feat: Add Cross Account Flow Support (#1014)

kclinden · Kasey Linden · bryantbiggs · web-flow · commit 6e25437b1695 · 2023-12-11T10:34:22.000-05:00
* feat: Add Cross Account Flow Support

* fix: update flow log naming convention

---------

Co-authored-by: Kasey Linden &lt;klinden@vmware.com&gt;
Co-authored-by: Bryant Biggs &lt;bryantbiggs@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -450,8 +450,9 @@ No modules.
 | <a name="input_flow_log_cloudwatch_log_group_name_suffix"></a> [flow\_log\_cloudwatch\_log\_group\_name\_suffix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_suffix) | Specifies the name suffix of CloudWatch Log Group for VPC flow logs | `string` | `""` | no |
 | <a name="input_flow_log_cloudwatch_log_group_retention_in_days"></a> [flow\_log\_cloudwatch\_log\_group\_retention\_in\_days](#input\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs | `number` | `null` | no |
 | <a name="input_flow_log_cloudwatch_log_group_skip_destroy"></a> [flow\_log\_cloudwatch\_log\_group\_skip\_destroy](#input\_flow\_log\_cloudwatch\_log\_group\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `false` | no |
+| <a name="input_flow_log_deliver_cross_account_role"></a> [flow\_log\_deliver\_cross\_account\_role](#input\_flow\_log\_deliver\_cross\_account\_role) | (Optional) ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts. | `string` | `null` | no |
 | <a name="input_flow_log_destination_arn"></a> [flow\_log\_destination\_arn](#input\_flow\_log\_destination\_arn) | The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create\_flow\_log\_cloudwatch\_log\_group is set to false this argument must be provided | `string` | `""` | no |
-| <a name="input_flow_log_destination_type"></a> [flow\_log\_destination\_type](#input\_flow\_log\_destination\_type) | Type of flow log destination. Can be s3 or cloud-watch-logs | `string` | `"cloud-watch-logs"` | no |
+| <a name="input_flow_log_destination_type"></a> [flow\_log\_destination\_type](#input\_flow\_log\_destination\_type) | Type of flow log destination. Can be s3, kinesis-data-firehose or cloud-watch-logs | `string` | `"cloud-watch-logs"` | no |
 | <a name="input_flow_log_file_format"></a> [flow\_log\_file\_format](#input\_flow\_log\_file\_format) | (Optional) The format for the flow log. Valid values: `plain-text`, `parquet` | `string` | `null` | no |
 | <a name="input_flow_log_hive_compatible_partitions"></a> [flow\_log\_hive\_compatible\_partitions](#input\_flow\_log\_hive\_compatible\_partitions) | (Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 | `bool` | `false` | no |
 | <a name="input_flow_log_log_format"></a> [flow\_log\_log\_format](#input\_flow\_log\_log\_format) | The fields to include in the flow log record, in the order in which they should appear | `string` | `null` | no |
@@ -682,6 +683,7 @@ No modules.
 | <a name="output_vpc_enable_dns_hostnames"></a> [vpc\_enable\_dns\_hostnames](#output\_vpc\_enable\_dns\_hostnames) | Whether or not the VPC has DNS hostname support |
 | <a name="output_vpc_enable_dns_support"></a> [vpc\_enable\_dns\_support](#output\_vpc\_enable\_dns\_support) | Whether or not the VPC has DNS support |
 | <a name="output_vpc_flow_log_cloudwatch_iam_role_arn"></a> [vpc\_flow\_log\_cloudwatch\_iam\_role\_arn](#output\_vpc\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN of the IAM role used when pushing logs to Cloudwatch log group |
+| <a name="output_vpc_flow_log_deliver_cross_account_role"></a> [vpc\_flow\_log\_deliver\_cross\_account\_role](#output\_vpc\_flow\_log\_deliver\_cross\_account\_role) | The ARN of the IAM role used when pushing logs cross account |
 | <a name="output_vpc_flow_log_destination_arn"></a> [vpc\_flow\_log\_destination\_arn](#output\_vpc\_flow\_log\_destination\_arn) | The ARN of the destination for VPC Flow Logs |
 | <a name="output_vpc_flow_log_destination_type"></a> [vpc\_flow\_log\_destination\_type](#output\_vpc\_flow\_log\_destination\_type) | The type of the destination for VPC Flow Logs |
 | <a name="output_vpc_flow_log_id"></a> [vpc\_flow\_log\_id](#output\_vpc\_flow\_log\_id) | The ID of the Flow Log resource |
diff --git a/outputs.tf b/outputs.tf
@@ -609,6 +609,11 @@ output "vpc_flow_log_cloudwatch_iam_role_arn" {
   value       = local.flow_log_iam_role_arn
 }
 
