  # Terraform template that sends VPC flow logs to AWS Lambda

  # AWS provider: every resource in this template is created in us-west-2.
  # CloudWatch Logs service principals are regional, so the
  # aws_lambda_permission principal further down has to name this region too.
  provider "aws" {
    region = "us-west-2"
  }

  # Destination log group for the VPC flow log records.
  # Retention is deliberately short: the records are forwarded to Lambda by the
  # subscription filter below, so the group is a transit buffer rather than the
  # archive. Raise retention_in_days if the group itself must keep history.
  resource "aws_cloudwatch_log_group" "vpc_flow_log_group" {
    retention_in_days = 1
    name              = "vpc-flow-log-group"
  }

  # Flow log for the whole VPC, capturing both accepted and rejected traffic
  # ("ALL") and writing into the log group above.
  # The interpolated references make Terraform create the log group and the
  # publishing role before the flow log itself.
  resource "aws_flow_log" "vpc_flow_log" {
    # Placeholder; replace with the VPC to be monitored.
    vpc_id         = "vpc-XXXXXXXXX"
    traffic_type   = "ALL"
    iam_role_arn   = "${aws_iam_role.vpc_flow_logs_role.arn}"
    log_group_name = "${aws_cloudwatch_log_group.vpc_flow_log_group.name}"
  }

  # Role assumed by the VPC Flow Logs service to publish records into
  # CloudWatch Logs. Only the flow logs service principal may assume it.
  # NOTE(review): the trust policy has no aws:SourceAccount / aws:SourceArn
  # condition; adding one narrows the trust to this account's flow logs.
  resource "aws_iam_role" "vpc_flow_logs_role" {
    name = "vpc_flow_logs_role"

    assume_role_policy = <<-EOF
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {
              "Service": "vpc-flow-logs.amazonaws.com"
            }
          }
        ]
      }
    EOF
  }

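  # Permissions the flow logs role needs to write into CloudWatch Logs.
  # The destination log group is created by Terraform (aws_cloudwatch_log_group
  # above) and the flow log points at it by name, so the role does not need
  # logs:CreateLogGroup; granting it would let the role create arbitrary log
  # groups account-wide.
  # NOTE(review): "Resource": "*" is what the AWS flow logs documentation
  # shows; it could be narrowed to the destination group's ARN, but the exact
  # ARN form (with or without a trailing ":*") depends on the provider version,
  # so confirm before tightening.
  resource "aws_iam_role_policy" "vpc_flow_logs_policy" {
    name = "vpc_flow_logs_policy"
    role = "${aws_iam_role.vpc_flow_logs_role.id}"

    policy = <<-EOF
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogStream",
              "logs:PutLogEvents",
              "logs:DescribeLogGroups",
              "logs:DescribeLogStreams"
            ],
            "Resource": "*"
          }
        ]
      }
    EOF
  }
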
  # Execution role for the flow log processing function; trusted only by the
  # Lambda service principal.
  resource "aws_iam_role" "cloudwatch_lambda_role" {
    name = "cloudwatch_lambda_role"

    assume_role_policy = <<-EOF
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
    EOF
  }

  # Execution permissions for the Lambda function.
  # - logs:* lets the function write its own invocation logs.
  # - ec2:*NetworkInterface* are required because the function is attached to
  #   a VPC (see vpc_config on aws_lambda_function.flowlogs); Lambda manages
  #   the ENIs in the configured subnets on the function's behalf.
  # NOTE(review): logs:CreateLogGroup is not granted, so the function's own
  # /aws/lambda/<name> log group is presumably expected to exist already;
  # confirm, or manage it with an aws_cloudwatch_log_group resource.
  resource "aws_iam_role_policy" "cloudwatch_lambda_policy" {
    role = "${aws_iam_role.cloudwatch_lambda_role.id}"
    name = "cloudwatch_lambda_policy"

    policy = <<-EOF
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AWSLambdaCloudwatchPolicy",
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
              "logs:CreateLogStream",
              "logs:PutLogEvents",
              "ec2:DescribeNetworkInterfaces",
              "ec2:DeleteNetworkInterface",
              "ec2:CreateNetworkInterface"
            ]
          }
        ]
      }
    EOF
  }

  # The Java 8 function that receives flow log events from the subscription
  # filter. The deployment package is fetched from S3; bucket, key, handler,
  # subnet and security group values are placeholders to be filled in.
  # NOTE(review): neither source_code_hash nor s3_object_version is set, so
  # uploading a new package to the same S3 key gives Terraform no signal to
  # redeploy the function.
  resource "aws_lambda_function" "flowlogs" {
    function_name = "flowlogs"
    runtime       = "java8"
    handler       = "XXXXXXXX"
    role          = "${aws_iam_role.cloudwatch_lambda_role.arn}"

    # Deployment package location (placeholders).
    s3_bucket = "XXXXXXX"
    s3_key    = "XXXXXXXXXX"

    # Running inside the VPC is what requires the ec2:*NetworkInterface*
    # permissions in cloudwatch_lambda_policy.
    vpc_config {
      security_group_ids = ["sg-XXXXXX"]
      subnet_ids         = ["subnet-XXXXXX"]
    }
  }

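  # Allow CloudWatch Logs to invoke the function, but only for events coming
  # from the flow log group (source_arn), not from any log group in the account.
  # The CloudWatch Logs service principal is regional and must match the
  # region the log group lives in: the provider above is us-west-2, so the
  # principal is logs.us-west-2.amazonaws.com (the original template used
  # us-east-1, which would not match the us-west-2 log group).
  # NOTE(review): depending on the provider version, the log group's arn
  # attribute may or may not end in ":*"; the subscription source ARN needs the
  # ":*" form, so verify the value in the plan output.
  resource "aws_lambda_permission" "flowlog_permission" {
    statement_id  = "vpc_flow_log_activation"
    action        = "lambda:InvokeFunction"
    function_name = "${aws_lambda_function.flowlogs.arn}"
    principal     = "logs.us-west-2.amazonaws.com"
    source_arn    = "${aws_cloudwatch_log_group.vpc_flow_log_group.arn}"
  }
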
  # Stream every record from the flow log group to the Lambda function.
  # An empty filter_pattern matches all events. The explicit depends_on makes
  # sure the invoke permission exists before CloudWatch Logs tries to deliver,
  # since nothing else orders these two resources.
  resource "aws_cloudwatch_log_subscription_filter" "flowlog_subscription_filter" {
    name            = "cloudwatch_flowlog_lambda_subscription"
    log_group_name  = "${aws_cloudwatch_log_group.vpc_flow_log_group.name}"
    destination_arn = "${aws_lambda_function.flowlogs.arn}"
    filter_pattern  = ""

    depends_on = ["aws_lambda_permission.flowlog_permission"]
  }