Merge pull request #131 from drewmullen/flowlog-name-override

provide name override field for flowlog definition
aws-ia · Oct 31, 2023 · ffe4f02 · ffe4f02
2 parents ebb6422 + 68c05b2
commit ffe4f02
Show file tree

Hide file tree

Showing 10 changed files with 53 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -387,7 +387,7 @@ Please see our [developer documentation](https://github.com/aws-ia/terraform-aws
 | <a name="input_vpc_egress_only_internet_gateway"></a> [vpc\_egress\_only\_internet\_gateway](#input\_vpc\_egress\_only\_internet\_gateway) | Set to use the Egress-only Internet gateway for all IPv6 traffic going to the Internet. | `bool` | `false` | no |
 | <a name="input_vpc_enable_dns_hostnames"></a> [vpc\_enable\_dns\_hostnames](#input\_vpc\_enable\_dns\_hostnames) | Indicates whether the instances launched in the VPC get DNS hostnames. If enabled, instances in the VPC get DNS hostnames; otherwise, they do not. Disabled by default for nondefault VPCs. | `bool` | `true` | no |
 | <a name="input_vpc_enable_dns_support"></a> [vpc\_enable\_dns\_support](#input\_vpc\_enable\_dns\_support) | Indicates whether the DNS resolution is supported for the VPC. If enabled, queries to the Amazon provided DNS server at the 169.254.169.253 IP address, or the reserved IP address at the base of the VPC network range "plus two" succeed. If disabled, the Amazon provided DNS service in the VPC that resolves public DNS hostnames to IP addresses is not enabled. Enabled by default. | `bool` | `true` | no |
-| <a name="input_vpc_flow_logs"></a> [vpc\_flow\_logs](#input\_vpc\_flow\_logs) | Whether or not to create VPC flow logs and which type. Options: "cloudwatch", "s3", "none". By default creates flow logs to `cloudwatch`. Variable overrides null value types for some keys, defined in defaults.tf. | <pre>object({<br>    log_destination = optional(string)<br>    iam_role_arn    = optional(string)<br>    kms_key_id      = optional(string)<br><br>    log_destination_type = string<br>    retention_in_days    = optional(number)<br>    tags                 = optional(map(string))<br>    traffic_type         = optional(string, "ALL")<br>    destination_options = optional(object({<br>      file_format                = optional(string, "plain-text")<br>      hive_compatible_partitions = optional(bool, false)<br>      per_hour_partition         = optional(bool, false)<br>    }))<br>  })</pre> | <pre>{<br>  "log_destination_type": "none"<br>}</pre> | no |
+| <a name="input_vpc_flow_logs"></a> [vpc\_flow\_logs](#input\_vpc\_flow\_logs) | Whether or not to create VPC flow logs and which type. Options: "cloudwatch", "s3", "none". By default creates flow logs to `cloudwatch`. Variable overrides null value types for some keys, defined in defaults.tf. | <pre>object({<br>    name_override   = optional(string, "")<br>    log_destination = optional(string)<br>    iam_role_arn    = optional(string)<br>    kms_key_id      = optional(string)<br><br>    log_destination_type = string<br>    retention_in_days    = optional(number)<br>    tags                 = optional(map(string))<br>    traffic_type         = optional(string, "ALL")<br>    destination_options = optional(object({<br>      file_format                = optional(string, "plain-text")<br>      hive_compatible_partitions = optional(bool, false)<br>      per_hour_partition         = optional(bool, false)<br>    }))<br>  })</pre> | <pre>{<br>  "log_destination_type": "none"<br>}</pre> | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID to use if not creating VPC. | `string` | `null` | no |
 | <a name="input_vpc_instance_tenancy"></a> [vpc\_instance\_tenancy](#input\_vpc\_instance\_tenancy) | The allowed tenancy of instances launched into the VPC. | `string` | `"default"` | no |
 | <a name="input_vpc_ipv4_ipam_pool_id"></a> [vpc\_ipv4\_ipam\_pool\_id](#input\_vpc\_ipv4\_ipam\_pool\_id) | Set to use IPAM to get an IPv4 CIDR block. | `string` | `null` | no |
@@ -407,6 +407,7 @@ Please see our [developer documentation](https://github.com/aws-ia/terraform-aws
 | <a name="output_core_network_attachment"></a> [core\_network\_attachment](#output\_core\_network\_attachment) | AWS Cloud WAN's core network attachment. Full output of aws\_networkmanager\_vpc\_attachment. |
 | <a name="output_core_network_subnet_attributes_by_az"></a> [core\_network\_subnet\_attributes\_by\_az](#output\_core\_network\_subnet\_attributes\_by\_az) | Map of all core\_network subnets containing their attributes.<br><br>Example:<pre>core_network_subnet_attributes_by_az = {<br>  "us-east-1a" = {<br>    "arn" = "arn:aws:ec2:us-east-1:<>:subnet/subnet-04a86315c4839b519"<br>    "assign_ipv6_address_on_creation" = false<br>    ...<br>    <all attributes of subnet: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#attributes-reference><br>  }<br>  "us-east-1b" = {...)<br>}</pre> |
 | <a name="output_egress_only_internet_gateway"></a> [egress\_only\_internet\_gateway](#output\_egress\_only\_internet\_gateway) | Egress-only Internet gateway attributes. Full output of aws\_egress\_only\_internet\_gateway. |
+| <a name="output_flow_log_attributes"></a> [flow\_log\_attributes](#output\_flow\_log\_attributes) | Flow Log information. |
 | <a name="output_internet_gateway"></a> [internet\_gateway](#output\_internet\_gateway) | Internet gateway attributes. Full output of aws\_internet\_gateway. |
 | <a name="output_nat_gateway_attributes_by_az"></a> [nat\_gateway\_attributes\_by\_az](#output\_nat\_gateway\_attributes\_by\_az) | Map of nat gateway resource attributes by AZ.<br><br>Example:<pre>nat_gateway_attributes_by_az = {<br>  "us-east-1a" = {<br>    "allocation_id" = "eipalloc-0e8b20303eea88b13"<br>    "connectivity_type" = "public"<br>    "id" = "nat-0fde39f9550f4abb5"<br>    "network_interface_id" = "eni-0d422727088bf9a86"<br>    "private_ip" = "10.0.3.40"<br>    "public_ip" = <><br>    "subnet_id" = "subnet-0f11c92e439c8ab4a"<br>    "tags" = tomap({<br>      "Name" = "nat-my-public-us-east-1a"<br>    })<br>    "tags_all" = tomap({<br>      "Name" = "nat-my-public-us-east-1a"<br>    })<br>  }<br>  "us-east-1b" = { ... }<br>}</pre> |
 | <a name="output_natgw_id_per_az"></a> [natgw\_id\_per\_az](#output\_natgw\_id\_per\_az) | Map of nat gateway IDs for each resource. Will be duplicate ids if your var.subnets.public.nat\_gateway\_configuration = "single\_az".<br><br>Example:<pre>natgw_id_per_az = {<br>  "us-east-1a" = {<br>    "id" = "nat-0fde39f9550f4abb5"<br>  }<br>  "us-east-1b" = {<br>    "id" = "nat-0fde39f9550f4abb5"<br>   }<br>}</pre> |