+output "vpc_flow_log_deliver_cross_account_role" {
+  description = "The ARN of the IAM role used when pushing logs cross account"
+  value       = try(aws_flow_log.this[0].deliver_cross_account_role, null)
+}
+
 ################################################################################
 # Static values (arguments)
 ################################################################################
diff --git a/variables.tf b/variables.tf
@@ -1485,7 +1485,7 @@ variable "flow_log_traffic_type" {
 }
 
 variable "flow_log_destination_type" {
-  description = "Type of flow log destination. Can be s3 or cloud-watch-logs"
+  description = "Type of flow log destination. Can be s3, kinesis-data-firehose or cloud-watch-logs"
   type        = string
   default     = "cloud-watch-logs"
 }
@@ -1502,6 +1502,12 @@ variable "flow_log_destination_arn" {
   default     = ""
 }
 
+variable "flow_log_deliver_cross_account_role" {
+  description = "(Optional) ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts."
+  type        = string
+  default     = null
+}
+
 variable "flow_log_file_format" {
   description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`"
   type        = string
diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf
@@ -17,13 +17,14 @@ locals {
 resource "aws_flow_log" "this" {
   count = local.enable_flow_log ? 1 : 0
 
-  log_destination_type     = var.flow_log_destination_type
-  log_destination          = local.flow_log_destination_arn
-  log_format               = var.flow_log_log_format
-  iam_role_arn             = local.flow_log_iam_role_arn
-  traffic_type             = var.flow_log_traffic_type
-  vpc_id                   = local.vpc_id
-  max_aggregation_interval = var.flow_log_max_aggregation_interval
+  log_destination_type       = var.flow_log_destination_type
+  log_destination            = local.flow_log_destination_arn
+  log_format                 = var.flow_log_log_format
+  iam_role_arn               = local.flow_log_iam_role_arn
+  deliver_cross_account_role = var.flow_log_deliver_cross_account_role
+  traffic_type               = var.flow_log_traffic_type
+  vpc_id                     = local.vpc_id
+  max_aggregation_interval   = var.flow_log_max_aggregation_interval
 
   dynamic "destination_options" {
     for_each = var.flow_log_destination_type == "s3" ? [true] : []

Original file line number	Diff line number	Diff line change
`@@ -1485,7 +1485,7 @@ variable "flow_log_traffic_type" {`
`1485`	`1485`	`}`
`1486`	`1486`
`1487`	`1487`	`variable "flow_log_destination_type" {`
`1488`		`- description = "Type of flow log destination. Can be s3 or cloud-watch-logs"`
	`1488`	`+ description = "Type of flow log destination. Can be s3, kinesis-data-firehose or cloud-watch-logs"`
`1489`	`1489`	`type = string`
`1490`	`1490`	`default = "cloud-watch-logs"`
`1491`	`1491`	`}`
`@@ -1502,6 +1502,12 @@ variable "flow_log_destination_arn" {`
`1502`	`1502`	`default = ""`
`1503`	`1503`	`}`
`1504`	`1504`
	`1505`	`+variable "flow_log_deliver_cross_account_role" {`
	`1506`	`+ description = "(Optional) ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts."`
	`1507`	`+ type = string`
	`1508`	`+ default = null`
	`1509`	`+}`
	`1510`	`+`
`1505`	`1511`	`variable "flow_log_file_format" {`
`1506`	`1512`	description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`"
`1507`	`1513`	`type = string`