From e18d5bdea95a6acb51dc6375435c325265a877bb Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 15 Dec 2023 08:15:58 -0500
Subject: [PATCH] * 2.9.14 -- 2023-12-15 - vpn-transit-gateway - add cloudwatch_log_prefix, to be set when log policy > 5120, to /aws/vendedlogs per AWS documentation at https://docs.aws.amazon.com/step-functions/latest/dg/bp-cwl.html. May also be possible with a cloudwatch log policy resource, but unclear how that affects all the other log policies listed
---
 CHANGELOG.md | 6 ++
 common/version.tf | 2 +-
 vpn-transit-gateway/README.md | 141 ++++++++++++++++++++++++++++++
 vpn-transit-gateway/cloudwatch.tf | 6 +-
 vpn-transit-gateway/variables.tf | 5 ++
 5 files changed, 158 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 50b149c..cc0f170 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -372,3 +372,9 @@
 * 2.9.13 -- 2023-12-13
 - vpn-transit-gateway
 - change alarm templates to reduce size for aggregate alarms
+
+* 2.9.14 -- 2023-12-15
+ - vpn-transit-gateway
+ - add cloudwatch_log_prefix, to be set when log policy > 5120, to /aws/vendedlogs per AWS documentation at
+ https://docs.aws.amazon.com/step-functions/latest/dg/bp-cwl.html. May also be possible with a cloudwatch log policy
+ resource, but unclear how that affects all the other log policies listed
diff --git a/common/version.tf b/common/version.tf
index c9003c2..9199f88 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
- _module_version = "2.9.12"
+ _module_version = "2.9.14"
 _module_names = {
 "_main_" = "aws-vpc-setup"
diff --git a/vpn-transit-gateway/README.md b/vpn-transit-gateway/README.md
index 771c876..0ab88eb 100644
--- a/vpn-transit-gateway/README.md
+++ b/vpn-transit-gateway/README.md
@@ -135,3 +135,144 @@ No modules. | [customer\_gateway\_ids](#output\_customer\_gateway\_ids) | AWS Customer Gateway IDs | | [vpn\_labels](#output\_vpn\_labels) | VPN Labels for Description field of Endpoint device (Cisco ASR) | | [vpn\_tunnel\_endpoints](#output\_vpn\_tunnel\_endpoints) | VPN Tunnel Endpoint IP Addresses | + + +# About aws-vpc-setup :: vpn-transit-gateway + +This sets up a VPN for the specified site (hq or bcc) and all the necessary related components: +* customer gateway per site, environment and sequence +* vpn connection to the transit gateway + +It generates a password for each site and uses the same one for each of the site's two tunnels. + +To download the configuration, follow these directions [page 24 from AWS docs](https://docs.aws.amazon.com/vpn/latest/s2svpn/s2s-vpn-user-guide.pdf): + +> To download the configuration file +> 1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/. +> 1. In the navigation pane, choose Site-to-Site VPN Connections. +> 1. Select your VPN connection and choose Download Configuration. +> 1. Select the vendor, platform, and software that corresponds to your customer gateway device or +> 1oftware. If your device is not listed, choose Generic. Choose Download. +> * Vendor: Cisco Systems, Inc. 
+> * Platform: Cisco ASR 1000 +> * Software: IOS 12.4+ + +# Usage + +```hcl +module "vpn_transit-gateway" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpn-transit-gateway" + create = true + vpc_id = "vpc-1234568" + transit_gateway_id = "tgw-12345678" + tgw_environment = "dev" + vpn_settings = [ + { site = "hq", environment = "dev", sequence = 1, "bgp_asn_id" = 65510, "ip_address" = "148.129.160.100" }, + { site = "bcc", environment = "dev", sequence = 1, "bgp_asn_id" = 65511, "ip_address" = "148.129.90.100" }, + ] + tgw_route_table_association = "tgw-rtb-123123123123" + tgw_route_table_propagation = [ "tgw-rtb-123123123123", "tgw-rtb-234234234234" ] + tags = {} + + # optional + # use_tgw_prefixes = true + # enable_cloudwatch_alarms = true + # cloudwatch_alarm_topic_arn = data.aws_sns_topic.mytopic.arn +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13 | +| [aws](#requirement\_aws) | >= 3.66.0 | +| [ldap](#requirement\_ldap) | >= 0.5.4 | +| [local](#requirement\_local) | >= 1.0.0 | +| [null](#requirement\_null) | >= 3.0 | +| [random](#requirement\_random) | >= 3.0 | +| [template](#requirement\_template) | >= 2.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.66.0 | +| [local](#provider\_local) | >= 1.0.0 | +| [null](#provider\_null) | >= 3.0 | +| [random](#provider\_random) | >= 3.0 | + +## Modules + +No modules. 
+ +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_composite_alarm.tgw_vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_composite_alarm) | resource | +| [aws_cloudwatch_composite_alarm.tgw_vpn_site](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_composite_alarm) | resource | +| [aws_cloudwatch_log_group.log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_metric_alarm.tgw_vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | +| [aws_customer_gateway.vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/customer_gateway) | resource | +| [aws_customer_gateway.vpn_single](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/customer_gateway) | resource | +| [aws_ec2_tag.vpn_tag_created_by](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | +| [aws_ec2_tag.vpn_tag_environment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | +| [aws_ec2_tag.vpn_tag_name](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | +| [aws_ec2_transit_gateway_route_table_association.route_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource | +| [aws_ec2_transit_gateway_route_table_propagation.propagate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource | +| [aws_vpn_connection.vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_connection) | resource | +| 
[local_sensitive_file.vpn_details_json](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource | +| [local_sensitive_file.vpn_details_yaml](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource | +| [local_sensitive_file.vpn_site_details_json](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource | +| [local_sensitive_file.vpn_site_details_yaml](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource | +| [null_resource.directory_setup](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.generate_configs](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [random_string.tunnel_preshared_key](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [random_string.tunnel_preshared_key_single](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS 
Account Alias (default: will pull from current account\_alias) | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no | +| [cloudwatch\_alarm\_topic\_arn](#input\_cloudwatch\_alarm\_topic\_arn) | SNS ARN for Cloudwtch Metric Alarms for VPN tunnels. If null, no alarms will be created. | `string` | `null` | no | +| [cloudwatch\_log\_prefix](#input\_cloudwatch\_log\_prefix) | Prefix for CloudWatch Logs, to be used when size of policy > 5120. Should be set to /aws/vendedlogs | `string` | `""` | no | +| [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no | +| [enable\_cloudwatch\_alarms](#input\_enable\_cloudwatch\_alarms) | Flag to enable or disable creation of Cloudwatch Metric Alarms for VPN tunnels (requires cloudwatch\_alarm\_topic\_arn to be defined). | `bool` | `true` | no | +| [enable\_cloudwatch\_logging](#input\_enable\_cloudwatch\_logging) | Flag to enable or disable VPN tunnel logging to CloudWatch. If Enabled, it will create the cloudwatch log groups | `bool` | `false` | no | +| [generate\_json\_files](#input\_generate\_json\_files) | Flag to enable or disable generation of JSON file from VPN information | `bool` | `false` | no | +| [generate\_yaml\_files](#input\_generate\_yaml\_files) | Flag to enable or disable generation of YAML file from VPN information | `bool` | `true` | no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. 
This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [profile](#input\_profile) | AWS Profile Name, used for makign AWS call to download VPN configurations | `string` | `"default"` | no | +| [route\_table\_ids](#input\_route\_table\_ids) | List of created route table IDs for privating routing to be used for VPN route propagation | `list(string)` | `[]` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | +| [tgw\_environment](#input\_tgw\_environment) | Transit Gatewway environment purpose (services, dev, test, stage, prod, cre) | `string` | `null` | no | +| [tgw\_route\_table\_association](#input\_tgw\_route\_table\_association) | Transit Gateway Route Table to associate the VPN attachments with. Only one route table may be associated with a VPN attachment. | `string` | `null` | no | +| [tgw\_route\_table\_propagation](#input\_tgw\_route\_table\_propagation) | Transit Gateway Route Tables to propagate the VPN attachments. Multiple route tables may be selected. | `list(string)` | `[]` | no | +| [tgw\_vpn\_settings](#input\_tgw\_vpn\_settings) | Transit Gateway VPN Connection details array of objects |
list(object(
{
site = string
environment = string
sequence = number
region = optional(string)
bgp_asn_id = number
ip_address = string
tunnel_ips = list(string)
preshared_keys = list(string)
tunnel_interfaces = optional(list(number))
tunnel_track = optional(list(number))
tunnel_loopback = optional(number)
}
))
| `[]` | no | +| [transit\_gateway\_id](#input\_transit\_gateway\_id) | Transit Gateway ID | `string` | n/a | yes | +| [use\_single\_cgw](#input\_use\_single\_cgw) | Flag to enable or disable the use of a single customer gateway per site vs one per site and VPN | `bool` | `false` | no | +| [use\_tgw\_prefixes](#input\_use\_tgw\_prefixes) | Flag to enable or disable the use of Transit Gateway prefixes (default: false) | `bool` | `false` | no | +| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no | +| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes | +| [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no | +| [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no | +| [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [customer\_gateway\_arns](#output\_customer\_gateway\_arns) | AWS Customer Gateway ARNs | +| [customer\_gateway\_ids](#output\_customer\_gateway\_ids) | AWS Customer Gateway IDs | +| [vpn\_labels](#output\_vpn\_labels) | VPN Labels for Description field of Endpoint device (Cisco ASR) | +| [vpn\_tunnel\_endpoints](#output\_vpn\_tunnel\_endpoints) | VPN Tunnel Endpoint IP Addresses | + \ No newline at end of file diff --git a/vpn-transit-gateway/cloudwatch.tf b/vpn-transit-gateway/cloudwatch.tf index e9dac07..1dbf6ba 100644 --- a/vpn-transit-gateway/cloudwatch.tf +++ b/vpn-transit-gateway/cloudwatch.tf 
@@ -1,7 +1,11 @@
+locals {
+ cloudwatch_log_prefix = var.cloudwatch_log_prefix != "" ? format("%v/", trimsuffix(var.cloudwatch_log_prefix, "/")) : var.cloudwatch_log_prefix
+}
+
 resource "aws_cloudwatch_log_group" "log" {
 # for_each = var.enable_cloudwatch_logging ? local.vpn_tunnel_outputs : {}
 for_each = var.enable_cloudwatch_logging ? local.vpn_settings : {}
- name = format("vpn/tgw/%v/%v", var.tgw_environment, each.key)
+ name = format("%vvpn/tgw/%v/%v", local.cloudwatch_log_prefix, var.tgw_environment, each.key)
 # kms_key_id = var.kms_key_arn
 retention_in_days = 60
diff --git a/vpn-transit-gateway/variables.tf b/vpn-transit-gateway/variables.tf
index 3b8bdea..df4a735 100644
--- a/vpn-transit-gateway/variables.tf
+++ b/vpn-transit-gateway/variables.tf
@@ -99,3 +99,8 @@ variable "cloudwatch_alarm_topic_arn" {
 default = null
 }
+variable "cloudwatch_log_prefix" {
+ description = "Prefix for CloudWatch Logs, to be used when size of policy > 5120. Should be set to /aws/vendedlogs"
+ type = string
+ default = ""
+}
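Review bot: The new `locals` normalization only strips a trailing slash, so a value like `aws/vendedlogs` produces a log group named `aws/vendedlogs/vpn/tgw/...`, which is not under the `/aws/vendedlogs/` namespace that the 5120-character resource-policy workaround on the linked AWS page depends on; normalizing both ends, `cloudwatch_log_prefix = var.cloudwatch_log_prefix != "" ? format("/%v/", trim(var.cloudwatch_log_prefix, "/")) : ""`, makes the log group land in that namespace however the caller spells the prefix. As far as I can tell a `null` value would also pass the `!= ""` test and then fail inside `trimsuffix`, so the variable added in the variables.tf hunk on this same line could carry a `validation` block with `condition = var.cloudwatch_log_prefix == "" || can(regex("^/", var.cloudwatch_log_prefix))` to reject both null and slash-less values at plan time. Its description should also name which policy the 5120 figure refers to, e.g. `"Log group name prefix; set to /aws/vendedlogs when the CloudWatch Logs resource policy would otherwise exceed the 5120-character limit"`. The `aws_cloudwatch_log_group.log` resource continues past the end of the hunk.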