  1. # Terraform template to have VPC flow logs be sent to AWS Lambda
  2.  
# Single AWS provider; every resource in this template (log group, flow log,
# IAM roles, Lambda function and subscription filter) is created in this region.
provider "aws" {
  region = "us-west-2"
}
  6.  
# CloudWatch Logs group that the VPC flow log writes into and that the
# subscription filter further down reads from.
resource "aws_cloudwatch_log_group" "vpc_flow_log_group" {
  name = "vpc-flow-log-group"
  # Records are expired from CloudWatch after one day. That is fine when the
  # Lambda function is the system of record; if CloudWatch itself is meant to
  # hold the flow logs for later investigation, raise this to the required period.
  retention_in_days = 1
}
  11.  
# Enables VPC Flow Logs for one VPC and delivers them to the log group above.
resource "aws_flow_log" "vpc_flow_log" {
  # The log group is managed by aws_cloudwatch_log_group.vpc_flow_log_group in
  # this template; the interpolation below makes Terraform create it first.
  log_group_name = "${aws_cloudwatch_log_group.vpc_flow_log_group.name}"
  # Role the Flow Logs service assumes in order to write into CloudWatch Logs.
  iam_role_arn = "${aws_iam_role.vpc_flow_logs_role.arn}"
  # Placeholder: replace with the id of the VPC to monitor.
  vpc_id = "vpc-XXXXXXXXX"
  # "ALL" captures both accepted and rejected traffic.
  traffic_type = "ALL"
}
  20.  
# Service role for VPC Flow Logs. The trust policy allows only the
# vpc-flow-logs.amazonaws.com service principal to assume it.
resource "aws_iam_role" "vpc_flow_logs_role" {
  name = "vpc_flow_logs_role"
  # Heredoc body is IAM policy JSON, which does not permit comments.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}
  39.  
# Permissions the Flow Logs service role needs to create streams and put events.
resource "aws_iam_role_policy" "vpc_flow_logs_policy" {
  name = "vpc_flow_logs_policy"
  role = "${aws_iam_role.vpc_flow_logs_role.id}"
  # NOTE(review): "Resource": "*" lets this role write to every log group in the
  # account. CreateLogStream/PutLogEvents could be restricted to the flow-log
  # group's ARN; the Describe* actions generally still need "*". Tighten once
  # the scoped form has been verified against the service.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}
  62.  
# Execution role for the flowlogs Lambda function. The trust policy allows
# only the lambda.amazonaws.com service principal to assume it.
resource "aws_iam_role" "cloudwatch_lambda_role" {
  name = "cloudwatch_lambda_role"
  # Heredoc body is IAM policy JSON, which does not permit comments.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow"
    }
  ]
}
EOF
}
  80.  
# Execution permissions for the flowlogs function: CloudWatch Logs for its own
# output, plus ENI management, which is required because the function runs
# inside a VPC (see vpc_config on aws_lambda_function.flowlogs).
resource "aws_iam_role_policy" "cloudwatch_lambda_policy" {
  name = "cloudwatch_lambda_policy"
  role = "${aws_iam_role.cloudwatch_lambda_role.id}"
  # NOTE(review): logs:CreateLogGroup is not granted, so the function's own log
  # group must already exist or its invocation logs are lost — confirm it is
  # created elsewhere. The ec2 ENI actions are on "*"; presumably they are not
  # resource-scopable for this use — verify before tightening.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLambdaCloudwatchPolicy",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface",
        "ec2:CreateNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}
  104.  
# Lambda function that receives the flow-log events. Code is loaded from S3;
# the s3_key, handler and s3_bucket values here are placeholders.
resource "aws_lambda_function" "flowlogs" {
    s3_key = "XXXXXXXXXX"
    function_name = "flowlogs"
    # Execution role defined above; its policy must grant the ENI actions
    # because of the vpc_config block below.
    role = "${aws_iam_role.cloudwatch_lambda_role.arn}"
    handler = "XXXXXXXX"
    s3_bucket = "XXXXXXX"
    runtime = "java8"
    # NOTE(review): no source_code_hash is set, so uploading a new object under
    # the same s3_key does not by itself cause Terraform to redeploy — confirm
    # the release process accounts for this.
    # Runs inside the VPC: the function reaches only what this subnet and
    # security group allow.
    vpc_config {
        subnet_ids = [ "subnet-XXXXXX" ]
        security_group_ids = [ "sg-XXXXXX" ]
    }
}
  117.  
  118. resource "aws_lambda_permission" "flowlog_permission" {
  119.   statement_id = "vpc_flow_log_activation"
  120.   action = "lambda:InvokeFunction"
  121.   function_name = "${aws_lambda_function.flowlogs.arn}"
  122.   principal = "logs.us-east-1.amazonaws.com"
  123.   source_arn = "${aws_cloudwatch_log_group.vpc_flow_log_group.arn}"
  124. }
  125.  
# Subscribes the flow-log group to the Lambda function so every event is
# pushed to it.
resource "aws_cloudwatch_log_subscription_filter" "flowlog_subscription_filter" {
  # The invoke permission must exist before the subscription is created;
  # nothing else references it, so the dependency is made explicit.
  depends_on = ["aws_lambda_permission.flowlog_permission"]
  name = "cloudwatch_flowlog_lambda_subscription"
  log_group_name = "${aws_cloudwatch_log_group.vpc_flow_log_group.name}"
  # Empty pattern: every flow-log record is forwarded, not just matches.
  filter_pattern = ""
  destination_arn = "${aws_lambda_function.flowlogs.arn}"
}