From 6a1f2466611128f9b546b48a5a2d16edb98b91c5 Mon Sep 17 00:00:00 2001
From: David Sibley
Date: Mon, 23 Sep 2024 11:00:31 +0100
Subject: [PATCH] added flow logs from transit gateway to s3

---
 .../environments/core-network-services/locals.tf | 4 +++-
 .../core-network-services/monitoring.tf | 15 +++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/terraform/environments/core-network-services/locals.tf b/terraform/environments/core-network-services/locals.tf
index 01bd61f7a..961a468a1 100644
--- a/terraform/environments/core-network-services/locals.tf
+++ b/terraform/environments/core-network-services/locals.tf
@@ -5,7 +5,9 @@ data "aws_caller_identity" "modernisation-platform" {
 data "aws_organizations_organization" "root_account" {}
 
 locals {
- application_name = "core-network-services"
+ application_name = "core-network-services"
+ # Custom VPC flow log statement
+ custom_flow_log_format = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id} $${pkt-src-aws-service} $${pkt-dst-aws-service} $${flow-direction} $${traffic-path}"
 environment_management = jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)
 pagerduty_integration_keys = jsondecode(data.aws_secretsmanager_secret_version.pagerduty_integration_keys.secret_string)
 
diff --git a/terraform/environments/core-network-services/monitoring.tf b/terraform/environments/core-network-services/monitoring.tf
index 6e12c6c89..d2f80c00b 100644
--- a/terraform/environments/core-network-services/monitoring.tf
+++ b/terraform/environments/core-network-services/monitoring.tf
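Review bot: The comment on the new local is misleading: `custom_flow_log_format` is a field list, not a statement, and the doubled `$$` is the HCL escape that delivers a literal `${field}` to the service, which is worth stating so the next editor does not "fix" it back to a single `$`; I would write `# Custom flow log format (all available fields); $$ is the HCL escape so the service receives a literal ${...}`. The single very long string line is also hard to review for a missing or duplicated field; building it as `custom_flow_log_format = join(" ", ["$${version}", "$${account-id}", ...])` with one field per line keeps future diffs of the field set readable. The `application_name` change is whitespace-only realignment.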
@@ -151,6 +151,21 @@ resource "aws_flow_log" "tgw_flowlog" {
 tags = local.tags
 }
 
+resource "aws_flow_log" "tgw_flowlog_s3" {
+ log_destination = local.cloudwatch_log_buckets["vpc-flow-logs"]
+ log_destination_type = "s3"
+ log_format = local.custom_flow_log_format
+ max_aggregation_interval = "60"
+ traffic_type = "ALL"
+ transit_gateway_attachment_id = aws_ec2_transit_gateway.transit-gateway.id
+ tags = merge(
+ local.tags,
+ {
+ Name = "${aws_vpc.external_inspection.id}-vpc-flow-logs-s3"
+ }
+ )
+}
+
 resource "aws_cloudwatch_metric_alarm" "firewall-traffic-drop-alarm" {
 alarm_name = "firewall-traffic-dropped"
 comparison_operator = "GreaterThanOrEqualToThreshold"
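Review bot: `transit_gateway_attachment_id` is given `aws_ec2_transit_gateway.transit-gateway.id`, which is the transit gateway's own ID, not an attachment ID; `aws_flow_log` has a separate `transit_gateway_id` argument for logging the whole gateway, so unless the existing `tgw_flowlog` resource (whose arguments sit above this hunk) deliberately does the same, the line should read `transit_gateway_id = aws_ec2_transit_gateway.transit-gateway.id`. The `Name` tag is built from `aws_vpc.external_inspection.id` and says `vpc-flow-logs` although this resource logs the transit gateway, so anyone locating the log by tag will file it under the wrong object; `Name = "${aws_ec2_transit_gateway.transit-gateway.id}-tgw-flow-logs-s3"` would describe it accurately. For an S3 destination `log_destination` must be the bucket ARN, which the name `local.cloudwatch_log_buckets` does not make obvious — a comment such as `# bucket ARN; S3 destinations take the bucket ARN, not a log-group ARN` on that line would help, assuming the map does hold ARNs. `max_aggregation_interval = "60"` is a numeric argument written as a string; `max_aggregation_interval = 60` avoids relying on implicit conversion.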