlog_s3" {
+ statement {
+ sid = "AWSLogDeliveryWrite"
+ effect = "Allow"
+ actions = ["s3:PutObject"]
+ principals {
+ type = "Service"
+ identifiers = ["delivery.logs.amazonaws.com"]
+ }
+ resources = ["${aws_s3_bucket.flowlog.arn}/*"]
+ condition {
+ test = "StringEquals"
+ variable = "s3:x-amz-acl"
+ values = ["bucket-owner-full-control"]
+ }
+ }
+ statement {
+ sid = "AWSLogDeliveryAclCheck"
+ effect = "Allow"
+ actions = ["s3:GetBucketAcl"]
+ principals {
+ type = "Service"
+ identifiers = ["delivery.logs.amazonaws.com"]
+ }
+ resources = [aws_s3_bucket.flowlog.arn]
+ }
+}
diff --git a/s3-flow-logs/prefixes.tf b/s3-flow-logs/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/s3-flow-logs/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/s3-flow-logs/variables.common.tf b/s3-flow-logs/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/s3-flow-logs/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/s3-flow-logs/variables.tf b/s3-flow-logs/variables.tf
new file mode 100644
index 0000000..e27308d
--- /dev/null
+++ b/s3-flow-logs/variables.tf
@@ -0,0 +1,20 @@
+variable "bucket_name" {
+ description = "VPC Flow Logs S3 bucket name"
+ type = string
+ # default = "inf-flowlogs-{{ tf_account }}-{{ region }}"
+ # default = "inf-flowlogs-{{ tf_account }}"
+ default = ""
+}
+
+variable "bucket_name_prefix" {
+ # description = "VPC Flow Logs S3 bucket prefix, prepended to the AWS account ID and region to make the bucket name."
+ description = "VPC Flow Logs S3 bucket prefix, prepended to the AWS account ID to make the bucket name."
+ type = string
+ default = "inf-flowlogs"
+}
+
+variable "component_tags" {
+ description = "Additional tags for Components (s3, kms, ddb)"
+ type = map(map(string))
+ default = { "s3" = {}, "kms" = {}, "ddb" = {} }
+}
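Review bot: Both statements grant the `delivery.logs.amazonaws.com` service principal with no `aws:SourceAccount` condition, so the grant is keyed only on the bucket name and any account that points a flow log at this bucket can have its logs delivered here (the classic confused-deputy shape for service-principal bucket policies). AWS's reference bucket policy for flow-log delivery scopes both the `s3:PutObject` and `s3:GetBucketAcl` statements to the owning account, and `local.account_id` from main.tf is already computed in this module, so the value is at hand. The same condition belongs in the `AWSLogDeliveryAclCheck` statement as well.
```hcl
data "aws_iam_policy_document" "flowlog_s3" {
  statement {
    sid = "AWSLogDeliveryWrite"
    # … unchanged: effect, actions, principals, resources, s3:x-amz-acl condition …
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account_id]
    }
  }
  # … unchanged: AWSLogDeliveryAclCheck statement, with the same aws:SourceAccount condition added …
}
```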
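Review bot: The live `description` on `bucket_name_prefix` says the prefix is prepended to the account ID only, but main.tf's `bucket_name` local builds `format("%v-%v-%v", var.bucket_name_prefix, local.account_id, local.flowlogs_region)`, so the commented-out line is the accurate one and should be the active one: `description = "VPC Flow Logs S3 bucket prefix, prepended to the AWS account ID and region to make the bucket name."`. The generated README added in patch 3 inherits the same inaccurate sentence in its Inputs table, so it needs regenerating after the fix. `component_tags` describes and defaults `kms` and `ddb` keys, while this module only reads `lookup(var.component_tags, "s3", {})`; if the extra keys are kept for interface parity with the sibling modules a comment saying so would help, otherwise the default can be narrowed to `{ "s3" = {} }`.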
diff --git a/s3-flow-logs/version.tf b/s3-flow-logs/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/s3-flow-logs/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file

From c155ba9902d252e19eba62d3b5ab6ed684547b94 Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 23 Feb 2021 15:30:30 -0500
Subject: [PATCH 3/3] v1.3: add s3-flow-logs, rename access-logs to s3-access-logs

---
 s3-flow-logs/README.md | 83 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 s3-flow-logs/README.md

diff --git a/s3-flow-logs/README.md b/s3-flow-logs/README.md
new file mode 100644
index 0000000..a5ebd76
--- /dev/null
+++ b/s3-flow-logs/README.md
@@ -0,0 +1,83 @@ +# aws-inf-setup :: s3-flow-logs + +This set up the needed components for S3 VPC flow log bucket. Only one flow log bucket is +needed + +* S3 bucket +* S3 bucket objects (key prefixes, aka "directories") +* S3 bucket policy + +# Usage +Here is a simple example, the one most commonly expected to be used. + +```hcl +module "flowlogs" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-flow-flowlogs" +} +``` + +This one can be used if you need to customize stuff, though really, the defaults are all built +for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in +variable file generation. + +```hcl +module "flowlogs_full" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-flow-flowlogs" + + # optional + account_alias = "do2-govcloud" + bucket_name = "inf-flowlogs-123456789012" + + # flowlogs is generally not needed and not recommended + component_tags = { + "s3" = { + "SpecialTag1" = "something" + "SpecialTag2" = "somethingElse" + } + } +} +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| aws | n/a | + +## Modules + +No Modules. 
+ +## Resources + +| Name | +|------| +| [aws_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | +| [aws_caller_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | +| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | +| [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | +| [aws_s3_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | +| [aws_s3_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | +| [aws_s3_bucket_public_access_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| account\_alias | AWS Account Alias (required) | `string` | `""` | no | +| account\_id | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| bucket\_name | VPC Flow Logs S3 bucket name | `string` | `""` | no | +| bucket\_name\_prefix | VPC Flow Logs S3 bucket prefix, prepended to the AWS account ID to make the bucket name. | `string` | `"inf-flowlogs"` | no | +| component\_tags | Additional tags for Components (s3, kms, ddb) | `map(map(string))` |
{
"ddb": {},
"kms": {},
"s3": {}
}
| no | +| override\_prefixes | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| tags | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| flowlogs\_bucket\_arn | VPC Flow Logs S3 bucket ARN |