
feat(single-vm/aws): add VPC Flow Logs to close SECURITY-DEFAULTS gap#9

Open
dmchaledev wants to merge 1 commit into main from claude/blissful-pascal-4JC3e

Conversation

@dmchaledev
Contributor

Problem

SECURITY-DEFAULTS.md has always stated:

VPC Flow Logs / Azure NSG Flow Logs are enabled by default (enable_flow_logs = true).

But modules/single-vm/aws had zero flow-log resources — no aws_flow_log, no CloudWatch log group, no IAM role. Customers reading the security documentation and deploying the single-vm tier had no flow logs at all, creating a silent compliance and forensics gap.

unlimited-scale/aws already ships the correct implementation. This PR ports that pattern to single-vm/aws and updates both product wrappers to keep the wrapper-forwarding CI gate green.

Changes

| File | What changed |
| --- | --- |
| modules/single-vm/aws/variables.tf | Add enable_flow_logs (bool, default true) |
| modules/single-vm/aws/main.tf | Add aws_cloudwatch_log_group, aws_iam_role, aws_iam_role_policy, aws_flow_log, identical pattern to unlimited-scale/aws |
| modules/single-vm/aws/outputs.tf | Add flow_log_group_name output |
| modules/asm-aws-single/{variables,main,outputs}.tf | Forward enable_flow_logs, re-export flow_log_group_name |
| modules/sat-aws-single/{variables,main,outputs}.tf | Same |

No new Checkov suppressions needed — CKV_AWS_338 (CW log retention < 1 year) and CKV_AWS_158 (CW log group KMS when CMK is off) are already suppressed with documented rationale, and the #tfsec:ignore:aws-iam-no-policy-wildcards inline annotation handles the logs:DescribeLogGroups Resource = "*" requirement exactly as in unlimited-scale/aws.

What this does NOT change

  • ha-hot-hot/aws has the same gap. That's a larger module with its own VPC and more surface area — tracked separately so this small, self-contained fix can ship now.
  • No Azure changes in this PR. single-vm/azure NSG flow log parity is a follow-on.
  • Existing deployments: adding enable_flow_logs = true (the new default) on a VPC that already has a flow log is additive — AWS supports multiple flow log configurations per VPC. Operators who want to opt out can set enable_flow_logs = false.

Test plan

  • CI terraform validate passes on modules/single-vm/aws, asm-aws-single, sat-aws-single
  • CI wrapper-forwarding check passes (new variable is forwarded by both wrappers)
  • CI tflint passes
  • CI checkov passes (no new suppressions added)
  • Manually verify flow_log_group_name output is non-empty after terraform apply on a test VPC

https://claude.ai/code/session_01B6D637ANdrxC826zTQmSYi


Generated by Claude Code

SECURITY-DEFAULTS.md has long claimed VPC Flow Logs are enabled by
default, but the single-vm/aws core module had no flow-log resources.
This gap meant customers relying on the documented default had no
flow logs at all.

Adds the same pattern already present in unlimited-scale/aws:
- aws_cloudwatch_log_group (30-day retention, optional CMK)
- aws_iam_role + aws_iam_role_policy scoped to that log group
- aws_flow_log targeting the caller-provided vpc_id

Variable enable_flow_logs defaults to true (matching SECURITY-DEFAULTS.md).
Wrappers asm-aws-single and sat-aws-single are updated to forward the
variable and re-export the new flow_log_group_name output so the
wrapper-forwarding CI gate passes.

ha-hot-hot/aws has the same gap and is tracked separately.

https://claude.ai/code/session_01B6D637ANdrxC826zTQmSYi
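The four-resource pattern the Changes table and the commit message describe (log group with 30-day retention and optional CMK, a role plus inline policy scoped to that log group, and an aws_flow_log on the caller-provided vpc_id, all gated by enable_flow_logs), written out as an added illustration. This is not the repository's main.tf or the unlimited-scale/aws implementation; it is a reconstruction from the PR text. The variable names name_prefix, kms_key_arn and vpc_id, the log group naming scheme, the placement of the tfsec ignore annotation, and the aggregation interval are assumptions. The only Resource = "*" grant is logs:DescribeLogGroups, which CloudWatch Logs does not let you scope more narrowly; everything else is bound to the ARN of the log group this module creates.

```hcl
# Added example, not the project's code. name_prefix, kms_key_arn and vpc_id are assumed inputs.
variable "enable_flow_logs" {
  description = "Create a VPC Flow Log for vpc_id delivered to CloudWatch Logs (SECURITY-DEFAULTS.md default)."
  type        = bool
  default     = true
}

variable "vpc_id" { type = string }      # caller-provided VPC, as in the commit message
variable "name_prefix" { type = string } # assumed: used to name the log group, role and policy

variable "kms_key_arn" {
  description = "Optional customer-managed KMS key for the log group. null keeps the AWS-managed default."
  type        = string
  default     = null
}

locals {
  flow_log_count = var.enable_flow_logs ? 1 : 0
}

# 30-day retention per the commit message. CKV_AWS_338 (retention < 1 year) and
# CKV_AWS_158 (no CMK when kms_key_arn is null) are suppressed repo-wide per the PR text.
resource "aws_cloudwatch_log_group" "flow_logs" {
  count             = local.flow_log_count
  name              = "/aws/vpc/flow-logs/${var.name_prefix}"
  retention_in_days = 30
  kms_key_id        = var.kms_key_arn
}

# Only the VPC Flow Logs service may assume the delivery role.
data "aws_iam_policy_document" "flow_logs_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "flow_logs" {
  count              = local.flow_log_count
  name               = "${var.name_prefix}-vpc-flow-logs"
  assume_role_policy = data.aws_iam_policy_document.flow_logs_assume.json
}

data "aws_iam_policy_document" "flow_logs" {
  count = local.flow_log_count

  # Write access is scoped to the log group created above and its streams.
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"]
    resources = ["${aws_cloudwatch_log_group.flow_logs[0].arn}:*"]
  }

  # logs:DescribeLogGroups only supports "*", so the wildcard finding is
  # suppressed inline (annotation placement assumed for this example).
  statement {
    actions   = ["logs:DescribeLogGroups"]
    resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
  }
}

resource "aws_iam_role_policy" "flow_logs" {
  count  = local.flow_log_count
  name   = "${var.name_prefix}-vpc-flow-logs"
  role   = aws_iam_role.flow_logs[0].id
  policy = data.aws_iam_policy_document.flow_logs[0].json
}

resource "aws_flow_log" "this" {
  count                    = local.flow_log_count
  vpc_id                   = var.vpc_id
  traffic_type             = "ALL" # capture accepted and rejected flows for forensics
  log_destination_type     = "cloud-watch-logs"
  log_destination          = aws_cloudwatch_log_group.flow_logs[0].arn
  iam_role_arn             = aws_iam_role.flow_logs[0].arn
  max_aggregation_interval = 60 # assumed: 1-minute records; 600 is the cheaper default
}

# Empty when flow logs are disabled, so a wrapper can re-export it unconditionally.
output "flow_log_group_name" {
  value = var.enable_flow_logs ? aws_cloudwatch_log_group.flow_logs[0].name : null
}
```

Every resource shares the same count expression, so enable_flow_logs = false destroys the flow log, policy, role and log group together rather than leaving an orphaned role behind, and the output degrades to null instead of failing the wrapper's re-export. The "additive on an existing VPC" note in the PR body still applies: a second aws_flow_log on the same vpc_id doubles delivery cost, so operators with a pre-existing flow log should either opt out here or retire the old one.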