enable_kinesis as flag

flowlogs-transit-gateway/README.md

@@ -83,6 +83,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
+| <a name="input_enable_kinesis"></a> [enable\_kinesis](#input\_enable\_kinesis) | Flag to enable AWS Kinesis streams for flow logs | `bool` | `true` | no |
 | <a name="input_flowlog_bucket_arn"></a> [flowlog\_bucket\_arn](#input\_flowlog\_bucket\_arn) | S3 Bucket to hold the VPC flowlogs | `string` | n/a | yes |
 | <a name="input_flowlog_role_arn"></a> [flowlog\_role\_arn](#input\_flowlog\_role\_arn) | IAM Role with proper permissions to allow writing VPC flowlogs to cloudwatch logs and streamss | `string` | n/a | yes |
 | <a name="input_label"></a> [label](#input\_label) | Text label associated with the Transit Gateway | `string` | n/a | yes |

flowlogs-transit-gateway/main.tf

@@ -102,6 +102,7 @@ resource "aws_flow_log" "flowlog_cloudwatch" {
 }
 
 resource "aws_kinesis_stream" "flowlog" {
+  count               = var.enable_kinesis ? 1 : 0
   name                = local.flowlog_stream_name
   shard_count         = 1
   retention_period    = 48
@@ -116,10 +117,11 @@ resource "aws_kinesis_stream" "flowlog" {
 
 # have to add the flowlog arn here to the policy used by flowlogs in common/{east,west}/flowlog.tf
 resource "aws_cloudwatch_log_subscription_filter" "flowlog" {
+  count           = var.enable_kinesis ? 1 : 0
   name            = local.flowlog_stream_name
   role_arn        = var.flowlog_role_arn
   log_group_name  = aws_cloudwatch_log_group.flowlog.name
-  destination_arn = aws_kinesis_stream.flowlog.arn
+  destination_arn = var.enable_kinesis ? aws_kinesis_stream.flowlog[0].arn : ""
   filter_pattern  = "[action=*]"
   distribution    = "ByLogStream"
 }
@@ -128,6 +130,7 @@ resource "aws_cloudwatch_log_subscription_filter" "flowlog" {
 # generate splunk inputs file
 #---
 data "template_file" "splunk_flowlog" {
+  count    = var.enable_kinesis ? 1 : 0
   template = file("${path.module}/templates/aws_kinesis_tasks.conf.tpl")
   vars = {
     account_id          = local.account_id
@@ -140,6 +143,7 @@ data "template_file" "splunk_flowlog" {
 }
 
 resource "null_resource" "splunk_flowlog" {
+  count = var.enable_kinesis ? 1 : 0
   triggers = {
     filename  = format("aws_kinesis_tasks.%v-%v.%v.%v.conf", local.account_id, local.account_alias, local.region, local.flowlog_stream_name)
     directory = format("%v/setup", path.root)
@@ -159,7 +163,8 @@ resource "null_resource" "splunk_flowlog" {
 }
 
 resource "local_file" "splunk_flowlog" {
-  content         = data.template_file.splunk_flowlog.rendered
+  count           = var.enable_kinesis ? 1 : 0
+  content         = var.enable_kinesis ? data.template_file.splunk_flowlog[0].rendered : ""
   file_permission = "0644"
-  filename        = format("%v/%v", null_resource.splunk_flowlog.triggers.directory, null_resource.splunk_flowlog.triggers.filename)
+  filename        = var.enable_kinesis ? format("%v/%v", null_resource.splunk_flowlog[0].triggers.directory, null_resource.splunk_flowlog[0].triggers.filename) : "__kinesis_disbaled__"
 }

flowlogs-transit-gateway/variables.tf

@@ -17,3 +17,10 @@ variable "label" {
   description = "Text label associated with the Transit Gateway"
   type        = string
 }
+
+variable "enable_kinesis" {
+  description = "Flag to enable AWS Kinesis streams for flow logs"
+  type        = bool
+  default     = true
+}
+