[#316] Add VPC flow log module as an optional module #317
tung-nimblehq wants to merge 3 commits into develop from
@hoangmirs Can you recheck it? 🙏
Could you help rebase against the develop branch again?
Rebased 🙏
…and create dedicated locals and data files
@tung-nimblehq Just wondering if VPC Flow Log is something we've used in other projects?
If not, do you think it's essential for the B2B project? 🙏
Just a concern if we plan to add VPC Flow Log, it would be an additional cost for the project. 💭
.github/wiki/Security.md
Outdated
| 1. Run the infrastructure generator | ||
| 2. Select "Complete infrastructure (VPC + ECR + RDS + S3 + FARGATE + Cloudwatch + Security groups + ALB)" when prompted for infrastructure type | ||
| 3. Choose "Yes" when asked "Do you want to create (VPC Flow Logs + CloudTrail) to enhance security posture and compliance?" | ||
|
|
| expect(applyAwsEcs).toHaveBeenCalledWith(options); | ||
| }); | ||
|
|
||
| describe('given enabledSecurityFeatures is not set', () => { |
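Review bot: the new `describe('given enabledSecurityFeatures is not set', ...)` block only covers the flag-unset path for the Advanced template; the PR description also states that the Blank template does not create the VPC flow log module, so add a sibling case for the Blank template asserting that `applyAwsVpcFlowLog` is not called there, otherwise that behaviour is only verified by the screen recording.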
Hmmmm, I'm not entirely convinced that VPC Flow and CloudTrail are security features.
→ Should we label them as Audit or Monitoring features instead?
If yes, we should rename Security.md accordingly and other variables too.
VPC Flow Logs and AWS CloudTrail are foundational components that bridge Security, Audit, and Monitoring in AWS. @toby-thanathip I used security since it includes Audit, and Monitoring.
| variable "s3_bucket_name" { | ||
| description = "The name of the S3 bucket to store the flow logs." | ||
| type = string | ||
| } |
Do we need s3_key_prefix here too? Similar what we did for CloudTrail.
| "projection.aws_region.type" = "enum" | ||
| "projection.aws_region.values" = "${data.aws_region.current.region}" | ||
| "projection.year.type" = "integer" | ||
| "projection.year.range" = "2025,2030" # Update the range as needed |
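Review bot: the hardcoded `"projection.year.range" = "2025,2030"` is a silent data-visibility boundary: with partition projection Athena never lists partitions outside the declared range, so any flow logs written in 2031 or later simply never appear in query results and nobody gets an error. Either widen the upper bound generously (the cost of an unused projected year is nil) or expose the range as a variable and document the update step in Security.md instead of relying on the inline "Update the range as needed" comment. Also note that `"projection.aws_region.values" = "${data.aws_region.current.region}"` pins the table to the deploying region only, which is correct as long as this bucket receives flow logs from a single region.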
| "projection.year.range" = "2025,2030" # Update the range as needed | |
| "projection.year.range" = "2026,2030" # Update the range as needed |
|
|
||
| env_namespace = local.env_namespace | ||
| bucket_name = "\${local.env_namespace}-flow-logs-\${data.aws_caller_identity.current.account_id}" | ||
| force_destroy = true |
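Review bot: `force_destroy = true` on the `"${local.env_namespace}-flow-logs-${data.aws_caller_identity.current.account_id}"` bucket lets a `terraform destroy` (or a resource replacement) delete the bucket together with every flow log object in it, which defeats the audit and forensic purpose of the module. Default it to `false` and, if a disposable setting is wanted for ephemeral environments, make it a variable (e.g. `var.force_destroy`) so a production project has to opt in explicitly.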
Sounds concerning, are we sure we want to have it as true? 🙏
| const vpcFlowLogLocalesContent = dedent` | ||
| ### Begin VPC Flow Log ### | ||
| locals { | ||
| vpc_flow_log_s3_bucket_policy = { |
I'm new to Terraform, forgive me; Why don't we add this to locals.tf?
→ Or should some parts be defined inside main.tf? 💭
It will be created inside core/locals.tf after we generate for the project, @toby-thanathip. According to our convention, constants should be defined in locals.tf, not in main.tf. Also, we shouldn't move everything directly into core/locals.tf at this stage for two reasons:
1. It would separate these values from the main module logic, which could make the flow harder to follow.
2. Some locals may require dynamic values passed from modules, so defining them too early or too centrally could limit flexibility.
|
|
||
| import { AWS_TEMPLATE_PATH } from '../constants'; | ||
|
|
||
| const vpcFlowLogLocalesContent = dedent` |
| const vpcFlowLogLocalesContent = dedent` | |
| const vpcFlowLogLocalsContent = dedent` |
| { key = "flow_direction", value = "string" }, | ||
| { key = "traffic_path", value = "int" }, | ||
| { key = "ecs_task_id", value = "string" }, | ||
| { key = "reject_reason", value = "string" }, |
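Review bot: the Glue columns such as `{ key = "flow_direction", value = "string" }` and `{ key = "traffic_path", value = "int" }` are parsed positionally from the space-delimited flow log files, so this list must be in exactly the same order as the fields in the flow log's `log_format` string; a field added or reordered on one side but not the other shifts every later value into the wrong column without any error from Athena. Worth a comment pointing at the `log_format` definition, or deriving both from a single local so they cannot drift.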
Do you think all these columns are useful to us?
→ Just thinking if we reduce the amount of columns, it would reduce the cost for storage.
Fewer columns = smaller files = lower storage cost over time.
I think yes, it provides us with some useful information like reject_reason, traffic_path... we can adjust these columns at the project level. I think these columns are fine at the template level
| variable "log_retention_days" { | ||
| description = "The number of days to retain the flow logs in S3." | ||
| type = number | ||
| default = 90 |
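Review bot: the description "The number of days to retain the flow logs in S3." does not say how the value is enforced; if it feeds an S3 lifecycle expiration rule, say so, and if it does not, the variable is misleading. On the default itself, 90 days is a sensible floor for logs meant for incident response: compromises are frequently discovered well after the initial access, and flow logs that have already expired cannot be recovered, whereas extra S3 storage for text logs is cheap. If the concern is cost, a lifecycle transition to a colder storage class before expiry is the usual compromise.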
Do you think 90 days is too long for troubleshooting cases? 💭
→ "The longer the retention, the more you accumulate, the more you pay."
src/generators/addons/aws/index.ts
Outdated
| type: 'confirm', | ||
| name: 'enabledSecurityFeatures', | ||
| message: | ||
| 'Do you want to create (VPC Flow Logs + CloudTrail) to enhance security posture and compliance?', |
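Review bot: the single `enabledSecurityFeatures` confirm couples two independent, separately billed features behind one answer, and the prompt text "(VPC Flow Logs + CloudTrail)" bakes that coupling into the UX. If they are later split into two prompts, both the message string and the flag name need to change, so consider naming the flag after what it actually toggles (or using one flag per module) now rather than after projects have been generated with it.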
Just thinking, if it's too strict too force them together.
→ Would there be any case where we only want one (instead of both), to reduce costs?
| }; | ||
|
|
||
| export default applyAwsVpcFlowLog; | ||
| export { vpcFlowLogModuleContent, vpcFlowLogVariablesContent }; |
Any reason we don't export the outputs, same as we did for Cloudtrail?
I think we won't need any output from these modules for now. That's why I don't expose it here.
What happened 👀
- Add `vpc-flow-log` module
- Add `enabledSecurityFeatures` flag to make `vpc-flow-log` module an optional module.

Insight 📝
Add a Glue table for Athena to query flow logs, since Athena charges based on queries: https://www.amazonaws.cn/en/athena/pricing/
Proof Of Work 📹
Apply on AWS correctly
Logs
S3 bucket
Athena Query
Example query:
99825aeb-13ee-4801-87c3-5c512f619a50.csv
Create VPC flow log in the Advanced template with flag set true.
Screen.Recording.2025-10-05.at.12.41.38.mov
Does not create VPC flow log in Blank template.
Screen.Recording.2025-10-05.at.12.38.54.mov
Does not create VPC flow log in the Advanced template with the flag not set.
Screen.Recording.2025-10-05.at.12.40.24.mov
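The PR adds a Glue table with partition projection so Athena can query the flow logs, and the thread raises both Athena cost and the usefulness of columns such as `reject_reason`, `flow_direction` and `traffic_path`. The query below is an added example written for this review, not a query from the PR or its attachments. It assumes the database and table are named `flow_logs_db.vpc_flow_logs`, that the partition columns are the projected `aws_region` (string) and `year` (declared as int, matching the integer projection) shown in the diff, and that the standard flow log fields `srcaddr`, `dstaddr`, `dstport`, `protocol`, `action` and `bytes` are part of the `log_format`; those names are assumptions, not something the page confirms. The point it demonstrates is that filtering on the projected partition keys keeps Athena from scanning every object in the bucket, which is what keeps the per-query charge down, while the custom columns make rejected traffic directly attributable.

```sql
-- Added example for this review; not part of the PR.
-- Assumed names: flow_logs_db.vpc_flow_logs, partition columns aws_region and year,
-- standard flow log fields srcaddr/dstaddr/dstport/protocol/action/bytes.
-- Summarises rejected flows for one region and year, with the custom fields
-- from the Glue table (flow_direction, traffic_path, reject_reason).
SELECT
  srcaddr,
  dstaddr,
  dstport,
  protocol,
  flow_direction,            -- 'ingress' or 'egress'
  traffic_path,              -- int: which path the packet took (see flow log docs)
  reject_reason,             -- populated only for certain rejects, e.g. BPA
  COUNT(*)     AS flows,
  SUM(bytes)   AS total_bytes
FROM flow_logs_db.vpc_flow_logs
WHERE aws_region = 'ap-southeast-1'   -- projected partition key: prunes other regions
  AND year       = 2025               -- projected partition key; use '2025' if declared as string
  AND action     = 'REJECT'
GROUP BY
  srcaddr, dstaddr, dstport, protocol,
  flow_direction, traffic_path, reject_reason
ORDER BY flows DESC
LIMIT 50;
```

Without the `aws_region` and `year` predicates Athena has to enumerate and read every object under the table location, so the same query costs more with every month of retained logs; with them, only the projected prefixes for that region and year are read. A `year` value outside the configured `projection.year.range` returns no rows rather than an error, which is why the range in the Glue table needs to be kept ahead of the calendar.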