- # Flow logs need to be created per VPC, but we need a role
- resource "aws_cloudwatch_log_group" "vpc_flow_logs" {
- name = "vpc_flow_logs"
- retention_in_days = 7
- kms_key_id = var.cloudtrail_key_arn
- tags = merge(var.standard_tags, var.tags)
- }
- resource "aws_iam_role" "flowlogs" {
- name = "flowlogs"
- path = "/aws_services/"
- tags = merge(var.standard_tags, var.tags)
- assume_role_policy = <<EOF
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "",
- "Effect": "Allow",
- "Principal": {
- "Service": "vpc-flow-logs.amazonaws.com"
- },
- "Action": "sts:AssumeRole"
- }
- ]
- }
- EOF
- }
- resource "aws_iam_role_policy" "flowlogs" {
- name = "flowlogs"
- role = aws_iam_role.flowlogs.id
- policy = <<EOF
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Action": [
- "logs:CreateLogGroup",
- "logs:CreateLogStream",
- "logs:PutLogEvents",
- "logs:DescribeLogGroups",
- "logs:DescribeLogStreams"
- ],
- "Effect": "Allow",
- "Resource": "*"
- }
- ]
- }
- EOF
- }