feat: enable VPC Flow Logs with CloudWatch and KMS encryption (#194)

Author: marekaf

README.md

@@ -176,6 +176,10 @@ Lambda functions live in `src/<lambda-name>/` directories with an `index.mjs` (o
 ## checkov
 [Checkov]() is an amazing tool to lint terraform (and other) resources, we use the non-official pre-commit hook by antonbabenko
 
+## VPC Flow Logs
+
+VPC Flow Logs capture network traffic metadata for security analysis, troubleshooting, and compliance. Example 05 enables flow logs using the VPC module's built-in support, sending logs to CloudWatch Logs with KMS encryption and 90-day retention. See `examples/05-aws-complete/networking.tf`.
+
 ## State Locking
 We use S3 native locking with `use_lockfile = true` (requires Terraform 1.6+). This eliminates the need for a separate DynamoDB table for state locking.
 

examples/05-aws-complete/networking.tf

@@ -16,6 +16,14 @@ module "vpc" {
   database_subnets             = var.subnets.database
   create_database_subnet_group = true
   enable_dns_hostnames         = true
+
+  enable_flow_log                                 = true
+  create_flow_log_cloudwatch_log_group            = true
+  create_flow_log_cloudwatch_iam_role             = true
+  flow_log_max_aggregation_interval               = 60
+  flow_log_cloudwatch_log_group_name_prefix       = "/aws/vpc-flow-logs/"
+  flow_log_cloudwatch_log_group_retention_in_days = 90
+  flow_log_cloudwatch_log_group_kms_key_id        = aws_kms_key.main.arn
 }
 
 # Specific security group for all VPC endpoints