Skip to content

feat(single-vm/aws): add VPC Flow Logs to close SECURITY-DEFAULTS gap#9

Closed
dmchaledev wants to merge 3 commits into
mainfrom
claude/blissful-pascal-4JC3e
Closed

feat(single-vm/aws): add VPC Flow Logs to close SECURITY-DEFAULTS gap#9
dmchaledev wants to merge 3 commits into
mainfrom
claude/blissful-pascal-4JC3e

Conversation

@dmchaledev

Copy link
Copy Markdown
Contributor

Problem

SECURITY-DEFAULTS.md has always stated:

VPC Flow Logs / Azure NSG Flow Logs are enabled by default (enable_flow_logs = true).

But modules/single-vm/aws had zero flow-log resources — no aws_flow_log, no CloudWatch log group, no IAM role. Customers reading the security documentation and deploying the single-vm tier had no flow logs at all, creating a silent compliance and forensics gap.

unlimited-scale/aws already ships the correct implementation. This PR ports that pattern to single-vm/aws and updates both product wrappers to keep the wrapper-forwarding CI gate green.

Changes

File What changed
modules/single-vm/aws/variables.tf Add enable_flow_logs (bool, default true)
modules/single-vm/aws/main.tf Add aws_cloudwatch_log_group, aws_iam_role, aws_iam_role_policy, aws_flow_log — identical pattern to unlimited-scale/aws
modules/single-vm/aws/outputs.tf Add flow_log_group_name output
modules/asm-aws-single/{variables,main,outputs}.tf Forward enable_flow_logs, re-export flow_log_group_name
modules/sat-aws-single/{variables,main,outputs}.tf Same

No new Checkov suppressions needed — CKV_AWS_338 (CW log retention < 1 year) and CKV_AWS_158 (CW log group KMS when CMK is off) are already suppressed with documented rationale, and the #tfsec:ignore:aws-iam-no-policy-wildcards inline annotation handles the logs:DescribeLogGroups Resource = "*" requirement exactly as in unlimited-scale/aws.

What this does NOT change

  • ha-hot-hot/aws has the same gap. That's a larger module with its own VPC and more surface area — tracked separately so this small, self-contained fix can ship now.
  • No Azure changes in this PR. single-vm/azure NSG flow log parity is a follow-on.
  • Existing deployments: adding enable_flow_logs = true (the new default) on a VPC that already has a flow log is additive — AWS supports multiple flow log configurations per VPC. Operators who want to opt out can set enable_flow_logs = false.

Test plan

  • CI terraform validate passes on modules/single-vm/aws, asm-aws-single, sat-aws-single
  • CI wrapper-forwarding check passes (new variable is forwarded by both wrappers)
  • CI tflint passes
  • CI checkov passes (no new suppressions added)
  • Manually verify flow_log_group_name output is non-empty after terraform apply on a test VPC

https://claude.ai/code/session_01B6D637ANdrxC826zTQmSYi


Generated by Claude Code

claude and others added 3 commits June 1, 2026 14:50
SECURITY-DEFAULTS.md has long claimed VPC Flow Logs are enabled by
default, but the single-vm/aws core module had no flow-log resources.
This gap meant customers relying on the documented default had no
flow logs at all.

Adds the same pattern already present in unlimited-scale/aws:
- aws_cloudwatch_log_group (30-day retention, optional CMK)
- aws_iam_role + aws_iam_role_policy scoped to that log group
- aws_flow_log targeting the caller-provided vpc_id

Variable enable_flow_logs defaults to true (matching SECURITY-DEFAULTS.md).
Wrappers asm-aws-single and sat-aws-single are updated to forward the
variable and re-export the new flow_log_group_name output so the
wrapper-forwarding CI gate passes.

ha-hot-hot/aws has the same gap and is tracked separately.

https://claude.ai/code/session_01B6D637ANdrxC826zTQmSYi
dmchaledev pushed a commit that referenced this pull request Jun 26, 2026
…erage

Folds two open PRs that could not be merged from their own branches (their
mock-based tests broke once rebased and the branches are not pushable here);
re-implemented with the test gaps fixed.

#9 — VPC Flow Logs for single-vm/aws (closes #9):
  Adds opt-in VPC Flow Logs (enable_flow_logs, default true) sending ALL traffic
  to a CloudWatch log group, with a least-privilege flow-log IAM role. Closes the
  gap vs SECURITY-DEFAULTS.md. Forwarded through asm-aws-single / sat-aws-single
  with a flow_log_group_name output. The existing single-vm/aws basic test now
  mocks aws_cloudwatch_log_group with a valid ARN so aws_flow_log's
  log_destination passes provider-side ARN validation.

#34 — terraform test coverage for the network modules (closes #34):
  Adds .tftest.hcl suites for network/aws (basic apply + feature-flag plans) and
  network/azure (basic apply), and adds both to the terraform-test CI matrix —
  the only modules previously lacking native tests. The azure test mocks
  azurerm_network_security_group, and both network/aws tests mock
  aws_cloudwatch_log_group, with well-formed ARNs so the subnet-NSG association
  and flow-log destination validate under the mock provider.

Verified locally: terraform validate, tflint, terraform test (single-vm/aws 5/5,
network/aws 5/5, network/azure 1/1), checkov (1078 passed, 0 failed), trivy
(0 findings), and the wrapper drift check (0 warnings) all pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AFfgnPaoyGhp52vQL2PVU3

Copy link
Copy Markdown
Contributor Author

Superseded by #41 (merged), which lands the VPC Flow Logs feature for single-vm/aws (+ asm/sat wrappers and the flow_log_group_name output). The only addition vs this PR: the single-vm/aws basic tftest now mocks aws_cloudwatch_log_group with a valid ARN so aws_flow_log.log_destination passes provider-side ARN validation under the mock provider (otherwise the test goes red once rebased). Thanks for the contribution — the feature is in main. Closing.


Generated by Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants