# VPC Flow Logs delivered to an encrypted CloudWatch Logs group.
#
# Both the flow log and its destination log group are gated by the same
# `enable-flow-log` flag, so whenever this resource exists the log group
# exists too and the `[0]` / one() reference below is safe.
resource "aws_flow_log" "vpc-flowlog" {
  count = var.enable-flow-log ? 1 : 0

  vpc_id = aws_vpc.vpc.id

  # "ALL" captures both accepted and rejected traffic; rejected-only would
  # hide successful lateral movement, accepted-only would hide scans.
  traffic_type = "ALL"

  # Destination is the log group declared in this file (CloudWatch Logs is
  # the default destination type, so it is not spelled out).
  log_destination = one(aws_cloudwatch_log_group.vpcflowlog-loggroup).arn

  # NOTE(review): as far as is visible here, aws_iam_role.vpcflowlog-role is
  # not gated by `enable-flow-log`, so the role is created even when no flow
  # log exists — consider gating it with the same count. If the role's
  # permissions policy is attached by a separate resource, add a depends_on
  # on that attachment here; flow-log creation only references the role ARN
  # and can otherwise race the policy and fail with a permissions error.
  iam_role_arn = aws_iam_role.vpcflowlog-role.arn

  # NOTE(review): max_aggregation_interval is left at the provider default
  # (600 s); 60 s gives finer timestamps for detection use — confirm which
  # is wanted before changing it.

  tags = {
    Name = format("%s-vpcflowlog", var.resource-prefix)
  }
}

# Destination log group for the flow logs above. Encrypted at rest with a
# caller-supplied CMK and retained for a caller-supplied number of days.
resource "aws_cloudwatch_log_group" "vpcflowlog-loggroup" {
  count = var.enable-flow-log ? 1 : 0

  # name_prefix (not name) so repeated applies / parallel stacks don't collide.
  name_prefix = "/aws/vpcflowlog/"

  # NOTE(review): the CMK's key policy must allow the CloudWatch Logs service
  # principal for this region to use the key, otherwise log delivery silently
  # fails — confirm on the key side, this module only passes the ARN through.
  kms_key_id = var.vpcflowlog-cwl-loggroup-key-arn

  # Retention is the audit-evidence window; value is owned by the caller.
  retention_in_days = var.vpcflowlog-retain-days

  # NOTE(review): the infrequent-access log group class restricts some
  # features (e.g. subscription filters) — confirm against AWS docs before
  # pointing a SIEM forwarder at this group with that class selected.
  log_group_class = var.log-group-class
}

# Two random bytes (16 bits, rendered as a decimal) used only to make the IAM
# role name unique within the account. NOTE(review): 16 bits is enough for a
# handful of stacks; collisions become plausible at scale — not a security
# boundary, just a naming aid.
resource "random_id" "rid" {
  byte_length = 2
}

resource "aws_iam_role" "vpcflowlog-role" {
  name = "VpcFlowlogRole-${random_id.rid.dec}"
  path = "/service/"
  assume_role_policy = <