pr corrections

sourcefuse · Nov 12, 2024 · b02c0fd · b02c0fd
1 parent 9d90aa2
commit b02c0fd
Show file tree

Hide file tree

Showing 9 changed files with 42 additions and 176 deletions.
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/README.md b/README.md
@@ -169,7 +169,6 @@ locals {
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_kms"></a> [kms](#module\_kms) | sourcefuse/arc-kms/aws | 1.0.9 |
-| <a name="module_s3"></a> [s3](#module\_s3) | sourcefuse/arc-s3/aws | 0.0.4 |
 
 ## Resources
 
@@ -205,19 +204,16 @@ locals {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_acl"></a> [acl](#input\_acl) | Please node ACL is deprecated by AWS in favor of bucket policies.<br>Defaults to "private" for backwards compatibility,recommended to set `s3_object_ownership` to "BucketOwnerEnforced" instead. | `string` | `"private"` | no |
 | <a name="input_assign_generated_ipv6_cidr_block"></a> [assign\_generated\_ipv6\_cidr\_block](#input\_assign\_generated\_ipv6\_cidr\_block) | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. | `bool` | `false` | no |
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | (optional) List of availability zones , if subnet map is null , subnet map autimatically derived | `list(string)` | `[]` | no |
+| <a name="input_bucket_arn"></a> [bucket\_arn](#input\_bucket\_arn) | The ARN of the S3 bucket where VPC flow logs will be stored if flow logs to S3 are enabled. This bucket must be created in advance, as the module will not create it. | `string` | `null` | no |
 | <a name="input_cidr_block"></a> [cidr\_block](#input\_cidr\_block) | The CIDR block for the VPC. | `string` | n/a | yes |
 | <a name="input_create_internet_geteway"></a> [create\_internet\_geteway](#input\_create\_internet\_geteway) | (optional) Whether to create internet gateway | `bool` | `true` | no |
-| <a name="input_deletion_window_in_days"></a> [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource | `number` | `10` | no |
 | <a name="input_enable_dns_hostnames"></a> [enable\_dns\_hostnames](#input\_enable\_dns\_hostnames) | A boolean flag to enable/disable DNS hostnames in the VPC. | `bool` | `true` | no |
 | <a name="input_enable_dns_support"></a> [enable\_dns\_support](#input\_enable\_dns\_support) | A boolean flag to enable/disable DNS support in the VPC. | `bool` | `true` | no |
-| <a name="input_enable_key_rotation"></a> [enable\_key\_rotation](#input\_enable\_key\_rotation) | Specifies whether key rotation is enabled | `bool` | `true` | no |
 | <a name="input_enable_network_address_usage_metrics"></a> [enable\_network\_address\_usage\_metrics](#input\_enable\_network\_address\_usage\_metrics) | Enable or disable network address usage metrics. | `bool` | `false` | no |
-| <a name="input_enable_vpc_flow_log_to_cloudwatch"></a> [enable\_vpc\_flow\_log\_to\_cloudwatch](#input\_enable\_vpc\_flow\_log\_to\_cloudwatch) | Flag to enable or disable VPC flow logs to Cloudwatch. | `bool` | `false` | no |
-| <a name="input_enable_vpc_flow_log_to_s3"></a> [enable\_vpc\_flow\_log\_to\_s3](#input\_enable\_vpc\_flow\_log\_to\_s3) | Flag to enable or disable VPC flow logs to S3 | `bool` | `true` | no |
-| <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `true` | no |
+| <a name="input_enable_vpc_flow_log"></a> [enable\_vpc\_flow\_log](#input\_enable\_vpc\_flow\_log) | Flag to enable or disable VPC flow logs to Cloudwatch. | `bool` | `false` | no |
+| <a name="input_enable_vpc_flow_log_to_s3"></a> [enable\_vpc\_flow\_log\_to\_s3](#input\_enable\_vpc\_flow\_log\_to\_s3) | Flag to enable or disable VPC flow logs to S3 | `bool` | `false` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | Environmenr name | `string` | n/a | yes |
 | <a name="input_instance_tenancy"></a> [instance\_tenancy](#input\_instance\_tenancy) | A tenancy option for instances launched into the VPC. Can be 'default' or 'dedicated'. | `string` | `"default"` | no |
 | <a name="input_internet_geteway_name"></a> [internet\_geteway\_name](#input\_internet\_geteway\_name) | (optional) If the Internet Gateway name is not provided, it will be automatically derived. | `string` | `null` | no |
@@ -227,6 +223,7 @@ locals {
 | <a name="input_ipv6_cidr_block_network_border_group"></a> [ipv6\_cidr\_block\_network\_border\_group](#input\_ipv6\_cidr\_block\_network\_border\_group) | The network border group of the IPv6 CIDR block. | `string` | `null` | no |
 | <a name="input_ipv6_ipam_pool_id"></a> [ipv6\_ipam\_pool\_id](#input\_ipv6\_ipam\_pool\_id) | The IPv6 IPAM pool ID from which to allocate the CIDR. | `string` | `null` | no |
 | <a name="input_ipv6_netmask_length"></a> [ipv6\_netmask\_length](#input\_ipv6\_netmask\_length) | The netmask length of the IPv6 CIDR block to allocate to the VPC. | `number` | `null` | no |
+| <a name="input_kms_config"></a> [kms\_config](#input\_kms\_config) | n/a | <pre>object({<br>    deletion_window_in_days = number<br>    enable_key_rotation     = bool<br>  })</pre> | <pre>{<br>  "deletion_window_in_days": 30,<br>  "enable_key_rotation": true<br>}</pre> | no |
 | <a name="input_name"></a> [name](#input\_name) | VPC name | `string` | n/a | yes |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace name | `string` | n/a | yes |
 | <a name="input_retention_in_days"></a> [retention\_in\_days](#input\_retention\_in\_days) | The number of days to retain CloudWatch log events. | `number` | `7` | no |

