feat: Updated resources to be dynamic and added support for flow logs to be published in cloudwatch

Author: 13archit

main.tf

@@ -25,14 +25,13 @@ module "labels" {
 ## A VPC is a virtual network that closely resembles a traditional network that you'd operate in your own data center.
 ###--------------------------------------------------------------------------------------------
 resource "aws_vpc" "default" {
- count = var.vpc_enabled ? 1 : 0
-
- cidr_block = var.cidr_block
- ipv4_ipam_pool_id = try(var.additional_cidr_block.ipv4_ipam_pool_id, null)
- ipv4_netmask_length = try(var.additional_cidr_block.ipv4_netmask_length, null)
- ipv6_cidr_block = try(var.additional_ipv6_cidr_block.ipv6_cidr_block, null)
- ipv6_ipam_pool_id = try(var.additional_ipv6_cidr_block.ipv6_ipam_pool_id, null)
- ipv6_netmask_length = try(var.additional_ipv6_cidr_block.ipv6_netmask_length, null)
+ count = var.enable ? 1 : 0
+ cidr_block = var.ipam_pool_enable ? null : var.cidr_block
+ ipv4_ipam_pool_id = var.ipv4_ipam_pool_id
+ ipv4_netmask_length = var.ipv4_netmask_length
+ ipv6_cidr_block = var.ipv6_cidr_block
+ ipv6_ipam_pool_id = var.ipv6_ipam_pool_id
+ ipv6_netmask_length = var.ipv6_netmask_length
  instance_tenancy = var.instance_tenancy
  enable_dns_hostnames = var.dns_hostnames_enabled
  enable_dns_support = var.dns_support_enabled
@@ -67,7 +66,7 @@ resource "aws_vpc_ipv4_cidr_block_association" "default" {
 # An AWS Internet Gateway virtual router that enables communication between VPC and the internet
 ####---------------------------------------------------------------------------------------
 resource "aws_internet_gateway" "default" {
- count = var.vpc_enabled ? 1 : 0
+ count = var.enable ? 1 : 0
 
  vpc_id = join("", aws_vpc.default.*.id)
  tags = merge(
@@ -84,7 +83,7 @@ resource "aws_internet_gateway" "default" {
 # An egress-only internet gateway provides outbound-only internet connectivity for resources within a VPC
 ##---------------------------------------------------------------------------------------------------
 resource "aws_egress_only_internet_gateway" "default" {
- count = var.vpc_enabled && var.enabled_ipv6_egress_only_internet_gateway ? 1 : 0
+ count = var.enable && var.enabled_ipv6_egress_only_internet_gateway ? 1 : 0
 
  vpc_id = join("", aws_vpc.default.*.id)
  tags = module.labels.tags
@@ -96,7 +95,7 @@ resource "aws_egress_only_internet_gateway" "default" {
 # The default security group serves as a baseline security configuration within the VPC.
 ####----------------------------------------------------------------------------------
 resource "aws_default_security_group" "default" {
- count = var.vpc_enabled && var.restrict_default_sg == true ? 1 : 0
+ count = var.enable && var.restrict_default_sg == true ? 1 : 0
 
  vpc_id = join("", aws_vpc.default.*.id)
  dynamic "ingress" {
@@ -142,16 +141,27 @@ resource "aws_default_security_group" "default" {
 # Provides a resource to create an ASSOCIATION between gateway and routing table.
 # #----------------------------------------------------------------------------------
 resource "aws_default_route_table" "default" {
- count = var.vpc_enabled && var.aws_default_route_table ? 1 : 0
+ count = var.enable && var.aws_default_route_table ? 1 : 0
 