diff --git a/data.tf b/data.tf
@@ -116,6 +116,8 @@ locals {
   # VPC LATTICE ############################################################
   # If var.vpc_lattice is defined (default = {}), the VPC association is created.
   lattice_association = length(keys(var.vpc_lattice)) > 0
+
+  log_name = var.vpc_flow_logs.name_override == "" ? var.name : var.vpc_flow_logs.name_override
 }
 
 data "aws_availability_zones" "current" {

diff --git a/examples/public_private_flow_logs/README.md b/examples/public_private_flow_logs/README.md
@@ -39,5 +39,10 @@ At this point, only cloud-watch logs are support, pending: https://github.com/aw
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_log_name"></a> [log\_name](#output\_log\_name) | Name of the flow log. |
+| <a name="output_private_subnets"></a> [private\_subnets](#output\_private\_subnets) | Map of private subnet attributes grouped by az. |
+| <a name="output_private_subnets_tags_length"></a> [private\_subnets\_tags\_length](#output\_private\_subnets\_tags\_length) | Count of private subnet tags for a single az. |
+| <a name="output_public_subnets_tags_length"></a> [public\_subnets\_tags\_length](#output\_public\_subnets\_tags\_length) | Count of public subnet tags for a single az. |
 <!-- END_TF_DOCS -->
diff --git a/examples/public_private_flow_logs/main.tf b/examples/public_private_flow_logs/main.tf
@@ -23,6 +23,7 @@ module "vpc1" {
   }
 
   vpc_flow_logs = {
+    name_override        = "test"
     log_destination_type = "cloud-watch-logs"
     retention_in_days    = 180
   }
@@ -46,4 +47,4 @@ module "vpc2" {
       file_format = "parquet"
     }
   }
-}
+}
diff --git a/examples/public_private_flow_logs/outputs.tf b/examples/public_private_flow_logs/outputs.tf
@@ -1 +1,22 @@
 
