1
votes

I am working on a Terraform script to automate AWS resource creation. As part of that I am creating a VPC and trying to enable VPC flow logs for it. I have created an S3 bucket and also created an IAM role as mentioned in the Terraform docs https://www.terraform.io/docs/providers/aws/r/flow_log.html

My Terraform code is given below:

data "aws_s3_bucket" "selected" {
  bucket = "${var.s3_bucket_name}"
}

resource "aws_flow_log" "vpc_flow_log" {
  count                = "${var.enable_vpc_flow_log}"
  iam_role_arn         = "${aws_iam_role.test_role.arn}"
  log_destination      = "${data.aws_s3_bucket.selected.arn}"
  log_destination_type = "s3"
  traffic_type         = "ALL"
  vpc_id               = "${var.vpc_id}"
}

resource "aws_iam_role" "test_role" {
  name               = "example"
  count              = "${var.enable_vpc_flow_log}"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "example" {
  name   = "example"
  count  = "${var.enable_vpc_flow_log}"
  role   = "${aws_iam_role.test_role.id}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

When I execute terraform plan I am getting the following errors:

Error: module.enable_vpc_flow_log.aws_flow_log.vpc_flow_log: "log_group_name": required field is not set

Error: module.enable_vpc_flow_log.aws_flow_log.vpc_flow_log: : invalid or unknown key: log_destination

Error: module.enable_vpc_flow_log.aws_flow_log.vpc_flow_log: : invalid or unknown key: log_destination_type

According to the Terraform documentation, log_group_name is optional and we have to specify its value only if we select cloud_watch_logs as the log_destination_type.

Can anyone help me resolve this error and enable the VPC flow logs to S3?

3 comments

ydaetskcoR: What version of the AWS provider are you using?

Hajas: @ydaetskcoR I am currently using Terraform v0.11.8. I will update my version to v0.11.10 and try to create the flow logs.

ydaetskcoR: No, I asked what version of the AWS provider you are using. Terraform unbundled the providers from core Terraform back in 0.10, so the resources and data sources you use depend on the provider version, not the core Terraform version.

3 Answers

1
votes

I got this error as well because I was using 1.41 of the AWS provider. Looking through the code, I discovered that support for these properties was only released in 1.42. Upgrading to 1.49 did the trick.

0
votes

I have updated my Terraform version from 0.11.8 to 0.11.10. I am now able to configure the VPC flow logs to S3 without any errors using the resource block below.

resource "aws_flow_log" "vpc_flow_log" {
    log_destination      = "${var.s3_bucket_arn}"
    log_destination_type = "s3"
    traffic_type         = "ALL"
    vpc_id               = "${var.vpc_id}"
}

0
votes

While sending VPC logs to S3 you cannot set a log_group_name, but you can append a group name to the S3 ARN; it will automatically create a folder for you.

resource "aws_flow_log" "vpc_flow_log" {
  log_destination      = "${var.s3_bucket_arn}/group_name"
  log_destination_type = "s3"
  traffic_type         = "ALL"
  vpc_id               = "${var.vpc_id}"
}
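Putting the two findings together (the AWS provider must be at least 1.42 for log_destination, and an S3 destination needs no IAM role), here is an added, self-contained example in Terraform 0.11 syntax; it is not code from the question or any answer. It assumes variables var.region, var.s3_bucket_name, var.vpc_id and var.enable_vpc_flow_log, and the bucket policy follows the delivery.logs.amazonaws.com grant that AWS documents for S3 flow-log delivery (an assumption, not something the answers state).

```hcl
# Added example, not from the question or answers.
# Pin the provider: log_destination / log_destination_type need AWS provider >= 1.42.
provider "aws" {
  region  = "${var.region}"
  version = ">= 1.42"
}

resource "aws_s3_bucket" "flow_logs" {
  bucket = "${var.s3_bucket_name}"
  acl    = "private"
}

# Assumed from AWS docs: the log-delivery service needs PutObject (with
# bucket-owner-full-control) and GetBucketAcl on the destination bucket.
resource "aws_s3_bucket_policy" "flow_logs" {
  bucket = "${aws_s3_bucket.flow_logs.id}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": { "Service": "delivery.logs.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "${aws_s3_bucket.flow_logs.arn}/*",
      "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
    },
    {
      "Sid": "AWSLogDeliveryAclCheck",
      "Effect": "Allow",
      "Principal": { "Service": "delivery.logs.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "${aws_s3_bucket.flow_logs.arn}"
    }
  ]
}
EOF
}

# No iam_role_arn here: a role is only needed for cloud-watch-logs destinations.
resource "aws_flow_log" "vpc_flow_log" {
  count                = "${var.enable_vpc_flow_log}"
  log_destination      = "${aws_s3_bucket.flow_logs.arn}"
  log_destination_type = "s3"
  traffic_type         = "ALL"
  vpc_id               = "${var.vpc_id}"
  depends_on           = ["aws_s3_bucket_policy.flow_logs"]
}
```

Running terraform init after adding the version constraint forces the provider upgrade that answer 1 describes, and terraform plan then shows the aws_flow_log resource without the "invalid or unknown key" errors.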