pulumi-aws-kotlin/com.pulumi.aws.ec2.kotlin/FlowLog

FlowLog

class FlowLog : KotlinCustomResource

Provides a VPC/Subnet/ENI/Transit Gateway/Transit Gateway Attachment Flow Log to capture IP traffic for a specific network interface, subnet, or VPC. Logs are sent to a CloudWatch Log Group, a S3 Bucket, or Amazon Kinesis Data Firehose

Example Usage

CloudWatch Logging

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.LogGroup;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import com.pulumi.aws.iam.RolePolicy;
import com.pulumi.aws.iam.RolePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var exampleLogGroup = new LogGroup("exampleLogGroup");
        final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("Service")
                    .identifiers("vpc-flow-logs.amazonaws.com")
                    .build())
                .actions("sts:AssumeRole")
                .build())
            .build());
        var exampleRole = new Role("exampleRole", RoleArgs.builder()
            .assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());
        var exampleFlowLog = new FlowLog("exampleFlowLog", FlowLogArgs.builder()
            .iamRoleArn(exampleRole.arn())
            .logDestination(exampleLogGroup.arn())
            .trafficType("ALL")
            .vpcId(aws_vpc.example().id())
            .build());
        final var examplePolicyDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .actions(
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams")
                .resources("*")
                .build())
            .build());
        var exampleRolePolicy = new RolePolicy("exampleRolePolicy", RolePolicyArgs.builder()
            .role(exampleRole.id())
            .policy(examplePolicyDocument.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());
    }
}
Content copied to clipboard

Amazon Kinesis Data Firehose logging

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.kinesis.FirehoseDeliveryStream;
import com.pulumi.aws.kinesis.FirehoseDeliveryStreamArgs;
import com.pulumi.aws.kinesis.inputs.FirehoseDeliveryStreamExtendedS3ConfigurationArgs;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import com.pulumi.aws.s3.BucketAclV2;
import com.pulumi.aws.s3.BucketAclV2Args;
import com.pulumi.aws.iam.RolePolicy;
import com.pulumi.aws.iam.RolePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var exampleBucketV2 = new BucketV2("exampleBucketV2");
        final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("Service")
                    .identifiers("firehose.amazonaws.com")
                    .build())
                .actions("sts:AssumeRole")
                .build())
            .build());
        var exampleRole = new Role("exampleRole", RoleArgs.builder()
            .assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());
        var exampleFirehoseDeliveryStream = new FirehoseDeliveryStream("exampleFirehoseDeliveryStream", FirehoseDeliveryStreamArgs.builder()
            .destination("extended_s3")
            .extendedS3Configuration(FirehoseDeliveryStreamExtendedS3ConfigurationArgs.builder()
                .roleArn(exampleRole.arn())
                .bucketArn(exampleBucketV2.arn())
                .build())
            .tags(Map.of("LogDeliveryEnabled", "true"))
            .build());
        var exampleFlowLog = new FlowLog("exampleFlowLog", FlowLogArgs.builder()
            .logDestination(exampleFirehoseDeliveryStream.arn())
            .logDestinationType("kinesis-data-firehose")
            .trafficType("ALL")
            .vpcId(aws_vpc.example().id())
            .build());
        var exampleBucketAclV2 = new BucketAclV2("exampleBucketAclV2", BucketAclV2Args.builder()
            .bucket(exampleBucketV2.id())
            .acl("private")
            .build());
        final var examplePolicyDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .effect("Allow")
            .actions(
                "logs:CreateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries",
                "logs:GetLogDelivery",
                "firehose:TagDeliveryStream")
            .resources("*")
            .build());
        var exampleRolePolicy = new RolePolicy("exampleRolePolicy", RolePolicyArgs.builder()
            .role(exampleRole.id())
            .policy(examplePolicyDocument.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());
    }
}
Content copied to clipboard

S3 Logging

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var exampleBucketV2 = new BucketV2("exampleBucketV2");
        var exampleFlowLog = new FlowLog("exampleFlowLog", FlowLogArgs.builder()
            .logDestination(exampleBucketV2.arn())
            .logDestinationType("s3")
            .trafficType("ALL")
            .vpcId(aws_vpc.example().id())
            .build());
    }
}
Content copied to clipboard

S3 Logging in Apache Parquet format with per-hour partitions

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import com.pulumi.aws.ec2.inputs.FlowLogDestinationOptionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var exampleBucketV2 = new BucketV2("exampleBucketV2");
        var exampleFlowLog = new FlowLog("exampleFlowLog", FlowLogArgs.builder()
            .logDestination(exampleBucketV2.arn())
            .logDestinationType("s3")
            .trafficType("ALL")
            .vpcId(aws_vpc.example().id())
            .destinationOptions(FlowLogDestinationOptionsArgs.builder()
                .fileFormat("parquet")
                .perHourPartition(true)
                .build())
            .build());
    }
}
Content copied to clipboard

Import

Flow Logs can be imported using the id, e.g.,

$ pulumi import aws:ec2/flowLog:FlowLog test_flow_log fl-1a2b3c4d
Content copied to clipboard

Properties

Link copied to clipboard
val arn: Output<String>

The ARN of the Flow Log.

Link copied to clipboard
val deliverCrossAccountRole: Output<String>?

ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.

Link copied to clipboard
val destinationOptions: Output<FlowLogDestinationOptions>?

Describes the destination options for a flow log. More details below.

Link copied to clipboard
val eniId: Output<String>?

Elastic Network Interface ID to attach to

Link copied to clipboard
val iamRoleArn: Output<String>?

The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group

Link copied to clipboard
val id: Output<String>
Link copied to clipboard
val logDestination: Output<String>

The ARN of the logging destination. Either log_destination or log_group_name must be set.

Link copied to clipboard
val logDestinationType: Output<String>?

The type of the logging destination. Valid values: cloud-watch-logs, s3, kinesis-data-firehose. Default: cloud-watch-logs.

Link copied to clipboard
val logFormat: Output<String>

The fields to include in the flow log record, in the order in which they should appear.

Link copied to clipboard
val logGroupName: Output<String>

Deprecated: Use log_destination instead. The name of the CloudWatch log group. Either log_group_name or log_destination must be set.

Link copied to clipboard
val maxAggregationInterval: Output<Int>?

The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: 60 seconds (1 minute) or 600 seconds (10 minutes). Default: 600. When transit_gateway_id or transit_gateway_attachment_id is specified, max_aggregation_interval must be 60 seconds (1 minute).

Link copied to clipboard
val pulumiChildResources: Set<KotlinResource>
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
val subnetId: Output<String>?

Subnet ID to attach to

Link copied to clipboard
val tags: Output<Map<String, String>>?

Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Link copied to clipboard
val tagsAll: Output<Map<String, String>>

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Link copied to clipboard
val trafficType: Output<String>?

The type of traffic to capture. Valid values: ACCEPT,REJECT, ALL.

Link copied to clipboard
val transitGatewayAttachmentId: Output<String>?

Transit Gateway Attachment ID to attach to

Link copied to clipboard
val transitGatewayId: Output<String>?

Transit Gateway ID to attach to

Link copied to clipboard
val urn: Output<String>
Link copied to clipboard
val vpcId: Output<String>?

VPC ID to attach to