removed fixed names from flow logs template and added test

kainepro · May 4, 2017 · 2d20739 · 2d20739
1 parent 9b60c0e
commit 2d20739
Show file tree

Hide file tree

Showing 10 changed files with 143 additions and 72 deletions.
diff --git a/docs/vpc.md b/docs/vpc.md
@@ -119,11 +119,28 @@ This template describes a VPC endpoint to securely route traffic within a VPC fo
 ![Architecture](./img/vpc-endpoint-s3.png)
 ## Installation Guide
 1. This templates depends on one of our `vpc-*azs.yaml` templates. [Launch Stack](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-2azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__/vpc/vpc-2azs.yaml)
-1. [Launch Stack](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-endpoint-s3&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__/vpc/vpc-endpoint-s3.yaml) for this VPC endpoint to S3.
+1. [Launch Stack](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-endpoint-s3&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__/vpc/vpc-endpoint-s3.yaml)
 1. Click **Next** to proceed with the next step of the wizard.
 1. Specify a name and all parameters for the stack.
 1. Click **Next** to proceed with the next step of the wizard.
 1. Click **Next** to skip the **Options** step of the wizard.
 1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox.
 1. Click **Create** to start the creation of the stack.
 1. Wait until the stack reaches the state **CREATE_COMPLETE**
+
+# VPC Flow Logs to CloudWatch Logs
+This template enables [Flow Log](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html) for the specified VPC. Flow Logs contain aggregated network traffic data in your VPC.
+
+![Architecture](./img/vpc-endpoint-s3.png)
+## Installation Guide
+1. This templates depends on one of our `vpc-*azs.yaml` templates. [Launch Stack](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-2azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__/vpc/vpc-2azs.yaml)
+1. [Launch Stack](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-endpoint-s3&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__/vpc/vpc-flow-logs.yaml)
+1. Click **Next** to proceed with the next step of the wizard.
+1. Specify a name and all parameters for the stack.
+1. Click **Next** to proceed with the next step of the wizard.
+1. Click **Next** to skip the **Options** step of the wizard.
+1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox.
+1. Click **Create** to start the creation of the stack.
+1. Wait until the stack reaches the state **CREATE_COMPLETE**
+
+Flow Logs will show up in CloudWatch Logs a few minutes after activation.
diff --git a/test/src/test/java/de/widdix/awscftemplates/vpc/TestVPC2AZs.java b/test/src/test/java/de/widdix/awscftemplates/vpc/TestVPC2AZs.java
@@ -14,7 +14,7 @@ public void test() {
                     "vpc/vpc-2azs.yaml",
                     new Parameter().withParameterKey("ClassB").withParameterValue("10")
             );
-            // TODO how can we check if this stack works?  launch an EC2 instance into a public subnet and open google from the instance?
+            // TODO how can we check if this stack works? launch an EC2 instance into a public subnet and open google from the instance?
         } finally {
             this.deleteStack(stackName);
         }

diff --git a/test/src/test/java/de/widdix/awscftemplates/vpc/TestVPC3AZs.java b/test/src/test/java/de/widdix/awscftemplates/vpc/TestVPC3AZs.java
@@ -14,7 +14,7 @@ public void test() {
                     "vpc/vpc-3azs.yaml",
                     new Parameter().withParameterKey("ClassB").withParameterValue("10")
             );
-            // TODO how can we check if this stack works?  launch an EC2 instance into a public subnet and open google from the instance?
+            // TODO how can we check if this stack works? launch an EC2 instance into a public subnet and open google from the instance?
         } finally {
             this.deleteStack(stackName);
         }

diff --git a/test/src/test/java/de/widdix/awscftemplates/vpc/TestVPC4AZs.java b/test/src/test/java/de/widdix/awscftemplates/vpc/TestVPC4AZs.java
@@ -14,7 +14,7 @@ public void test() {
                     "vpc/vpc-4azs.yaml",
                     new Parameter().withParameterKey("ClassB").withParameterValue("10")
             );
-            // TODO how can we check if this stack works?  launch an EC2 instance into a public subnet and open google from the instance?
+            // TODO how can we check if this stack works? launch an EC2 instance into a public subnet and open google from the instance?
         } finally {
             this.deleteStack(stackName);
         }

