FlowLog

Provides a VPC/Subnet/ENI/Transit Gateway/Transit Gateway Attachment Flow Log to capture IP traffic for a specific network interface, subnet, or VPC. Logs are sent to a CloudWatch Log Group, an S3 Bucket, or Amazon Kinesis Data Firehose.

Example Usage

CloudWatch Logging

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.LogGroup;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import com.pulumi.aws.iam.RolePolicy;
import com.pulumi.aws.iam.RolePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {

  /**
   * Trust policy that lets the VPC Flow Logs service principal assume the
   * delivery role.
   */
  private static final String FLOW_LOGS_TRUST_POLICY = """
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
              "Service": "vpc-flow-logs.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
      """;

  /**
   * Permissions the delivery role needs to create and write CloudWatch Logs
   * streams.
   *
   * NOTE(review): "Resource": "*" grants these actions on every log group in
   * the account; scoping the statement to the target log group's ARN would be
   * tighter — confirm the ARN form the provider returns before narrowing it.
   */
  private static final String FLOW_LOGS_DELIVERY_POLICY = """
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents",
              "logs:DescribeLogGroups",
              "logs:DescribeLogStreams"
            ],
            "Effect": "Allow",
            "Resource": "*"
          }
        ]
      }
      """;

  /** Program entry point; hands control to the Pulumi runtime. */
  public static void main(String[] args) {
    Pulumi.run(App::stack);
  }

  /**
   * Declares a VPC Flow Log that delivers records for all traffic to a
   * CloudWatch log group through a dedicated IAM role.
   *
   * @param ctx the Pulumi program context (not read here; resources register
   *     themselves on construction)
   */
  public static void stack(Context ctx) {
    var logGroup = new LogGroup("exampleLogGroup");

    var deliveryRole = new Role("exampleRole", RoleArgs.builder()
        .assumeRolePolicy(FLOW_LOGS_TRUST_POLICY)
        .build());

    // aws_vpc.example() is not declared anywhere in this listing; presumably a
    // reference to an existing VPC — resolve it before compiling.
    new FlowLog("exampleFlowLog", FlowLogArgs.builder()
        .iamRoleArn(deliveryRole.arn())
        .logDestination(logGroup.arn())
        .trafficType("ALL")
        .vpcId(aws_vpc.example().id())
        .build());

    new RolePolicy("exampleRolePolicy", RolePolicyArgs.builder()
        .role(deliveryRole.id())
        .policy(FLOW_LOGS_DELIVERY_POLICY)
        .build());
  }
}

Amazon Kinesis Data Firehose Logging

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.kinesis.FirehoseDeliveryStream;
import com.pulumi.aws.kinesis.FirehoseDeliveryStreamArgs;
import com.pulumi.aws.kinesis.inputs.FirehoseDeliveryStreamExtendedS3ConfigurationArgs;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import com.pulumi.aws.s3.BucketAclV2;
import com.pulumi.aws.s3.BucketAclV2Args;
import com.pulumi.aws.iam.RolePolicy;
import com.pulumi.aws.iam.RolePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {

  /** Trust policy that lets the Kinesis Data Firehose service assume the role. */
  private static final String FIREHOSE_TRUST_POLICY = """
      {
        "Version":"2012-10-17",
        "Statement": [
          {
            "Action":"sts:AssumeRole",
            "Principal":{
              "Service":"firehose.amazonaws.com"
            },
            "Effect":"Allow",
            "Sid":""
          }
        ]
      }
      """;

  /**
   * Log-delivery permissions attached to the Firehose role.
   *
   * NOTE(review): "Resource":"*" is account-wide; check whether these actions
   * can be scoped to the delivery stream before tightening. Nothing in this
   * listing grants the role s3 write access to exampleBucketV2 — verify that
   * is provided elsewhere.
   */
  private static final String LOG_DELIVERY_POLICY = """
      {
        "Version":"2012-10-17",
        "Statement":[
          {
            "Action": [
              "logs:CreateLogDelivery",
              "logs:DeleteLogDelivery",
              "logs:ListLogDeliveries",
              "logs:GetLogDelivery",
              "firehose:TagDeliveryStream"
            ],
            "Effect":"Allow",
            "Resource":"*"
          }
        ]
      }
      """;

  /** Program entry point; hands control to the Pulumi runtime. */
  public static void main(String[] args) {
    Pulumi.run(App::stack);
  }

  /**
   * Declares a VPC Flow Log whose records are delivered to a Kinesis Data
   * Firehose stream that lands in a private S3 bucket.
   *
   * @param ctx the Pulumi program context (not read here; resources register
   *     themselves on construction)
   */
  public static void stack(Context ctx) {
    var bucket = new BucketV2("exampleBucketV2");

    var firehoseRole = new Role("exampleRole", RoleArgs.builder()
        .assumeRolePolicy(FIREHOSE_TRUST_POLICY)
        .build());

    var s3Config = FirehoseDeliveryStreamExtendedS3ConfigurationArgs.builder()
        .roleArn(firehoseRole.arn())
        .bucketArn(bucket.arn())
        .build();

