* 2.8.3 -- 2023-04-25

- vpc: - enable enable_network_address_usage_metrics - vpc-flow-logs - use default retention of 6 months, allow it as a variable - examples/full-setup-tf-upgrade - change vpc-endpoints to be in subdirectory, by default use all endpoints, and no local endpoints
terraform-modules · Apr 25, 2023 · 20acf65 · 20acf65
1 parent 10a5083
commit 20acf65
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -303,3 +303,10 @@
     - add additional information to ssm parameter
     - cleanup zone creation based on endpoint service definition (some are missing a zone)
 
+* 2.8.3 -- 2023-04-25
+  - vpc:
+    - enable enable_network_address_usage_metrics
+  - vpc-flow-logs
+    - use default retention of 6 months, allow it as a variable
+  - examples/full-setup-tf-upgrade
+    - change vpc-endpoints to be in subdirectory, by default use all endpoints, and no local endpoints
diff --git a/common/version.tf b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
-  _module_version = "2.8.2"
+  _module_version = "2.8.3"
   _module_names = {
     "_main_" = "aws-vpc-setup"
 

diff --git a/flowlogs/README.md b/flowlogs/README.md
@@ -96,6 +96,7 @@ No modules.
 | <a name="input_private_subnets_ids"></a> [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id | <pre>list(object({<br>    subnet            = string<br>    label             = string<br>    availability_zone = string<br>    id                = string<br>    tags              = optional(map(string))<br>  }))</pre> | `[]` | no |
 | <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs (not objects) | `list(string)` | `[]` | no |
 | <a name="input_public_subnets_ids"></a> [public\_subnets\_ids](#input\_public\_subnets\_ids) | List of public subnet objects including: subnet, label, availability\_zone, id | <pre>list(object({<br>    subnet            = string<br>    label             = string<br>    availability_zone = string<br>    id                = string<br>    tags              = optional(map(string))<br>  }))</pre> | `[]` | no |
+| <a name="input_retention_in_days"></a> [retention\_in\_days](#input\_retention\_in\_days) | Number of days to keep cloudwatch logs (default is 180). See the documentation for available values. | `number` | `180` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 | <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
 | <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |

diff --git a/flowlogs/main.tf b/flowlogs/main.tf
@@ -106,10 +106,11 @@ resource "aws_cloudwatch_log_group" "flowlog" {
 }
 
 resource "aws_flow_log" "flowlog_cloudwatch" {
-  log_destination = aws_cloudwatch_log_group.flowlog.arn
-  iam_role_arn    = var.flowlog_role_arn
-  traffic_type    = "ALL"
-  vpc_id          = var.vpc_id
+  log_destination   = aws_cloudwatch_log_group.flowlog.arn
+  iam_role_arn      = var.flowlog_role_arn
+  traffic_type      = "ALL"
+  vpc_id            = var.vpc_id
+  retention_in_days = var.retention_in_days
 
   tags = merge(
     local.base_tags,

diff --git a/flowlogs/variables.tf b/flowlogs/variables.tf
@@ -25,3 +25,16 @@ variable "enable_kinesis_stream" {
   type        = bool
   default     = true
 }
+
+variable "retention_in_days" {
+  description = "Number of days to keep cloudwatch logs (default is 180). See the documentation for available values."
+  type        = number
+  default     = 180
+
+  # valid and allowed here: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180
+  # valid but excluded here: 365, 400, 545, 731, 1827, 2192, 2557, 2922, 3288, 3653
+  validation {
+    condition     = var.retention_in_days > 0 && var.retention_in_days <= 180 && contains([1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180], var.retention_in_days)
+    error_message = "VPC flowlogs cloudwatch logs must not be 0 (infinite), and be between 1 and 180 days (180 is default)."
+  }
+}
diff --git a/vpc/main.tf b/vpc/main.tf
@@ -70,9 +70,10 @@ resource "aws_vpc_dhcp_options_association" "vpc" {
 # vpc
 #---
 resource "aws_vpc" "vpc" {
-  cidr_block           = var.vpc_cidr_block
-  enable_dns_support   = local.enable_dns_support
-  enable_dns_hostnames = local.enable_dns_hostnames
+  cidr_block                           = var.vpc_cidr_block
+  enable_dns_support                   = local.enable_dns_support
+  enable_dns_hostnames                 = local.enable_dns_hostnames
+  enable_network_address_usage_metrics = true
 
   tags = merge(
     local.base_tags,