
Commit 09e5d75

wheerdManuel Krebber
and
Manuel Krebber
authored
fix: when VPC is disabled, disable vpc logging for it (nozaq#197)
Co-authored-by: Manuel Krebber <[email protected]>
1 parent d4153f8 commit 09e5d75


1 file changed

+6
-6
lines changed


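--- a/vpc_baselines.tf
+++ b/vpc_baselines.tf
@@ -1,7 +1,7 @@
 locals {
 is_enabled = var.vpc_enable
-is_cw_logs = var.vpc_enable_flow_logs && (var.vpc_flow_logs_destination_type == "cloud-watch-logs")
-is_s3 = var.vpc_enable_flow_logs && (var.vpc_flow_logs_destination_type == "s3")
+is_cw_logs = local.is_enabled && var.vpc_enable_flow_logs && (var.vpc_flow_logs_destination_type == "cloud-watch-logs")
+is_s3 = local.is_enabled && var.vpc_enable_flow_logs && (var.vpc_flow_logs_destination_type == "s3")
 flow_logs_s3_arn = local.is_s3 ? (
 var.vpc_flow_logs_s3_arn != "" ? var.vpc_flow_logs_s3_arn : local.audit_log_bucket_arn
 ) : ""
@@ -12,7 +12,7 @@ locals {
 # Reference: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html#flow-logs-iam
 # --------------------------------------------------------------------------------------------------
 data "aws_iam_policy_document" "flow_logs_publisher_assume_role_policy" {
-count = local.is_enabled && var.vpc_enable_flow_logs && local.is_cw_logs ? 1 : 0
+count = local.is_cw_logs ? 1 : 0
 
 statement {
 principals {
@@ -24,7 +24,7 @@ data "aws_iam_policy_document" "flow_logs_publisher_assume_role_policy" {
 }
 
 resource "aws_iam_role" "flow_logs_publisher" {
-count = local.is_enabled && var.vpc_enable_flow_logs && local.is_cw_logs ? 1 : 0
+count = local.is_cw_logs ? 1 : 0
 
 name = var.vpc_iam_role_name
 assume_role_policy = data.aws_iam_policy_document.flow_logs_publisher_assume_role_policy[0].json
@@ -33,7 +33,7 @@ resource "aws_iam_role" "flow_logs_publisher" {
 }
 
 data "aws_iam_policy_document" "flow_logs_publish_policy" {
-count = local.is_enabled && var.vpc_enable_flow_logs && local.is_cw_logs ? 1 : 0
+count = local.is_cw_logs ? 1 : 0
 
 statement {
 actions = [
@@ -48,7 +48,7 @@ data "aws_iam_policy_document" "flow_logs_publish_policy" {
 }
 
 resource "aws_iam_role_policy" "flow_logs_publish_policy" {
-count = local.is_enabled && var.vpc_enable_flow_logs && local.is_cw_logs ? 1 : 0
+count = local.is_cw_logs ? 1 : 0
 
 name = var.vpc_iam_role_policy_name
 role = aws_iam_role.flow_logs_publisher[0].id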
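Review bot: The gating on `var.vpc_enable` is now invisible at the four `count = local.is_cw_logs ? 1 : 0` sites, so the `locals` block in the first hunk should say that the flow-log locals already fold in the VPC enable flag; otherwise a later reader may re-add `local.is_enabled &&` to a resource, or worse assume the IAM role and publish policy can exist while the VPC is disabled. I would add above `is_cw_logs`: `# is_cw_logs / is_s3 already include is_enabled: a disabled VPC disables flow logging and every resource gated on these locals.` The simplification is consistent across the publisher role, its assume-role document and the publish policy shown here, and `flow_logs_s3_arn` correctly falls back to "" through `is_s3` when the VPC is off. Any other resource in this file that still spells out `local.is_enabled && var.vpc_enable_flow_logs && local.is_s3` (none visible in these hunks) would be redundant but not incorrect after this change.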
