diff --git a/vpc-production.tf b/vpc-production.tf
index 0f68c6d..fe1e5e6 100644
--- a/vpc-production.tf
+++ b/vpc-production.tf
@@ -172,12 +172,18 @@ resource "aws_flow_log" "vpc_flow_logs" {
   iam_role_arn    = aws_iam_role.flow_logs_role.arn
   log_destination = aws_cloudwatch_log_group.vpc_log_group.arn
+  log_destination_type = "cloud-watch-logs"
   traffic_type    = "ALL"
 }
 #
 resource "aws_cloudwatch_log_group" "vpc_log_group" {
-  name = var.log_group_name
+#  name = var.log_group_name
+  name = "vpc_flow_logs"
+
+  tags = {
+    Environment = "${var.environment}"
+  }
 }
 #
@@ -185,37 +191,44 @@ resource "aws_iam_role" "flow_logs_role" {
   name = "flow-logs-role"
   assume_role_policy = jsonencode({
-    Version = "2024-12-31"
+    Version = "2012-10-17"
     Statement = {
-      Effect = "Allow"
+      Action = "sts:AssumeRole",
       Principal = {
         Service = "vpc-flow-logs.amazonaws.com"
-      }
-      Action = "sts:AssumeRole"
+      },
+      Effect = "Allow",
+      Sid = ""
     }
   })
 }
 #
 resource "aws_iam_role_policy" "create_log_group_policy" {
-  name = "allow-log-group-policy"
-  role = aws_iam_role.flow_logs_role.name
+  name        = "allow-log-group-policy"
+  description = "Policy for VPC flow logs"
+  role        = aws_iam_role.flow_logs_role.name
   policy = jsonencode({
-    Version = "2024-12-31"
+    Version = "2012-10-17"
     Statement = [
       {
+        Sid= "VPCFlowLogsAccess",
+        Effect = "Allow",
         Action = [
           "logs:CreateLogGroup",
           "logs:CreateLogStream",
-          "logs:PutLogEvents",
-          "logs:DescribeLogStreams"
+          "logs:DescribeLogGroups",
+          "logs:DescribeLogStreams",
+          "logs:PutLogEvents"
         ],
-        Effect = "Allow",
-        Resource = [
-          "*"
-        ]
+        Resource = ["*"]
       }
     ]
   })
 }
+
+resource "aws_iam_role_policy_attachment" "flow_log_policy_attachment" {
+  role       = aws_iam_role.flow_log_role.name
+  policy_arn = aws_iam_policy.flow_log_policy.arn
+}
\ No newline at end of file
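Review bot: The reworked `aws_cloudwatch_log_group.vpc_log_group` still sets neither `retention_in_days` nor `kms_key_id`, so the flow logs are kept indefinitely under the default service-managed encryption; a retention value next to the new `name` line (for example `retention_in_days = 90`, whichever period the retention policy requires) is the check most reviewers would expect on a production flow-log group. The interpolation in the new tags block is redundant in current HCL, and Terraform flags interpolation-only expressions as deprecated — `Environment = var.environment` is equivalent. Keeping `#  name = var.log_group_name` commented out beside the hard-coded `"vpc_flow_logs"` leaves dead configuration and an orphaned input variable; either delete the line or keep the variable and give it a default.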
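Review bot: The new `aws_iam_role_policy_attachment.flow_log_policy_attachment` references `aws_iam_role.flow_log_role` and `aws_iam_policy.flow_log_policy`, but the role defined in this hunk is `aws_iam_role.flow_logs_role` and the only policy here is the inline `aws_iam_role_policy.create_log_group_policy`, which exposes no `arn`; unless both resources exist elsewhere in the file, `terraform validate` will fail on unresolved references, and if the inline policy is the one meant to be attached the whole attachment block is redundant and should be dropped. `description` is not an argument of `aws_iam_role_policy` (it belongs to `aws_iam_policy`), so that added line will be rejected as unsupported as well. With `logs:DescribeLogGroups` now added, `Resource = ["*"]` remains broader than delivery needs — `logs:CreateLogStream`, `logs:PutLogEvents` and `logs:DescribeLogStreams` can be scoped to `"${aws_cloudwatch_log_group.vpc_log_group.arn}:*"` in a separate statement, leaving only the group-level actions account-wide. Minor: `Sid= "VPCFlowLogsAccess"` is missing the space before `=`.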