create flowlogs-role

flowlogs-role/data.tf

@@ -0,0 +1 @@
+../common/data.tf

flowlogs-role/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf

flowlogs-role/main.tf

@@ -0,0 +1,104 @@
+/*
+* # aws-vpc-setup :: flowlogs-role
+*
+* This sets up the default flowlogs role and policies, allowign for kinesis streams to be used in all regions
+* selected.  The role and policy created are `inf-flowlogs` with the appropriate prefix.
+*
+* # Usage
+* ```hcl
+* module "role_flowlogs" {
+*   source            = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//flowlogs-role"
+*   regions           = values(var.region_map)
+*   attached_policies = [ module.general.custom_policies_arn["deny_billing"]]
+*   tags = { }
+* }
+* ```
+*/
+
+locals {
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+
+  base_tags = {
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}
+
+locals {
+  flowlogs_regions = var.regions
+  flowlogs_streams = [for r in local.flowlogs_regions :
+  format("arn:%v:kinesis:%v:%v:stream/%vvpc*", data.aws_arn.current.partition, r, data.aws_caller_identity.current.account_id, local._prefixes["log-stream"])]
+}
+
+module "flowlogs" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+
+  role_name              = "inf-flowlogs"
+  enable_ldap_creation   = false
+  assume_policy_document = data.aws_iam_policy_document.flowlogs_assume.json
+  attached_policies      = var.attached_policies
+
+  tags = merge(
+    local.base_tags,
+    local.tags
+  )
+}
+
+#---
+# setup policy for flowlogs
+#  attach after creation of the role. This is because the policy references the role ARN
+#  and it cannot be added before it exists
+#---
+resource "aws_iam_policy" "flowlogs" {
+  name        = "p-inf-flowlog"
+  path        = "/"
+  description = "Policy for INF Flowlogs"
+  policy      = data.aws_iam_policy_document.flowlogs.json
+}
+
+resource "aws_iam_role_policy_attachment" "flowlogs" {
+  role       = module.flowlogs.role_name
+  policy_arn = aws_iam_policy.flowlogs.arn
+}
+
+data "aws_iam_policy_document" "flowlogs" {
+  statement {
+    sid       = "VPCFlowLogs"
+    effect    = "Allow"
+    resources = ["*"]
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:DescribeLogGroups",
+      "logs:DescribeLogStreams",
+      "logs:CreateLogDelivery",
+      "logs:DeleteLogDelivery",
+    ]
+  }
+  statement {
+    sid       = "VPCFlowLogsKinesisPassRole"
+    effect    = "Allow"
+    actions   = ["iam:PassRole"]
+    resources = [module.flowlogs.role_arn]
+  }
+  statement {
+    sid       = "VPCFlowLogsKinesis"
+    effect    = "Allow"
+    actions   = ["kinesis:PutRecord"]
+    resources = [local.flowlogs_streams]
+  }
+}
+
+data "aws_iam_policy_document" "flowlogs_assume" {
+  statement {
+    sid     = "VPCFlowLogsAssumeRole"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "Service"
+      identifiers = concat(list("vpc-flow-logs.amazonaws.com"), formatlist("logs.%v.amazonaws.com", local.flowlogs_regions))
+    }
+  }
+}

flowlogs-role/outputs.tf

@@ -0,0 +1,10 @@
+output "role_arn" {
+  description = "Created flowlogs role ARN"
+  value       = module.flowlogs.role_arn
+}
+
+output "role_name" {
+  description = "Created flowlogs role name"
+  value       = module.flowlogs.role_name
+}
+

flowlogs-role/prefixes.tf

@@ -0,0 +1 @@
+../common/prefixes.tf

flowlogs-role/variables.common.tf

@@ -0,0 +1 @@
+../common/variables.common.tf

flowlogs-role/variables.tf

@@ -0,0 +1,11 @@
+variable "attached_policies" {
+  description = "List of IAM Policy ARNs to attach to this role"
+  type        = list(string)
+  default     = []
+}
+
+variable "regions" {
+  description = "List of AWS Regions for which to grant Kinesis stream access"
+  type        = list(string)
+  default     = []
+}

flowlogs-role/version.tf

@@ -0,0 +1 @@
+../common/version.tf