  default_route_table_id = aws_vpc.default[0].default_route_table_id
- route {
- cidr_block = "0.0.0.0/0"
- gateway_id = aws_internet_gateway.default[0].id
- }
- route {
- ipv6_cidr_block = "::/0"
- egress_only_gateway_id = aws_egress_only_internet_gateway.default[0].id
+ dynamic "route" {
+ for_each = var.default_route_table_routes
+ content {
+ # One of the following destinations must be provided
+ cidr_block = route.value.cidr_block
+ ipv6_cidr_block = lookup(route.value, "ipv6_cidr_block", null)
+ destination_prefix_list_id = lookup(route.value, "destination_prefix_list_id", null)
+
+ # One of the following targets must be provided
+ egress_only_gateway_id = lookup(route.value, "egress_only_gateway_id", null)
+ gateway_id = lookup(route.value, "gateway_id", null)
+ instance_id = lookup(route.value, "instance_id", null)
+ nat_gateway_id = lookup(route.value, "nat_gateway_id", null)
+ network_interface_id = lookup(route.value, "network_interface_id", null)
+ transit_gateway_id = lookup(route.value, "transit_gateway_id", null)
+ vpc_endpoint_id = lookup(route.value, "vpc_endpoint_id", null)
+ vpc_peering_connection_id = lookup(route.value, "vpc_peering_connection_id", null)
+ }
  }
  tags = merge(
  module.labels.tags,
@@ -166,7 +176,7 @@ resource "aws_default_route_table" "default" {
 #Description : Provides a VPC DHCP Options resource.
 ####--------------------------------------------------------------
 resource "aws_vpc_dhcp_options" "vpc_dhcp" {
- count = var.vpc_enabled && var.enable_dhcp_options ? 1 : 0
+ count = var.enable && var.enable_dhcp_options ? 1 : 0
 
  domain_name = var.dhcp_options_domain_name
  domain_name_servers = var.dhcp_options_domain_name_servers
@@ -181,7 +191,7 @@ resource "aws_vpc_dhcp_options" "vpc_dhcp" {
  )
 }
 resource "aws_vpc_dhcp_options_association" "this" {
- count = var.vpc_enabled && var.enable_dhcp_options ? 1 : 0
+ count = var.enable && var.enable_dhcp_options ? 1 : 0
 
  vpc_id = join("", aws_vpc.default.*.id)
  dhcp_options_id = join("", aws_vpc_dhcp_options.vpc_dhcp.*.id)
@@ -193,7 +203,7 @@ resource "aws_vpc_dhcp_options_association" "this" {
 # it create and control the cryptographic keys that are used to protect your data.
 ####--------------------------------------------------------------
 resource "aws_kms_key" "kms" {
- count = var.enable_flow_log == true ? 1 : 0
+ count = var.enable && var.enable_flow_log ? 1 : 0
 
  deletion_window_in_days = 10
 }
@@ -204,13 +214,12 @@ resource "aws_kms_key" "kms" {
 # S3 bucket is a public cloud storage resource available in AWS.
 ####------------------------------------------------------------------------------
 resource "aws_s3_bucket" "mybucket" {
- count = var.enable_flow_log == true ? 1 : 0
+ count  = var.enable && var.enable_flow_log && var.flow_log_destination_type == "s3" ? 1 : 0
  bucket = var.flow_logs_bucket_name
- #acl = "private"
 }
 
 resource "aws_s3_bucket_ownership_controls" "example" {
- count = var.enable_flow_log == true ? 1 : 0
+ count = var.enable && var.enable_flow_log && var.flow_log_destination_type == "s3" ? 1 : 0
 
  bucket = join("", aws_s3_bucket.mybucket.*.id)
  rule {
@@ -219,16 +228,14 @@ resource "aws_s3_bucket_ownership_controls" "example" {
 }
 
 resource "aws_s3_bucket_acl" "example" {
- count = var.enable_flow_log == true ? 1 : 0
-
+ count = var.enable && var.enable_flow_log && var.flow_log_destination_type == "s3" ? 1 : 0
  depends_on = [aws_s3_bucket_ownership_controls.example]
-
- bucket = join("", aws_s3_bucket.mybucket.*.id)
- acl = "private"
+ bucket = join("", aws_s3_bucket.mybucket.*.id)
+ acl = "private"
 }
 
 resource "aws_s3_bucket_public_access_block" "example" {
- count = var.enable_flow_log == true ? 1 : 0
+ count = var.enable && var.enable_flow_log && var.flow_log_destination_type == "s3" ? 1 : 0
 
