feat: Updated resources to be dynamic and added support for flow logs…

… to be published in cloudwatch
clouddrove · Jul 21, 2023 · 16ad441 · 16ad441
1 parent 341f695
commit 16ad441
Show file tree

Hide file tree

Showing 2 changed files with 185 additions and 86 deletions.
diff --git a/main.tf b/main.tf
@@ -25,14 +25,13 @@ module "labels" {
 ## A VPC is a virtual network that closely resembles a traditional network that you'd operate in your own data center.
 ###--------------------------------------------------------------------------------------------
 resource "aws_vpc" "default" {
-  count = var.vpc_enabled ? 1 : 0
-
-  cidr_block                           = var.cidr_block
-  ipv4_ipam_pool_id                    = try(var.additional_cidr_block.ipv4_ipam_pool_id, null)
-  ipv4_netmask_length                  = try(var.additional_cidr_block.ipv4_netmask_length, null)
-  ipv6_cidr_block                      = try(var.additional_ipv6_cidr_block.ipv6_cidr_block, null)
-  ipv6_ipam_pool_id                    = try(var.additional_ipv6_cidr_block.ipv6_ipam_pool_id, null)
-  ipv6_netmask_length                  = try(var.additional_ipv6_cidr_block.ipv6_netmask_length, null)
+  count                                = var.enable ? 1 : 0
+  cidr_block                           = var.ipam_pool_enable ? null : var.cidr_block
+  ipv4_ipam_pool_id                    = var.ipv4_ipam_pool_id
+  ipv4_netmask_length                  = var.ipv4_netmask_length
+  ipv6_cidr_block                      = var.ipv6_cidr_block
+  ipv6_ipam_pool_id                    = var.ipv6_ipam_pool_id
+  ipv6_netmask_length                  = var.ipv6_netmask_length
   instance_tenancy                     = var.instance_tenancy
   enable_dns_hostnames                 = var.dns_hostnames_enabled
   enable_dns_support                   = var.dns_support_enabled
@@ -67,7 +66,7 @@ resource "aws_vpc_ipv4_cidr_block_association" "default" {
 #              An AWS Internet Gateway virtual router that enables communication between VPC and the internet
 ####---------------------------------------------------------------------------------------
 resource "aws_internet_gateway" "default" {
-  count = var.vpc_enabled ? 1 : 0
+  count = var.enable ? 1 : 0
 
   vpc_id = join("", aws_vpc.default.*.id)
   tags = merge(
@@ -84,7 +83,7 @@ resource "aws_internet_gateway" "default" {
 #              An egress-only internet gateway provides outbound-only internet connectivity for resources within a VPC
 ##---------------------------------------------------------------------------------------------------
 resource "aws_egress_only_internet_gateway" "default" {
-  count = var.vpc_enabled && var.enabled_ipv6_egress_only_internet_gateway ? 1 : 0
+  count = var.enable && var.enabled_ipv6_egress_only_internet_gateway ? 1 : 0
 
   vpc_id = join("", aws_vpc.default.*.id)
   tags   = module.labels.tags
@@ -96,7 +95,7 @@ resource "aws_egress_only_internet_gateway" "default" {
 #              The default security group serves as a baseline security configuration within the VPC.
 ####----------------------------------------------------------------------------------
 resource "aws_default_security_group" "default" {
-  count = var.vpc_enabled && var.restrict_default_sg == true ? 1 : 0
+  count = var.enable && var.restrict_default_sg == true ? 1 : 0
 
   vpc_id = join("", aws_vpc.default.*.id)
   dynamic "ingress" {
@@ -142,16 +141,27 @@ resource "aws_default_security_group" "default" {
 #              Provides a resource to create an ASSOCIATION between gateway and routing table.
 # #----------------------------------------------------------------------------------
 resource "aws_default_route_table" "default" {
-  count = var.vpc_enabled && var.aws_default_route_table ? 1 : 0
+  count = var.enable && var.aws_default_route_table ? 1 : 0
 
   default_route_table_id = aws_vpc.default[0].default_route_table_id
-  route {
-    cidr_block = "0.0.0.0/0"
-    gateway_id = aws_internet_gateway.default[0].id
-  }
-  route {
-    ipv6_cidr_block        = "::/0"
-    egress_only_gateway_id = aws_egress_only_internet_gateway.default[0].id
+  dynamic "route" {
+    for_each = var.default_route_table_routes
+    content {
+      # One of the following destinations must be provided
+      cidr_block                 = route.value.cidr_block
+      ipv6_cidr_block            = lookup(route.value, "ipv6_cidr_block", null)
+      destination_prefix_list_id = lookup(route.value, "destination_prefix_list_id", null)
+
+      # One of the following targets must be provided
+      egress_only_gateway_id    = lookup(route.value, "egress_only_gateway_id", null)
+      gateway_id                = lookup(route.value, "gateway_id", null)
+      instance_id               = lookup(route.value, "instance_id", null)
+      nat_gateway_id            = lookup(route.value, "nat_gateway_id", null)
+      network_interface_id      = lookup(route.value, "network_interface_id", null)
+      transit_gateway_id        = lookup(route.value, "transit_gateway_id", null)
+      vpc_endpoint_id           = lookup(route.value, "vpc_endpoint_id", null)
+      vpc_peering_connection_id = lookup(route.value, "vpc_peering_connection_id", null)
+    }
   }
   tags = merge(
     module.labels.tags,
@@ -166,7 +176,7 @@ resource "aws_default_route_table" "default" {
 #Description : Provides a VPC DHCP Options resource.
 ####--------------------------------------------------------------
 resource "aws_vpc_dhcp_options" "vpc_dhcp" {
-  count = var.vpc_enabled && var.enable_dhcp_options ? 1 : 0
+  count = var.enable && var.enable_dhcp_options ? 1 : 0
 
   domain_name          = var.dhcp_options_domain_name
   domain_name_servers  = var.dhcp_options_domain_name_servers
@@ -181,7 +191,7 @@ resource "aws_vpc_dhcp_options" "vpc_dhcp" {
   )
 }
 resource "aws_vpc_dhcp_options_association" "this" {
-  count = var.vpc_enabled && var.enable_dhcp_options ? 1 : 0
+  count = var.enable && var.enable_dhcp_options ? 1 : 0
 
   vpc_id          = join("", aws_vpc.default.*.id)
   dhcp_options_id = join("", aws_vpc_dhcp_options.vpc_dhcp.*.id)
@@ -193,7 +203,7 @@ resource "aws_vpc_dhcp_options_association" "this" {
 #              it create and control the cryptographic keys that are used to protect your data.
 ####--------------------------------------------------------------
 resource "aws_kms_key" "kms" {
-  count = var.enable_flow_log == true ? 1 : 0
+  count = var.enable && var.enable_flow_log ? 1 : 0
 
   deletion_window_in_days = 10
 }
@@ -204,13 +214,12 @@ resource "aws_kms_key" "kms" {
 #              S3 bucket is a public cloud storage resource available in AWS.
 ####------------------------------------------------------------------------------
 resource "aws_s3_bucket" "mybucket" {
-  count = var.enable_flow_log == true ? 1 : 0
+  count  = var.enable && var.enable_flow_log && var.flow_log_destination_type == "s3" ? 1 : 0
   bucket = var.flow_logs_bucket_name
-  #acl    = "private"
 }
 
 resource "aws_s3_bucket_ownership_controls" "example" {
-  count = var.enable_flow_log == true ? 1 : 0
+  count = var.enable && var.enable_flow_log && var.flow_log_destination_type == "s3" ? 1 : 0
 
   bucket = join("", aws_s3_bucket.mybucket.*.id)
   rule {
@@ -219,16 +228,14 @@ resource "aws_s3_bucket_ownership_controls" "example" {
 }
 
 resource "aws_s3_bucket_acl" "example" {
-  count = var.enable_flow_log == true ? 1 : 0
-
+  count      = var.enable && var.enable_flow_log && var.flow_log_destination_type == "s3" ? 1 : 0
   depends_on = [aws_s3_bucket_ownership_controls.example]
-
-  bucket = join("", aws_s3_bucket.mybucket.*.id)
-  acl    = "private"
+  bucket     = join("", aws_s3_bucket.mybucket.*.id)
+  acl        = "private"
 }
 
 resource "aws_s3_bucket_public_access_block" "example" {
-  count = var.enable_flow_log == true ? 1 : 0
+  count = var.enable && var.enable_flow_log && var.flow_log_destination_type == "s3" ? 1 : 0
 
