Merge pull request #13 from Ajay-sops/main

RohitSquareops · web-flow · commit 950dec55d802 · 2023-08-31T12:32:13.000+05:30
cloud watch log group encryption
diff --git a/README.md b/README.md
@@ -40,6 +40,7 @@ module "vpc" {
   vpn_server_instance_type                        = "t3a.small"
   flow_log_max_aggregation_interval               = 60
   flow_log_cloudwatch_log_group_retention_in_days = 90
+  flow_log_cloudwatch_log_group_kms_key_arn       = "arn:aws:kms:us-east-2:222222222222:key/kms_key_arn" #Enter your kms key arn
 }
 ```
 Refer [this](https://github.com/squareops/terraform-aws-vpc/tree/main/examples) for more examples.
@@ -50,6 +51,42 @@ To prevent destruction interruptions, any resources that have been created outsi
 
 The private key generated by Keypair module will be stored in AWS Systems Manager Parameter Store. For more details refer [this](https://registry.terraform.io/modules/squareops/keypair/aws)
 
+For encrypting vpc flow log cloudwatch log group please use this kms key policy. Change the account id and region.
+
+```json
+{
+    "Version": "2012-10-17",
+    "Id": "allow-cloudwatch-logs-encryption",
+    "Statement": [
+        {
+            "Sid": "AllowRootFullPermissions",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::12345678:root"
+            },
+            "Action": "kms:*",
+            "Resource": "*"
+        },
+        {
+            "Sid": "AllowCloudWatchLogsEncryption",
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "logs.us-east-2.amazonaws.com"
+            },
+            "Action": [
+                "kms:Encrypt*",
+                "kms:Decrypt*",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*",
+                "kms:Describe*"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+
+
 ## Network Scenarios
 
 Users need to declare `vpc_cidr` and subnets are calculated with the help of in-built functions.
@@ -81,6 +118,7 @@ This module supports three scenarios to create Network resource on AWS. Each wil
   - `flow_log_enabled          = true`
   - `flow_log_max_aggregation_interval               = 60`
   - `flow_log_cloudwatch_log_group_retention_in_days = 90`
+  - `flow_log_cloudwatch_log_group_kms_key_arn       = "arn:aws:kms:us-east-2:222222222222:key/kms_key_arn"`
 
 - **vpc-peering:** VPC peering support is available using submodule `vpc_peering`. Refer [Peering Docs](https://github.com/squareops/terraform-aws-vpc/tree/main/modules/vpc_peering) for more information
   - `accepter_name          = ""`
@@ -175,12 +213,13 @@ In this module, we have implemented the following CIS Compliance checks for VPC:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_auto_assign_public_ip"></a> [auto\_assign\_public\_ip](#input\_auto\_assign\_public\_ip) | Specify true to indicate that instances launched into the subnet should be assigned a public IP address. | `bool` | `false` | no |
-| <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | Number of Availability Zone to be used by VPC Subnets | `number` | `2` | no |
+| <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | Number of Availability Zone to be used by VPC Subnets | `list(any)` | `[]` | no |
 | <a name="input_database_subnet_assign_ipv6_address_on_creation"></a> [database\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_database\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
 | <a name="input_database_subnet_cidrs"></a> [database\_subnet\_cidrs](#input\_database\_subnet\_cidrs) | Database Tier subnet CIDRs to be created | `list(any)` | `[]` | no |
 | <a name="input_database_subnet_enabled"></a> [database\_subnet\_enabled](#input\_database\_subnet\_enabled) | Set true to enable database subnets | `bool` | `false` | no |
 | <a name="input_default_network_acl_ingress"></a> [default\_network\_acl\_ingress](#input\_default\_network\_acl\_ingress) | List of maps of ingress rules to set on the Default Network ACL | `list(map(string))` | <pre>[<br>  {<br>    "action": "deny",<br>    "cidr_block": "0.0.0.0/0",<br>    "from_port": 22,<br>    "protocol": "tcp",<br>    "rule_no": 98,<br>    "to_port": 22<br>  },<br>  {<br>    "action": "deny",<br>    "cidr_block": "0.0.0.0/0",<br>    "from_port": 3389,<br>    "protocol": "tcp",<br>    "rule_no": 99,<br>    "to_port": 3389<br>  },<br>  {<br>    "action": "allow",<br>    "cidr_block": "0.0.0.0/0",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "rule_no": 100,<br>    "to_port": 0<br>  },<br>  {<br>    "action": "allow",<br>    "from_port": 0,<br>    "ipv6_cidr_block": "::/0",<br>    "protocol": "-1",<br>    "rule_no": 101,<br>    "to_port": 0<br>  }<br>]</pre> | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | Specify the environment indentifier for the VPC | `string` | `""` | no |
+| <a name="input_flow_log_cloudwatch_log_group_kms_key_arn"></a> [flow\_log\_cloudwatch\_log\_group\_kms\_key\_arn](#input\_flow\_log\_cloudwatch\_log\_group\_kms\_key\_arn) | The ARN of the KMS Key to use when encrypting log data for VPC flow logs | `string` | `null` | no |
 | <a name="input_flow_log_cloudwatch_log_group_retention_in_days"></a> [flow\_log\_cloudwatch\_log\_group\_retention\_in\_days](#input\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs. | `number` | `null` | no |
 | <a name="input_flow_log_enabled"></a> [flow\_log\_enabled](#input\_flow\_log\_enabled) | Whether or not to enable VPC Flow Logs | `bool` | `false` | no |
 | <a name="input_flow_log_max_aggregation_interval"></a> [flow\_log\_max\_aggregation\_interval](#input\_flow\_log\_max\_aggregation\_interval) | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds. | `number` | `60` | no |
diff --git a/examples/complete-vpc-with-vpn/main.tf b/examples/complete-vpc-with-vpn/main.tf
@@ -22,9 +22,9 @@ module "vpc" {
   name                                            = local.name
   vpc_cidr                                        = local.vpc_cidr
   environment                                     = local.environment
-  flow_log_enabled                                = true
+  flow_log_enabled                                = false
   vpn_key_pair_name                               = module.key_pair_vpn.key_pair_name
-  availability_zones                              = 2
+  availability_zones                              = ["us-east-1a", "us-east-1b"]
   vpn_server_enabled                              = false
   intra_subnet_enabled                            = true
   public_subnet_enabled                           = true
@@ -35,4 +35,5 @@ module "vpc" {
   vpn_server_instance_type                        = "t3a.small"
   flow_log_max_aggregation_interval               = 60
   flow_log_cloudwatch_log_group_retention_in_days = 90
+  flow_log_cloudwatch_log_group_kms_key_arn       = "arn:aws:kms:us-east-2:222222222222:key/kms_key_arn" #Enter your kms key arn
 }
diff --git a/examples/simple-vpc/main.tf b/examples/simple-vpc/main.tf
@@ -15,7 +15,7 @@ module "vpc" {
   name                  = local.name
   vpc_cidr              = local.vpc_cidr
   environment           = local.environment
-  availability_zones    = 2
+  availability_zones    = ["us-east-1a", "us-east-1b"]
   public_subnet_enabled = true
   auto_assign_public_ip = true
 }
diff --git a/examples/vpc-with-ipv6/main.tf b/examples/vpc-with-ipv6/main.tf
@@ -16,7 +16,7 @@ module "vpc" {
   name                                            = local.name
   vpc_cidr                                        = local.vpc_cidr
   environment                                     = local.environment
-  availability_zones                              = 2
+  availability_zones                              = ["us-east-1a", "us-east-1b"]
   public_subnet_enabled                           = true
   private_subnet_enabled                          = true
   intra_subnet_enabled                            = false
diff --git a/examples/vpc-with-private-subnet/main.tf b/examples/vpc-with-private-subnet/main.tf
@@ -15,7 +15,7 @@ module "vpc" {
   name                   = local.name
   vpc_cidr               = local.vpc_cidr
   environment            = local.environment
-  availability_zones     = 2
+  availability_zones     = ["us-east-1a", "us-east-1b"]
   public_subnet_enabled  = true
   private_subnet_enabled = true
   auto_assign_public_ip  = true
diff --git a/main.tf b/main.tf
@@ -1,8 +1,9 @@
 locals {
-  intra_subnets                        = var.intra_subnet_enabled ? length(var.intra_subnet_cidrs) > 0 ? var.intra_subnet_cidrs : [for netnum in range(var.availability_zones * 3, var.availability_zones * 4) : cidrsubnet(var.vpc_cidr, 8, netnum)] : []
-  public_subnets                       = var.public_subnet_enabled ? length(var.public_subnet_cidrs) > 0 ? var.public_subnet_cidrs : [for netnum in range(0, var.availability_zones) : cidrsubnet(var.vpc_cidr, 8, netnum)] : []
-  private_subnets                      = var.private_subnet_enabled ? length(var.private_subnet_cidrs) > 0 ? var.private_subnet_cidrs : [for netnum in range(var.availability_zones, var.availability_zones * 2) : cidrsubnet(var.vpc_cidr, 4, netnum)] : []
-  database_subnets                     = var.database_subnet_enabled ? length(var.database_subnet_cidrs) > 0 ? var.database_subnet_cidrs : [for netnum in range(var.availability_zones * 2, var.availability_zones * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : []
+  azs                                  = length(var.availability_zones)
+  intra_subnets                        = var.intra_subnet_enabled ? length(var.intra_subnet_cidrs) > 0 ? var.intra_subnet_cidrs : [for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(var.vpc_cidr, 8, netnum)] : []