  bucket = aws_s3_bucket.mybucket[0].id
  block_public_acls = true
@@ -242,7 +249,7 @@ resource "aws_s3_bucket_public_access_block" "example" {
 # Description : Provides a S3 bucket server-side encryption configuration resource.
 ####-------------------------------------------------------------------------------
 resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
- count = var.enable_flow_log == true ? 1 : 0
+ count = var.enable && var.enable_flow_log && var.flow_log_destination_type == "s3" ? 1 : 0
 
  bucket = aws_s3_bucket.mybucket[0].id
  rule {
@@ -259,13 +266,24 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
 # specific network interface, subnet, or VPC. Logs are sent to S3 Bucket.
 ##---------------------------------------------------------------------------------------------
 resource "aws_flow_log" "vpc_flow_log" {
- count = var.vpc_enabled && var.enable_flow_log == true ? 1 : 0
+ count = var.enable && var.enable_flow_log == true ? 1 : 0
+ log_destination_type = var.flow_log_destination_type
+ log_destination = var.flow_log_destination_arn
+ log_format = var.flow_log_log_format
+ iam_role_arn = var.flow_log_iam_role_arn
+ traffic_type = var.flow_log_traffic_type
+ vpc_id = join("", aws_vpc.default.*.id)
+ max_aggregation_interval = var.flow_log_max_aggregation_interval
+ dynamic "destination_options" {
+ for_each = var.flow_log_destination_type == "s3" ? [true] : []
 
- log_destination = join("", aws_s3_bucket.mybucket.*.arn)
- log_destination_type = "s3"
- traffic_type = var.traffic_type
- vpc_id = join("", aws_vpc.default.*.id)
- tags = module.labels.tags
+ content {
+ file_format = var.flow_log_file_format
+ hive_compatible_partitions = var.flow_log_hive_compatible_partitions
+ per_hour_partition = var.flow_log_per_hour_partition
+ }
+ }
+ tags = module.labels.tags
 }
 
 ##----------------------------------------------------------------------------------------------------
@@ -274,23 +292,35 @@ resource "aws_flow_log" "vpc_flow_log" {
 ## similar to your security groups in order to add an additional layer of security to your VPC.
 ##-------------------------------------------------------------------------------------------------------
 resource "aws_default_network_acl" "default" {
- count = var.vpc_enabled && var.aws_default_network_acl ? 1 : 0
+ count = var.enable && var.aws_default_network_acl ? 1 : 0
  default_network_acl_id = aws_vpc.default[0].default_network_acl_id
- ingress {
- protocol = -1
- rule_no = 100
- action = "allow"
- cidr_block = "0.0.0.0/0"
- from_port = 0
- to_port = 0
+ dynamic "ingress" {
+ for_each = var.default_network_acl_ingress
+ content {
+ action = ingress.value.action
+ cidr_block = lookup(ingress.value, "cidr_block", null)
+ from_port = ingress.value.from_port
+ icmp_code = lookup(ingress.value, "icmp_code", null)
+ icmp_type = lookup(ingress.value, "icmp_type", null)
+ ipv6_cidr_block = lookup(ingress.value, "ipv6_cidr_block", null)
+ protocol = ingress.value.protocol
+ rule_no = ingress.value.rule_no
+ to_port = ingress.value.to_port
+ }
  }
- egress {
- protocol = -1
- rule_no = 100
- action = "allow"
- cidr_block = "0.0.0.0/0"
- from_port = 0
- to_port = 0
+ dynamic "egress" {
+ for_each = var.default_network_acl_egress
+ content {
+ action = egress.value.action
+ cidr_block = lookup(egress.value, "cidr_block", null)
+ from_port = egress.value.from_port
+ icmp_code = lookup(egress.value, "icmp_code", null)
+ icmp_type = lookup(egress.value, "icmp_type", null)
+ ipv6_cidr_block = lookup(egress.value, "ipv6_cidr_block", null)
+ protocol = egress.value.protocol
+ rule_no = egress.value.rule_no
+ to_port = egress.value.to_port
+ }
  }
  tags = merge(
  module.labels.tags,