diff --git a/examples/custom-subnets/.terraform.lock.hcl b/examples/custom-subnets/.terraform.lock.hcl
diff --git a/examples/custom-subnets/main.tf b/examples/custom-subnets/main.tf
@@ -37,12 +37,12 @@ module "network" {
   namespace   = var.namespace
   environment = var.environment
 
-  name                              = "arc-poc"
-  create_internet_geteway           = true
-  subnet_map                        = local.subnet_map
-  cidr_block                        = "10.0.0.0/16"
-  enable_vpc_flow_log_to_cloudwatch = true
-  enable_vpc_flow_log_to_s3         = false
+  name                    = "arc-poc"
+  create_internet_geteway = true
+  subnet_map              = local.subnet_map
+  cidr_block              = "10.0.0.0/16"
+  enable_vpc_flow_log     = true
+
   vpc_endpoint_data = [
     {
       service            = "s3"

diff --git a/examples/simple/.terraform.lock.hcl b/examples/simple/.terraform.lock.hcl
diff --git a/examples/simple/main.tf b/examples/simple/main.tf
@@ -37,10 +37,9 @@ module "network" {
   namespace   = var.namespace
   environment = var.environment
 
-  name                              = "arc-poc"
-  create_internet_geteway           = true
-  enable_vpc_flow_log_to_cloudwatch = true
-  enable_vpc_flow_log_to_s3         = false
+  name                    = "arc-poc"
+  create_internet_geteway = true
+  enable_vpc_flow_log     = true
 
   availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]
   cidr_block         = "10.0.0.0/16"

diff --git a/locals.tf b/locals.tf
@@ -13,8 +13,8 @@ locals {
   additional_routes     = flatten([for key, value in local.subnet_map : [for route in value.additional_routes : merge({ key : key }, route)] if length(value.additional_routes) > 0])
   additional_routes_map = { for route in local.additional_routes : route.id => route }
 
-  subnet_map                        = var.subnet_map == null ? tomap(local.subnet_map_auto) : var.subnet_map
-  enable_vpc_flow_log_to_cloudwatch = var.enable_vpc_flow_log_to_cloudwatch
+  subnet_map          = var.subnet_map == null ? tomap(local.subnet_map_auto) : var.subnet_map
+  enable_vpc_flow_log = var.enable_vpc_flow_log
 