diff --git a/test/src/test/java/de/widdix/awscftemplates/vpc/TestVPCFlowLogs.java b/test/src/test/java/de/widdix/awscftemplates/vpc/TestVPCFlowLogs.java
@@ -0,0 +1,39 @@
+package de.widdix.awscftemplates.vpc;
+
+import com.amazonaws.services.cloudformation.model.Parameter;
+import de.widdix.awscftemplates.ACloudFormationTest;
+import org.junit.Test;
+
+public class TestVPCFlowLogs extends ACloudFormationTest {
+
+    @Test
+    public void test() {
+        final String vpcStackName = "vpc-2azs-" + this.random8String();
+        final String flowLogsStackName = "vpc-flow-logs-" + this.random8String();
+        final String classB = "10";
+        final String keyName = "key-" + this.random8String();
+        try {
+            this.createKey(keyName);
+            try {
+                this.createStack(vpcStackName,
+                        "vpc/vpc-2azs.yaml",
+                        new Parameter().withParameterKey("ClassB").withParameterValue(classB)
+                );
+                try {
+                    this.createStack(flowLogsStackName,
+                            "vpc/vpc-flow-logs.yaml",
+                            new Parameter().withParameterKey("ParentVPCStack").withParameterValue(vpcStackName)
+                    );
+                    // TODO how can we check if this stack works?
+                } finally {
+                    this.deleteStack(flowLogsStackName);
+                }
+            } finally {
+                this.deleteStack(vpcStackName);
+            }
+        } finally {
+            this.deleteKey(keyName);
+        }
+    }
+
+}
diff --git a/test/src/test/java/de/widdix/awscftemplates/vpc/TestVPCNatGateway.java b/test/src/test/java/de/widdix/awscftemplates/vpc/TestVPCNatGateway.java
@@ -21,7 +21,7 @@ public void test() {
                         "vpc/vpc-nat-gateway.yaml",
                         new Parameter().withParameterKey("ParentVPCStack").withParameterValue(vpcStackName)
                 );
-                // TODO how can we check if this stack works?  launch an EC2 instance into a private subnet and open google from the instance?
+                // TODO how can we check if this stack works? launch an EC2 instance into a private subnet and open google from the instance?
             } finally {
                 this.deleteStack(natStackName);
             }

diff --git a/test/src/test/java/de/widdix/awscftemplates/vpc/TestVPCNatInstance.java b/test/src/test/java/de/widdix/awscftemplates/vpc/TestVPCNatInstance.java
@@ -25,7 +25,7 @@ public void test() {
                             new Parameter().withParameterKey("ParentVPCStack").withParameterValue(vpcStackName),
                             new Parameter().withParameterKey("KeyName").withParameterValue(keyName)
                     );
-                    // TODO how can we check if this stack works?  launch an EC2 instance into a private subnet and open google from the instance?
+                    // TODO how can we check if this stack works? launch an EC2 instance into a private subnet and open google from the instance?
                 } finally {
                     this.deleteStack(natStackName);
                 }

diff --git a/vpc/vpc-endpoint-s3.yaml b/vpc/vpc-endpoint-s3.yaml
@@ -1,6 +1,6 @@
 ---
 AWSTemplateFormatVersion: '2010-09-09'
-Description: 'VPC: Endpoint to S3 for private subnets, a cloudonaut.io template'
+Description: 'VPC: Endpoint to S3 for private subnets, a cloudonaut.io template, contributed by https://github.com/btsuhako'
 Metadata:
   'AWS::CloudFormation::Interface':
     ParameterGroups:

diff --git a/vpc/vpc-flow-logs.yaml b/vpc/vpc-flow-logs.yaml
@@ -0,0 +1,80 @@
+---
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'VPC: Publish flow logs to CloudWatch Logs, a cloudonaut.io template, contributed by https://github.com/statik'
+Metadata:
+  'AWS::CloudFormation::Interface':
+    ParameterGroups:
+    - Label:
+        default: 'Parent Stacks'
+      Parameters:
+      - ParentVPCStack
+    - Label:
+        default: 'Flow Logs Parameters'
+      Parameters:
+      - RetentionInDays
+      - TrafficType
+Parameters:
+  ParentVPCStack:
+    Description: 'Stack name of parent VPC stack based on vpc/vpc-*azs.yaml template.'
+    Type: String
+  RetentionInDays:
+    Description: 'Specifies the number of days you want to retain log events.'
+    Type: Number
+    Default: 14
+    AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
+  TrafficType:
+    Description: 'The type of traffic to log.'
+    Type: String
+    Default: REJECT
+    AllowedValues:
+    - ACCEPT
+    - REJECT
+    - ALL
+Resources:
+  Role:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Principal:
+            Service:
+            - 'vpc-flow-logs.amazonaws.com'
+          Action: 'sts:AssumeRole'
+      Policies:
+      - PolicyName: 'flowlogs-policy'
+        PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+          - Effect: Allow
+            Action:
+            - 'logs:CreateLogGroup'
+            - 'logs:CreateLogStream'
+            - 'logs:PutLogEvents'
+            - 'logs:DescribeLogGroups'
+            - 'logs:DescribeLogStreams'
+            Resource: '*'
+  LogGroup:
+    Type: 'AWS::Logs::LogGroup'
+    Properties:
+      RetentionInDays: !Ref RetentionInDays
+  FlowLog:
+    Type: 'AWS::EC2::FlowLog'
+    Properties:
+      DeliverLogsPermissionArn: !GetAtt 'Role.Arn'
+      LogGroupName: !Ref LogGroup
+      ResourceId :
+        'Fn::ImportValue': !Sub '${ParentVPCStack}-VPC'
+      ResourceType: 'VPC'
+      TrafficType: !Ref TrafficType
+Outputs:
+  TemplateID:
+    Description: 'cloudonaut.io template id.'
+    Value: 'vpc/vpc-flowlog'
+  LogGroupName:
+    Description: 'The name of the CloudWatch Logs log group where Amazon EC2 publishes your flow logs.'
+    Value: !Ref LogGroup
+  LogGroupARN:
+    Description: 'The ARN of the CloudWatch Logs log group where Amazon EC2 publishes your flow logs.'
+    Value: !GetAtt 'LogGroup.Arn'
diff --git a/vpc/vpc-flowlogs.yaml b/vpc/vpc-flowlogs.yaml