From 88e9deffadafc43d93c043b02eb34d4e2a22b5f8 Mon Sep 17 00:00:00 2001
From: Teddy Reed
Date: Thu, 11 Jul 2024 09:59:19 -0400
Subject: [PATCH] feat: Add VPC flow logs for module-created VPCs
---
 README.md | 1 +
 main.tf | 13 +++++++++++++
 2 files changed, 14 insertions(+)
diff --git a/README.md b/README.md
index e786da3..5c96638 100644
--- a/README.md
+++ b/README.md
@@ -42,6 +42,7 @@ No modules.
 | [aws_ecs_cluster.agentless_scan_ecs_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster) | resource |
 | [aws_ecs_cluster_capacity_providers.agentless_scan_capacity_providers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster_capacity_providers) | resource |
 | [aws_ecs_task_definition.agentless_scan_task_definition](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource |
+| [aws_flow_log.agentless_scan_vpc_flow_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
 | [aws_iam_policy.agentless_scan_task_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.agentless_scan_cross_account_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.agentless_scan_ecs_event_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
diff --git a/main.tf b/main.tf
index 9cd365a..5fe874a 100644
--- a/main.tf
+++ b/main.tf
@@ -904,6 +904,19 @@ resource "aws_vpc" "agentless_scan_vpc" {
 })
 }
 
+resource "aws_flow_log" "agentless_scan_vpc_flow_log" {
+ count = var.regional && !var.use_existing_vpc ? 1 : 0
+ vpc_id = local.vpc_id
+ traffic_type = "REJECT"
+ log_destination = "cloud-watch-logs"
+
+ tags = merge(var.tags, {
+ Name = "${local.prefix}-vpc"
+ LWTAG_SIDEKICK = "1"
+ LWTAG_LACEWORK_AGENTLESS = "1"
+ })
+}
+
 resource "aws_default_network_acl" "default" {
 count = var.regional && !var.use_existing_vpc ? 1 : 0
 default_network_acl_id = aws_vpc.agentless_scan_vpc[0].default_network_acl_id
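Review bot: `log_destination = "cloud-watch-logs"` on the new aws_flow_log puts a destination type where the provider expects a destination ARN; the type belongs in `log_destination_type`, and a CloudWatch Logs destination also needs a log group to write to plus `iam_role_arn` for a role that vpc-flow-logs.amazonaws.com can assume, so as written the apply should fail or the resource will never deliver any flow records. With `traffic_type = "REJECT"` only denied flows are recorded; if the goal is detection on the scanning VPC rather than NACL troubleshooting, `ALL` also captures the accepted connections, so consider exposing it as a variable with the current value as the default. The rewrite below adds a retention-bounded log group and the corrected destination attributes; the IAM role (trust policy for vpc-flow-logs.amazonaws.com, logs:CreateLogStream and logs:PutLogEvents scoped to that group) still has to be added alongside it, carrying the same count guard.
```hcl
resource "aws_cloudwatch_log_group" "agentless_scan_vpc_flow_log" {
  count             = var.regional && !var.use_existing_vpc ? 1 : 0
  name              = "/aws/vpc-flow-logs/${local.prefix}-vpc"
  retention_in_days = 30 # constructed default; expose as a variable if retention must follow policy
  tags              = var.tags
}

resource "aws_flow_log" "agentless_scan_vpc_flow_log" {
  count                = var.regional && !var.use_existing_vpc ? 1 : 0
  vpc_id               = local.vpc_id
  traffic_type         = "REJECT"
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.agentless_scan_vpc_flow_log[0].arn
  iam_role_arn         = aws_iam_role.agentless_scan_vpc_flow_log[0].arn # role still to be added (see note)
  # … unchanged: tags block …
}
```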