   ##### KMS policy for
   kms_policy = jsonencode({
@@ -48,40 +48,4 @@ locals {
     ]
   })
 
-  ## S3 bucket policy
-  lifecycle_config = {
-    enabled = true
-    rules = [
-      {
-        id = "rule-1"
-        expiration = {
-          date = "2024-12-31T00:00:00.000Z"
-        }
-        transition = {
-          date          = "2024-12-30T00:00:00.000Z"
-          days          = 180
-          storage_class = "GLACIER"
-        }
-
-        noncurrent_version_expiration = {
-          newer_noncurrent_versions = 2
-          noncurrent_days           = 200
-        }
-        noncurrent_version_transition = {
-          newer_noncurrent_versions = 2
-          noncurrent_days           = 30
-          storage_class             = "STANDARD_IA"
-        }
-        filter = {
-          object_size_greater_than = "131072"
-          object_size_less_than    = "1000000"
-          prefix                   = "logs/"
-          tags = {
-            "environment" = "production"
-            "department"  = "IT"
-          }
-        }
-      }
-    ]
-  }
 }
diff --git a/main.tf b/main.tf
@@ -150,10 +150,9 @@ resource "aws_route_table_association" "additional" {
 module "kms" {
   source                  = "sourcefuse/arc-kms/aws"
   version                 = "1.0.9"
-  count                   = var.enable_vpc_flow_log_to_cloudwatch ? 1 : 0
-  enabled                 = var.enabled
-  deletion_window_in_days = var.deletion_window_in_days
-  enable_key_rotation     = var.enable_key_rotation
+  count                   = var.enable_vpc_flow_log ? 1 : 0
+  deletion_window_in_days = var.kms_config.deletion_window_in_days
+  enable_key_rotation     = var.kms_config.enable_key_rotation
   alias                   = "alias/vpc-flow-logs-key"
   tags = merge(
     {
@@ -164,29 +163,12 @@ module "kms" {
   policy = local.kms_policy
 }
 
-
-module "s3" {
-  source           = "sourcefuse/arc-s3/aws"
-  version          = "0.0.4"
-  count            = var.enable_vpc_flow_log_to_s3 ? 1 : 0
-  name             = "${var.name}-vpc-flowlogs"
-  acl              = var.acl
-  lifecycle_config = local.lifecycle_config
-  tags = merge(
-    {
-      Name = "${var.name}-vpc-flowlogs"
-    },
-    var.tags
-  )
-}
-
-
 #### AWS Caller Identity Data Source
 data "aws_caller_identity" "current" {}
 
 ### CloudWatch Log Group for VPC Flow Logs
 resource "aws_cloudwatch_log_group" "this" {
-  count             = var.enable_vpc_flow_log_to_cloudwatch ? 1 : 0
+  count             = var.enable_vpc_flow_log ? 1 : 0
   name_prefix       = "${var.name}-vpcflowlog"
   kms_key_id        = module.kms[0].key_arn
   retention_in_days = var.retention_in_days
@@ -207,7 +189,7 @@ data "aws_iam_policy_document" "assume" {
 
 ### IAM Role for VPC Flow Logs
 resource "aws_iam_role" "this" {
-  count              = var.enable_vpc_flow_log_to_cloudwatch ? 1 : 0
+  count              = var.enable_vpc_flow_log ? 1 : 0
   name_prefix        = "${var.name}-vpcflowlog-role"
   assume_role_policy = data.aws_iam_policy_document.assume.json
 }
@@ -222,26 +204,26 @@ data "aws_iam_policy_document" "flow_logs_policy" {
       "logs:DescribeLogGroups",
       "logs:DescribeLogStreams"
     ]
-    resources = local.enable_vpc_flow_log_to_cloudwatch && length(aws_cloudwatch_log_group.this) > 0 ? [aws_cloudwatch_log_group.this[0].arn, "${aws_cloudwatch_log_group.this[0].arn}:*"] : ["*"]
+    resources = local.enable_vpc_flow_log && length(aws_cloudwatch_log_group.this) > 0 ? [aws_cloudwatch_log_group.this[0].arn, "${aws_cloudwatch_log_group.this[0].arn}:*"] : ["*"]
 
