Deploy a Production Ready Network Source of Truth (NSOT) IPAM solution in AWS Part III – Create Terraform Logs Module to capture VPC Flow Logs

In our previous article, we walked through the Terraform code to create the base VPC module for our Production ready NSOT (Network Source of Truth) IP Address Management application. The next module we are going to create is a “logs” module that will be used to set up VPC flow logs for our VPC. VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs and Amazon S3. After you’ve created a flow log, you can retrieve and view its data in the chosen ­­­­­­destination. For more information on VPC flow logs, here is a link to the AWS documentation on this topic. Before we dive into this module, lets briefly explain how to call, use, and pass parameters to Terraform modules as well as pass variables from one module to another. At the end of our previous article we discussed the use of output variables:

The output variables are created in the file in vpc modules folder:

Output variables can be used to pass a variable used in one module to another or to pass information generated when a resource within the module is created to another module. For example, the output variable named vpc_id will have a value of the VPC ID when the VPC is created:

The file located in the root directory of the Repo is where we call the modules we want to use and can pass parameters to the variables within the modules themselves:

In the file:

This is where we are passing the vpc_id generated from the VPC module we reviewed in the previous article to the log’s module. You do so by using the following format: module. <module name>.<output variable name>:

Now when we call the local vpc_id variable in the log’s module, it will have a value of the VPC id for the VPC created in the VPC module.

Now that we understand how to call Terraform modules we created, pass parameters to variables within the module, and pass resource information generated from one module to another, let’s look at the VPC flow logs module we are going to create. The logs module only has two files, the file and the file:

The modules/logs/ file only has the variables:

In the modules/logs/ file, we will create the log resources to turn on vpc flow logs for this VPC. This will also require us to create the necessary IAM roles/permissions to allow the AWS flow log service to assume a role with permissions to write the flow logs to cloudwatch. You will find more information on cloudwatch here.

That’s it! Once you deploy this module, along with the VPC module we walked through in the previous article, you will have a working VPC with all traffic in/out of the VPC logged to cloud watch. In the next article, we will deploy a highly available MySQL RDS instance (AWS Relational Database Service) across two AZs, in the VPC created in the previous article as the backend database for our IPAM solution. All of the code to deploy the two modules we discussed today can be found here: <add repo link here>