   bucket                  = aws_s3_bucket.mybucket[0].id
   block_public_acls       = true
@@ -242,7 +249,7 @@ resource "aws_s3_bucket_public_access_block" "example" {
 # Description : Provides a S3 bucket server-side encryption configuration resource.
 ####-------------------------------------------------------------------------------
 resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
-  count = var.enable_flow_log == true ? 1 : 0
+  count = var.enable && var.enable_flow_log && var.flow_log_destination_type == "s3" ? 1 : 0
 
   bucket = aws_s3_bucket.mybucket[0].id
   rule {
@@ -259,13 +266,24 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
 #              specific network interface, subnet, or VPC. Logs are sent to S3 Bucket.
 ##---------------------------------------------------------------------------------------------
 resource "aws_flow_log" "vpc_flow_log" {
-  count = var.vpc_enabled && var.enable_flow_log == true ? 1 : 0
+  count                    = var.enable && var.enable_flow_log == true ? 1 : 0
+  log_destination_type     = var.flow_log_destination_type
+  log_destination          = var.flow_log_destination_arn
+  log_format               = var.flow_log_log_format
+  iam_role_arn             = var.flow_log_iam_role_arn
+  traffic_type             = var.flow_log_traffic_type
+  vpc_id                   = join("", aws_vpc.default.*.id)
+  max_aggregation_interval = var.flow_log_max_aggregation_interval
+  dynamic "destination_options" {
+    for_each = var.flow_log_destination_type == "s3" ? [true] : []
 
-  log_destination      = join("", aws_s3_bucket.mybucket.*.arn)
-  log_destination_type = "s3"
-  traffic_type         = var.traffic_type
-  vpc_id               = join("", aws_vpc.default.*.id)
-  tags                 = module.labels.tags
+    content {
+      file_format                = var.flow_log_file_format
+      hive_compatible_partitions = var.flow_log_hive_compatible_partitions
+      per_hour_partition         = var.flow_log_per_hour_partition
+    }
+  }
+  tags = module.labels.tags
 }
 
 ##----------------------------------------------------------------------------------------------------
@@ -274,23 +292,35 @@ resource "aws_flow_log" "vpc_flow_log" {
 ## similar to your security groups in order to add an additional layer of security to your VPC.
 ##-------------------------------------------------------------------------------------------------------
 resource "aws_default_network_acl" "default" {
-  count                  = var.vpc_enabled && var.aws_default_network_acl ? 1 : 0
+  count                  = var.enable && var.aws_default_network_acl ? 1 : 0
   default_network_acl_id = aws_vpc.default[0].default_network_acl_id
-  ingress {
-    protocol   = -1
-    rule_no    = 100
-    action     = "allow"
-    cidr_block = "0.0.0.0/0"
-    from_port  = 0
-    to_port    = 0
+  dynamic "ingress" {
+    for_each = var.default_network_acl_ingress
+    content {
+      action          = ingress.value.action
+      cidr_block      = lookup(ingress.value, "cidr_block", null)
+      from_port       = ingress.value.from_port
+      icmp_code       = lookup(ingress.value, "icmp_code", null)
+      icmp_type       = lookup(ingress.value, "icmp_type", null)
+      ipv6_cidr_block = lookup(ingress.value, "ipv6_cidr_block", null)
+      protocol        = ingress.value.protocol
+      rule_no         = ingress.value.rule_no
+      to_port         = ingress.value.to_port
+    }
   }
-  egress {
-    protocol   = -1
-    rule_no    = 100
-    action     = "allow"
-    cidr_block = "0.0.0.0/0"
-    from_port  = 0
-    to_port    = 0
+  dynamic "egress" {
+    for_each = var.default_network_acl_egress
+    content {
+      action          = egress.value.action
+      cidr_block      = lookup(egress.value, "cidr_block", null)
+      from_port       = egress.value.from_port
+      icmp_code       = lookup(egress.value, "icmp_code", null)
+      icmp_type       = lookup(egress.value, "icmp_type", null)
+      ipv6_cidr_block = lookup(egress.value, "ipv6_cidr_block", null)
+      protocol        = egress.value.protocol
+      rule_no         = egress.value.rule_no
+      to_port         = egress.value.to_port
+    }
   }
   tags = merge(
     module.labels.tags,