[#316] Add VPC flow log module

Author: tung-nimblehq

.github/wiki/Security.md

@@ -0,0 +1,26 @@
+# Security
+
+This document provides an overview of the security modules available in the infrastructure templates to help enhance your AWS infrastructure security posture.
+
+## Available Security Modules
+
+### VPC Flow Log
+
+The VPC Flow Log module captures network traffic information in your VPC to help with security monitoring and network analysis.
+
+#### Overview
+
+VPC Flow Logs capture information about IP traffic going to and from network interfaces in your VPC. This module:
+
+- **Captures network flows**: Records detailed information about network traffic patterns in your VPC
+- **Stores logs in S3**: Saves all captured flow logs securely in an Amazon S3 bucket with configurable retention
+- **Enables querying via Athena**: Provides ready-to-use AWS Athena integration for analyzing log data using SQL queries
+
+## Getting Started
+
+To add security features to your infrastructure:
+
+1. Run the infrastructure generator
+2. Select "Complete infrastructure (VPC + ECR + RDS + S3 + FARGATE + Cloudwatch + Security groups + ALB)" when prompted for infrastructure type
+3. Choose "Yes" when asked "Do you want to create (VPC Flow Logs + CloudTrail) to enhance security posture and compliance?"
+

.github/wiki/_Sidebar.md

@@ -12,6 +12,7 @@
 - [[Add a new CLI command | Add new command]]
 - [[Add New Addon or Module | Add new addon module]]
 - [[Using The Generator As Reference]]
+- [[Security]]
 - [[Testing]]
 - [[Modify the Infrastructure Diagram | Modify infra diagram]]
 - [[Publishing]]

src/generators/addons/aws/advanced.test.ts

@@ -11,6 +11,7 @@ import {
   applyAwsRds,
   applyAwsS3,
   applyAwsSsm,
+  applyAwsVpcFlowLog,
 } from './modules';
 
 jest.mock('./modules');
@@ -65,5 +66,37 @@ describe('AWS advanced template', () => {
     it('applies ECS add-on', () => {
       expect(applyAwsEcs).toHaveBeenCalledWith(options);
     });
+
+    describe('given enabledSecurityFeatures is not set', () => {
+      it('does NOT apply VPC Flow Log add-on', () => {
+        expect(applyAwsVpcFlowLog).not.toHaveBeenCalled();
+      });
+    });
+
+    describe('given enabledSecurityFeatures is true', () => {
+      const optionsEnabledSecurityFeatures: AwsOptions = {
+        projectName: projectDir,
+        provider: 'aws',
+        infrastructureType: 'advanced',
+        awsRegion: 'ap-southeast-1',
+        enabledSecurityFeatures: true,
+      };
+
+      beforeAll(async () => {
+        jest.clearAllMocks();
+        await applyAdvancedTemplate(optionsEnabledSecurityFeatures);
+      });
+
+      afterAll(() => {
+        jest.clearAllMocks();
+        remove('/', projectDir);
+      });
+
+      it('applies VPC Flow Log add-on when flag is set', () => {
+        expect(applyAwsVpcFlowLog).toHaveBeenCalledWith(
+          optionsEnabledSecurityFeatures
+        );
+      });
+    });
   });
 });

src/generators/addons/aws/advanced.ts

@@ -8,6 +8,7 @@ import {
   applyAwsRds,
   applyAwsS3,
   applyAwsSsm,
+  applyAwsVpcFlowLog,
 } from './modules';
 
 const applyAdvancedTemplate = async (options: AwsOptions) => {
@@ -19,6 +20,10 @@ const applyAdvancedTemplate = async (options: AwsOptions) => {
   await applyAwsCloudwatch(options);
   await applyAwsS3(options);
   await applyAwsSsm(options);
+
+  if (options.enabledSecurityFeatures) {
+    await applyAwsVpcFlowLog(options);
+  }
 };
 
 export { applyAdvancedTemplate };

src/generators/addons/aws/dependencies.ts

@@ -13,6 +13,7 @@ import {
   applyAwsSecurityGroup,
   applyAwsSsm,
   applyAwsVpc,
+  applyAwsVpcFlowLog,
 } from '@/generators/addons/aws/modules';
 import { containsContent, isExisting } from '@/helpers/file';
 
@@ -85,6 +86,12 @@ const AWS_MODULES: Record<AwsModuleName | string, AwsModule> = {
     mainContent: 'module "ssm"',
     applyModuleFunction: (options: AwsOptions) => applyAwsSsm(options),
   },
+  vpcFlowLog: {
+    name: 'vpcFlowLog',
+    path: 'modules/vpc_flow_log',
+    mainContent: 'module "vpc_flow_log"',
+    applyModuleFunction: (options: AwsOptions) => applyAwsVpcFlowLog(options),
+  },
 };
 
 const isAwsModuleAdded = (

src/generators/addons/aws/index.ts

@@ -12,6 +12,12 @@ import {
   applyAwsVpc,
 } from './modules';
 
