diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9ae1206..e84004b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -238,3 +238,7 @@
 - nacls
 - split out attachment subnets, if present
 - create attachment nacl, add entries in all, out all
+
+* 2.4.8 -- 2023-01-18
+ - flowlogs
+ - add enable_kinesis_stream flag
diff --git a/common/version.tf b/common/version.tf
index 1d918eb..8aadedb 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
- _module_version = "2.4.7"
+ _module_version = "2.4.8"
 _module_names = {
 "_main_" = "aws-vpc-setup"
diff --git a/flowlogs/README.md b/flowlogs/README.md
index 16eb00c..707869f 100644
--- a/flowlogs/README.md
+++ b/flowlogs/README.md
@@ -46,6 +46,7 @@ module "flowlogs" {
 | [terraform](#requirement\_terraform) | >= 0.13 |
 | [aws](#requirement\_aws) | >= 3.66.0 |
 | [ldap](#requirement\_ldap) | >= 0.5.4 |
+| [local](#requirement\_local) | >= 1.0.0 |
 | [null](#requirement\_null) | >= 3.0 |
 | [random](#requirement\_random) | >= 3.0 |
 | [template](#requirement\_template) | >= 2.0 |
@@ -55,7 +56,7 @@ module "flowlogs" {
 | Name | Version |
 |------|---------|
 | [aws](#provider\_aws) | >= 3.66.0 |
-| [local](#provider\_local) | n/a |
+| [local](#provider\_local) | >= 1.0.0 |
 | [null](#provider\_null) | >= 3.0 |
 | [template](#provider\_template) | >= 2.0 |
 
@@ -77,6 +78,7 @@ No modules.
 | [null_resource.splunk_flowlog](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [template_file.splunk_flowlog](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 
@@ -84,15 +86,16 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
-| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
+| [enable\_kinesis\_stream](#input\_enable\_kinesis\_stream) | Flag to enable or disable creation of kineis stream for Splunk | `bool` | `true` | no |
 | [flowlog\_bucket\_arn](#input\_flowlog\_bucket\_arn) | S3 Bucket to hold the VPC flowlogs | `string` | n/a | yes |
 | [flowlog\_role\_arn](#input\_flowlog\_role\_arn) | IAM Role with proper permissions to allow writing VPC flowlogs to cloudwatch logs and streamss | `string` | n/a | yes |
 | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet IDs (not objects) | `list(string)` | `[]` | no |
-| [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id |
list(object({
subnet = string
label = string
availability_zone = string
id = string
}))
| `[]` | no | +| [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id |
list(object({
subnet = string
label = string
availability_zone = string
id = string
tags = optional(map(string))
}))
| `[]` | no | | [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs (not objects) | `list(string)` | `[]` | no | -| [public\_subnets\_ids](#input\_public\_subnets\_ids) | List of public subnet objects including: subnet, label, availability\_zone, id |
list(object({
subnet = string
label = string
availability_zone = string
id = string
}))
| `[]` | no | +| [public\_subnets\_ids](#input\_public\_subnets\_ids) | List of public subnet objects including: subnet, label, availability\_zone, id |
list(object({
subnet = string
label = string
availability_zone = string
id = string
tags = optional(map(string))
}))
| `[]` | no |
 | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 | [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
 | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
diff --git a/flowlogs/main.tf b/flowlogs/main.tf
index 2fa816a..43fa25b 100644
--- a/flowlogs/main.tf
+++ b/flowlogs/main.tf
@@ -119,6 +119,7 @@ resource "aws_flow_log" "flowlog_cloudwatch" {
 }
 
 resource "aws_kinesis_stream" "flowlog" {
+ count = var.enable_kinesis_stream ? 1 : 0
 name = local.flowlog_stream_name
 shard_count = 1
 retention_period = 48
@@ -133,10 +134,11 @@ resource "aws_kinesis_stream" "flowlog" {
 
 # have to add the flowlog arn here to the policy used by flowlogs in common/{east,west}/flowlog.tf
 resource "aws_cloudwatch_log_subscription_filter" "flowlog" {
+ count = var.enable_kinesis_stream ? 1 : 0
 name = local.flowlog_stream_name
 role_arn = var.flowlog_role_arn
 log_group_name = aws_cloudwatch_log_group.flowlog.name
- destination_arn = aws_kinesis_stream.flowlog.arn
+ destination_arn = try(aws_kinesis_stream.flowlog[0].arn, null)
 filter_pattern = "[action=*]"
 distribution = "ByLogStream"
 }
@@ -176,6 +178,7 @@ resource "null_resource" "splunk_flowlog" {
 }
 
 resource "local_file" "splunk_flowlog" {
+ count = var.enable_kinesis_stream ? 1 : 0
 content = data.template_file.splunk_flowlog.rendered
 file_permission = "0644"
 filename = format("%v/%v", null_resource.splunk_flowlog.triggers.directory, null_resource.splunk_flowlog.triggers.filename)
diff --git a/flowlogs/variables.tf b/flowlogs/variables.tf
index ce5367f..aed8488 100644
--- a/flowlogs/variables.tf
+++ b/flowlogs/variables.tf
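Review bot: The `try(aws_kinesis_stream.flowlog[0].arn, null)` on the subscription filter's `destination_arn` is unreachable defensiveness: the filter carries the same `count` as the stream, so when the stream is absent the filter is not created and the expression is never evaluated, and when it is present `[0]` always resolves. If the fallback ever did fire it would submit a subscription filter with a null destination and fail at apply with a less clear error, so `destination_arn = aws_kinesis_stream.flowlog[0].arn` is the honest form. The `count` line also deserves a comment, because switching `enable_kinesis_stream` off removes the CloudWatch-to-Kinesis path that feeds Splunk while the log group and the flow log resources stay in place, so SIEM visibility stops without any other plan change hinting at it: `# disabling removes the Splunk (Kinesis) feed; CloudWatch/S3 delivery is unaffected`. The `local_file` hunk gates the rendered file, but `null_resource.splunk_flowlog` and `data.template_file.splunk_flowlog` are referenced without an index, so they presumably still evaluate when the stream is off; worth confirming the template does not read the stream's attributes. The resource bodies continue outside these hunks.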
@@ -19,3 +19,9 @@ variable "private_subnet_ids" {
 type = list(string)
 default = []
 }
+
+variable "enable_kinesis_stream" {
+ description = "Flag to enable or disable creation of kineis stream for Splunk"
+ type = bool
+ default = true
+}
diff --git a/vpc-transit-gateway-association/self/associate.tf b/vpc-transit-gateway-association/self/associate.tf
index 284696a..b047032 100644
--- a/vpc-transit-gateway-association/self/associate.tf
+++ b/vpc-transit-gateway-association/self/associate.tf
@@ -59,7 +59,8 @@ resource "aws_ec2_transit_gateway_route_table_association" "route_table_self" {
 locals {
 propagate_all_rt = ["services", "inter-region"]
 # selected_rt = [for k in keys(local.transit_gateway_route_table_ids_self) : k if ! contains(local.propagate_all_rt, k)]
- selected_rt = [for k in keys(var.data_input.map_route_tables_self) : k if ! contains(local.propagate_all_rt, k)]
+ selected_rt = [for k in keys(var.data_input.map_route_tables_self) : k if ! contains(local.propagate_all_rt, k)]
+ vpn_selected_rt = [for k in keys(var.data_input.map_route_tables_self) : k if ! contains(local.propagate_all_rt, k)]
 }
 
 #---
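Review bot: The description string for `enable_kinesis_stream` misspells "kinesis" as "kineis", and because terraform-docs copies it verbatim into the README (the same typo appears in the README hunk) it should be fixed at the source, and at the same time say what is lost when the flag is false: `description = "Create the Kinesis stream and CloudWatch subscription filter that feed VPC flow logs to Splunk; set to false to drop the Splunk feed while keeping CloudWatch/S3 delivery"`. Naming the consequence in the variable matters here because a caller flipping it to false silently removes the SIEM feed while every flow log resource still shows as present in the plan.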
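Review bot: `vpn_selected_rt` is defined with exactly the same expression as `selected_rt` on the line above, so either it should alias it, `vpn_selected_rt = local.selected_rt`, or carry a comment stating why the VPN propagation set is expected to diverge from the general one. Two identical copies of the route-table filter invite drift: if the exclusion list or the filter changes on one and not the other, the VPN attachment would propagate into a different set of transit gateway route tables than the VPC does, which is a reachability and segmentation change that is easy to miss in a plan. The change is also absent from the 2.4.8 CHANGELOG entry, which only mentions the flowlogs flag. Where `vpn_selected_rt` is consumed is outside this hunk.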