awscc_ec2_flow_log (Resource)

Specifies a VPC flow log, which enables you to capture IP traffic for a specific network interface, subnet, or VPC.

Example Usage

CloudWatch Logging

Creates an AWS VPC flow log with CloudWatch Logs as the destination.

# VPC flow log published to CloudWatch Logs. The destination log group and the
# delivery role are declared further down in this example.
resource "awscc_ec2_flow_log" "example" {
  # Role the Flow Logs service assumes to write into the log group. It must
  # trust vpc-flow-logs.amazonaws.com (awscc_iam_role.example) and carry the
  # logs:* permissions granted in awscc_iam_role_policy.example.
  deliver_logs_permission_arn = awscc_iam_role.example.arn
  log_destination_type        = "cloud-watch-logs"
  log_destination             = awscc_logs_log_group.example.arn
  # Record accepted and rejected traffic. "REJECT" alone is cheaper but loses
  # the accepted-traffic baseline most detection use cases rely on.
  traffic_type                = "ALL"
  # Monitor every network interface in the VPC rather than one subnet or ENI.
  resource_id                 = var.vpc_id
  resource_type               = "VPC"
  tags = [{
    key   = "Managed By"
    value = "AWSCC"
  }]
}

# Destination log group. No retention_in_days is set, so events are kept
# indefinitely (and billed indefinitely); set it, and optionally kms_key_id,
# to match your retention and encryption requirements.
resource "awscc_logs_log_group" "example" {
  log_group_name = "example"
}

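# Identity of the deploying account; used below to pin the role's trust policy
# to this account.
data "aws_caller_identity" "current" {}

# Role the Flow Logs service assumes to publish into CloudWatch Logs.
#
# The Condition block is the confused-deputy protection AWS recommends for this
# trust: without it, a flow log created in any other account could name this
# role as its deliver_logs_permission_arn and have the service assume it.
# aws:SourceAccount restricts the caller to flow logs owned by this account,
# and aws:SourceArn narrows it to the vpc-flow-log resource type (region
# wildcarded; tighten the region and partition if your deployment is fixed).
resource "awscc_iam_role" "example" {
  role_name = "cloudwatch_flow_log_role"
  assume_role_policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "vpc-flow-logs.amazonaws.com"
        }
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
          }
          ArnLike = {
            "aws:SourceArn" = "arn:aws:ec2:*:${data.aws_caller_identity.current.account_id}:vpc-flow-log/*"
          }
        }
      },
    ]
  })
}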

# Permissions the delivery role needs to create log streams and put events.
# Resource is pinned to this example's log group (the ":*" suffix covers the
# streams inside it) instead of "*", so the role cannot write anywhere else.
resource "awscc_iam_role_policy" "example" {
  policy_name = "example"
  role_name   = awscc_iam_role.example.role_name
  policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "logs:CreateLogStream",
          "logs:DescribeLogGroups",
          "logs:DescribeLogStreams",
          "logs:PutLogEvents",
        ]
        Effect   = "Allow"
        Resource = "${awscc_logs_log_group.example.arn}:*"
      },
    ]
  })
}

Amazon Data Firehose

Creates an AWS VPC flow log with Amazon Data Firehose as the destination.

# Resolves the deploying account's ID; used below to make the bucket name
# unique per account.
data "aws_caller_identity" "current" {}

# VPC flow log delivered to an Amazon Data Firehose stream in the same account.
# Unlike the CloudWatch Logs example, no deliver_logs_permission_arn is set:
# for Firehose destinations the service delivers through its own log-delivery
# service-linked role rather than a role you supply. Cross-account delivery
# needs the deliver_cross_account_role attribute instead — confirm against the
# provider schema for your version.
resource "awscc_ec2_flow_log" "example" {
  log_destination      = awscc_kinesisfirehose_delivery_stream.example.arn
  log_destination_type = "kinesis-data-firehose"
  # Record accepted and rejected traffic.
  traffic_type         = "ALL"
  # Monitor every network interface in the VPC.
  resource_id          = var.vpc_id
  resource_type        = "VPC"
  tags = [{
    key   = "Managed By"
    value = "AWSCC"
  }]
}

# Delivery stream with no source configured (Direct PUT) that lands records in
# the S3 bucket declared below, using the Firehose role for the writes.
# Neither encryption of the stream at rest
# (delivery_stream_encryption_configuration_input) nor a KMS key for the
# delivered objects (s3_destination_configuration.encryption_configuration) is
# set here; add them if flow-log data must be KMS-encrypted.
resource "awscc_kinesisfirehose_delivery_stream" "example" {
  delivery_stream_name = "vpc_flow_log"
  s3_destination_configuration = {
    bucket_arn = awscc_s3_bucket.example.arn
    role_arn   = awscc_iam_role.example.arn
  }
}

# Landing bucket for the Firehose stream. The account ID suffix keeps the name
# globally unique. All four public-access-block settings are enabled so the
# flow-log data cannot be exposed through ACLs or a bucket policy.
resource "awscc_s3_bucket" "example" {
  bucket_name = "example-${data.aws_caller_identity.current.account_id}"
  public_access_block_configuration = {
    block_public_acls       = true
    block_public_policy     = true
    ignore_public_acls      = true
    restrict_public_buckets = true
  }
}

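# Role Firehose assumes to write into the S3 bucket.
#
# The sts:ExternalId condition is the confused-deputy protection AWS documents
# for Firehose roles: Firehose presents the owning account's ID as the external
# ID when it assumes the role, so a delivery stream in any other account cannot
# use this role even if it learns the role ARN.
resource "awscc_iam_role" "example" {
  role_name = "firehose_flow_log_role"
  assume_role_policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "firehose.amazonaws.com"
        }
        Condition = {
          StringEquals = {
            "sts:ExternalId" = data.aws_caller_identity.current.account_id
          }
        }
      },
    ]
  })
}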

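# Permissions for the Firehose delivery role, scoped to the example bucket:
# the bucket ARN covers ListBucket/GetBucketLocation, "<bucket>/*" covers the
# object-level actions. This is the S3 permission set Firehose documents for
# an S3 destination.
#
# No kinesis:* statement is included. Those actions are only needed when the
# delivery stream reads from a Kinesis Data Stream source (and then on the
# *stream's* ARN, not the Firehose ARN); the stream in this example has no
# source configured, so granting them would be unused privilege.
resource "awscc_iam_role_policy" "example" {
  policy_name = "example"
  role_name   = awscc_iam_role.example.role_name
  policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "s3:AbortMultipartUpload",
          "s3:GetBucketLocation",
          "s3:GetObject",
          "s3:ListBucket",
          "s3:ListBucketMultipartUploads",
          "s3:PutObject",
        ]
        # Plain references instead of "${...}" wrappers: the interpolation-only
        # string form is legacy syntax that Terraform warns about.
        Resource = [
          awscc_s3_bucket.example.arn,
          "${awscc_s3_bucket.example.arn}/*",
        ]
      },
    ]
  })
}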

S3 Logging

Creates an AWS VPC flow log with S3 as the destination.

# Resolves the deploying account's ID; used below to make the bucket name
# unique per account.
data "aws_caller_identity" "current" {}

# VPC flow log delivered directly to S3 in the same account; no delivery role
# is supplied because the service writes through its log-delivery
# service-linked role. The bucket must allow delivery.logs.amazonaws.com to
# put objects: Flow Logs adds that bucket policy itself only when the principal
# creating the flow log may set bucket policies, otherwise attach it yourself
# or delivery is refused. Records use the default text format and layout; see
# the Parquet example for destination_options.
resource "awscc_ec2_flow_log" "example" {
  log_destination      = awscc_s3_bucket.example.arn
  log_destination_type = "s3"
  # Record accepted and rejected traffic.
  traffic_type         = "ALL"
  # Monitor every network interface in the VPC.
  resource_id          = var.vpc_id
  resource_type        = "VPC"
  tags = [{
    key   = "Managed By"
    value = "AWSCC"
  }]
}

# Flow-log bucket. The account ID suffix keeps the name globally unique, and
# all four public-access-block settings are enabled so the captured traffic
# metadata cannot be exposed through ACLs or a bucket policy. Delivered objects
# get the bucket's default encryption; if you switch that to SSE-KMS, the key
# policy must also allow delivery.logs.amazonaws.com to use the key.
resource "awscc_s3_bucket" "example" {
  bucket_name = "example-${data.aws_caller_identity.current.account_id}"
  public_access_block_configuration = {
    block_public_acls       = true
    block_public_policy     = true
    ignore_public_acls      = true
    restrict_public_buckets = true
  }
}

S3 Logging in Parquet Format

Creates an AWS VPC flow log with S3 as the destination, written in the Parquet file format.

# Resolves the deploying account's ID; used below to make the bucket name
# unique per account.
data "aws_caller_identity" "current" {}

# Same S3 delivery as the previous example, but with destination_options so
# records land as Parquet in hourly, Hive-style partitioned prefixes — the
# layout query engines such as Athena pick up without a custom partition
# scheme. Per the nested schema all three destination_options attributes are
# required once the block is present.
resource "awscc_ec2_flow_log" "example" {
  log_destination      = awscc_s3_bucket.example.arn
  log_destination_type = "s3"
  # Record accepted and rejected traffic.
  traffic_type         = "ALL"
  # Monitor every network interface in the VPC.
  resource_id          = var.vpc_id
  resource_type        = "VPC"
  destination_options = {
    file_format                = "parquet"
    per_hour_partition         = true
    hive_compatible_partitions = true
  }
  tags = [{
    key   = "Managed By"
    value = "AWSCC"
  }]
}

# Flow-log bucket for the Parquet example; the "-p" suffix keeps it distinct
# from the plain S3 example's bucket in the same account. All four
# public-access-block settings are enabled so the captured traffic metadata
# cannot be exposed through ACLs or a bucket policy.
resource "awscc_s3_bucket" "example" {
  bucket_name = "example-${data.aws_caller_identity.current.account_id}-p"
  public_access_block_configuration = {
    block_public_acls       = true
    block_public_policy     = true
    ignore_public_acls      = true
    restrict_public_buckets = true
  }
}

Schema

Required

Optional

Read-Only

Nested Schema for destination_options

Required:

Nested Schema for tags

Required:

Import

Import is supported using the following syntax:

$ terraform import awscc_ec2_flow_log.example <resource ID>