    // The LogDeliveryEnabled tag is presumably the marker that authorizes
    // flow-log delivery to this stream — confirm against the AWS documentation.
    var deliveryStream = new FirehoseDeliveryStream("exampleFirehoseDeliveryStream",
        FirehoseDeliveryStreamArgs.builder()
            .destination("extended_s3")
            .extendedS3Configuration(s3Config)
            .tags(Map.of("LogDeliveryEnabled", "true"))
            .build());

    // aws_vpc.example() is not declared anywhere in this listing; presumably a
    // reference to an existing VPC — resolve it before compiling.
    new FlowLog("exampleFlowLog", FlowLogArgs.builder()
        .logDestination(deliveryStream.arn())
        .logDestinationType("kinesis-data-firehose")
        .trafficType("ALL")
        .vpcId(aws_vpc.example().id())
        .build());

    new BucketAclV2("exampleBucketAclV2", BucketAclV2Args.builder()
        .bucket(bucket.id())
        .acl("private")
        .build());

    new RolePolicy("exampleRolePolicy", RolePolicyArgs.builder()
        .role(firehoseRole.id())
        .policy(LOG_DELIVERY_POLICY)
        .build());
  }
}

S3 Logging

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {

  /** Program entry point; hands control to the Pulumi runtime. */
  public static void main(String[] args) {
    Pulumi.run(App::stack);
  }

  /**
   * Declares a VPC Flow Log that writes records for all traffic directly to an
   * S3 bucket.
   *
   * NOTE(review): this listing sets no public-access block, encryption or
   * bucket policy on exampleBucketV2; flow logs carry IP-level traffic
   * metadata, so confirm the bucket's defaults are appropriate for it.
   *
   * @param ctx the Pulumi program context (not read here; resources register
   *     themselves on construction)
   */
  public static void stack(Context ctx) {
    var bucket = new BucketV2("exampleBucketV2");

    // aws_vpc.example() is not declared anywhere in this listing; presumably a
    // reference to an existing VPC — resolve it before compiling.
    var flowLogArgs = FlowLogArgs.builder()
        .logDestination(bucket.arn())
        .logDestinationType("s3")
        .trafficType("ALL")
        .vpcId(aws_vpc.example().id())
        .build();

    new FlowLog("exampleFlowLog", flowLogArgs);
  }
}

S3 Logging in Apache Parquet format with per-hour partitions

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import com.pulumi.aws.ec2.inputs.FlowLogDestinationOptionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {

  /** Program entry point; hands control to the Pulumi runtime. */
  public static void main(String[] args) {
    Pulumi.run(App::stack);
  }

  /**
   * Declares a VPC Flow Log that writes records for all traffic to an S3
   * bucket as Parquet files, partitioned per hour.
   *
   * NOTE(review): this listing sets no public-access block, encryption or
   * bucket policy on exampleBucketV2; flow logs carry IP-level traffic
   * metadata, so confirm the bucket's defaults are appropriate for it.
   *
   * @param ctx the Pulumi program context (not read here; resources register
   *     themselves on construction)
   */
  public static void stack(Context ctx) {
    var bucket = new BucketV2("exampleBucketV2");

    var destinationOptions = FlowLogDestinationOptionsArgs.builder()
        .fileFormat("parquet")
        .perHourPartition(true)
        .build();

    // aws_vpc.example() is not declared anywhere in this listing; presumably a
    // reference to an existing VPC — resolve it before compiling.
    new FlowLog("exampleFlowLog", FlowLogArgs.builder()
        .logDestination(bucket.arn())
        .logDestinationType("s3")
        .trafficType("ALL")
        .vpcId(aws_vpc.example().id())
        .destinationOptions(destinationOptions)
        .build());
  }
}

Import

Flow Logs can be imported using the id, e.g.,

$ pulumi import aws:ec2/flowLog:FlowLog test_flow_log fl-1a2b3c4d

Properties

val arn: Output<String>

The ARN of the Flow Log.


Describes the destination options for a flow log. More details below.

val eniId: Output<String>?

Elastic Network Interface ID to attach to

val iamRoleArn: Output<String>?

The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group

val id: Output<String>
val logDestination: Output<String>

The ARN of the logging destination. Either log_destination or log_group_name must be set.


The type of the logging destination. Valid values: cloud-watch-logs, s3, kinesis-data-firehose. Default: cloud-watch-logs.

val logFormat: Output<String>

The fields to include in the flow log record, in the order in which they should appear.

val logGroupName: Output<String>

Deprecated: Use log_destination instead. The name of the CloudWatch log group. Either log_group_name or log_destination must be set.


The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid values: 60 seconds (1 minute) or 600 seconds (10 minutes). Default: 600. When transit_gateway_id or transit_gateway_attachment_id is specified, max_aggregation_interval must be 60 seconds (1 minute).

val subnetId: Output<String>?

Subnet ID to attach to

val tags: Output<Map<String, String>>?

Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level.

val tagsAll: Output<Map<String, String>>

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

val trafficType: Output<String>?

The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL.


Transit Gateway Attachment ID to attach to

val transitGatewayId: Output<String>?

Transit Gateway ID to attach to

val urn: Output<String>
val vpcId: Output<String>?

VPC ID to attach to