Last active
March 12, 2019 10:26
-
-
Save ambud/dbe1a7cd3f1edef9e5baadf85069f7c8 to your computer and use it in GitHub Desktop.
Terraform template (substitute XXXX for your account). Reference: http://stackoverflow.com/questions/38407660/terraform-configuring-cloudwatch-log-subscription-delivery-to-lambda
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Terraform template to have VPC flow logs be sent to AWS Lambda | |
| provider "aws" { | |
| region = "us-east-1" | |
| } | |
| resource "aws_cloudwatch_log_group" "vpc_flow_log_group" { | |
| name = "vpc-flow-log-group" | |
| retention_in_days = 1 | |
| } | |
| resource "aws_flow_log" "vpc_flow_log" { | |
| # log_group_name needs to exist before hand | |
| # until we have a CloudWatch Log Group Resource | |
| log_group_name = "${aws_cloudwatch_log_group.vpc_flow_log_group.name}" | |
| iam_role_arn = "${aws_iam_role.vpc_flow_logs_role.arn}" | |
| vpc_id = "vpc-XXXXXXXXX" | |
| traffic_type = "ALL" | |
| } | |
| resource "aws_iam_role" "vpc_flow_logs_role" { | |
| name = "vpc_flow_logs_role" | |
| assume_role_policy = <<EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Service": "vpc-flow-logs.amazonaws.com" | |
| }, | |
| "Action": "sts:AssumeRole" | |
| } | |
| ] | |
| } | |
| EOF | |
| } | |
| resource "aws_iam_role_policy" "vpc_flow_logs_policy" { | |
| name = "vpc_flow_logs_policy" | |
| role = "${aws_iam_role.vpc_flow_logs_role.id}" | |
| policy = <<EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "logs:CreateLogGroup", | |
| "logs:CreateLogStream", | |
| "logs:PutLogEvents", | |
| "logs:DescribeLogGroups", | |
| "logs:DescribeLogStreams" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": "*" | |
| } | |
| ] | |
| } | |
| EOF | |
| } | |
| resource "aws_iam_role" "cloudwatch_lambda_role" { | |
| name = "cloudwatch_lambda_role" | |
| assume_role_policy = <<EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": "sts:AssumeRole", | |
| "Principal": { | |
| "Service": "lambda.amazonaws.com" | |
| }, | |
| "Effect": "Allow" | |
| } | |
| ] | |
| } | |
| EOF | |
| } | |
| resource "aws_iam_role_policy" "cloudwatch_lambda_policy" { | |
| name = "cloudwatch_lambda_policy" | |
| role = "${aws_iam_role.cloudwatch_lambda_role.id}" | |
| policy = <<EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "AWSLambdaCloudwatchPolicy", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "logs:CreateLogStream", | |
| "logs:PutLogEvents", | |
| "ec2:DescribeNetworkInterfaces", | |
| "ec2:DeleteNetworkInterface", | |
| "ec2:CreateNetworkInterface" | |
| ], | |
| "Resource": "*" | |
| } | |
| ] | |
| } | |
| EOF | |
| } | |
| resource "aws_lambda_function" "flowlogs" { | |
| s3_key = "XXXXXXXXXX" | |
| function_name = "flowlogs" | |
| role = "${aws_iam_role.cloudwatch_lambda_role.arn}" | |
| handler = "XXXXXXXX" | |
| s3_bucket = "XXXXXXX" | |
| runtime = "java8" | |
| vpc_config { | |
| subnet_ids = [ "subnet-XXXXXX" ] | |
| security_group_ids = [ "sg-XXXXXX" ] | |
| } | |
| } | |
| resource "aws_lambda_permission" "flowlog_permission" { | |
| statement_id = "vpc_flow_log_activation" | |
| action = "lambda:InvokeFunction" | |
| function_name = "${aws_lambda_function.flowlogs.arn}" | |
| principal = "logs.us-east-1.amazonaws.com" | |
| source_arn = "${aws_cloudwatch_log_group.vpc_flow_log_group.arn}" | |
| } | |
| resource "aws_cloudwatch_log_subscription_filter" "flowlog_subscription_filter" { | |
| depends_on = ["aws_lambda_permission.flowlog_permission"] | |
| name = "cloudwatch_flowlog_lambda_subscription" | |
| log_group_name = "${aws_cloudwatch_log_group.vpc_flow_log_group.name}" | |
| filter_pattern = "" | |
| destination_arn = "${aws_lambda_function.flowlogs.arn}" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment