Resource: awsFlowLog
Provides a VPC/Subnet/ENI/Transit Gateway/Transit Gateway Attachment Flow Log to capture IP traffic for a specific network interface, subnet, or VPC. Logs are sent to a CloudWatch Log Group, an S3 Bucket, or Amazon Kinesis Data Firehose.
Example Usage
CloudWatch Logging
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";

const awsCloudwatchLogGroupExample =
  new aws.cloudwatchLogGroup.CloudwatchLogGroup(this, "example", {
    name: "example",
  });
const dataAwsIamPolicyDocumentAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["vpc-flow-logs.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );
const dataAwsIamPolicyDocumentExample =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "example_2", {
    statement: [
      {
        actions: [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          "logs:DescribeLogGroups",
          "logs:DescribeLogStreams",
        ],
        effect: "Allow",
        resources: ["*"],
      },
    ],
  });
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
dataAwsIamPolicyDocumentExample.overrideLogicalId("example");
const awsIamRoleExample = new aws.iamRole.IamRole(this, "example_3", {
  assumeRolePolicy: dataAwsIamPolicyDocumentAssumeRole.json,
  name: "example",
});
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
awsIamRoleExample.overrideLogicalId("example");
const awsIamRolePolicyExample = new aws.iamRolePolicy.IamRolePolicy(
  this,
  "example_4",
  {
    name: "example",
    policy: dataAwsIamPolicyDocumentExample.json,
    role: awsIamRoleExample.id,
  }
);
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
awsIamRolePolicyExample.overrideLogicalId("example");
const awsFlowLogExample = new aws.flowLog.FlowLog(this, "example_5", {
  iamRoleArn: awsIamRoleExample.arn,
  logDestination: awsCloudwatchLogGroupExample.arn,
  trafficType: "ALL",
  vpcId: "${aws_vpc.example.id}",
});
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
awsFlowLogExample.overrideLogicalId("example");
Amazon Kinesis Data Firehose logging
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";

const awsS3BucketExample = new aws.s3Bucket.S3Bucket(this, "example", {
  bucket: "example",
});
const awsS3BucketAclExample = new aws.s3BucketAcl.S3BucketAcl(
  this,
  "example_1",
  {
    acl: "private",
    bucket: awsS3BucketExample.id,
  }
);
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
awsS3BucketAclExample.overrideLogicalId("example");
const dataAwsIamPolicyDocumentAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["firehose.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );
// The actions/effect/resources of a policy document belong inside a statement block.
const dataAwsIamPolicyDocumentExample =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "example_3", {
    statement: [
      {
        actions: [
          "logs:CreateLogDelivery",
          "logs:DeleteLogDelivery",
          "logs:ListLogDeliveries",
          "logs:GetLogDelivery",
          "firehose:TagDeliveryStream",
        ],
        effect: "Allow",
        resources: ["*"],
      },
    ],
  });
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
dataAwsIamPolicyDocumentExample.overrideLogicalId("example");
const awsIamRoleExample = new aws.iamRole.IamRole(this, "example_4", {
  assumeRolePolicy: dataAwsIamPolicyDocumentAssumeRole.json,
  name: "firehose_test_role",
});
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
awsIamRoleExample.overrideLogicalId("example");
const awsIamRolePolicyExample = new aws.iamRolePolicy.IamRolePolicy(
  this,
  "example_5",
  {
    name: "test",
    policy: dataAwsIamPolicyDocumentExample.json,
    role: awsIamRoleExample.id,
  }
);
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
awsIamRolePolicyExample.overrideLogicalId("example");
const awsKinesisFirehoseDeliveryStreamExample =
  new aws.kinesisFirehoseDeliveryStream.KinesisFirehoseDeliveryStream(
    this,
    "example_6",
    {
      destination: "extended_s3",
      extendedS3Configuration: {
        bucketArn: awsS3BucketExample.arn,
        roleArn: awsIamRoleExample.arn,
      },
      name: "kinesis_firehose_test",
      tags: {
        LogDeliveryEnabled: "true",
      },
    }
  );
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
awsKinesisFirehoseDeliveryStreamExample.overrideLogicalId("example");
const awsFlowLogExample = new aws.flowLog.FlowLog(this, "example_7", {
  logDestination: awsKinesisFirehoseDeliveryStreamExample.arn,
  logDestinationType: "kinesis-data-firehose",
  trafficType: "ALL",
  vpcId: "${aws_vpc.example.id}",
});
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
awsFlowLogExample.overrideLogicalId("example");
S3 Logging
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";

const awsS3BucketExample = new aws.s3Bucket.S3Bucket(this, "example", {
  bucket: "example",
});
const awsFlowLogExample = new aws.flowLog.FlowLog(this, "example_1", {
  logDestination: awsS3BucketExample.arn,
  logDestinationType: "s3",
  trafficType: "ALL",
  vpcId: "${aws_vpc.example.id}",
});
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
awsFlowLogExample.overrideLogicalId("example");
S3 Logging in Apache Parquet format with per-hour partitions
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";

const awsS3BucketExample = new aws.s3Bucket.S3Bucket(this, "example", {
  bucket: "example",
});
const awsFlowLogExample = new aws.flowLog.FlowLog(this, "example_1", {
  destinationOptions: {
    fileFormat: "parquet",
    perHourPartition: true,
  },
  logDestination: awsS3BucketExample.arn,
  logDestinationType: "s3",
  trafficType: "ALL",
  vpcId: "${aws_vpc.example.id}",
});
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
awsFlowLogExample.overrideLogicalId("example");
Argument Reference
~> NOTE: One of `eniId`, `subnetId`, `transitGatewayId`, `transitGatewayAttachmentId`, or `vpcId` must be specified.
The following arguments are supported:
- `trafficType` - (Required) The type of traffic to capture. Valid values: `accept`, `reject`, `all`.
- `deliverCrossAccountRole` - (Optional) ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
- `eniId` - (Optional) Elastic Network Interface ID to attach to.
- `iamRoleArn` - (Optional) The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group.
- `logDestinationType` - (Optional) The type of the logging destination. Valid values: `cloudWatchLogs`, `s3`, `kinesisDataFirehose`. Default: `cloudWatchLogs`.
- `logDestination` - (Optional) The ARN of the logging destination. Either `logDestination` or `logGroupName` must be set.
- `logGroupName` - (Optional) Deprecated: Use `logDestination` instead. The name of the CloudWatch log group. Either `logGroupName` or `logDestination` must be set.
- `subnetId` - (Optional) Subnet ID to attach to.
- `transitGatewayId` - (Optional) Transit Gateway ID to attach to.
- `transitGatewayAttachmentId` - (Optional) Transit Gateway Attachment ID to attach to.
- `vpcId` - (Optional) VPC ID to attach to.
- `logFormat` - (Optional) The fields to include in the flow log record, in the order in which they should appear.
- `maxAggregationInterval` - (Optional) The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transitGatewayId` or `transitGatewayAttachmentId` is specified, `maxAggregationInterval` must be 60 seconds (1 minute).
- `destinationOptions` - (Optional) Describes the destination options for a flow log. More details below.
- `tags` - (Optional) Key-value map of resource tags. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
destinationOptions
Describes the destination options for a flow log.
- `fileFormat` - (Optional) The format for the flow log. Default value: `plainText`. Valid values: `plainText`, `parquet`.
- `hiveCompatiblePartitions` - (Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. Default value: `false`.
- `perHourPartition` - (Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. Default value: `false`.
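The constraints listed in the Argument Reference and the NOTE above (exactly one attachment target, a destination or log group name, and the 60-second aggregation rule for transit gateways) can be checked before synthesis. The following is an added example, not code from the provider or its documentation: `FlowLogConfig` and `validateFlowLog` are our own names, the sample ARNs are constructed, and the hyphenated destination-type strings follow the examples above (`"s3"`, `"kinesis-data-firehose"`) with `"cloud-watch-logs"` assumed as the API spelling of the default.

```typescript
// Added example: a pre-synth validator for the documented awsFlowLog arguments,
// so a misconfigured flow log fails in review rather than at apply time.
// The config shape mirrors the documented arguments; names and messages are ours.
interface FlowLogConfig {
  trafficType: string;
  eniId?: string;
  subnetId?: string;
  transitGatewayId?: string;
  transitGatewayAttachmentId?: string;
  vpcId?: string;
  iamRoleArn?: string;
  logDestinationType?: string; // "s3", "kinesis-data-firehose", ... as in the examples
  logDestination?: string;
  logGroupName?: string;
  maxAggregationInterval?: number;
}

function validateFlowLog(cfg: FlowLogConfig): string[] {
  const errors: string[] = [];
  // NOTE above: one (and only one) of eniId, subnetId, transitGatewayId,
  // transitGatewayAttachmentId or vpcId must be specified.
  const targets = [cfg.eniId, cfg.subnetId, cfg.transitGatewayId,
    cfg.transitGatewayAttachmentId, cfg.vpcId].filter((v) => v !== undefined);
  if (targets.length !== 1) {
    errors.push(`exactly one attachment target must be set, got ${targets.length}`);
  }
  // Either logDestination or the deprecated logGroupName must be set.
  if (!cfg.logDestination && !cfg.logGroupName) {
    errors.push("one of logDestination or logGroupName must be set");
  }
  // Valid intervals are 60 or 600 (default 600); transit gateway targets need 60.
  const interval = cfg.maxAggregationInterval ?? 600;
  if (interval !== 60 && interval !== 600) {
    errors.push(`maxAggregationInterval must be 60 or 600, got ${interval}`);
  }
  const isTgw = cfg.transitGatewayId !== undefined ||
    cfg.transitGatewayAttachmentId !== undefined;
  if (isTgw && interval !== 60) {
    errors.push("maxAggregationInterval must be 60 for transit gateway flow logs");
  }
  // Assumption beyond the page text: publishing to CloudWatch Logs (the default
  // destination type) needs the publishing role, as the CloudWatch example passes.
  const destType = cfg.logDestinationType ?? "cloud-watch-logs";
  if (destType === "cloud-watch-logs" && !cfg.iamRoleArn) {
    errors.push("iamRoleArn is required when publishing to CloudWatch Logs");
  }
  return errors;
}
```

Run `validateFlowLog` over each config object before handing it to `new aws.flowLog.FlowLog(...)` and fail the synth when the returned array is non-empty.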
Attributes Reference
In addition to all arguments above, the following attributes are exported:
- `id` - The Flow Log ID.
- `arn` - The ARN of the Flow Log.
- `tagsAll` - A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
Import
Flow Logs can be imported using the id, e.g.,