Merge pull request #324 from lorengordon/fix/flow-log-role

plus3it · Nov 23, 2024 · 6e6efe2 · 6e6efe2
2 parents 3cf2880 + 82e9e03
commit 6e6efe2
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 16 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 3.0.0
+current_version = 3.0.1
 commit = True
 message = Bumps version to {new_version}
 tag = False

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### [3.0.1](https://github.com/plus3it/terraform-aws-tardigrade-vpc-flow-log/releases/tag/3.0.1)
+
+**Released**: 2024.11.22
+
+**Summary**:
+
+*   Moves iam role conditions to trust policy instead of role policy, per aws guidance
+    for mitigating confused deputy problem. See also:
+    *   https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-iam-role.html
+    *   https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html
+
 ### [3.0.0](https://github.com/plus3it/terraform-aws-tardigrade-vpc-flow-log/releases/tag/3.0.0)
 
 **Released**: 2024.11.20

diff --git a/README.md b/README.md
@@ -24,6 +24,7 @@ Terraform module to create a VPC Flow Log
 | [aws_iam_policy_document.cloudwatch_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudwatch_trust](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 

diff --git a/main.tf b/main.tf
@@ -97,10 +97,12 @@ locals {
 
   account_id = data.aws_caller_identity.this.account_id
   partition  = data.aws_partition.this.partition
+  region     = data.aws_region.this.name
 }
 
 data "aws_caller_identity" "this" {}
 data "aws_partition" "this" {}
+data "aws_region" "this" {}
 
 data "aws_iam_policy_document" "cloudwatch_policy" {
   count = local.create_cloudwatch_iam_role ? 1 : 0
@@ -118,21 +120,6 @@ data "aws_iam_policy_document" "cloudwatch_policy" {
       "arn:${local.partition}:logs:*:*:log-group:${local.log_group_name}",
       "arn:${local.partition}:logs:*:*:log-group:${local.log_group_name}:*",
     ]
-
-    condition {
-      test     = "StringEquals"
-      variable = "aws:SourceAccount"
-      values   = [local.account_id]
-    }
-
-    condition {
-      test     = "ArnLike"
-      variable = "aws:SourceArn"
-      values = [
-        "arn:${local.partition}:logs:*:*:log-group:${local.log_group_name}",
-        "arn:${local.partition}:logs:*:*:log-group:${local.log_group_name}:*",
-      ]
-    }
   }
 }
 
@@ -146,5 +133,17 @@ data "aws_iam_policy_document" "cloudwatch_trust" {
       type        = "Service"
       identifiers = ["vpc-flow-logs.amazonaws.com"]
     }
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [local.account_id]
+    }
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = ["arn:aws:ec2:${local.region}:${local.account_id}:vpc-flow-log/*"]
+    }
   }
 }