Adds VPC Flow Logs to Existing VPCs

base/account_standards/flowlogs.tf

@@ -0,0 +1,53 @@
+# Flow logs need to be created per VPC, but we need a role
+resource "aws_cloudwatch_log_group" "vpc_flow_logs" {
+  name = "vpc_flow_logs"
+  retention_in_days = 7
+  kms_key_id = var.cloudtrail_key_arn
+  tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_iam_role" "flowlogs" {
+  name = "flowlogs"
+  path = "/aws_services/"
+  tags = merge(var.standard_tags, var.tags)
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "vpc-flow-logs.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "flowlogs" {
+  name = "flowlogs"
+  role = aws_iam_role.flowlogs.id
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+        "logs:DescribeLogGroups",
+        "logs:DescribeLogStreams"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}

base/account_standards/standard-vpc.tf

@@ -0,0 +1,19 @@
+# For now, we've left the standard VPC, but we still need it compliant.
+# If we change our minds, this would be a good place to delete the standard vpc.
+data "aws_vpcs" "foo" {
+  filter {
+    name = "isDefault"
+    values = [ true ]
+  }
+}
+
+resource "aws_flow_log" "flowlogs" {
+  # Note: Flow log configuration is "special" here. For a generic version you can copy to your own module,
+  # see the example in standard_vpc
+  for_each = data.aws_vpcs.foo.ids
+  iam_role_arn = aws_iam_role.flowlogs.arn
+  log_destination = aws_cloudwatch_log_group.vpc_flow_logs.arn
+
+  traffic_type = "REJECT" # CIS only requires reject, and "ALL" is expensive
+  vpc_id = each.value
+}

base/qualys_scanners/main.tf

@@ -45,3 +45,12 @@ module "vpc" {
     Name = var.name
   }
 }
+
+resource "aws_flow_log" "flowlogs" {
+  iam_role_arn    = "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws_services/flowlogs"
+  log_destination = "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:vpc_flow_logs"
+
+  traffic_type    = "REJECT" # ALL is very noisy, and CIS only requires rejects.
+  vpc_id          = module.vpc.vpc_id
+  tags            = merge(var.standard_tags, var.tags)
+}

base/qualys_scanners/vars.tf

@@ -35,35 +35,8 @@ variable "personalization_codes" {
 # ----------------------------------
 # Below this line are variables inherited from higher levels, so they
 # do not need to be explicitly passed to this module.
-variable "standard_tags" {
-  type        = map
-}
-
-variable "inside_domain" {
-  type        = string
-}
-
-variable "aws_region" {
-  type        = string
-}
-
-#variable "environment_vars" {
-#  description = "Environment Vars"
-#  type        = map
-#}
-#
-#variable "partition_vars" {
-#  description = "Partition Vars"
-#  type        = map
-#}
-#
-#variable "region_vars" {
-#  description = "Region Vars"
-#  type        = map
-#}
-#
-#variable "account_vars" {
-#  description = "Account Vars"
-#  type        = map
-#}
-
+variable "standard_tags" { type = map }
+variable "inside_domain" { type = string }
+variable "aws_region" { type = string }
+variable "aws_partition" { type = string }
+variable "aws_account_id" { type = string }

base/security_vpc/main.tf

@@ -58,6 +58,15 @@ module "vpc" {
   tags = merge(var.standard_tags, var.tags)
 }
 
+resource "aws_flow_log" "flowlogs" {
+  iam_role_arn    = "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws_services/flowlogs"
+  log_destination = "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:vpc_flow_logs"
+
+  traffic_type    = "REJECT" # ALL is very noisy, and CIS only requires rejects.
+  vpc_id          = module.vpc.vpc_id
+  tags            = merge(var.standard_tags, var.tags)
+}
+
 resource "aws_subnet" "mgmt" {
   count = 2
   depends_on = [ module.vpc ]

base/standard_vpc/main.tf

@@ -56,6 +56,16 @@ module "vpc" {
   }
 }
 
+resource "aws_flow_log" "flowlogs" {
+  iam_role_arn    = "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws_services/flowlogs"
+  log_destination = "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:vpc_flow_logs"
+
+  traffic_type    = "REJECT" # ALL is very noisy, and CIS only requires rejects.
+  vpc_id          = module.vpc.vpc_id
+  tags            = merge(var.standard_tags, var.tags)
+}
+
+
 resource "aws_vpc_endpoint" "ec2messages" {
   vpc_id            = module.vpc.vpc_id
   service_name      = "com.amazonaws.${var.aws_region}.ec2messages"

base/standard_vpc/vars.tf

@@ -14,38 +14,9 @@ variable "tags" {
   default     = { }
 }
 
-# ----------------------------------
-# Below this line are variables inherited from higher levels, so they
-# do not need to be explicitly passed to this module.
-variable "standard_tags" {
-  type        = map
-}
-
-variable "inside_domain" {
-  type        = string
-}
-
-variable "aws_region" {
-  type        = string
-}
-
-#variable "environment_vars" {
-#  description = "Environment Vars"
-#  type        = map
-#}
-#
-#variable "partition_vars" {
-#  description = "Partition Vars"
-#  type        = map
-#}
-#
-#variable "region_vars" {
-#  description = "Region Vars"
-#  type        = map
-#}
-#
-#variable "account_vars" {
-#  description = "Account Vars"
-#  type        = map
-#}
-
+# Inherited
+variable "standard_tags" { type = map }
+variable "inside_domain" { type = string }
+variable "aws_region" { type = string }
+variable "aws_account_id" { type = string }
+variable "aws_partition" { type = string }