feat: Add cloudwatch logs policy to vpc-cni for networkpolicy logging (#13)

Author: shaunofneuron

README.md

@@ -532,6 +532,7 @@ No modules.
 | <a name="input_aws_node_termination_handler_sqs_queue_arns"></a> [aws\_node\_termination\_handler\_sqs\_queue\_arns](#input\_aws\_node\_termination\_handler\_sqs\_queue\_arns) | List of SQS ARNs that contain node termination events | `list(string)` | `[]` | no |
 | <a name="input_aws_privateca_issuer_acmca_arns"></a> [aws\_privateca\_issuer\_acmca\_arns](#input\_aws\_privateca\_issuer\_acmca\_arns) | List of ACM Private CA ARNs to issue certificates from | `list(string)` | `[]` | no |
 | <a name="input_aws_privateca_issuer_policy_name"></a> [aws\_privateca\_issuer\_policy\_name](#input\_aws\_privateca\_issuer\_policy\_name) | Custom name of the AWS Private CA Issuer IAM policy | `string` | `null` | no |
+| <a name="input_aws_vpc_cni_enable_cloudwatch_logs"></a> [aws\_vpc\_cni\_enable\_cloudwatch\_logs](#input\_aws\_vpc\_cni\_enable\_cloudwatch\_logs) | Determines whether to enable VPC CNI permission to create CloudWatch Log groups and publish network policy events | `bool` | `false` | no |
 | <a name="input_aws_vpc_cni_enable_ipv4"></a> [aws\_vpc\_cni\_enable\_ipv4](#input\_aws\_vpc\_cni\_enable\_ipv4) | Determines whether to enable IPv4 permissions for VPC CNI policy | `bool` | `false` | no |
 | <a name="input_aws_vpc_cni_enable_ipv6"></a> [aws\_vpc\_cni\_enable\_ipv6](#input\_aws\_vpc\_cni\_enable\_ipv6) | Determines whether to enable IPv6 permissions for VPC CNI policy | `bool` | `false` | no |
 | <a name="input_aws_vpc_cni_policy_name"></a> [aws\_vpc\_cni\_policy\_name](#input\_aws\_vpc\_cni\_policy\_name) | Custom name of the VPC CNI IAM policy | `string` | `null` | no |

aws_vpc_cni.tf

@@ -9,6 +9,21 @@ data "aws_iam_policy_document" "vpc_cni" {
   source_policy_documents   = [data.aws_iam_policy_document.base[0].json]
   override_policy_documents = var.override_policy_documents
 
+  # https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html#cni-network-policy-setup
+  dynamic "statement" {
+    for_each = var.aws_vpc_cni_enable_cloudwatch_logs ? [1] : []
+    content {
+      sid = "CloudWatchLogs"
+      actions = [
+        "logs:DescribeLogGroups",
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+      ]
+      resources = ["*"]
+    }
+  }
+
   statement {
     actions   = ["ec2:CreateTags"]
     resources = ["arn:${local.partition}:ec2:*:*:network-interface/*"]

variables.tf

@@ -328,6 +328,12 @@ variable "aws_vpc_cni_policy_name" {
   default     = null
 }
 
+variable "aws_vpc_cni_enable_cloudwatch_logs" {
+  description = "Determines whether to enable VPC CNI permission to create CloudWatch Log groups and publish network policy events"
+  type        = bool
+  default     = false
+}
+
 variable "aws_vpc_cni_enable_ipv4" {
   description = "Determines whether to enable IPv4 permissions for VPC CNI policy"
   type        = bool

wrappers/main.tf

@@ -43,6 +43,7 @@ module "wrapper" {
   aws_node_termination_handler_sqs_queue_arns              = try(each.value.aws_node_termination_handler_sqs_queue_arns, var.defaults.aws_node_termination_handler_sqs_queue_arns, [])
   aws_privateca_issuer_acmca_arns                          = try(each.value.aws_privateca_issuer_acmca_arns, var.defaults.aws_privateca_issuer_acmca_arns, [])
   aws_privateca_issuer_policy_name                         = try(each.value.aws_privateca_issuer_policy_name, var.defaults.aws_privateca_issuer_policy_name, null)
+  aws_vpc_cni_enable_cloudwatch_logs                       = try(each.value.aws_vpc_cni_enable_cloudwatch_logs, var.defaults.aws_vpc_cni_enable_cloudwatch_logs, false)
   aws_vpc_cni_enable_ipv4                                  = try(each.value.aws_vpc_cni_enable_ipv4, var.defaults.aws_vpc_cni_enable_ipv4, false)
   aws_vpc_cni_enable_ipv6                                  = try(each.value.aws_vpc_cni_enable_ipv6, var.defaults.aws_vpc_cni_enable_ipv6, false)
   aws_vpc_cni_policy_name                                  = try(each.value.aws_vpc_cni_policy_name, var.defaults.aws_vpc_cni_policy_name, null)