Provides a VPC/Subnet/ENI/Transit Gateway/Transit Gateway Attachment Flow Log to capture IP traffic for a specific network interface, subnet, VPC, transit gateway, or transit gateway attachment. Logs are delivered to a CloudWatch Log Group, an S3 bucket, or an Amazon Kinesis Data Firehose delivery stream; the `logDestinationType` argument selects which, and `trafficType` (`ACCEPT`, `REJECT`, or `ALL`) selects which flows are recorded.
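Provisioning the flow log is only half the job; the records it delivers still have to be read. As an added example (not part of this page or of the pulumi_wasm_rust crate), the script below parses records in the default flow log format (version 2: fourteen space-separated fields ending in `action` and `log-status`), skips `NODATA`/`SKIPDATA` records, and flags sources whose `REJECT`ed TCP connections spread across many destination ports. The sample records, account id and ENI id are constructed for the example; with `trafficType: ALL`, as in the examples on this page, both `ACCEPT` and `REJECT` rows arrive in the same stream.

```python
"""Parse default-format VPC Flow Log records and flag scan-like REJECT activity.

Added example. The log lines below are constructed, not real captures.
"""
from collections import defaultdict
from typing import Dict, List, Optional

# Field order of the default flow log record format (version 2).
DEFAULT_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
    "action", "log_status",
)
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
TCP = 6

# Constructed sample: one external host probing four ports on an instance,
# one legitimate HTTPS session, one stray REJECT, and two records without
# flow data (NODATA = no traffic in the window, SKIPDATA = capacity error).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.5 44321 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.5 44322 23 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.5 44323 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.5 44324 445 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 50001 443 6 12 6400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 198.51.100.7 443 50001 6 10 5200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 50002 8080 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - SKIPDATA
"""


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Return a typed record for an OK default-format line, else None.

    Lines with the wrong field count (custom formats, truncation) and
    NODATA/SKIPDATA records, whose flow fields are all '-', are dropped
    rather than guessed at.
    """
    fields = line.split()
    if len(fields) != len(DEFAULT_FIELDS):
        return None
    rec: Dict[str, object] = dict(zip(DEFAULT_FIELDS, fields))
    if rec["log_status"] != "OK":
        return None
    for key in INT_FIELDS:
        rec[key] = int(str(rec[key]))
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse every non-empty line, keeping only records with flow data."""
    parsed = (parse_record(line) for line in text.splitlines() if line.strip())
    return [rec for rec in parsed if rec is not None]


def reject_counts(records: List[Dict[str, object]]) -> Dict[str, int]:
    """Number of REJECTed flows per source address."""
    counts: Dict[str, int] = defaultdict(int)
    for rec in records:
        if rec["action"] == "REJECT":
            counts[str(rec["srcaddr"])] += 1
    return dict(counts)


def scan_suspects(records: List[Dict[str, object]], min_ports: int = 3) -> List[str]:
    """Sources whose REJECTed TCP flows hit at least `min_ports` distinct ports.

    A single denied connection is noise; the same source being refused on
    several different ports in one window is the shape of a port scan.
    """
    ports_by_src: Dict[str, set] = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT" and rec["protocol"] == TCP:
            ports_by_src[str(rec["srcaddr"])].add(rec["dstport"])
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} flow records with data")
    print("REJECTs by source:", reject_counts(recs))
    print("scan suspects:", scan_suspects(recs))
```

The same functions work on records pulled from the CloudWatch log group or S3 objects set up below; only the default format is handled, so a flow log created with a custom `logFormat` needs `DEFAULT_FIELDS` replaced by that field list.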
§Example Usage
§CloudWatch Logging
```yaml
resources:
  exampleFlowLog:
    type: aws:ec2:FlowLog
    name: example
    properties:
      iamRoleArn: ${exampleRole.arn}
      logDestination: ${exampleLogGroup.arn}
      trafficType: ALL
      vpcId: ${exampleAwsVpc.id}
  exampleLogGroup:
    type: aws:cloudwatch:LogGroup
    name: example
    properties:
      name: example
  exampleRole:
    type: aws:iam:Role
    name: example
    properties:
      name: example
      assumeRolePolicy: ${assumeRole.json}
  exampleRolePolicy:
    type: aws:iam:RolePolicy
    name: example
    properties:
      name: example
      role: ${exampleRole.id}
      policy: ${example.json}
variables:
  assumeRole:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - effect: Allow
            principals:
              - type: Service
                identifiers:
                  - vpc-flow-logs.amazonaws.com
            actions:
              - sts:AssumeRole
  example:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - effect: Allow
            actions:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:DescribeLogGroups
              - logs:DescribeLogStreams
            resources:
              - '*'
```

The trust policy above lets the flow logs service assume the role on behalf of any account. AWS recommends narrowing the `sts:AssumeRole` statement with `aws:SourceAccount` and `aws:SourceArn` condition keys so that only flow logs in your own account can use the role.
§Amazon Kinesis Data Firehose logging
```yaml
resources:
  exampleFlowLog:
    type: aws:ec2:FlowLog
    name: example
    properties:
      logDestination: ${exampleFirehoseDeliveryStream.arn}
      logDestinationType: kinesis-data-firehose
      trafficType: ALL
      vpcId: ${exampleAwsVpc.id}
  exampleFirehoseDeliveryStream:
    type: aws:kinesis:FirehoseDeliveryStream
    name: example
    properties:
      name: kinesis_firehose_test
      destination: extended_s3
      extendedS3Configuration:
        roleArn: ${exampleRole.arn}
        bucketArn: ${exampleBucketV2.arn}
      tags:
        # Flow log delivery is only accepted by streams carrying this tag.
        LogDeliveryEnabled: 'true'
  exampleBucketV2:
    type: aws:s3:BucketV2
    name: example
    properties:
      bucket: example
  exampleBucketAclV2:
    type: aws:s3:BucketAclV2
    name: example
    properties:
      bucket: ${exampleBucketV2.id}
      acl: private
  exampleRole:
    type: aws:iam:Role
    name: example
    properties:
      name: firehose_test_role
      assumeRolePolicy: ${assumeRole.json}
  exampleRolePolicy:
    type: aws:iam:RolePolicy
    name: example
    properties:
      name: test
      role: ${exampleRole.id}
      policy: ${example.json}
variables:
  assumeRole:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - effect: Allow
            principals:
              - type: Service
                identifiers:
                  - firehose.amazonaws.com
            actions:
              - sts:AssumeRole
  example:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - effect: Allow
            actions:
              - logs:CreateLogDelivery
              - logs:DeleteLogDelivery
              - logs:ListLogDeliveries
              - logs:GetLogDelivery
              - firehose:TagDeliveryStream
            resources:
              - '*'
```
§S3 Logging
```rust
use pulumi_wasm_rust::Output;
use pulumi_wasm_rust::{add_export, pulumi_main};
#[pulumi_main]
fn test_main() -> Result<(), Error> {
    // Deliver the VPC's flow records straight to the bucket. S3 delivery
    // takes no iamRoleArn; access is granted through the bucket policy.
    let example = flow_log::create(
        "example",
        FlowLogArgs::builder()
            .log_destination("${exampleBucketV2.arn}")
            .log_destination_type("s3")
            .traffic_type("ALL")
            .vpc_id("${exampleAwsVpc.id}")
            .build_struct(),
    );
    let exampleBucketV2 = bucket_v_2::create(
        "exampleBucketV2",
        BucketV2Args::builder().bucket("example").build_struct(),
    );
    Ok(())
}
```
§S3 Logging in Apache Parquet format with per-hour partitions
```rust
use pulumi_wasm_rust::Output;
use pulumi_wasm_rust::{add_export, pulumi_main};
#[pulumi_main]
fn test_main() -> Result<(), Error> {
    // Same S3 delivery as above, but written as Parquet and partitioned
    // per hour, which keeps later queries over the bucket cheap.
    let example = flow_log::create(
        "example",
        FlowLogArgs::builder()
            .destination_options(
                FlowLogDestinationOptions::builder()
                    .fileFormat("parquet")
                    .perHourPartition(true)
                    .build_struct(),
            )
            .log_destination("${exampleBucketV2.arn}")
            .log_destination_type("s3")
            .traffic_type("ALL")
            .vpc_id("${exampleAwsVpc.id}")
            .build_struct(),
    );
    let exampleBucketV2 = bucket_v_2::create(
        "exampleBucketV2",
        BucketV2Args::builder().bucket("example").build_struct(),
    );
    Ok(())
}
```
§Import
Using `pulumi import`, import Flow Logs using the `id`. For example:

```shell
$ pulumi import aws:ec2/flowLog:FlowLog test_flow_log fl-1a2b3c4d
```
Structs§
- `FlowLogArgs`: Use builder syntax to set the inputs and finish with `build_struct()`.
Functions§
- `create`: Registers a new resource with the given unique name and arguments.