add full module configuration

Author: marcincuber

.pre-commit-config.yaml

@@ -0,0 +1,25 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.1.0
+  hooks:
+  - id: check-added-large-files
+    args: ['--maxkb=500']
+  - id: check-executables-have-shebangs
+  - id: pretty-format-json
+    args: ['--autofix', '--no-sort-keys', '--indent=2']
+  - id: check-byte-order-marker
+  - id: check-case-conflict
+  - id: check-executables-have-shebangs
+  - id: check-merge-conflict
+  - id: check-symlinks
+  - id: detect-private-key
+  - id: check-merge-conflict
+  - id: detect-aws-credentials
+    args: ['--allow-missing-credentials']
+  - id: trailing-whitespace
+- repo: git://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.62.3
+  hooks:
+  - id: terraform_fmt
+  - id: terraform_docs
+  - id: terraform_tflint

Makefile

@@ -0,0 +1,19 @@
+ifneq (,)
+.error This Makefile requires GNU Make.
+endif
+
+.PHONY: hooks validate changelog
+
+help:
+	@grep -E '^[a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+hooks: ## Commit hooks setup
+	@pre-commit install
+	@pre-commit gc
+	@pre-commit autoupdate
+
+validate: ## Validate files with pre-commit hooks
+	@pre-commit run --all-files
+
+changelog:
+	git-chglog -o CHANGELOG.md

README.md

@@ -1,2 +1,96 @@
+[![GitHub release (latest by date)](https://img.shields.io/github/v/release/native-cube/terraform-aws-vpc-flow-logs)](https://github.com/native-cube/terraform-aws-vpc-flow-logs/releases/latest)
+
 # terraform-aws-vpc-flow-logs
 Terraform module for enabling AWS VPC flow logs.
+
+## Usage
+
+```hcl
+module "vpc-flow-logs" {
+  source = "native-cube/vpc-flow-logs/aws"
+  version = "~> 1.0.0"
+
+  name_prefix = "native-cube-example"
+  vpc_id      = "vpc-123456789"
+
+  traffic_type = "ALL"
+
+  tags = {
+    Project = "native-cube"
+  }
+}
+```
+
+## Examples
+
+* [VPC flow logs](https://github.com/native-cube/terraform-aws-vpc-flow-logs/tree/master/examples/core)
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_flow_log.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
+| [aws_iam_role.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_policy_document.cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data. Please note, after the AWS KMS CMK is disassociated from the log group, AWS CloudWatch Logs stops encrypting newly ingested data for the log group. All previously ingested data remains encrypted, and AWS CloudWatch Logs requires permissions for the CMK whenever the encrypted data is requested. | `string` | `null` | no |
+| <a name="input_max_aggregation_interval"></a> [max\_aggregation\_interval](#input\_max\_aggregation\_interval) | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: 60 seconds (1 minute) or 600 seconds (10 minutes) | `string` | `"600"` | no |
+| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | A prefix used for naming resources. | `string` | n/a | yes |
+| <a name="input_retention_in_days"></a> [retention\_in\_days](#input\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. | `string` | `null` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Default tags attached to all resources. | `map(string)` | `{}` | no |
+| <a name="input_traffic_type"></a> [traffic\_type](#input\_traffic\_type) | The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL. | `string` | `"ALL"` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID where resources will be created and flow logs enabled. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_vpc_flow_logs_cloudwatch_group_arn"></a> [vpc\_flow\_logs\_cloudwatch\_group\_arn](#output\_vpc\_flow\_logs\_cloudwatch\_group\_arn) | The ARN specifying the log group used by Flow Logs. |
+| <a name="output_vpc_flow_logs_id"></a> [vpc\_flow\_logs\_id](#output\_vpc\_flow\_logs\_id) | The Flow Log ID. |
+| <a name="output_vpc_flow_logs_role_arn"></a> [vpc\_flow\_logs\_role\_arn](#output\_vpc\_flow\_logs\_role\_arn) | The ARN specifying the role used by Flow Logs. |
+| <a name="output_vpc_flow_logs_role_id"></a> [vpc\_flow\_logs\_role\_id](#output\_vpc\_flow\_logs\_role\_id) | The ID specifying the role used by Flow Logs. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## License
+
+See LICENSE file for full details.
+
+## Pre-commit hooks
+
+### Install dependencies
+
+* [`pre-commit`](https://pre-commit.com/#install)
+* [`terraform-docs`](https://github.com/segmentio/terraform-docs) required for `terraform_docs` hooks.
+* [`TFLint`](https://github.com/terraform-linters/tflint) required for `terraform_tflint` hook.
+
+#### MacOS
+
+```bash
+brew install pre-commit terraform-docs tflint
+
+brew tap git-chglog/git-chglog
+brew install git-chglog
+```