+  public_subnets                       = var.public_subnet_enabled ? length(var.public_subnet_cidrs) > 0 ? var.public_subnet_cidrs : [for netnum in range(0, local.azs) : cidrsubnet(var.vpc_cidr, 8, netnum)] : []
+  private_subnets                      = var.private_subnet_enabled ? length(var.private_subnet_cidrs) > 0 ? var.private_subnet_cidrs : [for netnum in range(local.azs, local.azs * 2) : cidrsubnet(var.vpc_cidr, 4, netnum)] : []
+  database_subnets                     = var.database_subnet_enabled ? length(var.database_subnet_cidrs) > 0 ? var.database_subnet_cidrs : [for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : []
   single_nat_gateway                   = var.one_nat_gateway_per_az == true ? false : true
   create_database_subnet_route_table   = var.database_subnet_enabled
   create_flow_log_cloudwatch_log_group = var.flow_log_enabled == true ? true : false
@@ -23,10 +24,10 @@ locals {
   database_subnet_assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false
   intra_subnet_assign_ipv6_address_on_creation    = var.intra_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false
 
-  public_subnet_ipv6_prefixes   = var.public_subnet_enabled ? [for i in range(var.availability_zones) : i] : []
-  private_subnet_ipv6_prefixes  = var.private_subnet_enabled ? [for i in range(var.availability_zones) : i + length(data.aws_availability_zones.available.names)] : []
-  database_subnet_ipv6_prefixes = var.database_subnet_enabled ? [for i in range(var.availability_zones) : i + 2 * length(data.aws_availability_zones.available.names)] : []
-  intra_subnet_ipv6_prefixes    = var.intra_subnet_enabled ? [for i in range(var.availability_zones) : i + 3 * length(data.aws_availability_zones.available.names)] : []
+  public_subnet_ipv6_prefixes   = var.public_subnet_enabled ? [for i in range(local.azs) : i] : []
+  private_subnet_ipv6_prefixes  = var.private_subnet_enabled ? [for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : []
+  database_subnet_ipv6_prefixes = var.database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : []
+  intra_subnet_ipv6_prefixes    = var.intra_subnet_enabled ? [for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : []
 }
 data "aws_availability_zones" "available" {}
 data "aws_ec2_instance_type" "arch" {
@@ -38,7 +39,7 @@ module "vpc" {
   version                                         = "5.1.1"
   name                                            = format("%s-%s-vpc", var.environment, var.name)
   cidr                                            = var.vpc_cidr # CIDR FOR VPC
-  azs                                             = [for n in range(0, var.availability_zones) : data.aws_availability_zones.available.names[n]]
+  azs                                             = [for n in range(0, local.azs) : data.aws_availability_zones.available.names[n]]
   intra_subnets                                   = local.intra_subnets
   public_subnets                                  = local.public_subnets
   private_subnets                                 = local.private_subnets
@@ -63,6 +64,7 @@ module "vpc" {
   create_flow_log_cloudwatch_log_group            = local.create_flow_log_cloudwatch_log_group
   flow_log_max_aggregation_interval               = var.flow_log_max_aggregation_interval
   flow_log_cloudwatch_log_group_retention_in_days = var.flow_log_cloudwatch_log_group_retention_in_days
+  flow_log_cloudwatch_log_group_kms_key_id        = var.flow_log_cloudwatch_log_group_kms_key_arn
   enable_ipv6                                     = local.enable_ipv6
   #assign_ipv6_address_on_creation = local.assign_ipv6_address_on_creation
   public_subnet_assign_ipv6_address_on_creation   = local.public_subnet_assign_ipv6_address_on_creation
diff --git a/variables.tf b/variables.tf
@@ -19,8 +19,8 @@ variable "vpc_cidr" {
 
 variable "availability_zones" {
   description = "Number of Availability Zone to be used by VPC Subnets"
-  default     = 2
-  type        = number
+  default     = []
+  type        = list(any)
 }
 
 variable "public_subnet_enabled" {
@@ -191,3 +191,9 @@ variable "intra_subnet_assign_ipv6_address_on_creation" {
   type        = bool
   default     = null
 }
+
+variable "flow_log_cloudwatch_log_group_kms_key_arn" {
+  description = "The ARN of the KMS Key to use when encrypting log data for VPC flow logs"
+  type        = string
+  default     = null
+}

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ module "vpc" {`
`15`	`15`	`name = local.name`
`16`	`16`	`vpc_cidr = local.vpc_cidr`
`17`	`17`	`environment = local.environment`
`18`		`- availability_zones = 2`
	`18`	`+ availability_zones = ["us-east-1a", "us-east-1b"]`
`19`	`19`	`public_subnet_enabled = true`
`20`	`20`	`auto_assign_public_ip = true`
`21`	`21`	`}`