feat: Add VPC flow log configuration and outputs to AWS VPC module, including IAM role and policy for log management

Arnel Jan Sarmiento · ArJSarmiento · commit 366ff89a3436 · 2026-04-12T15:32:10.000+08:00
diff --git a/modules/aws/vpc/main.tf b/modules/aws/vpc/main.tf
@@ -54,7 +54,7 @@ resource "aws_subnet" "public" {
   vpc_id                  = aws_vpc.this.id
   cidr_block              = var.public_subnet_cidrs[each.value]
   availability_zone       = each.key
-  map_public_ip_on_launch = true
+  map_public_ip_on_launch = var.map_public_ip_on_launch
 
   tags = {
     Name = "${var.name}-public-${each.key}"
@@ -149,3 +149,67 @@ resource "aws_route" "private_nat" {
     aws_nat_gateway.this[var.availability_zones[0]].id
   ) : aws_nat_gateway.this[each.key].id
 }
+
+# ------------------------------------------------------------------------------
+# VPC Flow Logs
+# ------------------------------------------------------------------------------
+
+resource "aws_cloudwatch_log_group" "flow_log" {
+  name              = "/aws/vpc/${var.name}/flow-logs"
+  retention_in_days = var.flow_log_retention_days
+
+  tags = {
+    Name = "${var.name}-flow-logs"
+  }
+}
+
+resource "aws_iam_role" "flow_log" {
+  name = "${var.name}-vpc-flow-log"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Principal = {
+        Service = "vpc-flow-logs.amazonaws.com"
+      }
+      Action = "sts:AssumeRole"
+    }]
+  })
+
+  tags = {
+    Name = "${var.name}-vpc-flow-log"
+  }
+}
+
+resource "aws_iam_role_policy" "flow_log" {
+  name = "vpc-flow-log-publish"
+  role = aws_iam_role.flow_log.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+        "logs:DescribeLogGroups",
+        "logs:DescribeLogStreams",
+      ]
+      Resource = "${aws_cloudwatch_log_group.flow_log.arn}:*"
+    }]
+  })
+}
+
+resource "aws_flow_log" "this" {
+  vpc_id               = aws_vpc.this.id
+  traffic_type         = var.flow_log_traffic_type
+  log_destination      = aws_cloudwatch_log_group.flow_log.arn
+  log_destination_type = "cloud-watch-logs"
+  iam_role_arn         = aws_iam_role.flow_log.arn
+
+  tags = {
+    Name = "${var.name}-flow-log"
+  }
+}
diff --git a/modules/aws/vpc/outputs.tf b/modules/aws/vpc/outputs.tf
@@ -47,3 +47,13 @@ output "private_route_table_ids" {
   description = "List of private route table IDs."
   value       = [for rt in aws_route_table.private : rt.id]
 }
+
+output "flow_log_id" {
+  description = "ID of the VPC flow log."
+  value       = aws_flow_log.this.id
+}
+
+output "flow_log_group_arn" {
+  description = "ARN of the CloudWatch log group for VPC flow logs."
+  value       = aws_cloudwatch_log_group.flow_log.arn
+}
diff --git a/modules/aws/vpc/variables.tf b/modules/aws/vpc/variables.tf
@@ -23,6 +23,12 @@ variable "private_subnet_cidrs" {
   type        = list(string)
 }
 
+variable "map_public_ip_on_launch" {
+  description = "Auto-assign public IPv4 addresses to instances launched in public subnets."
+  type        = bool
+  default     = false
+}
+
 variable "enable_nat_gateway" {
   description = "Create a NAT gateway for private subnet internet access."
   type        = bool
@@ -34,3 +40,15 @@ variable "single_nat_gateway" {
   type        = bool
   default     = true
 }
+
+variable "flow_log_traffic_type" {
+  description = "Type of traffic to capture in VPC flow logs (ACCEPT, REJECT, or ALL)."
+  type        = string
+  default     = "ALL"
+}
+
+variable "flow_log_retention_days" {
+  description = "Number of days to retain VPC flow logs in CloudWatch."
+  type        = number
+  default     = 30
+}
