FlowLogArgs

/**
 * Arguments for an `aws.ec2.FlowLog` resource: a VPC/Subnet/ENI/Transit Gateway/Transit Gateway
 * Attachment Flow Log that captures IP traffic and delivers the records to a CloudWatch Logs log
 * group, an S3 bucket or a Kinesis Data Firehose delivery stream.
 *
 * Every property is an optional [Output] so values can be wired from other resources; unset
 * properties are left to the provider.
 *
 * @property deliverCrossAccountRole ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
 * @property destinationOptions Destination options (file format, per-hour partitioning) for the flow log.
 * @property eniId Elastic Network Interface ID to attach to.
 * @property iamRoleArn ARN of the IAM role used to post flow logs to a CloudWatch Logs log group.
 * @property logDestination ARN of the logging destination. Either `logDestination` or `logGroupName` must be set.
 * @property logDestinationType Type of the logging destination: `cloud-watch-logs` (default), `s3` or `kinesis-data-firehose`.
 * @property logFormat Fields to include in the flow log record, in the order in which they should appear.
 * @property logGroupName Deprecated, use `logDestination` instead. Name of the CloudWatch log group; either it or `logDestination` must be set.
 * @property maxAggregationInterval Maximum interval, in seconds, during which packets are aggregated into one record: 60 or 600 (default). Must be 60 when a transit gateway or transit gateway attachment is the target.
 * @property subnetId Subnet ID to attach to.
 * @property tags Key-value map of resource tags; keys matching the provider `default_tags` block overwrite the provider-level value.
 * @property trafficType Type of traffic to capture: `ACCEPT`, `REJECT` or `ALL`.
 * @property transitGatewayAttachmentId Transit Gateway Attachment ID to attach to.
 * @property transitGatewayId Transit Gateway ID to attach to.
 * @property vpcId VPC ID to attach to.
 */
data class FlowLogArgs(val deliverCrossAccountRole: Output<String>? = null, val destinationOptions: Output<FlowLogDestinationOptionsArgs>? = null, val eniId: Output<String>? = null, val iamRoleArn: Output<String>? = null, val logDestination: Output<String>? = null, val logDestinationType: Output<String>? = null, val logFormat: Output<String>? = null, val logGroupName: Output<String>? = null, val maxAggregationInterval: Output<Int>? = null, val subnetId: Output<String>? = null, val tags: Output<Map<String, String>>? = null, val trafficType: Output<String>? = null, val transitGatewayAttachmentId: Output<String>? = null, val transitGatewayId: Output<String>? = null, val vpcId: Output<String>? = null) : ConvertibleToJava<FlowLogArgs>

Provides a VPC/Subnet/ENI/Transit Gateway/Transit Gateway Attachment Flow Log to capture IP traffic for a specific network interface, subnet, VPC, transit gateway, or transit gateway attachment. Logs are sent to a CloudWatch Log Group, an S3 bucket, or Amazon Kinesis Data Firehose.

Example Usage

CloudWatch Logging

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.cloudwatch.LogGroup;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.RolePolicy;
import com.pulumi.aws.iam.RolePolicyArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementPrincipalArgs;
import com.pulumi.core.Output;

import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
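public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Publishes VPC Flow Logs for an existing VPC to a CloudWatch Logs log group.
     *
     * <p>The VPC to monitor is read from the stack config key {@code vpcId} (key name chosen
     * for this example); the generated original referenced a non-existent
     * {@code aws_vpc.example()} and did not compile. The role assumed by the flow logs
     * service is granted write access to the log group created here rather than to every
     * log group in the account.
     */
    public static void stack(Context ctx) {
        // ID of the pre-existing VPC whose traffic is captured.
        final var vpcId = ctx.config().require("vpcId");

        var exampleLogGroup = new LogGroup("exampleLogGroup");

        // Trust policy: only the VPC Flow Logs service principal may assume the role.
        // NOTE(review): AWS recommends aws:SourceAccount / aws:SourceArn conditions on
        // service-principal trust policies to avoid the confused-deputy problem; add them
        // for your account before using this in production.
        final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("Service")
                    .identifiers("vpc-flow-logs.amazonaws.com")
                    .build())
                .actions("sts:AssumeRole")
                .build())
            .build());

        var exampleRole = new Role("exampleRole", RoleArgs.builder()
            .assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());

        var exampleFlowLog = new FlowLog("exampleFlowLog", FlowLogArgs.builder()
            .iamRoleArn(exampleRole.arn())
            .logDestination(exampleLogGroup.arn())
            .trafficType("ALL")
            .vpcId(vpcId)
            .build());

        // Permissions policy, scoped to the log group created above instead of "*".
        // logs:DescribeLogGroups does not support resource-level scoping, so it keeps "*"
        // in its own statement.
        final var examplePolicyDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(
                GetPolicyDocumentStatementArgs.builder()
                    .effect("Allow")
                    .actions(
                        "logs:CreateLogGroup",
                        "logs:CreateLogStream",
                        "logs:PutLogEvents",
                        "logs:DescribeLogStreams")
                    // The log group ARN itself plus ":*" for the log streams within it.
                    .resources(exampleLogGroup.arn().applyValue(arn -> List.of(arn, arn + ":*")))
                    .build(),
                GetPolicyDocumentStatementArgs.builder()
                    .effect("Allow")
                    .actions("logs:DescribeLogGroups")
                    .resources("*")
                    .build())
            .build());

        var exampleRolePolicy = new RolePolicy("exampleRolePolicy", RolePolicyArgs.builder()
            .role(exampleRole.id())
            .policy(examplePolicyDocument.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());
    }
}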

Amazon Kinesis Data Firehose logging

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.RolePolicy;
import com.pulumi.aws.iam.RolePolicyArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementPrincipalArgs;
import com.pulumi.aws.kinesis.FirehoseDeliveryStream;
import com.pulumi.aws.kinesis.FirehoseDeliveryStreamArgs;
import com.pulumi.aws.kinesis.inputs.FirehoseDeliveryStreamExtendedS3ConfigurationArgs;
import com.pulumi.aws.s3.BucketAclV2;
import com.pulumi.aws.s3.BucketAclV2Args;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.core.Output;

import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
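public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Publishes VPC Flow Logs through a Kinesis Data Firehose delivery stream into an S3 bucket.
     *
     * <p>The VPC to monitor is read from the stack config key {@code vpcId} (key name chosen
     * for this example). Two defects of the generated original are fixed: it referenced a
     * non-existent {@code aws_vpc.example()}, and the second policy document lost its
     * {@code statements(...)} wrapper, so {@code effect}/{@code actions}/{@code resources}
     * were called on the wrong builder.
     */
    public static void stack(Context ctx) {
        // ID of the pre-existing VPC whose traffic is captured.
        final var vpcId = ctx.config().require("vpcId");

        // Bucket receiving the delivered flow log records, created with provider defaults.
        // NOTE(review): flow logs are sensitive network metadata; consider adding a
        // BucketPublicAccessBlock and server-side encryption to this bucket.
        var exampleBucketV2 = new BucketV2("exampleBucketV2");

        // Trust policy for the delivery stream's role: only the Firehose service may assume it.
        // NOTE(review): aws:SourceAccount / aws:SourceArn conditions would narrow this further.
        final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("Service")
                    .identifiers("firehose.amazonaws.com")
                    .build())
                .actions("sts:AssumeRole")
                .build())
            .build());

        var exampleRole = new Role("exampleRole", RoleArgs.builder()
            .assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());

        // The LogDeliveryEnabled tag is what the original example sets on the stream.
        var exampleFirehoseDeliveryStream = new FirehoseDeliveryStream("exampleFirehoseDeliveryStream", FirehoseDeliveryStreamArgs.builder()
            .destination("extended_s3")
            .extendedS3Configuration(FirehoseDeliveryStreamExtendedS3ConfigurationArgs.builder()
                .roleArn(exampleRole.arn())
                .bucketArn(exampleBucketV2.arn())
                .build())
            .tags(Map.of("LogDeliveryEnabled", "true"))
            .build());

        var exampleFlowLog = new FlowLog("exampleFlowLog", FlowLogArgs.builder()
            .logDestination(exampleFirehoseDeliveryStream.arn())
            .logDestinationType("kinesis-data-firehose")
            .trafficType("ALL")
            .vpcId(vpcId)
            .build());

        var exampleBucketAclV2 = new BucketAclV2("exampleBucketAclV2", BucketAclV2Args.builder()
            .bucket(exampleBucketV2.id())
            .acl("private")
            .build());

        // Permissions attached to the role, as in the original apart from the restored
        // statement wrapper. The logs:*LogDelivery actions do not support resource-level
        // scoping, which is why "*" remains here.
        // NOTE(review): this is the role Firehose assumes to write into exampleBucketV2, yet no
        // s3 actions are granted to it; delivery is likely to fail without them. Confirm the
        // required S3 permissions against the Firehose documentation before relying on this.
        final var examplePolicyDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .actions(
                    "logs:CreateLogDelivery",
                    "logs:DeleteLogDelivery",
                    "logs:ListLogDeliveries",
                    "logs:GetLogDelivery",
                    "firehose:TagDeliveryStream")
                .resources("*")
                .build())
            .build());

        var exampleRolePolicy = new RolePolicy("exampleRolePolicy", RolePolicyArgs.builder()
            .role(exampleRole.id())
            .policy(examplePolicyDocument.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());
    }
}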

S3 Logging

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
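public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Publishes VPC Flow Logs for an existing VPC directly to an S3 bucket.
     *
     * <p>The VPC to monitor is read from the stack config key {@code vpcId} (key name chosen
     * for this example); the generated original referenced a non-existent
     * {@code aws_vpc.example()} and did not compile.
     */
    public static void stack(Context ctx) {
        // ID of the pre-existing VPC whose traffic is captured.
        final var vpcId = ctx.config().require("vpcId");

        // Bucket receiving the flow log files, created with provider defaults.
        // NOTE(review): flow logs are sensitive network metadata; consider adding a
        // BucketPublicAccessBlock and server-side encryption to this bucket.
        var exampleBucketV2 = new BucketV2("exampleBucketV2");

        var exampleFlowLog = new FlowLog("exampleFlowLog", FlowLogArgs.builder()
            .logDestination(exampleBucketV2.arn())
            .logDestinationType("s3")
            .trafficType("ALL")
            .vpcId(vpcId)
            .build());
    }
}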

S3 Logging in Apache Parquet format with per-hour partitions

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import com.pulumi.aws.ec2.inputs.FlowLogDestinationOptionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
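public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Publishes VPC Flow Logs for an existing VPC to an S3 bucket as Apache Parquet files
     * partitioned per hour.
     *
     * <p>The VPC to monitor is read from the stack config key {@code vpcId} (key name chosen
     * for this example); the generated original referenced a non-existent
     * {@code aws_vpc.example()} and did not compile.
     */
    public static void stack(Context ctx) {
        // ID of the pre-existing VPC whose traffic is captured.
        final var vpcId = ctx.config().require("vpcId");

        // Bucket receiving the flow log files, created with provider defaults.
        // NOTE(review): flow logs are sensitive network metadata; consider adding a
        // BucketPublicAccessBlock and server-side encryption to this bucket.
        var exampleBucketV2 = new BucketV2("exampleBucketV2");

        var exampleFlowLog = new FlowLog("exampleFlowLog", FlowLogArgs.builder()
            .logDestination(exampleBucketV2.arn())
            .logDestinationType("s3")
            .trafficType("ALL")
            .vpcId(vpcId)
            // Parquet output with an hourly partition key in the object path.
            .destinationOptions(FlowLogDestinationOptionsArgs.builder()
                .fileFormat("parquet")
                .perHourPartition(true)
                .build())
            .build());
    }
}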

Import

Flow Logs can be imported using the id, e.g.,

$ pulumi import aws:ec2/flowLog:FlowLog test_flow_log fl-1a2b3c4d

Constructors

constructor(deliverCrossAccountRole: Output<String>? = null, destinationOptions: Output<FlowLogDestinationOptionsArgs>? = null, eniId: Output<String>? = null, iamRoleArn: Output<String>? = null, logDestination: Output<String>? = null, logDestinationType: Output<String>? = null, logFormat: Output<String>? = null, logGroupName: Output<String>? = null, maxAggregationInterval: Output<Int>? = null, subnetId: Output<String>? = null, tags: Output<Map<String, String>>? = null, trafficType: Output<String>? = null, transitGatewayAttachmentId: Output<String>? = null, transitGatewayId: Output<String>? = null, vpcId: Output<String>? = null)

Properties

val deliverCrossAccountRole: Output<String>? = null

ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.


Destination options (file format, per-hour partitioning) for the flow log; see FlowLogDestinationOptionsArgs and the Parquet example above.

val eniId: Output<String>? = null

Elastic Network Interface ID to attach to

val iamRoleArn: Output<String>? = null

The ARN of the IAM role that is used to post flow logs to a CloudWatch Logs log group.

val logDestination: Output<String>? = null

The ARN of the logging destination. Either log_destination or log_group_name must be set.

val logDestinationType: Output<String>? = null

The type of the logging destination. Valid values: cloud-watch-logs, s3, kinesis-data-firehose. Default: cloud-watch-logs.

val logFormat: Output<String>? = null

The fields to include in the flow log record, in the order in which they should appear.

val logGroupName: Output<String>? = null

Deprecated: Use log_destination instead. The name of the CloudWatch log group. Either log_group_name or log_destination must be set.

val maxAggregationInterval: Output<Int>? = null

The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: 60 seconds (1 minute) or 600 seconds (10 minutes). Default: 600. When transit_gateway_id or transit_gateway_attachment_id is specified, max_aggregation_interval must be 60 seconds (1 minute).

val subnetId: Output<String>? = null

Subnet ID to attach to

val tags: Output<Map<String, String>>? = null

Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

val trafficType: Output<String>? = null

The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL.

val transitGatewayAttachmentId: Output<String>? = null

Transit Gateway Attachment ID to attach to

val transitGatewayId: Output<String>? = null

Transit Gateway ID to attach to

val vpcId: Output<String>? = null

VPC ID to attach to

Functions

open override fun toJava(): FlowLogArgs