data.tf

@@ -0,0 +1,13 @@
+data "aws_iam_policy_document" "cloudwatch" {
+  statement {
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:DescribeLogGroups",
+      "logs:DescribeLogStreams"
+    ]
+
+    resources = ["*"]
+  }
+}

examples/core/main.tf

@@ -0,0 +1,19 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+module "flow-logs" {
+  source = "../../"
+
+  name_prefix = "native-cube-example"
+  vpc_id      = "vpc-123456789"
+
+  traffic_type = "ALL"
+  # retention_in_days = 30
+  # max_aggregation_interval = 60
+
+  tags = {
+    Environment = "test"
+    Project     = "native-cube"
+  }
+}

main.tf

@@ -0,0 +1,47 @@
+resource "aws_cloudwatch_log_group" "vpc" {
+  name = "${var.name_prefix}-vpc-flow-logs"
+
+  retention_in_days = var.retention_in_days
+  kms_key_id        = var.kms_key_id
+
+  tags = var.tags
+}
+
+resource "aws_iam_role" "vpc" {
+  name = "${var.name_prefix}-vpc-flow-logs"
+
+  assume_role_policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Principal" : {
+            "Service" : "vpc-flow-logs.amazonaws.com"
+          },
+          "Action" : "sts:AssumeRole"
+        }
+      ]
+    }
+  )
+
+  inline_policy {
+    name   = "cloudwatch-policy"
+    policy = data.aws_iam_policy_document.cloudwatch.json
+  }
+
+  tags = var.tags
+}
+
+resource "aws_flow_log" "vpc" {
+  log_destination_type = "cloud-watch-logs"
+  log_destination      = aws_cloudwatch_log_group.vpc.arn
+
+  iam_role_arn = aws_iam_role.vpc.arn
+  vpc_id       = var.vpc_id
+  traffic_type = var.traffic_type
+
+  max_aggregation_interval = var.max_aggregation_interval
+
+  tags = var.tags
+}

outputs.tf

@@ -0,0 +1,19 @@
+output "vpc_flow_logs_id" {
+  value       = aws_flow_log.vpc.id
+  description = "The Flow Log ID."
+}
+
+output "vpc_flow_logs_role_arn" {
+  value       = aws_iam_role.vpc.arn
+  description = "The ARN specifying the role used by Flow Logs."
+}
+
+output "vpc_flow_logs_role_id" {
+  value       = aws_iam_role.vpc.id
+  description = "The ID specifying the role used by Flow Logs."
+}
+
+output "vpc_flow_logs_cloudwatch_group_arn" {
+  value       = aws_cloudwatch_log_group.vpc.arn
+  description = "The ARN specifying the log group used by Flow Logs."
+}

variables.tf

@@ -0,0 +1,39 @@
+variable "name_prefix" {
+  description = "A prefix used for naming resources."
+  type        = string
+}
+
+variable "vpc_id" {
+  type        = string
+  description = "VPC ID where resources will be created and flow logs enabled."
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Default tags attached to all resources."
+  default     = {}
+}
+
+variable "retention_in_days" {
+  type        = string
+  description = "Specifies the number of days you want to retain log events in the specified log group."
+  default     = null
+}
+
+variable "kms_key_id" {
+  type        = string
+  description = "The ARN of the KMS Key to use when encrypting log data. Please note, after the AWS KMS CMK is disassociated from the log group, AWS CloudWatch Logs stops encrypting newly ingested data for the log group. All previously ingested data remains encrypted, and AWS CloudWatch Logs requires permissions for the CMK whenever the encrypted data is requested."
+  default     = null
+}
+
+variable "traffic_type" {
+  type        = string
+  description = "The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL."
+  default     = "ALL"
+}
+
+variable "max_aggregation_interval" {
+  type        = string
+  description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: 60 seconds (1 minute) or 600 seconds (10 minutes)"
+  default     = "600"
+}

versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.0"
+    }
+  }
+}