add prefixes for log-groups, add flowlogs-role

CHANGELOG.md

@@ -18,3 +18,7 @@
 * v1.0.3 -- 20210512
   - security-groups
     - add output of security_groups map(object{name,id,arn})
+
+* v1.0.4 -- 20210514
+  - flowlogs
+    - setup flow logs

common/prefixes.tf

@@ -22,5 +22,7 @@ locals {
     "customer-gateway" = "cgw-"
     "vpn-gateway"      = "vpcg-"
     "vpn-connection"   = "vpn_"
+    "log-group"        = "lg-"
+    "log-stream"       = "lgs-"
   }
 }

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.0.3"
+  _module_version = "1.0.4"
 }

flowlogs-role/README.md

@@ -0,0 +1,60 @@
+# aws-vpc-setup :: flowlogs-role
+
+This sets up the default flowlogs role and policies, allowign for kinesis streams to be used in all regions
+selected.  The role and policy created are `inf-flowlogs` with the appropriate prefix.
+
+# Usage
+```hcl
+module "role_flowlogs" {
+  source            = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//flowlogs-role"
+  regions           = values(var.region_map)
+  attached_policies = [ module.general.custom_policies_arn["deny_billing"]]
+  tags = { }
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_flowlogs"></a> [flowlogs](#module\_flowlogs) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git |  |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role_policy_attachment.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.flowlogs_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_attached_policies"></a> [attached\_policies](#input\_attached\_policies) | List of IAM Policy ARNs to attach to this role | `list(string)` | `[]` | no |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_regions"></a> [regions](#input\_regions) | List of AWS Regions for which to grant Kinesis stream access | `list(string)` | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | Created flowlogs role ARN |
+| <a name="output_role_name"></a> [role\_name](#output\_role\_name) | Created flowlogs role name |