From b4cc504f5cd794cefd25354a47d90d70ec0337ac Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 2 Aug 2022 10:05:07 -0400
Subject: [PATCH] enable_kinesis as flag
---
 flowlogs-transit-gateway/README.md | 1 +
 flowlogs-transit-gateway/main.tf | 11 ++++++++---
 flowlogs-transit-gateway/variables.tf | 7 +++++++
 3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/flowlogs-transit-gateway/README.md b/flowlogs-transit-gateway/README.md
index bfee6af..035cc68 100644
--- a/flowlogs-transit-gateway/README.md
+++ b/flowlogs-transit-gateway/README.md
@@ -83,6 +83,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
 | [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
+| [enable\_kinesis](#input\_enable\_kinesis) | Flag to enable AWS Kinesis streams for flow logs | `bool` | `true` | no |
 | [flowlog\_bucket\_arn](#input\_flowlog\_bucket\_arn) | S3 Bucket to hold the VPC flowlogs | `string` | n/a | yes |
 | [flowlog\_role\_arn](#input\_flowlog\_role\_arn) | IAM Role with proper permissions to allow writing VPC flowlogs to cloudwatch logs and streamss | `string` | n/a | yes |
 | [label](#input\_label) | Text label associated with the Transit Gateway | `string` | n/a | yes |
diff --git a/flowlogs-transit-gateway/main.tf b/flowlogs-transit-gateway/main.tf
index 249f63d..86e850c 100644
--- a/flowlogs-transit-gateway/main.tf
+++ b/flowlogs-transit-gateway/main.tf
@@ -102,6 +102,7 @@ resource "aws_flow_log" "flowlog_cloudwatch" {
 }
 
 resource "aws_kinesis_stream" "flowlog" {
+ count = var.enable_kinesis ? 1 : 0
 name = local.flowlog_stream_name
 shard_count = 1
 retention_period = 48
@@ -116,10 +117,11 @@ resource "aws_kinesis_stream" "flowlog" {
 
 # have to add the flowlog arn here to the policy used by flowlogs in common/{east,west}/flowlog.tf
 resource "aws_cloudwatch_log_subscription_filter" "flowlog" {
+ count = var.enable_kinesis ? 1 : 0
 name = local.flowlog_stream_name
 role_arn = var.flowlog_role_arn
 log_group_name = aws_cloudwatch_log_group.flowlog.name
- destination_arn = aws_kinesis_stream.flowlog.arn
+ destination_arn = var.enable_kinesis ? aws_kinesis_stream.flowlog[0].arn : ""
 filter_pattern = "[action=*]"
 distribution = "ByLogStream"
 }
@@ -128,6 +130,7 @@ resource "aws_cloudwatch_log_subscription_filter" "flowlog" {
 # generate splunk inputs file
 #---
 data "template_file" "splunk_flowlog" {
+ count = var.enable_kinesis ? 1 : 0
 template = file("${path.module}/templates/aws_kinesis_tasks.conf.tpl")
 vars = {
 account_id = local.account_id
@@ -140,6 +143,7 @@ data "template_file" "splunk_flowlog" {
 }
 
 resource "null_resource" "splunk_flowlog" {
+ count = var.enable_kinesis ? 1 : 0
 triggers = {
 filename = format("aws_kinesis_tasks.%v-%v.%v.%v.conf", local.account_id, local.account_alias, local.region, local.flowlog_stream_name)
 directory = format("%v/setup", path.root)
@@ -159,7 +163,8 @@ resource "null_resource" "splunk_flowlog" {
 }
 
 resource "local_file" "splunk_flowlog" {
- content = data.template_file.splunk_flowlog.rendered
+ count = var.enable_kinesis ? 1 : 0
+ content = var.enable_kinesis ? data.template_file.splunk_flowlog[0].rendered : ""
 file_permission = "0644"
- filename = format("%v/%v", null_resource.splunk_flowlog.triggers.directory, null_resource.splunk_flowlog.triggers.filename)
+ filename = var.enable_kinesis ? format("%v/%v", null_resource.splunk_flowlog[0].triggers.directory, null_resource.splunk_flowlog[0].triggers.filename) : "__kinesis_disbaled__"
 }
diff --git a/flowlogs-transit-gateway/variables.tf b/flowlogs-transit-gateway/variables.tf
index a7008a7..be2a3f7 100644
--- a/flowlogs-transit-gateway/variables.tf
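Review bot: The conditional in `destination_arn = var.enable_kinesis ? aws_kinesis_stream.flowlog[0].arn : ""` is redundant once `aws_cloudwatch_log_subscription_filter.flowlog` carries `count = var.enable_kinesis ? 1 : 0`, because Terraform does not evaluate the body of a resource whose count is zero; `destination_arn = aws_kinesis_stream.flowlog[0].arn` is sufficient and avoids an empty-string ARN that could only ever be a misleading placeholder. The same redundant ternaries appear on `content` and `filename` in the `local_file.splunk_flowlog` hunk of this file. If the module's required Terraform version allows it, `one(aws_kinesis_stream.flowlog).arn` reads more clearly than indexing a single-element list. Note also that the comment above the resource about adding the stream ARN to the flow-log role policy now only applies when the flag is true, which is worth stating there so the policy in the referenced common files is not left broader than needed when Kinesis is disabled.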
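Review bot: The fallback filename `"__kinesis_disbaled__"` in `local_file.splunk_flowlog` misspells "disabled", and since the resource is count-gated on the same flag that branch, like the `: ""` fallback on `content`, can never be evaluated. Dropping the dead branches leaves `content = data.template_file.splunk_flowlog[0].rendered` and `filename = format("%v/%v", null_resource.splunk_flowlog[0].triggers.directory, null_resource.splunk_flowlog[0].triggers.filename)`. Be aware that flipping the flag to false destroys the `local_file`, so the previously generated inputs file under `setup/` is removed from the working tree on the next apply; a short comment saying so would help operators who hand the file to Splunk.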
+++ b/flowlogs-transit-gateway/variables.tf
@@ -17,3 +17,10 @@ variable "label" {
 description = "Text label associated with the Transit Gateway"
 type = string
 }
+
+variable "enable_kinesis" {
+ description = "Flag to enable AWS Kinesis streams for flow logs"
+ type = bool
+ default = true
+}
+
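Review bot: The description `"Flag to enable AWS Kinesis streams for flow logs"` understates what the variable controls: the main.tf hunks gate the CloudWatch subscription filter and the generated Splunk inputs file on it as well, so setting it to false stops the Transit Gateway flow logs from being forwarded to Splunk while the CloudWatch log group and the S3 destination appear to remain. Suggest `description = "Create the Kinesis stream, CloudWatch subscription filter and Splunk inputs file that forward flow logs to Splunk; set to false to keep only the CloudWatch and S3 destinations"` and mirror the wording in the README table. `default = true` preserves existing behaviour for callers that do not set the flag, which looks intentional but is worth a one-line comment on the variable.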