feat: support the feature of enabling dns request logging on the vpc resolver

gambol99 · gambol99 · commit 118d6bc23d0e · 2025-03-22T18:11:56.000Z
diff --git a/README.md b/README.md
@@ -150,6 +150,22 @@ module "vpc" {
 }
 ```
 
+## Enable DNS Request Logging
+
+To enable DNS request logging in your VPC, you can use the `enable_dns_request_logging` variable. This feature allows you to log DNS queries made within your VPC, which can be useful for monitoring and troubleshooting.
+
+Here is an example configuration:
+
+```hcl
+module "vpc" {
+  source  = "appvia/network/aws"
+  version = "0.0.8"
+
+  enable_dns_request_logging = true
+  # ... other configuration ...
+}
+```
+
 ## Using Route53 Resolver Rules
 
 The module supports automatically associating shared Route53 Resolver Rules with your VPC. By default, any resolver rules shared with your account will be automatically associated. Here are some configuration examples:
@@ -229,8 +245,10 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | <a name="input_name"></a> [name](#input\_name) | Is the name of the network to provision | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to all resources | `map(string)` | n/a | yes |
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | The number of availability zone the network should be deployed into | `number` | `2` | no |
+| <a name="input_dns_query_log_retention"></a> [dns\_query\_log\_retention](#input\_dns\_query\_log\_retention) | The number of days to retain DNS query logs | `number` | `7` | no |
 | <a name="input_enable_default_route_table_association"></a> [enable\_default\_route\_table\_association](#input\_enable\_default\_route\_table\_association) | Indicates the transit gateway default route table should be associated with the subnets | `bool` | `true` | no |
 | <a name="input_enable_default_route_table_propagation"></a> [enable\_default\_route\_table\_propagation](#input\_enable\_default\_route\_table\_propagation) | Indicates the transit gateway default route table should be propagated to the subnets | `bool` | `true` | no |
+| <a name="input_enable_dns_request_logging"></a> [enable\_dns\_request\_logging](#input\_enable\_dns\_request\_logging) | Enable logging of DNS requests | `bool` | `false` | no |
 | <a name="input_enable_private_endpoints"></a> [enable\_private\_endpoints](#input\_enable\_private\_endpoints) | Indicates the network should provision private endpoints | `list(string)` | `[]` | no |
 | <a name="input_enable_route53_resolver_rules"></a> [enable\_route53\_resolver\_rules](#input\_enable\_route53\_resolver\_rules) | Automatically associates any shared route53 resolver rules with the VPC | `bool` | `true` | no |
 | <a name="input_enable_ssm"></a> [enable\_ssm](#input\_enable\_ssm) | Indicates we should provision SSM private endpoints | `bool` | `false` | no |
diff --git a/data.tf b/data.tf
@@ -1,11 +1,12 @@
 
 ## Get the current region
 data "aws_region" "current" {}
+
 ## Find the current account id
 data "aws_caller_identity" "current" {}
+
 ## Find any forwarding rules which have been shared to us
 data "aws_route53_resolver_rules" "current" {
   rule_type    = "FORWARD"
   share_status = "SHARED_WITH_ME"
 }
-
diff --git a/main.tf b/main.tf
@@ -17,6 +17,31 @@ module "vpc" {
   vpc_ipv4_netmask_length  = var.vpc_netmask
 }
 
+## Enable DNS request logging if required
+resource "aws_cloudwatch_log_group" "dns_query_logs" {
+  count = var.enable_dns_request_logging ? 1 : 0
+
+  name              = "/aws/route53/${var.name}/dns-query-logs"
+  retention_in_days = var.dns_query_log_retention
+  tags              = var.tags
+}
+
+## Create the DNS query log config
+resource "aws_route53_resolver_query_log_config" "dns_query_log_config" {
+  count = var.enable_dns_request_logging ? 1 : 0
+
+  name            = "${var.name}-dns-query-logs"
+  destination_arn = aws_cloudwatch_log_group.dns_query_logs[0].arn
+}
+
+## Associate the DNS query log config with the VPC
+resource "aws_route53_resolver_query_log_config_association" "dns_query_log_association" {
+  count = var.enable_dns_request_logging ? 1 : 0
+
+  resolver_query_log_config_id = aws_route53_resolver_query_log_config.dns_query_log_config[0].id
+  resource_id                  = module.vpc.vpc_attributes.id
+}
+
 ## Associate any resolver rules with the vpc if required
 resource "aws_route53_resolver_rule_association" "vpc_associations" {
   for_each = var.enable_route53_resolver_rules ? toset(local.resolver_rules) : null
diff --git a/variables.tf b/variables.tf
@@ -4,10 +4,10 @@ variable "availability_zones" {
   default     = 2
 }
 
-variable "subnets" {
-  description = "Additional subnets to create in the network, keyed by the subnet name"
-  type        = any
-  default     = {}
+variable "dns_query_log_retention" {
+  description = "The number of days to retain DNS query logs"
+  type        = number
+  default     = 7
 }
 
 variable "enable_route53_resolver_rules" {
@@ -40,6 +40,12 @@ variable "enable_default_route_table_propagation" {
   default     = true
 }
 
+variable "enable_dns_request_logging" {
+  description = "Enable logging of DNS requests"
+  type        = bool
+  default     = false
+}
+
 variable "enable_transit_gateway_appliance_mode" {
   description = "Indicates the network should be connected to a transit gateway in appliance mode"
   type        = bool
@@ -111,6 +117,12 @@ variable "transit_gateway_routes" {
   }
 }
 
+variable "subnets" {
+  description = "Additional subnets to create in the network, keyed by the subnet name"
+  type        = any
+  default     = {}
+}
+
 variable "vpc_cidr" {
   description = "An optional cidr block to assign to the VPC (if not using IPAM)"
   type        = string
