flowlogs: add enable_kinesis_stream variable
badra001 committed Jan 18, 2023
1 parent 92a5089 commit eeacfdd
Showing 6 changed files with 25 additions and 8 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -238,3 +238,7 @@
- nacls
- split out attachment subnets, if present
- create attachment nacl, add entries in all, out all

* 2.4.8 -- 2023-01-18
- flowlogs
- add enable_kinesis_stream flag
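Review bot: the 2.4.8 entry records only the flowlogs flag, but this commit also adds a `vpn_selected_rt` local in vpc-transit-gateway-association/self/associate.tf, the `aws_iam_account_alias` data source and the optional `tags` attribute on the subnet object inputs in flowlogs; either list those here or split them into their own commit so the changelog matches what the release ships.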
2 changes: 1 addition & 1 deletion common/version.tf
@@ -1,5 +1,5 @@
locals {
_module_version = "2.4.7"
_module_version = "2.4.8"
_module_names = {
"_main_" = "aws-vpc-setup"

13 changes: 8 additions & 5 deletions flowlogs/README.md
Expand Up @@ -46,6 +46,7 @@ module "flowlogs" {
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.66.0 |
| <a name="requirement_ldap"></a> [ldap](#requirement\_ldap) | >= 0.5.4 |
| <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.0.0 |
| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.0 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
| <a name="requirement_template"></a> [template](#requirement\_template) | >= 2.0 |
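Review bot: the new `local >= 1.0.0` requirement row has no matching `required_providers` change in this commit (none of the six changed files is a versions file), so if this README is generated by terraform-docs the constraint is missing from the commit, and if it was hand-edited the code and docs now disagree; add the `local` entry to the module's `required_providers` block so the table is backed by an actual constraint.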
Expand All @@ -55,7 +56,7 @@ module "flowlogs" {
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
| <a name="provider_local"></a> [local](#provider\_local) | n/a |
| <a name="provider_local"></a> [local](#provider\_local) | >= 1.0.0 |
| <a name="provider_null"></a> [null](#provider\_null) | >= 3.0 |
| <a name="provider_template"></a> [template](#provider\_template) | >= 2.0 |

Expand All @@ -77,22 +78,24 @@ No modules.
| [null_resource.splunk_flowlog](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [template_file.splunk_flowlog](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
| <a name="input_enable_kinesis_stream"></a> [enable\_kinesis\_stream](#input\_enable\_kinesis\_stream) | Flag to enable or disable creation of kineis stream for Splunk | `bool` | `true` | no |
| <a name="input_flowlog_bucket_arn"></a> [flowlog\_bucket\_arn](#input\_flowlog\_bucket\_arn) | S3 Bucket to hold the VPC flowlogs | `string` | n/a | yes |
| <a name="input_flowlog_role_arn"></a> [flowlog\_role\_arn](#input\_flowlog\_role\_arn) | IAM Role with proper permissions to allow writing VPC flowlogs to cloudwatch logs and streamss | `string` | n/a | yes |
| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| <a name="input_private_subnet_ids"></a> [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet IDs (not objects) | `list(string)` | `[]` | no |
| <a name="input_private_subnets_ids"></a> [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id | <pre>list(object({<br> subnet = string<br> label = string<br> availability_zone = string<br> id = string<br> }))</pre> | `[]` | no |
| <a name="input_private_subnets_ids"></a> [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id | <pre>list(object({<br> subnet = string<br> label = string<br> availability_zone = string<br> id = string<br> tags = optional(map(string))<br> }))</pre> | `[]` | no |
| <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs (not objects) | `list(string)` | `[]` | no |
| <a name="input_public_subnets_ids"></a> [public\_subnets\_ids](#input\_public\_subnets\_ids) | List of public subnet objects including: subnet, label, availability\_zone, id | <pre>list(object({<br> subnet = string<br> label = string<br> availability_zone = string<br> id = string<br> }))</pre> | `[]` | no |
| <a name="input_public_subnets_ids"></a> [public\_subnets\_ids](#input\_public\_subnets\_ids) | List of public subnet objects including: subnet, label, availability\_zone, id | <pre>list(object({<br> subnet = string<br> label = string<br> availability_zone = string<br> id = string<br> tags = optional(map(string))<br> }))</pre> | `[]` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
| <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
| <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
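Review bot: the `enable_kinesis_stream` description misspells "kinesis" as "kineis" (the same string appears in variables.tf), and the `tags = optional(map(string))` attribute added to the `private_subnets_ids` and `public_subnets_ids` types is not compatible with the `terraform >= 0.13` requirement still listed above: `optional()` inside object type constraints was an opt-in experiment before Terraform 1.3 and is only generally available from 1.3 onward. Either raise the requirement to `>= 1.3` or drop `optional()`. The `aws_iam_account_alias` data source and the changed default behaviour of `account_alias` are also user-visible and belong in the changelog entry.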
5 changes: 4 additions & 1 deletion flowlogs/main.tf
Expand Up @@ -119,6 +119,7 @@ resource "aws_flow_log" "flowlog_cloudwatch" {
}

resource "aws_kinesis_stream" "flowlog" {
count = var.enable_kinesis_stream ? 1 : 0
name = local.flowlog_stream_name
shard_count = 1
retention_period = 48
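Review bot: adding `count` to the existing `aws_kinesis_stream.flowlog` changes its address to `aws_kinesis_stream.flowlog[0]`, so every deployment already using this module will plan a destroy and recreate of the stream (and lose whatever is inside its 48-hour retention window) unless the state is migrated first. Add a `moved { from = aws_kinesis_stream.flowlog to = aws_kinesis_stream.flowlog[0] }` block (Terraform 1.1+) or document the required `terraform state mv`; the same applies to the subscription filter and `local_file` resources gated further down.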
Expand All @@ -133,10 +134,11 @@ resource "aws_kinesis_stream" "flowlog" {

# have to add the flowlog arn here to the policy used by flowlogs in common/{east,west}/flowlog.tf
resource "aws_cloudwatch_log_subscription_filter" "flowlog" {
count = var.enable_kinesis_stream ? 1 : 0
name = local.flowlog_stream_name
role_arn = var.flowlog_role_arn
log_group_name = aws_cloudwatch_log_group.flowlog.name
destination_arn = aws_kinesis_stream.flowlog.arn
destination_arn = try(aws_kinesis_stream.flowlog[0].arn, null)
filter_pattern = "[action=*]"
distribution = "ByLogStream"
}
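Review bot: `try(aws_kinesis_stream.flowlog[0].arn, null)` is redundant because this resource carries the same `count` gate as the stream: when the flag is true, index 0 always exists, and when it is false this resource is not created at all. The `try` only masks genuine errors (a mistyped reference, for instance) by silently passing `null` as `destination_arn`, so reference `aws_kinesis_stream.flowlog[0].arn` directly. Since this filter is what forwards the log group to the stream, the flag also means that with it set to false the CloudWatch log group still fills with flow logs but nothing is shipped onward; the variable description should say that rather than only "creation of kinesis stream".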
Expand Down Expand Up @@ -176,6 +178,7 @@ resource "null_resource" "splunk_flowlog" {
}

resource "local_file" "splunk_flowlog" {
count = var.enable_kinesis_stream ? 1 : 0
content = data.template_file.splunk_flowlog.rendered
file_permission = "0644"
filename = format("%v/%v", null_resource.splunk_flowlog.triggers.directory, null_resource.splunk_flowlog.triggers.filename)
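Review bot: `local_file.splunk_flowlog` is now gated, but the `null_resource.splunk_flowlog` whose triggers it reads and the `data.template_file.splunk_flowlog` whose rendered output it writes are unchanged in this diff. If that template references the stream (its name or ARN), it will still be rendered when the flag is false and should be gated the same way; if it does not, the `null_resource` still evaluates its triggers for no effect. In either case the address has changed, so any reference to `local_file.splunk_flowlog.filename` elsewhere now needs `[0]`.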
6 changes: 6 additions & 0 deletions flowlogs/variables.tf
Expand Up @@ -19,3 +19,9 @@ variable "private_subnet_ids" {
type = list(string)
default = []
}

variable "enable_kinesis_stream" {
description = "Flag to enable or disable creation of kineis stream for Splunk"
type = bool
default = true
}
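Review bot: the description misspells "kinesis" as "kineis". Defaulting to `true` preserves behaviour for existing callers, which is the right choice, but because the same flag also disables the CloudWatch subscription filter and the Splunk input file, the description should name all three effects so operators understand that setting it to `false` stops flow logs leaving the log group.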
3 changes: 2 additions & 1 deletion vpc-transit-gateway-association/self/associate.tf
Expand Up @@ -59,7 +59,8 @@ resource "aws_ec2_transit_gateway_route_table_association" "route_table_self" {
locals {
propagate_all_rt = ["services", "inter-region"]
# selected_rt = [for k in keys(local.transit_gateway_route_table_ids_self) : k if ! contains(local.propagate_all_rt, k)]
selected_rt = [for k in keys(var.data_input.map_route_tables_self) : k if ! contains(local.propagate_all_rt, k)]
selected_rt = [for k in keys(var.data_input.map_route_tables_self) : k if ! contains(local.propagate_all_rt, k)]
vpn_selected_rt = [for k in keys(var.data_input.map_route_tables_self) : k if ! contains(local.propagate_all_rt, k)]
}

#---
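Review bot: `vpn_selected_rt` has exactly the same expression as `selected_rt` on the line above it, so it is a duplicate rather than a distinct selection; if it is meant as an alias, write `vpn_selected_rt = local.selected_rt` so the two cannot drift apart, and if it is meant to differ (for example by excluding VPN route tables) the extra filter is missing. The change is also unrelated to the `flowlogs` commit message and absent from the CHANGELOG entry.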

0 comments on commit eeacfdd