[#316] Add VPC flow log module

Author: tung-nimblehq

.tool-versions

@@ -1,3 +1,3 @@
 nodejs 18.12.1
-terraform 1.8.3
+terraform 1.13.3
 trivy 0.47.0

src/generators/addons/aws/advanced.test.ts

@@ -11,6 +11,7 @@ import {
   applyAwsRds,
   applyAwsS3,
   applyAwsSsm,
+  applyAwsVpcFlowLog,
 } from './modules';
 
 jest.mock('./modules');
@@ -65,5 +66,37 @@ describe('AWS advanced template', () => {
     it('applies ECS add-on', () => {
       expect(applyAwsEcs).toHaveBeenCalledWith(options);
     });
+
+    describe('given enabledSecurityFeatures is not set', () => {
+      it('does NOT apply VPC Flow Log add-on', () => {
+        expect(applyAwsVpcFlowLog).not.toHaveBeenCalled();
+      });
+    });
+
+    describe('given enabledSecurityFeatures is true', () => {
+      const optionsEnabledSecurityFeatures: AwsOptions = {
+        projectName: projectDir,
+        provider: 'aws',
+        infrastructureType: 'advanced',
+        awsRegion: 'ap-southeast-1',
+        enabledSecurityFeatures: true,
+      };
+
+      beforeAll(async () => {
+        jest.clearAllMocks();
+        await applyAdvancedTemplate(optionsEnabledSecurityFeatures);
+      });
+
+      afterAll(() => {
+        jest.clearAllMocks();
+        remove('/', projectDir);
+      });
+
+      it('applies VPC Flow Log add-on when flag is set', () => {
+        expect(applyAwsVpcFlowLog).toHaveBeenCalledWith(
+          optionsEnabledSecurityFeatures
+        );
+      });
+    });
   });
 });

src/generators/addons/aws/advanced.ts

@@ -8,6 +8,7 @@ import {
   applyAwsRds,
   applyAwsS3,
   applyAwsSsm,
+  applyAwsVpcFlowLog,
 } from './modules';
 
 const applyAdvancedTemplate = async (options: AwsOptions) => {
@@ -19,6 +20,10 @@ const applyAdvancedTemplate = async (options: AwsOptions) => {
   await applyAwsCloudwatch(options);
   await applyAwsS3(options);
   await applyAwsSsm(options);
+
+  if (options.enabledSecurityFeatures) {
+    await applyAwsVpcFlowLog(options);
+  }
 };
 
 export { applyAdvancedTemplate };

src/generators/addons/aws/dependencies.ts

@@ -13,6 +13,7 @@ import {
   applyAwsSecurityGroup,
   applyAwsSsm,
   applyAwsVpc,
+  applyAwsVpcFlowLog,
 } from '@/generators/addons/aws/modules';
 import { containsContent, isExisting } from '@/helpers/file';
 
@@ -85,6 +86,12 @@ const AWS_MODULES: Record<AwsModuleName | string, AwsModule> = {
     mainContent: 'module "ssm"',
     applyModuleFunction: (options: AwsOptions) => applyAwsSsm(options),
   },
+  vpcFlowLog: {
+    name: 'vpcFlowLog',
+    path: 'modules/vpc_flow_log',
+    mainContent: 'module "vpc_flow_log"',
+    applyModuleFunction: (options: AwsOptions) => applyAwsVpcFlowLog(options),
+  },
 };
 
 const isAwsModuleAdded = (

src/generators/addons/aws/index.ts

@@ -12,6 +12,12 @@ import {
   applyAwsVpc,
 } from './modules';
 
+type AwsOptions = GeneralOptions & {
+  infrastructureType?: 'blank' | 'advanced';
+  awsRegion?: string;
+  enabledSecurityFeatures?: boolean;
+};
+
 const awsChoices = [
   {
     type: 'list',
@@ -30,6 +36,14 @@ const awsChoices = [
       },
     ],
   },
+  {
+    type: 'confirm',
+    name: 'enabledSecurityFeatures',
+    message:
+      'Do you want to create (VPC Flow Logs + CloudTrail) to enhance security posture and compliance?',
+    default: false,
+    when: (answers: AwsOptions) => answers.infrastructureType === 'advanced',
+  },
   {
     type: 'input',
     name: 'awsRegion',
@@ -38,11 +52,6 @@ const awsChoices = [
   },
 ];
 