+type AwsOptions = GeneralOptions & {
+  infrastructureType?: 'blank' | 'advanced';
+  awsRegion?: string;
+  enabledSecurityFeatures?: boolean;
+};
+
 const awsChoices = [
   {
     type: 'list',
@@ -30,6 +36,14 @@ const awsChoices = [
       },
     ],
   },
+  {
+    type: 'confirm',
+    name: 'enabledSecurityFeatures',
+    message:
+      'Do you want to create (VPC Flow Logs + CloudTrail) to enhance security posture and compliance?',
+    default: false,
+    when: (answers: AwsOptions) => answers.infrastructureType === 'advanced',
+  },
   {
     type: 'input',
     name: 'awsRegion',
@@ -38,11 +52,6 @@ const awsChoices = [
   },
 ];
 
-type AwsOptions = GeneralOptions & {
-  infrastructureType?: 'blank' | 'advanced';
-  awsRegion?: string;
-};
-
 const applyProviderAndRegion = async (options: AwsOptions) => {
   await applyTerraformAwsProvider(options);
   await applyAwsRegion(options);
@@ -52,10 +61,12 @@ const generateAwsTemplate = async (
   generalOptions: GeneralOptions
 ): Promise<void> => {
   const awsOptionsPrompt = await prompt(awsChoices);
+
   const awsOptions: AwsOptions = {
     ...generalOptions,
     infrastructureType: awsOptionsPrompt.infrastructureType,
     awsRegion: awsOptionsPrompt.awsRegion,
+    enabledSecurityFeatures: awsOptionsPrompt.enabledSecurityFeatures,
   };
 
   switch (awsOptions.infrastructureType) {

src/generators/addons/aws/modules/index.ts

@@ -11,6 +11,7 @@ import applyAwsEcs from './ecs';
 import applyAwsRds from './rds';
 import applyAwsS3 from './s3';
 import applyAwsSsm from './ssm';
+import applyAwsVpcFlowLog from './vpcFlowLog';
 
 export {
   applyAwsAlb,
@@ -26,4 +27,5 @@ export {
   applyAwsSecurityGroup,
   applyAwsSsm,
   applyAwsVpc,
+  applyAwsVpcFlowLog,
 };

src/generators/addons/aws/modules/vpcFlowLog.test.ts

@@ -0,0 +1,66 @@
+import { AwsOptions } from '@/generators/addons/aws';
+import { applyTerraformCore } from '@/generators/terraform';
+import { remove } from '@/helpers/file';
+
+import applyTerraformAwsProvider from './core/provider';
+import applyAwsVpcFlowLog, {
+  vpcFlowLogModuleContent,
+  vpcFlowLogVariablesContent,
+} from './vpcFlowLog';
+
+jest.mock('inquirer', () => {
+  return {
+    prompt: jest.fn().mockResolvedValue({ apply: true }),
+  };
+});
+
+describe('VPC Flow Log add-on', () => {
+  describe('given valid AWS options', () => {
+    const projectDir = 'vpc-flow-log-addon-test';
+
+    beforeAll(async () => {
+      const awsOptions: AwsOptions = {
+        projectName: projectDir,
+        provider: 'aws',
+        infrastructureType: 'advanced',
+      };
+
+      await applyTerraformCore(awsOptions);
+      await applyTerraformAwsProvider(awsOptions);
+      await applyAwsVpcFlowLog(awsOptions);
+    });
+
+    afterAll(() => {
+      jest.clearAllMocks();
+      remove('/', projectDir);
+    });
+
+    it('creates expected files', () => {
+      const expectedFiles = [
+        'core/main.tf',
+        'core/providers.tf',
+        'core/outputs.tf',
+        'core/variables.tf',
+        'modules/vpc_flow_log/main.tf',
+        'modules/vpc_flow_log/variables.tf',
+        'modules/vpc_flow_log/outputs.tf',
+      ];
+
+      expect(projectDir).toHaveFiles(expectedFiles);
+    });
+
+    it('adds vpc_flow_log module to main.tf', () => {
+      expect(projectDir).toHaveContentInFile(
+        'core/main.tf',
+        vpcFlowLogModuleContent
+      );
+    });
+
+    it('adds vpc_flow_log variables to variables.tf', () => {
+      expect(projectDir).toHaveContentInFile(
+        'core/variables.tf',
+        vpcFlowLogVariablesContent
+      );
+    });
+  });
+});