   }
 }
 
 resource "aws_iam_policy" "this" {
-  count       = var.enable_vpc_flow_log_to_cloudwatch ? 1 : 0
+  count       = var.enable_vpc_flow_log ? 1 : 0
   name_prefix = "${var.name}-vpcflowlog-policy"
   policy      = data.aws_iam_policy_document.flow_logs_policy.json
 }
 
 resource "aws_iam_role_policy_attachment" "attach_flow_logs_policy" {
-  count      = var.enable_vpc_flow_log_to_cloudwatch ? 1 : 0
+  count      = var.enable_vpc_flow_log ? 1 : 0
   role       = aws_iam_role.this[count.index].name
   policy_arn = aws_iam_policy.this[count.index].arn
 }
 
 # VPC Flow Log Configuration for CloudWatch
 resource "aws_flow_log" "cloudwatch" {
-  count           = var.enable_vpc_flow_log_to_cloudwatch ? 1 : 0
+  count           = var.enable_vpc_flow_log ? 1 : 0
   iam_role_arn    = aws_iam_role.this[count.index].arn
   log_destination = aws_cloudwatch_log_group.this[0].arn
   traffic_type    = "ALL"
@@ -251,7 +233,7 @@ resource "aws_flow_log" "cloudwatch" {
 # VPC Flow Log Configuration for S3
 resource "aws_flow_log" "s3" {
   count                = var.enable_vpc_flow_log_to_s3 ? 1 : 0
-  log_destination      = module.s3[0].bucket_arn
+  log_destination      = var.bucket_arn
   log_destination_type = "s3"
   traffic_type         = "ALL"
   vpc_id               = aws_vpc.this.id

diff --git a/variables.tf b/variables.tf
@@ -173,53 +173,37 @@ variable "tags" {
   default     = {}
 }
 
-variable "enable_vpc_flow_log_to_cloudwatch" {
+variable "enable_vpc_flow_log" {
   type        = bool
   description = "Flag to enable or disable VPC flow logs to Cloudwatch."
   default     = false
 }
 
-variable "deletion_window_in_days" {
-  type        = number
-  default     = 10
-  description = "Duration in days after which the key is deleted after destruction of the resource"
-}
-
-variable "enable_key_rotation" {
-  type        = bool
-  default     = true
-  description = "Specifies whether key rotation is enabled"
-}
-
-variable "enabled" {
-  type        = bool
-  default     = true
-  description = "Set to false to prevent the module from creating any resources"
-}
-
 variable "retention_in_days" {
   description = "The number of days to retain CloudWatch log events."
   type        = number
   default     = 7
 }
-
-# variable "enable_flow_logs" {
-#   description = "Boolean flag to enable or disable VPC flow logs"
-#   type        = bool
-#   default     = false
-# }
-
 variable "enable_vpc_flow_log_to_s3" {
-  default     = true
+  default     = false
   description = "Flag to enable or disable VPC flow logs to S3"
   type        = bool
 }
 
-variable "acl" {
+variable "bucket_arn" {
+  description = "The ARN of the S3 bucket where VPC flow logs will be stored if flow logs to S3 are enabled. This bucket must be created in advance, as the module will not create it."
   type        = string
-  default     = "private"
-  description = <<-EOT
-    Please node ACL is deprecated by AWS in favor of bucket policies.
-    Defaults to "private" for backwards compatibility,recommended to set `s3_object_ownership` to "BucketOwnerEnforced" instead.
-  EOT
+  default     = null # Set as null by default, can be overridden
+}
+
+
+variable "kms_config" {
+  type = object({
+    deletion_window_in_days = number
+    enable_key_rotation     = bool
+  })
+  default = {
+    deletion_window_in_days = 30
+    enable_key_rotation     = true
+  }
 }