-type AwsOptions = GeneralOptions & {
-  infrastructureType?: 'blank' | 'advanced';
-  awsRegion?: string;
-};
-
 const applyProviderAndRegion = async (options: AwsOptions) => {
   await applyTerraformAwsProvider(options);
   await applyAwsRegion(options);
@@ -52,10 +61,12 @@ const generateAwsTemplate = async (
   generalOptions: GeneralOptions
 ): Promise<void> => {
   const awsOptionsPrompt = await prompt(awsChoices);
+
   const awsOptions: AwsOptions = {
     ...generalOptions,
     infrastructureType: awsOptionsPrompt.infrastructureType,
     awsRegion: awsOptionsPrompt.awsRegion,
+    enabledSecurityFeatures: awsOptionsPrompt.enabledSecurityFeatures,
   };
 
   switch (awsOptions.infrastructureType) {

src/generators/addons/aws/modules/index.ts

@@ -11,6 +11,7 @@ import applyAwsEcs from './ecs';
 import applyAwsRds from './rds';
 import applyAwsS3 from './s3';
 import applyAwsSsm from './ssm';
+import applyAwsVpcFlowLog from './vpcFlowLog';
 
 export {
   applyAwsAlb,
@@ -26,4 +27,5 @@ export {
   applyAwsSecurityGroup,
   applyAwsSsm,
   applyAwsVpc,
+  applyAwsVpcFlowLog,
 };

src/generators/addons/aws/modules/vpcFlowLog.test.ts

@@ -0,0 +1,74 @@
+import { AwsOptions } from '@/generators/addons/aws';
+import { applyTerraformCore } from '@/generators/terraform';
+import { remove } from '@/helpers/file';
+
+import applyTerraformAwsProvider from './core/provider';
+import applyAwsVpcFlowLog, {
+  vpcFlowLogModuleContent,
+  vpcFlowLogOutputsContent,
+  vpcFlowLogVariablesContent,
+} from './vpcFlowLog';
+
+jest.mock('inquirer', () => {
+  return {
+    prompt: jest.fn().mockResolvedValue({ apply: true }),
+  };
+});
+
+describe('VPC Flow Log add-on', () => {
+  describe('given valid AWS options', () => {
+    const projectDir = 'vpc-flow-log-addon-test';
+
+    beforeAll(async () => {
+      const awsOptions: AwsOptions = {
+        projectName: projectDir,
+        provider: 'aws',
+        infrastructureType: 'advanced',
+      };
+
+      await applyTerraformCore(awsOptions);
+      await applyTerraformAwsProvider(awsOptions);
+      await applyAwsVpcFlowLog(awsOptions);
+    });
+
+    afterAll(() => {
+      jest.clearAllMocks();
+      remove('/', projectDir);
+    });
+
+    it('creates expected files', () => {
+      const expectedFiles = [
+        'core/main.tf',
+        'core/providers.tf',
+        'core/outputs.tf',
+        'core/variables.tf',
+        'modules/vpc_flow_log/main.tf',
+        'modules/vpc_flow_log/variables.tf',
+        'modules/vpc_flow_log/outputs.tf',
+      ];
+
+      expect(projectDir).toHaveFiles(expectedFiles);
+    });
+
+    it('adds vpc_flow_log module to main.tf', () => {
+      expect(projectDir).toHaveContentInFile(
+        'core/main.tf',
+        vpcFlowLogModuleContent
+      );
+    });
+
+    it('adds vpc_flow_log variables to variables.tf', () => {
+      expect(projectDir).toHaveContentInFile(
+        'core/variables.tf',
+        vpcFlowLogVariablesContent
+      );
+    });
+
+    it('adds vpc_flow_log outputs to outputs.tf', () => {
+      expect(projectDir).toHaveContentInFile(
+        'core/outputs.tf',
+        vpcFlowLogOutputsContent
+      );
+    });
+  });
+});

