Actualiser vpc-production.tf

vpc-production.tf

@@ -172,12 +172,18 @@ resource "aws_flow_log" "vpc_flow_logs" {
 
   iam_role_arn = aws_iam_role.flow_logs_role.arn
   log_destination = aws_cloudwatch_log_group.vpc_log_group.arn
+  log_destination_type = "cloud-watch-logs"
   traffic_type = "ALL"
 }
 
 #
 resource "aws_cloudwatch_log_group" "vpc_log_group" {
-  name = var.log_group_name
+#  name = var.log_group_name
+  name = "vpc_flow_logs"
+
+  tags = {
+    Environment = "${var.environment}"
+  }
 }
 
 #
@@ -185,37 +191,44 @@ resource "aws_iam_role" "flow_logs_role" {
   name = "flow-logs-role"
 
   assume_role_policy = jsonencode({
-    Version = "2024-12-31"
+    Version   = "2012-10-17"
     Statement = {
-      Effect = "Allow"
+      Action    = "sts:AssumeRole",
       Principal = {
         Service = "vpc-flow-logs.amazonaws.com"
-      }
+      },
-      Action = "sts:AssumeRole"
+      Effect = "Allow",
+      Sid    = ""
     }
   })
 }
 
 #
 resource "aws_iam_role_policy" "create_log_group_policy" {
-  name = "allow-log-group-policy"
+  name        = "allow-log-group-policy"
-  role = aws_iam_role.flow_logs_role.name
+  description = "Policy for VPC flow logs"
+  role        = aws_iam_role.flow_logs_role.name
 
   policy = jsonencode({
-    Version = "2024-12-31"
+    Version = "2012-10-17"
     Statement = [
       {
+        Sid= "VPCFlowLogsAccess",
+        Effect = "Allow",
         Action = [
           "logs:CreateLogGroup",
           "logs:CreateLogStream",
-          "logs:PutLogEvents",
+          "logs:DescribeLogGroups",
-          "logs:DescribeLogStreams"
+          "logs:DescribeLogStreams",
+          "logs:PutLogEvents"
         ],
-        Effect = "Allow",
+        Resource = ["*"]
-        Resource = [
-          "*"
-        ]
       }
     ]
   })
 }
+
+resource "aws_iam_role_policy_attachment" "flow_log_policy_attachment" {
+  role       = aws_iam_role.flow_log_role.name
+  policy_arn = aws_iam_policy.flow_log_policy.arn
+}