+output "private_subnets" {
+  description = "Map of private subnet attributes grouped by az."
+  value       = module.vpc1.private_subnet_attributes_by_az
+}
+
+## Used for Testing, do not delete
+
+output "public_subnets_tags_length" {
+  description = "Count of public subnet tags for a single az."
+  value       = length(module.vpc1.public_subnet_attributes_by_az[data.aws_availability_zones.current.names[0]].tags)
+}
+
+output "private_subnets_tags_length" {
+  description = "Count of private subnet tags for a single az."
+  value       = length(module.vpc1.private_subnet_attributes_by_az["private/${data.aws_availability_zones.current.names[0]}"].tags)
+}
+
+output "log_name" {
+  description = "Name of the flow log."
+  value       = module.vpc1.flow_log_attributes.tags["Name"]
+}
diff --git a/examples/public_private_flow_logs/variables.tf b/examples/public_private_flow_logs/variables.tf
@@ -1,6 +1,5 @@
 variable "aws_region" {
   description = "AWS Region."
   type        = string
-
-  default = "eu-west-1"
+  default     = "eu-west-1"
 }
diff --git a/main.tf b/main.tf
@@ -508,7 +508,7 @@ module "flow_logs" {
 
   source = "./modules/flow_logs"
 
-  name                = var.name
+  name                = local.log_name
   flow_log_definition = var.vpc_flow_logs
   vpc_id              = local.vpc.id
 
@@ -527,4 +527,4 @@ resource "aws_vpclattice_service_network_vpc_association" "vpc_lattice_service_n
     module.tags.tags_aws,
     module.vpc_lattice_tags.tags_aws
   )
-}
+}
diff --git a/outputs.tf b/outputs.tf
@@ -192,4 +192,9 @@ output "egress_only_internet_gateway" {
 output "vpc_lattice_service_network_association" {
   value       = try(aws_vpclattice_service_network_vpc_association.vpc_lattice_service_network_association[0], null)
   description = "VPC Lattice Service Network VPC association. Full output of aws_vpclattice_service_network_vpc_association"
-}
+}
+
+output "flow_log_attributes" {
+  description = "Flow Log information."
+  value       = try(module.flow_logs[0].flow_log, null)
+}
diff --git a/test/examples_public_private_test.go b/test/examples_public_private_test.go
@@ -2,7 +2,7 @@ package test
 
 import (
 	"testing"
-
+	"github.com/stretchr/testify/assert"
 	"github.com/gruntwork-io/terratest/modules/terraform"
 )
 
@@ -14,4 +14,12 @@ func TestExamplesPublicPrivateFlowLogs(t *testing.T) {
 
 	defer terraform.Destroy(t, terraformOptions)
 	terraform.InitAndApply(t, terraformOptions)
-}
+	terraform.ApplyAndIdempotent(t, terraformOptions)
+
+	log_name := terraform.Output(t, terraformOptions, "log_name")
+	assert.Contains(t, "test", log_name)
+	publicTagsLength := terraform.Output(t, terraformOptions, "public_subnets_tags_length")
+	assert.Equal(t, "2", publicTagsLength)
+	privateTagsLength := terraform.Output(t, terraformOptions, "private_subnets_tags_length")
+	assert.Equal(t, "1", privateTagsLength)
+}
diff --git a/variables.tf b/variables.tf
@@ -262,6 +262,7 @@ variable "vpc_flow_logs" {
   description = "Whether or not to create VPC flow logs and which type. Options: \"cloudwatch\", \"s3\", \"none\". By default creates flow logs to `cloudwatch`. Variable overrides null value types for some keys, defined in defaults.tf."
 
   type = object({
+    name_override   = optional(string, "")
     log_destination = optional(string)
     iam_role_arn    = optional(string)
     kms_key_id      = optional(string)