diff --git a/flowlogs-transit-gateway/README.md b/flowlogs-transit-gateway/README.md
index bfee6af..035cc68 100644
--- a/flowlogs-transit-gateway/README.md
+++ b/flowlogs-transit-gateway/README.md
@@ -83,6 +83,7 @@ No modules.
|------|-------------|------|---------|:--------:|
| [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
+| [enable\_kinesis](#input\_enable\_kinesis) | Flag to enable AWS Kinesis streams for flow logs | `bool` | `true` | no |
| [flowlog\_bucket\_arn](#input\_flowlog\_bucket\_arn) | S3 Bucket to hold the VPC flowlogs | `string` | n/a | yes |
| [flowlog\_role\_arn](#input\_flowlog\_role\_arn) | IAM Role with proper permissions to allow writing VPC flowlogs to cloudwatch logs and streamss | `string` | n/a | yes |
| [label](#input\_label) | Text label associated with the Transit Gateway | `string` | n/a | yes |
diff --git a/flowlogs-transit-gateway/main.tf b/flowlogs-transit-gateway/main.tf
index 249f63d..86e850c 100644
--- a/flowlogs-transit-gateway/main.tf
+++ b/flowlogs-transit-gateway/main.tf
@@ -102,6 +102,7 @@ resource "aws_flow_log" "flowlog_cloudwatch" {
}
resource "aws_kinesis_stream" "flowlog" {
+ count = var.enable_kinesis ? 1 : 0
name = local.flowlog_stream_name
shard_count = 1
retention_period = 48
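Review bot: Adding `count` changes the stream's address to `aws_kinesis_stream.flowlog[0]`, so any reference outside these hunks that still uses `aws_kinesis_stream.flowlog.arn` without an index (an outputs file, or the policy the comment in the next hunk says lives in `common/{east,west}/flowlog.tf`) will fail at plan time; none of those files are in this diff, so that is worth checking before merge. Existing deployments also need the state entry moved to the indexed address (a `moved { from = aws_kinesis_stream.flowlog  to = aws_kinesis_stream.flowlog[0] }` block, or `terraform state mv`), otherwise the plan destroys and recreates the stream and anything still retained in it is lost. The resource body continues outside the hunk.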
@@ -116,10 +117,11 @@ resource "aws_kinesis_stream" "flowlog" {
# have to add the flowlog arn here to the policy used by flowlogs in common/{east,west}/flowlog.tf
resource "aws_cloudwatch_log_subscription_filter" "flowlog" {
+ count = var.enable_kinesis ? 1 : 0
name = local.flowlog_stream_name
role_arn = var.flowlog_role_arn
log_group_name = aws_cloudwatch_log_group.flowlog.name
- destination_arn = aws_kinesis_stream.flowlog.arn
+ destination_arn = var.enable_kinesis ? aws_kinesis_stream.flowlog[0].arn : ""
filter_pattern = "[action=*]"
distribution = "ByLogStream"
}
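Review bot: The conditional on `destination_arn` is redundant: this resource now carries the same `count` guard, so when `enable_kinesis` is false the attribute is never evaluated, and when it is true the `""` branch is dead; `destination_arn = aws_kinesis_stream.flowlog[0].arn` states the dependency directly and keeps the implicit ordering on the stream. The same pattern appears in the `local_file` hunk further down, where the `content` and `filename` fallbacks (`""` and the misspelled `__kinesis_disbaled__`) can likewise never be reached and can be dropped. Since this filter appears to be the path that forwards flow logs out of the CloudWatch log group in this file, a short comment on the new `count` line, `# disabling Kinesis leaves flow logs in the CloudWatch log group only`, would make the operational effect of the flag obvious to the next reader.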
@@ -128,6 +130,7 @@ resource "aws_cloudwatch_log_subscription_filter" "flowlog" {
# generate splunk inputs file
#---
data "template_file" "splunk_flowlog" {
+ count = var.enable_kinesis ? 1 : 0
template = file("${path.module}/templates/aws_kinesis_tasks.conf.tpl")
vars = {
account_id = local.account_id
@@ -140,6 +143,7 @@ data "template_file" "splunk_flowlog" {
}
resource "null_resource" "splunk_flowlog" {
+ count = var.enable_kinesis ? 1 : 0
triggers = {
filename = format("aws_kinesis_tasks.%v-%v.%v.%v.conf", local.account_id, local.account_alias, local.region, local.flowlog_stream_name)
directory = format("%v/setup", path.root)
@@ -159,7 +163,8 @@ resource "null_resource" "splunk_flowlog" {
}
resource "local_file" "splunk_flowlog" {
- content = data.template_file.splunk_flowlog.rendered
+ count = var.enable_kinesis ? 1 : 0
+ content = var.enable_kinesis ? data.template_file.splunk_flowlog[0].rendered : ""
file_permission = "0644"
- filename = format("%v/%v", null_resource.splunk_flowlog.triggers.directory, null_resource.splunk_flowlog.triggers.filename)
+ filename = var.enable_kinesis ? format("%v/%v", null_resource.splunk_flowlog[0].triggers.directory, null_resource.splunk_flowlog[0].triggers.filename) : "__kinesis_disbaled__"
}
diff --git a/flowlogs-transit-gateway/variables.tf b/flowlogs-transit-gateway/variables.tf
index a7008a7..be2a3f7 100644
--- a/flowlogs-transit-gateway/variables.tf
+++ b/flowlogs-transit-gateway/variables.tf
@@ -17,3 +17,10 @@ variable "label" {
description = "Text label associated with the Transit Gateway"
type = string
}
+
+variable "enable_kinesis" {
+ description = "Flag to enable AWS Kinesis streams for flow logs"
+ type = bool
+ default = true
+}
+
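Review bot: The description understates what the flag controls: per the main.tf hunks it also gates the CloudWatch subscription filter, the Splunk `aws_kinesis_tasks` template and the generated local inputs file, so a reader of the generated docs would not know that setting it to false stops flow logs from leaving CloudWatch for Splunk. Suggest `description = "Enable the Kinesis stream, CloudWatch subscription filter and Splunk inputs file for flow logs; when false, flow logs remain only in the CloudWatch log group"`, with the README row updated to match.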