From 20acf65f86fb63ddb3b7b01b7f74537851cfec91 Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 25 Apr 2023 11:17:11 -0400 Subject: [PATCH] * 2.8.3 -- 2023-04-25 - vpc: - enable enable_network_address_usage_metrics - vpc-flow-logs - use default retention of 6 months, allow it as a variable - examples/full-setup-tf-upgrade - change vpc-endpoints to be in subdirectory, by default use all endpoints, and no local endpoints --- CHANGELOG.md | 7 +++++++ common/version.tf | 2 +- flowlogs/README.md | 1 + flowlogs/main.tf | 9 +++++---- flowlogs/variables.tf | 13 +++++++++++++ vpc/main.tf | 7 ++++--- 6 files changed, 31 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8d45199..5266857 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -303,3 +303,10 @@ - add additional information to ssm parameter - cleanup zone creation based on endpoint service definition (some are missing a zone) +* 2.8.3 -- 2023-04-25 + - vpc: + - enable enable_network_address_usage_metrics + - vpc-flow-logs + - use default retention of 6 months, allow it as a variable + - examples/full-setup-tf-upgrade + - change vpc-endpoints to be in subdirectory, by default use all endpoints, and no local endpoints diff --git a/common/version.tf b/common/version.tf index e66bbb9..f031e1a 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,5 +1,5 @@ locals { - _module_version = "2.8.2" + _module_version = "2.8.3" _module_names = { "_main_" = "aws-vpc-setup" diff --git a/flowlogs/README.md b/flowlogs/README.md index 707869f..74bfd36 100644 --- a/flowlogs/README.md +++ b/flowlogs/README.md @@ -96,6 +96,7 @@ No modules. | [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id |
list(object({
subnet = string
label = string
availability_zone = string
id = string
tags = optional(map(string))
}))
| `[]` | no | | [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs (not objects) | `list(string)` | `[]` | no | | [public\_subnets\_ids](#input\_public\_subnets\_ids) | List of public subnet objects including: subnet, label, availability\_zone, id |
list(object({
subnet = string
label = string
availability_zone = string
id = string
tags = optional(map(string))
}))
| `[]` | no | +| [retention\_in\_days](#input\_retention\_in\_days) | Number of days to keep cloudwatch logs (default is 180). See the documentation for available values. | `number` | `180` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | | [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no | | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no | diff --git a/flowlogs/main.tf b/flowlogs/main.tf index 23c7a0b..2bc3527 100644 --- a/flowlogs/main.tf +++ b/flowlogs/main.tf @@ -106,10 +106,11 @@ resource "aws_cloudwatch_log_group" "flowlog" { } resource "aws_flow_log" "flowlog_cloudwatch" { - log_destination = aws_cloudwatch_log_group.flowlog.arn - iam_role_arn = var.flowlog_role_arn - traffic_type = "ALL" - vpc_id = var.vpc_id + log_destination = aws_cloudwatch_log_group.flowlog.arn + iam_role_arn = var.flowlog_role_arn + traffic_type = "ALL" + vpc_id = var.vpc_id + retention_in_days = var.retention_in_days tags = merge( local.base_tags, diff --git a/flowlogs/variables.tf b/flowlogs/variables.tf index aed8488..4ff039b 100644 --- a/flowlogs/variables.tf +++ b/flowlogs/variables.tf 
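Review bot: The new `retention_in_days = var.retention_in_days` line is placed inside `resource "aws_flow_log" "flowlog_cloudwatch"`, but log retention is an argument of `aws_cloudwatch_log_group`, and I know of no such argument on `aws_flow_log`, so I would expect `terraform validate` to reject this hunk as an unsupported argument, and the flow-log group itself would keep its never-expire default. The line belongs in `resource "aws_cloudwatch_log_group" "flowlog"`, whose body starts above the hunk (only its closing brace is visible here): `retention_in_days = var.retention_in_days`. That placement is also what the allowed values in the new variable's validation are written for (CloudWatch log-group retention values).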
@@ -25,3 +25,16 @@ variable "enable_kinesis_stream" { type = bool default = true } + +variable "retention_in_days" { + description = "Number of days to keep cloudwatch logs (default is 180). See the documentation for available values." + type = number + default = 180 + + # valid and allowed here: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180 + # valid but excluded here: 365, 400, 545, 731, 1827, 2192, 2557, 2922, 3288, 3653 + validation { + condition = var.retention_in_days > 0 && var.retention_in_days <= 180 && contains([1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180], var.retention_in_days) + error_message = "VPC flowlogs cloudwatch logs must not be 0 (infinite), and be between 1 and 180 days (180 is default)." + } +} diff --git a/vpc/main.tf b/vpc/main.tf index addac63..76682ed 100644 --- a/vpc/main.tf +++ b/vpc/main.tf @@ -70,9 +70,10 @@ resource "aws_vpc_dhcp_options_association" "vpc" { # vpc #--- resource "aws_vpc" "vpc" { - cidr_block = var.vpc_cidr_block - enable_dns_support = local.enable_dns_support - enable_dns_hostnames = local.enable_dns_hostnames + cidr_block = var.vpc_cidr_block + enable_dns_support = local.enable_dns_support + enable_dns_hostnames = local.enable_dns_hostnames + enable_network_address_usage_metrics = true tags = merge( local.base_tags,
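Review bot: The validation's `error_message` promises "between 1 and 180 days" but the `contains([...])` clause is what actually decides, so a value such as 100 is rejected with a message that says it should have been accepted; the `> 0 && <= 180` part is redundant once `contains` is there. I would reduce the condition to `condition = contains([1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180], var.retention_in_days)` and state the real rule: `error_message = "retention_in_days must be one of 1, 3, 5, 7, 14, 30, 60, 90, 120, 150 or 180 (default 180); 0 (never expire) and values above 180 are not allowed."`. The two comments make clear that the 180-day cap is deliberate, but since flow logs are often kept for a year or longer to satisfy retention policies, it would help to say in the `description` why longer CloudWatch retention is excluded for this module.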
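Review bot: `enable_network_address_usage_metrics = true` is the only hard-coded literal in a resource whose other arguments all come from `var.` or `local.` values, so a caller has no way to turn the metrics off. Exposing it as `enable_network_address_usage_metrics = var.enable_network_address_usage_metrics` with a `bool` variable defaulting to `true` in the module's variables file keeps the behaviour this commit intends (on by default) while staying consistent with how `cidr_block` and the DNS flags are wired. As far as I know NAU metrics are billed as CloudWatch metrics per VPC, which is another reason to let the module's user opt out.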