src/generators/addons/aws/modules/vpcFlowLog.ts

@@ -0,0 +1,142 @@
+import { dedent } from 'ts-dedent';
+
+import { AwsOptions } from '@/generators/addons/aws';
+import {
+  isAwsModuleAdded,
+  requireAwsModules,
+} from '@/generators/addons/aws/dependencies';
+import {
+  INFRA_CORE_LOCALS_PATH,
+  INFRA_CORE_MAIN_PATH,
+  INFRA_CORE_VARIABLES_PATH,
+  MODULES_LOCALS_INDICATOR,
+} from '@/generators/terraform/constants';
+import { appendToFile, copy, injectToFile } from '@/helpers/file';
+
+import { AWS_TEMPLATE_PATH } from '../constants';
+
+const vpcFlowLogLocalesContent = `  ###VPC Flow Log###
+  vpc_flow_log_s3_bucket_policy = {
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Sid    = "AWSLogDeliveryWrite"
+          Effect = "Allow"
+          Principal = {
+            Service = "delivery.logs.amazonaws.com"
+          }
+          Action   = "s3:PutObject"
+          Resource = "arn:aws:s3:::\${module.s3_flow_log.aws_s3_bucket_name}/*"
+          Condition = {
+            StringEquals = {
+              "aws:SourceAccount" = data.aws_caller_identity.current.account_id
+              "s3:x-amz-acl"      = "bucket-owner-full-control"
+            }
+            ArnLike = {
+              "aws:SourceArn" = "arn:aws:logs:\${data.aws_region.current.region}:\${data.aws_caller_identity.current.account_id}:*"
+            }
+          }
+        },
+        {
+          Sid    = "AWSLogDeliveryAclCheck"
+          Effect = "Allow"
+          Principal = {
+            Service = "delivery.logs.amazonaws.com"
+          }
+          Action = [
+            "s3:GetBucketAcl",
+            "s3:ListBucket"
+          ]
+          Resource = "arn:aws:s3:::\${module.s3_flow_log.aws_s3_bucket_name}"
+          Condition = {
+            StringEquals = {
+              "aws:SourceAccount" = data.aws_caller_identity.current.account_id
+            }
+            ArnLike = {
+              "aws:SourceArn" = "arn:aws:logs:\${data.aws_region.current.region}:\${data.aws_caller_identity.current.account_id}:*"
+            }
+          }
+        },
+        {
+          Effect    = "Deny"
+          Principal = "*"
+          Action    = "s3:*"
+          Resource = [
+            "arn:aws:s3:::\${module.s3_flow_log.aws_s3_bucket_name}",
+            "arn:aws:s3:::\${module.s3_flow_log.aws_s3_bucket_name}/*"
+          ]
+          Condition = {
+            Bool = {
+              "aws:SecureTransport" = "false"
+            }
+          }
+        }
+      ]
+    }`;
+
+const vpcFlowLogVariablesContent = dedent`
+  variable "vpc_flow_log_retention_days" {
+    description = "The number of days to retain VPC Flow Logs in S3"
+    type        = number
+    default     = 90
+  }`;
+
+const vpcFlowLogModuleContent = dedent`
+  module "s3_flow_log" {
+    source = "../modules/s3"
+
+    env_namespace    = local.env_namespace
+    bucket_name      = "\${local.env_namespace}-flow-logs-\${data.aws_caller_identity.current.account_id}"
+    force_destroy    = true
+    object_ownership = "BucketOwnerPreferred"
+  }
+
+  module "s3_flow_log_policy" {
+    source = "../modules/s3/bucket_policy"
+
+    s3_bucket_name = module.s3_flow_log.aws_s3_bucket_name
+    s3_bucket_policy = local.vpc_flow_log_s3_bucket_policy
+  }
+
+  module "vpc_flow_log" {
+    source = "../modules/vpc_flow_log"
+
+    env_namespace      = local.env_namespace
+    vpc_id             = module.vpc.vpc_id
+    s3_bucket_name     = module.s3_flow_log.aws_s3_bucket_name
+    log_retention_days = var.vpc_flow_log_retention_days
+  }`;
+
+const applyAwsVpcFlowLog = async (options: AwsOptions) => {
+  if (isAwsModuleAdded('vpcFlowLog', options.projectName)) {
+    return;
+  }
+  await requireAwsModules('vpcFlowLog', 'vpc', options);
+
+  copy(
+    `${AWS_TEMPLATE_PATH}/modules/vpc_flow_log`,
+    'modules/vpc_flow_log',
+    options.projectName
+  );
+  injectToFile(
+    INFRA_CORE_LOCALS_PATH,
+    vpcFlowLogLocalesContent,
+    options.projectName,
+    {
+      insertAfter: MODULES_LOCALS_INDICATOR,
+    }
+  );
+  appendToFile(
+    INFRA_CORE_VARIABLES_PATH,
+    vpcFlowLogVariablesContent,
+    options.projectName
+  );
+  appendToFile(
+    INFRA_CORE_MAIN_PATH,
+    vpcFlowLogModuleContent,
+    options.projectName
+  );
+};
+
+export default applyAwsVpcFlowLog;
+export { vpcFlowLogModuleContent, vpcFlowLogVariablesContent };