modules/mu/providers/aws/vpc.rb in cloud-mu-3.5.1 vs modules/mu/providers/aws/vpc.rb in cloud-mu-3.6.3
- old
+ new
@@ -112,24 +112,10 @@
end
raise MuError, "VPC endpoint failed #{endpoint_id}: #{resp}" if resp.state == "failed"
end
- if @config["enable_traffic_logging"]
- loggroup = @deploy.findLitterMate(name: @config['name']+"loggroup", type: "logs")
- logrole = @deploy.findLitterMate(name: @config['name']+"logrole", type: "roles")
-
- MU.log "Enabling traffic logging on VPC #{@mu_name} to log group #{loggroup.mu_name}"
- MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).create_flow_logs(
- resource_ids: [@cloud_id],
- resource_type: "VPC",
- traffic_type: "ALL",
- log_group_name: loggroup.mu_name,
- deliver_logs_permission_arn: logrole.cloudobj.arn
- )
- end
-
nat_gateways = create_subnets
notify
if !nat_gateways.empty?
@@ -268,10 +254,43 @@
}
}
end
+ if @config["enable_traffic_logging"]
+ ext = MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).describe_flow_logs(
+ filter: [
+ { name: "resource-id", values: [@cloud_id] }
+ ]
+ )
+ # XXX a smarter guard would filter with more specificity
+ if !ext or ext.flow_logs.empty?
+ loggroup = if @config['log_group_name']
+ @config['log_group_name']
+ else
+ @deploy.findLitterMate(name: @config['name']+"loggroup", type: "logs").mu_name
+ end
+ logrole = @deploy.findLitterMate(name: @config['name']+"logrole", type: "roles")
+
+
+ MU.log "Enabling traffic logging on VPC #{@mu_name} to log group #{loggroup}"
+ MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).create_flow_logs(
+ resource_ids: [@cloud_id],
+ resource_type: "VPC",
+ traffic_type: "ALL",
+ log_group_name: loggroup,
+ deliver_logs_permission_arn: logrole.cloudobj.arn,
+ tag_specifications: [
+ {
+ resource_type: "vpc-flow-log",
+ tags: @tags.each_key.map { |k| { :key => k, :value => @tags[k] } }
+ }
+ ]
+ )
+ end
+ end
+
end
# Locate an existing VPC or VPCs and return an array containing matching AWS resource descriptors for those that match.
# @return [Hash<String,OpenStruct>]: The cloud provider's complete descriptions of matching VPCs
def self.find(**args)
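Review bot: The idempotency guard on the new side treats any flow log attached to the VPC as satisfying `enable_traffic_logging`, so a pre-existing flow log that captures only REJECT traffic, or one delivering to a different log group or S3 bucket, silently suppresses the ALL-traffic log the config asked for, and a config change to `log_group_name` is never acted on because flow logs cannot be modified in place. The `# XXX` on the new side acknowledges this; since `describe_flow_logs` already returns `traffic_type` and `log_group_name` per entry, the guard can compare against the intended values at little cost, which means computing `loggroup` before the describe call rather than after it. I would also note that if `findLitterMate` returns nil for the role, `logrole.cloudobj.arn` fails with a NoMethodError rather than a useful message, though I cannot see from here whether that lookup can return nil. The enclosing method begins before this hunk and the `end` on the last hunk line appears to close it; the rewritten portion is below, the `create_flow_logs` call is unchanged.
```ruby
if @config["enable_traffic_logging"]
  loggroup = @config['log_group_name'] ||
    @deploy.findLitterMate(name: @config['name']+"loggroup", type: "logs").mu_name
  ext = MU::Cloud::AWS.ec2(region: @region, credentials: @credentials).describe_flow_logs(
    filter: [
      { name: "resource-id", values: [@cloud_id] }
    ]
  )
  existing = ext ? ext.flow_logs : []
  # Only a flow log with the configured traffic type and destination counts;
  # anything else is a different log and must not mask this one.
  matching = existing.select { |fl| fl.traffic_type == "ALL" && fl.log_group_name == loggroup }
  if matching.empty?
    if !existing.empty?
      MU.log "VPC #{@mu_name} already has flow logs, but none capturing ALL traffic to #{loggroup}; adding one", MU::WARN
    end
    logrole = @deploy.findLitterMate(name: @config['name']+"logrole", type: "roles")
    # … unchanged: MU.log and create_flow_logs call …
  end
end
```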
@@ -940,17 +959,19 @@
# @return [Boolean]: True if validation succeeded, False otherwise
def self.validateConfig(vpc, configurator)
ok = true
if vpc["enable_traffic_logging"]
- logdesc = {
- "name" => vpc['name']+"loggroup",
- }
- logdesc["tags"] = vpc["tags"] if !vpc["tags"].nil?
-# logdesc["optional_tags"] = vpc["optional_tags"] if !vpc["optional_tags"].nil?
- configurator.insertKitten(logdesc, "logs")
- MU::Config.addDependency(vpc, vpc['name']+"loggroup", "log")
+ if !vpc['log_group_name']
+ logdesc = {
+ "name" => vpc['name']+"loggroup",
+ }
+ logdesc["tags"] = vpc["tags"] if !vpc["tags"].nil?
+# logdesc["optional_tags"] = vpc["optional_tags"] if !vpc["optional_tags"].nil?
+ configurator.insertKitten(logdesc, "logs")
+ MU::Config.addDependency(vpc, vpc['name']+"loggroup", "log")
+ end
roledesc = {
"name" => vpc['name']+"logrole",
"can_assume" => [
{
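Review bot: The new `if !vpc['log_group_name']` guard only checks for nil, and in Ruby an empty string is truthy, so a config carrying `"log_group_name": ""` skips creating the managed log group, becomes the role's policy target identifier a few lines later, and reaches `create_flow_logs` as `log_group_name: ""`, failing at deploy time instead of at validation. Unless the schema elsewhere enforces a non-empty string for this key (I cannot see it from here), I would reject a blank value up front, e.g. `if vpc.key?('log_group_name') and vpc['log_group_name'].to_s.strip.empty?` followed by `MU.log "VPC #{vpc['name']}: log_group_name must not be blank", MU::ERR` and `ok = false`. It would also be worth stating in the option's documentation that a supplied name must be a CloudWatch Logs group in the same region as the VPC, since nothing here checks that. validateConfig opens at the top of this hunk and its body continues past the hunk's last line.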
@@ -969,23 +990,26 @@
"logs:PutLogEvents"
],
"targets" => [
{
"type" => "log",
- "identifier" => vpc['name']+"loggroup"
+ "identifier" => vpc['log_group_name'] ? vpc['log_group_name'] : vpc['name']+"loggroup"
}
]
}
- ],
- "dependencies" => [
+ ]
+ }
+ if !vpc['log_group_name']
+ roledesc["dependencies"] = [
{
"type" => "log",
"name" => vpc['name']+"loggroup"
}
]
- }
+ end
roledesc["tags"] = vpc["tags"] if !vpc["tags"].nil?
roledesc["optional_tags"] = vpc["optional_tags"] if !vpc["optional_tags"].nil?
+
configurator.insertKitten(roledesc, "roles")
MU::Config.addDependency(vpc, vpc['name']+"logrole", "role")
end
subnet_routes = Hash.new
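Review bot: On the changed target line, `"identifier"` now receives either a Mu sibling name or a raw, externally supplied log group name, and how the `type => "log"` target resolver turns that into a policy Resource ARN decides whether the role ends up scoped to the right group; if the resolver only knows deploy-managed siblings, an external name could resolve to nothing or to an overly broad resource, so that path deserves a test or a short comment such as `# identifier may be an external log group name when log_group_name is set; the log target resolver must handle both`. Flow logs also write to per-ENI log streams under the group, so whatever ARN is produced must cover the `:log-stream:*` suffix as well as the group itself. As a minor style point, `vpc['log_group_name'] ? vpc['log_group_name'] : vpc['name']+"loggroup"` is more simply `vpc['log_group_name'] || vpc['name']+"loggroup"`. validateConfig begins before this hunk and continues past it.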