Simplify module interface for flow logs

Author: miguelaferreira

examples/vpc-flow-create-s3-bucket/main.tf

@@ -24,9 +24,6 @@ module "vpc" {
   single_nat_gateway = true
 
   enable_flow_log                      = true
-  create_flow_log_cloudwatch_log_group = false
-  create_flow_log_cloudwatch_iam_role  = false
-  create_flow_log_s3_bucket            = true
   push_flow_log_to_s3                  = true
   flow_log_force_destroy_s3_bucket     = true
 

examples/vpc-flow-provided-cloudwatch-log-group/README.md

@@ -1,13 +1,20 @@
 # VPC Flow Logs provided CloudWatch log group
 
 Configuration in this directory creates set of VPC resources with VPC FLow Logs enabled and configured to push the logs to CloudWatch using a provided (ie. pre-existing) log group.
+This configuration requires that the CloudWatch log group is already created before enabling the VPC FLow Logs because otherwise terraform will complain about a count attribute being computed.
+This is because the conditional logic that determines if a new CloudWatch log group should be created is dependent on the ARN string being empty, which cannot be determined before the actual resource is created.
+To that end, we can leverage terraform targeted plans to first create the log group, and then the VPC with Flow Logs enabled.
+A realist scenario for this is to have the log group created in a separate configuration (different layer or even account) and read in via terraform remote state.
+
+One way to avoid this issue would be the introduction of new boolean arguments that control the creation logic, but that would add at least two more boolean arguments that users need to set correctly.
 
 ## Usage
 
 To run this example you need to execute:
 
 ```bash
 $ terraform init
+$ terraform apply -target aws_cloudwatch_log_group.vpc_flow_log
 $ terraform plan
 $ terraform apply
 ```

examples/vpc-flow-provided-cloudwatch-log-group/main.tf

@@ -24,7 +24,6 @@ module "vpc" {
   single_nat_gateway = true
 
   enable_flow_log = true
-  create_flow_log_cloudwatch_log_group = false
   flow_log_destination_arn = aws_cloudwatch_log_group.vpc_flow_log.arn
 
   tags = {

examples/vpc-flow-provided-cloudwatch-role/README.md

@@ -1,14 +1,20 @@
 # VPC Flow Logs provided IAM role for CloudWatch
 
 Configuration in this directory creates set of VPC resources with VPC FLow Logs enabled and configured to push the logs to CloudWatch using a provided (ie. pre-existing) IAM role.
+This configuration requires that the IAM role is already created before enabling the VPC FLow Logs because otherwise terraform will complain about a count attribute being computed.
+This is because the conditional logic that determines if a new IAM role should be created is dependent on the ARN string being empty, which cannot be determined before the actual role is created.
+To that end, we can leverage terraform targeted plans to first create the role, and then the VPC with Flow Logs enabled.
+A realist scenario for this is to have the IAM role created in a separate configuration (different layer or even account) and read in via terraform remote state.
 
+One way to avoid this issue would be the introduction of new boolean arguments that control the creation logic, but that would add at least two more boolean arguments that users need to set correctly.
 
 ## Usage
 
 To run this example you need to execute:
 
 ```bash
 $ terraform init
+$ terraform apply -target aws_iam_role.vpc_flow_log_cloudwatch
 $ terraform plan
 $ terraform apply
 ```

examples/vpc-flow-provided-cloudwatch-role/main.tf

@@ -24,7 +24,6 @@ module "vpc" {
   single_nat_gateway = true
 
   enable_flow_log = true
-  create_flow_log_cloudwatch_iam_role = false
   flow_log_cloudwatch_iam_role_arn = aws_iam_role.vpc_flow_log_cloudwatch.arn
 
   tags = {

examples/vpc-flow-provided-s3-bucket/main.tf

@@ -24,8 +24,6 @@ module "vpc" {
   single_nat_gateway = true
 
   enable_flow_log                      = true
-  create_flow_log_cloudwatch_log_group = false
-  create_flow_log_cloudwatch_iam_role  = false
   push_flow_log_to_s3                  = true
   flow_log_destination_arn             = aws_s3_bucket.vpf_flow_log.arn
 

flow-logs.tf

@@ -2,9 +2,9 @@ locals {
   # Only create flow log if user selected to create a vpc as well
   enable_flow_log = var.create_vpc && var.enable_flow_log
 
-  create_flow_log_cloudwatch_iam_role  = local.enable_flow_log && var.create_flow_log_cloudwatch_iam_role
-  create_flow_log_cloudwatch_log_group = local.enable_flow_log && var.create_flow_log_cloudwatch_log_group
-  create_flow_log_s3_bucket            = local.enable_flow_log && var.create_flow_log_s3_bucket
+  create_flow_log_s3_bucket            = local.enable_flow_log && var.push_flow_log_to_s3 && var.flow_log_destination_arn == ""
+  create_flow_log_cloudwatch_iam_role  = local.enable_flow_log && !var.push_flow_log_to_s3 && var.flow_log_cloudwatch_iam_role_arn == ""
+  create_flow_log_cloudwatch_log_group = local.enable_flow_log && !var.push_flow_log_to_s3 && var.flow_log_destination_arn == ""
 
   flow_log_cloudwatch_destination = local.create_flow_log_cloudwatch_log_group ? join("", aws_cloudwatch_log_group.flow_log.*.arn) : var.flow_log_destination_arn
   flow_log_s3_destination         = local.create_flow_log_s3_bucket ? join("", aws_s3_bucket.flow_log.*.arn) : var.flow_log_destination_arn

variables.tf

@@ -1414,30 +1414,12 @@ variable "flow_log_destination_arn" {
   default     = ""
 }
 
-variable "create_flow_log_cloudwatch_log_group" {
-  description = "Whether or not to create acloudWatch log group"
-  type        = bool
-  default     = true
-}
-
-variable "create_flow_log_cloudwatch_iam_role" {
-  description = "Whether or not to create an IAM role to push VPC Flow Logs to CloudWatch"
-  type        = bool
-  default     = true
-}
-
 variable "flow_log_cloudwatch_iam_role_arn" {
   description = "The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When create_flow_log_cloudwatch_iam_role is set to false, this argument needs to be provided.When create_flow_log_cloudwatch_iam_role is set to true, this argument is ignored."
   type        = string
   default     = ""
 }
 
-variable "create_flow_log_s3_bucket" {
-  description = "Whether or not to create an S3 bucket to push the VPC Flow Logs to"
-  type        = bool
-  default     = false
-}
-
 variable "flow_log_force_destroy_s3_bucket" {
   description = "Whether or not to force destroy the Flow Logs S3 bucket created by this module"
   type        = bool