src/generators/addons/aws/modules/vpcFlowLog.ts

@@ -0,0 +1,98 @@
+import { dedent } from 'ts-dedent';
+
+import { AwsOptions } from '@/generators/addons/aws';
+import {
+  isAwsModuleAdded,
+  requireAwsModules,
+} from '@/generators/addons/aws/dependencies';
+import {
+  INFRA_CORE_MAIN_PATH,
+  INFRA_CORE_VARIABLES_PATH,
+  INFRA_CORE_OUTPUTS_PATH,
+} from '@/generators/terraform/constants';
+import { appendToFile, copy } from '@/helpers/file';
+
+import { AWS_TEMPLATE_PATH } from '../constants';
+
+const vpcFlowLogVariablesContent = dedent`
+  variable "vpc_flow_log_s3_bucket_name" {
+    description = "The name of the S3 bucket to store VPC Flow Logs"
+    type        = string
+  }
+
+  variable "vpc_flow_log_retention_days" {
+    description = "The number of days to retain VPC Flow Logs in S3"
+    type        = number
+    default     = 90
+  }`;
+
+const vpcFlowLogModuleContent = dedent`
+  module "vpc_flow_log" {
+    source = "../modules/vpc_flow_log"
+
+    env_namespace       = local.env_namespace
+    vpc_id              = module.vpc.vpc_id
+    s3_bucket_name      = var.vpc_flow_log_s3_bucket_name
+    log_retention_days  = var.vpc_flow_log_retention_days
+  }`;
+
+const vpcFlowLogOutputsContent = dedent`
+  output "vpc_flow_log_s3_bucket_id" {
+    description = "The ID of the S3 bucket to store VPC Flow Logs"
+    value       = module.vpc_flow_log.s3_bucket_id
+  }
+
+  output "vpc_flow_log_s3_bucket_name" {
+    description = "The name of the S3 bucket to store VPC Flow Logs"
+    value       = module.vpc_flow_log.s3_bucket_name
+  }
+
+  output "vpc_flow_log_arn" {
+    description = "The ARN of the VPC Flow Log"
+    value       = module.vpc_flow_log.vpc_flow_log_arn
+  }
+
+  output "vpc_flow_log_athena_table_name" {
+    description = "The name of the Athena table for VPC Flow Logs"
+    value       = module.vpc_flow_log.vpc_flow_log_athena_table_name
+  }
+
+  output "vpc_flow_log_athena_table_arn" {
+    description = "The arn of the Athena table for VPC Flow Logs"
+    value       = module.vpc_flow_log.vpc_flow_log_athena_table_arn
+  }`;
+
+const applyAwsVpcFlowLog = async (options: AwsOptions) => {
+  if (isAwsModuleAdded('vpcFlowLog', options.projectName)) {
+    return;
+  }
+  await requireAwsModules('vpcFlowLog', 'vpc', options);
+
+  copy(
+    `${AWS_TEMPLATE_PATH}/modules/vpc_flow_log`,
+    'modules/vpc_flow_log',
+    options.projectName
+  );
+  appendToFile(
+    INFRA_CORE_VARIABLES_PATH,
+    vpcFlowLogVariablesContent,
+    options.projectName
+  );
+  appendToFile(
+    INFRA_CORE_MAIN_PATH,
+    vpcFlowLogModuleContent,
+    options.projectName
+  );
+  appendToFile(
+    INFRA_CORE_OUTPUTS_PATH,
+    vpcFlowLogOutputsContent,
+    options.projectName
+  );
+};
+
+export default applyAwsVpcFlowLog;
+export {
+  vpcFlowLogVariablesContent,
+  vpcFlowLogModuleContent,
+  vpcFlowLogOutputsContent,
+};

src/generators/terraform/types.ts

@@ -11,6 +11,7 @@ const awsModules = [
   'rds',
   's3',
   'ssm',
+  'vpcFlowLog',
 ] as const;
 
 type AwsModuleName = (typeof awsModules)[number] | string;