From 9d90aa23091e1ab31895483143c5a586cc1dc9bd Mon Sep 17 00:00:00 2001
From: chandra <“Chandrashekar.reddy@sourcefuse.com”>
Date: Mon, 11 Nov 2024 19:54:41 +0530
Subject: [PATCH] fix flowlogs policy

---
 examples/simple/main.tf | 2 +-
 main.tf                 | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/examples/simple/main.tf b/examples/simple/main.tf
index ca2de2e..4cbf0b0 100644
--- a/examples/simple/main.tf
+++ b/examples/simple/main.tf
@@ -40,7 +40,7 @@ module "network" {
   name = "arc-poc"
   create_internet_geteway = true
   enable_vpc_flow_log_to_cloudwatch = true
-  enable_vpc_flow_log_to_s3 = true
+  enable_vpc_flow_log_to_s3 = false
   availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]
   cidr_block = "10.0.0.0/16"
diff --git a/main.tf b/main.tf
index 74a62b4..21b55c3 100644
--- a/main.tf
+++ b/main.tf
@@ -222,7 +222,8 @@ data "aws_iam_policy_document" "flow_logs_policy" {
       "logs:DescribeLogGroups",
       "logs:DescribeLogStreams"
     ]
-    resources = local.enable_vpc_flow_log_to_cloudwatch && length(aws_cloudwatch_log_group.this) > 0 ? [aws_cloudwatch_log_group.this[0].arn] : ["*"]
+    resources = local.enable_vpc_flow_log_to_cloudwatch && length(aws_cloudwatch_log_group.this) > 0 ? [aws_cloudwatch_log_group.this[0].arn, "${aws_cloudwatch_log_group.this[0].arn}:*"] : ["*"]
+  }
 }
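Review bot: The example flips `enable_vpc_flow_log_to_s3` from `true` to `false` with no explanation, and the commit message ("fix flowlogs policy") does not say whether the S3 destination is affected by the policy fix or simply not wanted in the example any more. As written, the example silently stops exercising the S3 flow-log path, so a regression there would no longer show up when the example is applied. A one-line comment above the toggle, for instance `# S3 flow-log destination intentionally off here; CloudWatch destination is the one exercised by this example`, or a sentence in the commit body, would make the intent visible. The `module "network"` block starts before this hunk.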
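Review bot: The rewritten `resources` line still falls back to `["*"]` whenever `local.enable_vpc_flow_log_to_cloudwatch` is false or no log group exists, so the `logs:` actions listed above it (at least `logs:DescribeLogGroups` and `logs:DescribeLogStreams` are visible in this hunk) would be granted on every log group in the account in that case; the added `"${aws_cloudwatch_log_group.this[0].arn}:*"` entry correctly scopes log-stream writes under the group, but the wildcard branch is unchanged from the old line. If this policy document is only attached when the CloudWatch destination is enabled, the `["*"]` branch is dead and could be replaced by something like `: []` plus a comment, or the statement made conditional with a `dynamic` block, so the wildcard never reaches a role. Separately, the added `}` immediately before the unchanged `}` context line looks like it closes a block the old file already closed; unless the old file was unbalanced (not visible here), this changes the brace structure, so please confirm the new `main.tf` passes `terraform validate`. The enclosing `data "aws_iam_policy_document" "flow_logs_policy"` block starts before this hunk, and the hunk's trailing context appears to continue past what is shown.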