aws.ec2.FlowLog
Provides a VPC/Subnet/ENI/Transit Gateway/Transit Gateway Attachment Flow Log to capture IP traffic for a specific network interface, subnet, or VPC. Logs are sent to a CloudWatch Log Group, an S3 Bucket, or Amazon Data Firehose.
Example Usage
CloudWatch Logging
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Destination log group; its ARN is handed to the flow log below.
const exampleLogGroup = new aws.cloudwatch.LogGroup("example", {name: "example"});
// Trust policy: lets the VPC Flow Logs service principal assume the delivery role.
// NOTE(review): no aws:SourceAccount / aws:SourceArn condition is set, so the service
// could be pointed at this role from another account (confused deputy); AWS documents
// those condition keys for this trust policy — confirm before reuse outside a demo.
const assumeRole = aws.iam.getPolicyDocument({
    statements: [{
        effect: "Allow",
        principals: [{
            type: "Service",
            identifiers: ["vpc-flow-logs.amazonaws.com"],
        }],
        actions: ["sts:AssumeRole"],
    }],
});
const exampleRole = new aws.iam.Role("example", {
    name: "example",
    assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json),
});
// logDestinationType is not set; presumably the default selects CloudWatch Logs — verify.
// exampleAwsVpc is not declared in this snippet; it stands for the VPC being monitored.
const exampleFlowLog = new aws.ec2.FlowLog("example", {
    iamRoleArn: exampleRole.arn,
    logDestination: exampleLogGroup.arn,
    trafficType: "ALL",
    vpcId: exampleAwsVpc.id,
});
// Write permissions the delivery role uses against CloudWatch Logs.
// NOTE(review): resources is "*", i.e. every log group in the account; scoping to
// exampleLogGroup.arn (plus ":*" for its streams) is the least-privilege form, and
// logs:CreateLogGroup is likely unnecessary since the group is created by this program.
const example = aws.iam.getPolicyDocument({
    statements: [{
        effect: "Allow",
        actions: [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams",
        ],
        resources: ["*"],
    }],
});
const exampleRolePolicy = new aws.iam.RolePolicy("example", {
    name: "example",
    role: exampleRole.id,
    policy: example.then(example => example.json),
});
import pulumi
import pulumi_aws as aws
# Destination log group; its ARN is handed to the flow log below.
example_log_group = aws.cloudwatch.LogGroup("example", name="example")
# Trust policy: lets the VPC Flow Logs service principal assume the delivery role.
# NOTE(review): no aws:SourceAccount / aws:SourceArn condition is set, so the service
# could be pointed at this role from another account (confused deputy); AWS documents
# those condition keys for this trust policy — confirm before reuse outside a demo.
assume_role = aws.iam.get_policy_document(statements=[{
    "effect": "Allow",
    "principals": [{
        "type": "Service",
        "identifiers": ["vpc-flow-logs.amazonaws.com"],
    }],
    "actions": ["sts:AssumeRole"],
}])
example_role = aws.iam.Role("example",
    name="example",
    assume_role_policy=assume_role.json)
# log_destination_type is not set; presumably the default selects CloudWatch Logs — verify.
# example_aws_vpc is not declared in this snippet; it stands for the VPC being monitored.
example_flow_log = aws.ec2.FlowLog("example",
    iam_role_arn=example_role.arn,
    log_destination=example_log_group.arn,
    traffic_type="ALL",
    vpc_id=example_aws_vpc["id"])
# Write permissions the delivery role uses against CloudWatch Logs.
# NOTE(review): "resources" is "*", i.e. every log group in the account; scoping to
# example_log_group.arn (plus ":*" for its streams) is the least-privilege form, and
# logs:CreateLogGroup is likely unnecessary since the group is created by this program.
example = aws.iam.get_policy_document(statements=[{
    "effect": "Allow",
    "actions": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
    ],
    "resources": ["*"],
}])
example_role_policy = aws.iam.RolePolicy("example",
    name="example",
    role=example_role.id,
    policy=example.json)
package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cloudwatch"
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ec2"
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers a CloudWatch log group, a delivery role the VPC Flow Logs
// service can assume, a flow log writing to that group, and the role's
// write permissions. Every resource is created inside pulumi.Run.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Destination log group; its ARN is passed to the flow log below.
		exampleLogGroup, err := cloudwatch.NewLogGroup(ctx, "example", &cloudwatch.LogGroupArgs{
			Name: pulumi.String("example"),
		})
		if err != nil {
			return err
		}
		// Trust policy for the delivery role.
		// NOTE(review): no aws:SourceAccount / aws:SourceArn condition is set, so the
		// service principal could be directed at this role from another account
		// (confused deputy); AWS documents those keys for this trust policy — confirm.
		assumeRole, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Effect: pulumi.StringRef("Allow"),
					Principals: []iam.GetPolicyDocumentStatementPrincipal{
						{
							Type: "Service",
							Identifiers: []string{
								"vpc-flow-logs.amazonaws.com",
							},
						},
					},
					Actions: []string{
						"sts:AssumeRole",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		exampleRole, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
			Name:             pulumi.String("example"),
			AssumeRolePolicy: pulumi.String(assumeRole.Json),
		})
		if err != nil {
			return err
		}
		// LogDestinationType is not set; presumably the default selects CloudWatch Logs — verify.
		// exampleAwsVpc is not declared in this listing; it stands for the monitored VPC.
		_, err = ec2.NewFlowLog(ctx, "example", &ec2.FlowLogArgs{
			IamRoleArn:     exampleRole.Arn,
			LogDestination: exampleLogGroup.Arn,
			TrafficType:    pulumi.String("ALL"),
			VpcId:          pulumi.Any(exampleAwsVpc.Id),
		})
		if err != nil {
			return err
		}
		// Write permissions for the delivery role.
		// NOTE(review): Resources is "*", i.e. every log group in the account; scoping
		// to exampleLogGroup.Arn (plus ":*" for its streams) is the least-privilege
		// form, and logs:CreateLogGroup is likely unnecessary since the group is
		// created by this program.
		example, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Effect: pulumi.StringRef("Allow"),
					Actions: []string{
						"logs:CreateLogGroup",
						"logs:CreateLogStream",
						"logs:PutLogEvents",
						"logs:DescribeLogGroups",
						"logs:DescribeLogStreams",
					},
					Resources: []string{
						"*",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iam.NewRolePolicy(ctx, "example", &iam.RolePolicyArgs{
			Name:   pulumi.String("example"),
			Role:   exampleRole.ID(),
			Policy: pulumi.String(example.Json),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Registers a log group, a delivery role for the VPC Flow Logs service, a flow
// log writing to that group, and the role's write permissions.
return await Deployment.RunAsync(() => 
{
    // Destination log group; its ARN is handed to the flow log below.
    var exampleLogGroup = new Aws.CloudWatch.LogGroup("example", new()
    {
        Name = "example",
    });
    // Trust policy for the delivery role.
    // NOTE(review): no aws:SourceAccount / aws:SourceArn condition is set, so the
    // service principal could be directed at this role from another account
    // (confused deputy); AWS documents those keys for this trust policy — confirm.
    var assumeRole = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Effect = "Allow",
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Type = "Service",
                        Identifiers = new[]
                        {
                            "vpc-flow-logs.amazonaws.com",
                        },
                    },
                },
                Actions = new[]
                {
                    "sts:AssumeRole",
                },
            },
        },
    });
    var exampleRole = new Aws.Iam.Role("example", new()
    {
        Name = "example",
        AssumeRolePolicy = assumeRole.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });
    // LogDestinationType is not set; presumably the default selects CloudWatch Logs — verify.
    // exampleAwsVpc is not declared in this snippet; it stands for the monitored VPC.
    var exampleFlowLog = new Aws.Ec2.FlowLog("example", new()
    {
        IamRoleArn = exampleRole.Arn,
        LogDestination = exampleLogGroup.Arn,
        TrafficType = "ALL",
        VpcId = exampleAwsVpc.Id,
    });
    // Write permissions for the delivery role.
    // NOTE(review): Resources is "*", i.e. every log group in the account; scoping
    // to exampleLogGroup.Arn (plus ":*" for its streams) is the least-privilege form.
    var example = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Effect = "Allow",
                Actions = new[]
                {
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams",
                },
                Resources = new[]
                {
                    "*",
                },
            },
        },
    });
    var exampleRolePolicy = new Aws.Iam.RolePolicy("example", new()
    {
        Name = "example",
        Role = exampleRole.Id,
        Policy = example.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.LogGroup;
import com.pulumi.aws.cloudwatch.LogGroupArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import com.pulumi.aws.iam.RolePolicy;
import com.pulumi.aws.iam.RolePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Registers a log group, a delivery role for the VPC Flow Logs service, a flow
 * log writing to that group, and the role's write permissions.
 *
 * NOTE(review): GetPolicyDocumentStatementArgs and
 * GetPolicyDocumentStatementPrincipalArgs are used below but are not in the
 * import list; they presumably live under com.pulumi.aws.iam.inputs — confirm.
 * exampleAwsVpc is also not declared here; it stands for the monitored VPC.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        // Destination log group; its ARN is handed to the flow log below.
        var exampleLogGroup = new LogGroup("exampleLogGroup", LogGroupArgs.builder()
            .name("example")
            .build());
        // Trust policy for the delivery role.
        // NOTE(review): no aws:SourceAccount / aws:SourceArn condition is set, so the
        // service principal could be directed at this role from another account
        // (confused deputy); AWS documents those keys for this trust policy — confirm.
        final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("Service")
                    .identifiers("vpc-flow-logs.amazonaws.com")
                    .build())
                .actions("sts:AssumeRole")
                .build())
            .build());
        var exampleRole = new Role("exampleRole", RoleArgs.builder()
            .name("example")
            .assumeRolePolicy(assumeRole.json())
            .build());
        // logDestinationType is not set; presumably the default selects CloudWatch Logs — verify.
        var exampleFlowLog = new FlowLog("exampleFlowLog", FlowLogArgs.builder()
            .iamRoleArn(exampleRole.arn())
            .logDestination(exampleLogGroup.arn())
            .trafficType("ALL")
            .vpcId(exampleAwsVpc.id())
            .build());
        // Write permissions for the delivery role.
        // NOTE(review): resources is "*", i.e. every log group in the account; scoping
        // to exampleLogGroup.arn() (plus ":*" for its streams) is the least-privilege form.
        final var example = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .actions(                
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                    "logs:DescribeLogGroups",
                    "logs:DescribeLogStreams")
                .resources("*")
                .build())
            .build());
        var exampleRolePolicy = new RolePolicy("exampleRolePolicy", RolePolicyArgs.builder()
            .name("example")
            .role(exampleRole.id())
            .policy(example.json())
            .build());
    }
}
# CloudWatch Logs delivery: a flow log on exampleAwsVpc writes into exampleLogGroup
# through exampleRole. exampleAwsVpc is not declared here; it stands for the monitored VPC.
resources:
  exampleFlowLog:
    type: aws:ec2:FlowLog
    name: example
    properties:
      iamRoleArn: ${exampleRole.arn}
      logDestination: ${exampleLogGroup.arn}
      # logDestinationType is not set; presumably the default selects CloudWatch Logs — verify.
      trafficType: ALL
      vpcId: ${exampleAwsVpc.id}
  exampleLogGroup:
    type: aws:cloudwatch:LogGroup
    name: example
    properties:
      name: example
  exampleRole:
    type: aws:iam:Role
    name: example
    properties:
      name: example
      assumeRolePolicy: ${assumeRole.json}
  exampleRolePolicy:
    type: aws:iam:RolePolicy
    name: example
    properties:
      name: example
      role: ${exampleRole.id}
      policy: ${example.json}
variables:
  # Trust policy for the delivery role.
  # NOTE(review): no aws:SourceAccount / aws:SourceArn condition is set, so the service
  # principal could be directed at this role from another account (confused deputy);
  # AWS documents those condition keys for this trust policy — confirm.
  assumeRole:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - effect: Allow
            principals:
              - type: Service
                identifiers:
                  - vpc-flow-logs.amazonaws.com
            actions:
              - sts:AssumeRole
  # Write permissions for the delivery role.
  # NOTE(review): resources is '*', i.e. every log group in the account; scoping to
  # ${exampleLogGroup.arn} (plus ":*" for its streams) is the least-privilege form.
  example:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - effect: Allow
            actions:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:DescribeLogGroups
              - logs:DescribeLogStreams
            resources:
              - '*'
Amazon Data Firehose logging
Example coming soon!
Example coming soon!
Example coming soon!
Example coming soon!
Example coming soon!
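# Firehose delivery: the flow log writes to a Firehose stream that lands in exampleBucket.
# exampleAwsVpc is not declared here; it stands for the monitored VPC.
resources:
  exampleFlowLog:
    type: aws:ec2:FlowLog
    name: example
    properties:
      logDestination: ${exampleFirehoseDeliveryStream.arn}
      logDestinationType: kinesis-data-firehose
      trafficType: ALL
      vpcId: ${exampleAwsVpc.id}
  exampleFirehoseDeliveryStream:
    type: aws:kinesis:FirehoseDeliveryStream
    name: example
    properties:
      name: kinesis_firehose_test
      destination: extended_s3
      extendedS3Configuration:
        # NOTE(review): the policy attached to exampleRole below grants no s3:* actions,
        # yet Firehose writes to exampleBucket through this role — confirm the role
        # also receives the bucket permissions Firehose needs.
        roleArn: ${exampleRole.arn}
        bucketArn: ${exampleBucket.arn}
      tags:
        LogDeliveryEnabled: 'true'
  exampleBucket:
    type: aws:s3:Bucket
    name: example
    properties:
      bucket: example
  exampleBucketAcl:
    type: aws:s3:BucketAcl
    name: example
    properties:
      bucket: ${exampleBucket.id}
      acl: private
  exampleRole:
    type: aws:iam:Role
    name: example
    properties:
      name: firehose_test_role
      assumeRolePolicy: ${assumeRole.json}
  exampleRolePolicy:
    type: aws:iam:RolePolicy
    name: example
    properties:
      name: test
      role: ${exampleRole.id}
      policy: ${example.json}
variables:
  # Trust policy: only the Firehose service principal may assume exampleRole.
  assumeRole:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - effect: Allow
            principals:
              - type: Service
                identifiers:
                  - firehose.amazonaws.com
            actions:
              - sts:AssumeRole
  example:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        # The statement fields were previously placed directly under `arguments`,
        # which aws:iam:getPolicyDocument does not accept; they belong inside a
        # `statements` list entry, matching the other invocations on this page.
        statements:
          - effect: Allow
            actions:
              - logs:CreateLogDelivery
              - logs:DeleteLogDelivery
              - logs:ListLogDeliveries
              - logs:GetLogDelivery
              - firehose:TagDeliveryStream
            # NOTE(review): '*' grants these on every delivery stream; the firehose
            # action could be scoped to ${exampleFirehoseDeliveryStream.arn} — confirm.
            resources:
              - '*'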
S3 Logging
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Destination bucket; its ARN is the flow log destination below.
// NOTE(review): no public-access block, encryption or bucket policy is shown here;
// a production bucket holding traffic metadata would normally carry those — confirm.
const exampleBucket = new aws.s3.Bucket("example", {bucket: "example"});
// exampleAwsVpc is not declared in this snippet; it stands for the monitored VPC.
const example = new aws.ec2.FlowLog("example", {
    logDestination: exampleBucket.arn,
    logDestinationType: "s3",
    trafficType: "ALL",
    vpcId: exampleAwsVpc.id,
});
import pulumi
import pulumi_aws as aws
# Destination bucket; its ARN is the flow log destination below.
# NOTE(review): no public-access block, encryption or bucket policy is shown here;
# a production bucket holding traffic metadata would normally carry those — confirm.
example_bucket = aws.s3.Bucket("example", bucket="example")
# example_aws_vpc is not declared in this snippet; it stands for the monitored VPC.
example = aws.ec2.FlowLog("example",
    log_destination=example_bucket.arn,
    log_destination_type="s3",
    traffic_type="ALL",
    vpc_id=example_aws_vpc["id"])
package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ec2"
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/s3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers an S3 bucket and a VPC flow log that delivers into it.
func main() {
	pulumi.Run(deploy)
}

// deploy creates the bucket first so its ARN can be handed to the flow log.
// exampleAwsVpc is not declared in this listing; it stands for the monitored VPC.
func deploy(ctx *pulumi.Context) error {
	bucketArgs := &s3.BucketArgs{Bucket: pulumi.String("example")}
	exampleBucket, err := s3.NewBucket(ctx, "example", bucketArgs)
	if err != nil {
		return err
	}
	flowLogArgs := &ec2.FlowLogArgs{
		LogDestination:     exampleBucket.Arn,
		LogDestinationType: pulumi.String("s3"),
		TrafficType:        pulumi.String("ALL"),
		VpcId:              pulumi.Any(exampleAwsVpc.Id),
	}
	// Only the error is needed; the resource is registered as a side effect.
	if _, err := ec2.NewFlowLog(ctx, "example", flowLogArgs); err != nil {
		return err
	}
	return nil
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Registers an S3 bucket and a VPC flow log that delivers into it.
// exampleAwsVpc is not declared in this snippet; it stands for the monitored VPC.
return await Deployment.RunAsync(() => 
{
    // NOTE(review): no public-access block, encryption or bucket policy is shown;
    // a production bucket holding traffic metadata would normally carry those — confirm.
    var exampleBucket = new Aws.S3.Bucket("example", new()
    {
        BucketName = "example",
    });
    var example = new Aws.Ec2.FlowLog("example", new()
    {
        LogDestination = exampleBucket.Arn,
        LogDestinationType = "s3",
        TrafficType = "ALL",
        VpcId = exampleAwsVpc.Id,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.Bucket;
import com.pulumi.aws.s3.BucketArgs;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Registers an S3 bucket and a VPC flow log that delivers into it.
 * exampleAwsVpc is not declared here; it stands for the monitored VPC.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        // NOTE(review): no public-access block, encryption or bucket policy is shown;
        // a production bucket holding traffic metadata would normally carry those — confirm.
        var exampleBucket = new Bucket("exampleBucket", BucketArgs.builder()
            .bucket("example")
            .build());
        var example = new FlowLog("example", FlowLogArgs.builder()
            .logDestination(exampleBucket.arn())
            .logDestinationType("s3")
            .trafficType("ALL")
            .vpcId(exampleAwsVpc.id())
            .build());
    }
}
# S3 delivery: the flow log on exampleAwsVpc writes into exampleBucket.
# exampleAwsVpc is not declared here; it stands for the monitored VPC.
resources:
  example:
    type: aws:ec2:FlowLog
    properties:
      logDestination: ${exampleBucket.arn}
      logDestinationType: s3
      trafficType: ALL
      vpcId: ${exampleAwsVpc.id}
  # NOTE(review): no public-access block, encryption or bucket policy is shown;
  # a production bucket holding traffic metadata would normally carry those — confirm.
  exampleBucket:
    type: aws:s3:Bucket
    name: example
    properties:
      bucket: example
S3 Logging in Apache Parquet format with per-hour partitions
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Destination bucket; its ARN is the flow log destination below.
const exampleBucket = new aws.s3.Bucket("example", {bucket: "example"});
// Same as the plain S3 example, plus destinationOptions selecting Parquet output
// partitioned per hour. exampleAwsVpc is not declared here; it stands for the monitored VPC.
const example = new aws.ec2.FlowLog("example", {
    logDestination: exampleBucket.arn,
    logDestinationType: "s3",
    trafficType: "ALL",
    vpcId: exampleAwsVpc.id,
    destinationOptions: {
        fileFormat: "parquet",
        perHourPartition: true,
    },
});
import pulumi
import pulumi_aws as aws
# Destination bucket; its ARN is the flow log destination below.
example_bucket = aws.s3.Bucket("example", bucket="example")
# Same as the plain S3 example, plus destination_options selecting Parquet output
# partitioned per hour. example_aws_vpc is not declared here; it stands for the monitored VPC.
example = aws.ec2.FlowLog("example",
    log_destination=example_bucket.arn,
    log_destination_type="s3",
    traffic_type="ALL",
    vpc_id=example_aws_vpc["id"],
    destination_options={
        "file_format": "parquet",
        "per_hour_partition": True,
    })
package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ec2"
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/s3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers an S3 bucket and a VPC flow log that delivers Parquet files
// into it, partitioned per hour.
func main() {
	pulumi.Run(deploy)
}

// deploy creates the bucket first so its ARN can be handed to the flow log.
// exampleAwsVpc is not declared in this listing; it stands for the monitored VPC.
func deploy(ctx *pulumi.Context) error {
	bucketArgs := &s3.BucketArgs{Bucket: pulumi.String("example")}
	exampleBucket, err := s3.NewBucket(ctx, "example", bucketArgs)
	if err != nil {
		return err
	}
	destOpts := &ec2.FlowLogDestinationOptionsArgs{
		FileFormat:       pulumi.String("parquet"),
		PerHourPartition: pulumi.Bool(true),
	}
	flowLogArgs := &ec2.FlowLogArgs{
		LogDestination:     exampleBucket.Arn,
		LogDestinationType: pulumi.String("s3"),
		TrafficType:        pulumi.String("ALL"),
		VpcId:              pulumi.Any(exampleAwsVpc.Id),
		DestinationOptions: destOpts,
	}
	// Only the error is needed; the resource is registered as a side effect.
	if _, err := ec2.NewFlowLog(ctx, "example", flowLogArgs); err != nil {
		return err
	}
	return nil
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Registers an S3 bucket and a VPC flow log that delivers Parquet files into it,
// partitioned per hour. exampleAwsVpc is not declared here; it stands for the monitored VPC.
return await Deployment.RunAsync(() => 
{
    var exampleBucket = new Aws.S3.Bucket("example", new()
    {
        BucketName = "example",
    });
    var example = new Aws.Ec2.FlowLog("example", new()
    {
        LogDestination = exampleBucket.Arn,
        LogDestinationType = "s3",
        TrafficType = "ALL",
        VpcId = exampleAwsVpc.Id,
        // Output format and partitioning of the objects written to the bucket.
        DestinationOptions = new Aws.Ec2.Inputs.FlowLogDestinationOptionsArgs
        {
            FileFormat = "parquet",
            PerHourPartition = true,
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.Bucket;
import com.pulumi.aws.s3.BucketArgs;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import com.pulumi.aws.ec2.inputs.FlowLogDestinationOptionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Registers an S3 bucket and a VPC flow log that delivers Parquet files into
 * it, partitioned per hour. exampleAwsVpc is not declared here; it stands for
 * the monitored VPC.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var exampleBucket = new Bucket("exampleBucket", BucketArgs.builder()
            .bucket("example")
            .build());
        var example = new FlowLog("example", FlowLogArgs.builder()
            .logDestination(exampleBucket.arn())
            .logDestinationType("s3")
            .trafficType("ALL")
            .vpcId(exampleAwsVpc.id())
            // Output format and partitioning of the objects written to the bucket.
            .destinationOptions(FlowLogDestinationOptionsArgs.builder()
                .fileFormat("parquet")
                .perHourPartition(true)
                .build())
            .build());
    }
}
# S3 delivery in Parquet format with per-hour partitions.
# exampleAwsVpc is not declared here; it stands for the monitored VPC.
resources:
  example:
    type: aws:ec2:FlowLog
    properties:
      logDestination: ${exampleBucket.arn}
      logDestinationType: s3
      trafficType: ALL
      vpcId: ${exampleAwsVpc.id}
      # Output format and partitioning of the objects written to the bucket.
      destinationOptions:
        fileFormat: parquet
        perHourPartition: true
  exampleBucket:
    type: aws:s3:Bucket
    name: example
    properties:
      bucket: example
Cross-Account Amazon Data Firehose Logging
The following example shows how to set up a flow log in one AWS account (source) that sends logs to an Amazon Data Firehose delivery stream in another AWS account (destination). See the AWS Documentation.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// For source account
// Monitored VPC.
const src = new aws.ec2.Vpc("src", {});
// Trust policy for the source role: only the log-delivery service principal may assume it.
// NOTE(review): no aws:SourceAccount / aws:SourceArn condition is set, so the service
// could be directed at this role from another account (confused deputy) — confirm.
const srcAssumeRolePolicy = aws.iam.getPolicyDocument({
    statements: [{
        actions: ["sts:AssumeRole"],
        effect: "Allow",
        principals: [{
            type: "Service",
            identifiers: ["delivery.logs.amazonaws.com"],
        }],
    }],
});
const srcRole = new aws.iam.Role("src", {
    name: "tf-example-mySourceRole",
    assumeRolePolicy: srcAssumeRolePolicy.then(srcAssumeRolePolicy => srcAssumeRolePolicy.json),
});
// For destination account
// Trust policy for the destination role: only srcRole (an AWS principal, not a
// service) may assume it, which is what keeps the cross-account hop narrow.
const dstAssumeRolePolicy = aws.iam.getPolicyDocumentOutput({
    statements: [{
        actions: ["sts:AssumeRole"],
        effect: "Allow",
        principals: [{
            type: "AWS",
            identifiers: [srcRole.arn],
        }],
    }],
});
const dst = new aws.iam.Role("dst", {
    name: "AWSLogDeliveryFirehoseCrossAccountRole",
    assumeRolePolicy: dstAssumeRolePolicy.apply(dstAssumeRolePolicy => dstAssumeRolePolicy.json),
});
// Source role permissions: PassRole is limited to srcRole itself, to the
// log-delivery service, and to the monitored VPC; sts:AssumeRole is limited to dst.
// NOTE(review): the logs:*LogDelivery statement uses resources "*" — confirm
// whether those actions support resource-level scoping before tightening.
const srcRolePolicy = aws.iam.getPolicyDocumentOutput({
    statements: [
        {
            effect: "Allow",
            actions: ["iam:PassRole"],
            resources: [srcRole.arn],
            conditions: [
                {
                    test: "StringEquals",
                    variable: "iam:PassedToService",
                    values: ["delivery.logs.amazonaws.com"],
                },
                {
                    test: "StringLike",
                    variable: "iam:AssociatedResourceARN",
                    values: [src.arn],
                },
            ],
        },
        {
            effect: "Allow",
            actions: [
                "logs:CreateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries",
                "logs:GetLogDelivery",
            ],
            resources: ["*"],
        },
        {
            effect: "Allow",
            actions: ["sts:AssumeRole"],
            resources: [dst.arn],
        },
    ],
});
const srcPolicy = new aws.iam.RolePolicy("src_policy", {
    name: "tf-example-mySourceRolePolicy",
    role: srcRole.name,
    policy: srcRolePolicy.apply(srcRolePolicy => srcRolePolicy.json),
});
// Destination stream. Only the tag is configured here; a real stream needs a destination.
const dstFirehoseDeliveryStream = new aws.kinesis.FirehoseDeliveryStream("dst", {tags: {
    LogDeliveryEnabled: "true",
}});
// The flow log runs as srcRole and hops to dst (deliverCrossAccountRole) to write
// into the destination account's stream.
const srcFlowLog = new aws.ec2.FlowLog("src", {
    logDestinationType: "kinesis-data-firehose",
    logDestination: dstFirehoseDeliveryStream.arn,
    trafficType: "ALL",
    vpcId: src.id,
    iamRoleArn: srcRole.arn,
    deliverCrossAccountRole: dst.arn,
});
// Destination role permissions.
// NOTE(review): firehose:TagDeliveryStream on "*" covers every stream in the
// destination account; scoping to dstFirehoseDeliveryStream.arn is narrower — confirm.
const dstRolePolicy = aws.iam.getPolicyDocument({
    statements: [{
        effect: "Allow",
        actions: [
            "iam:CreateServiceLinkedRole",
            "firehose:TagDeliveryStream",
        ],
        resources: ["*"],
    }],
});
const dstRolePolicy2 = new aws.iam.RolePolicy("dst", {
    name: "AWSLogDeliveryFirehoseCrossAccountRolePolicy",
    role: dst.name,
    policy: dstRolePolicy.then(dstRolePolicy => dstRolePolicy.json),
});
import pulumi
import pulumi_aws as aws
# For source account
# Monitored VPC.
src = aws.ec2.Vpc("src")
# Trust policy for the source role: only the log-delivery service principal may assume it.
# NOTE(review): no aws:SourceAccount / aws:SourceArn condition is set, so the service
# could be directed at this role from another account (confused deputy) — confirm.
src_assume_role_policy = aws.iam.get_policy_document(statements=[{
    "actions": ["sts:AssumeRole"],
    "effect": "Allow",
    "principals": [{
        "type": "Service",
        "identifiers": ["delivery.logs.amazonaws.com"],
    }],
}])
src_role = aws.iam.Role("src",
    name="tf-example-mySourceRole",
    assume_role_policy=src_assume_role_policy.json)
# For destination account
# Trust policy for the destination role: only src_role (an AWS principal, not a
# service) may assume it, which is what keeps the cross-account hop narrow.
dst_assume_role_policy = aws.iam.get_policy_document_output(statements=[{
    "actions": ["sts:AssumeRole"],
    "effect": "Allow",
    "principals": [{
        "type": "AWS",
        "identifiers": [src_role.arn],
    }],
}])
dst = aws.iam.Role("dst",
    name="AWSLogDeliveryFirehoseCrossAccountRole",
    assume_role_policy=dst_assume_role_policy.json)
# Source role permissions: PassRole is limited to src_role itself, to the
# log-delivery service, and to the monitored VPC; sts:AssumeRole is limited to dst.
# NOTE(review): the logs:*LogDelivery statement uses resources "*" — confirm
# whether those actions support resource-level scoping before tightening.
src_role_policy = aws.iam.get_policy_document_output(statements=[
    {
        "effect": "Allow",
        "actions": ["iam:PassRole"],
        "resources": [src_role.arn],
        "conditions": [
            {
                "test": "StringEquals",
                "variable": "iam:PassedToService",
                "values": ["delivery.logs.amazonaws.com"],
            },
            {
                "test": "StringLike",
                "variable": "iam:AssociatedResourceARN",
                "values": [src.arn],
            },
        ],
    },
    {
        "effect": "Allow",
        "actions": [
            "logs:CreateLogDelivery",
            "logs:DeleteLogDelivery",
            "logs:ListLogDeliveries",
            "logs:GetLogDelivery",
        ],
        "resources": ["*"],
    },
    {
        "effect": "Allow",
        "actions": ["sts:AssumeRole"],
        "resources": [dst.arn],
    },
])
src_policy = aws.iam.RolePolicy("src_policy",
    name="tf-example-mySourceRolePolicy",
    role=src_role.name,
    policy=src_role_policy.json)
# Destination stream. Only the tag is configured here; a real stream needs a destination.
dst_firehose_delivery_stream = aws.kinesis.FirehoseDeliveryStream("dst", tags={
    "LogDeliveryEnabled": "true",
})
# The flow log runs as src_role and hops to dst (deliver_cross_account_role) to
# write into the destination account's stream.
src_flow_log = aws.ec2.FlowLog("src",
    log_destination_type="kinesis-data-firehose",
    log_destination=dst_firehose_delivery_stream.arn,
    traffic_type="ALL",
    vpc_id=src.id,
    iam_role_arn=src_role.arn,
    deliver_cross_account_role=dst.arn)
# Destination role permissions.
# NOTE(review): firehose:TagDeliveryStream on "*" covers every stream in the
# destination account; scoping to dst_firehose_delivery_stream.arn is narrower — confirm.
dst_role_policy = aws.iam.get_policy_document(statements=[{
    "effect": "Allow",
    "actions": [
        "iam:CreateServiceLinkedRole",
        "firehose:TagDeliveryStream",
    ],
    "resources": ["*"],
}])
dst_role_policy2 = aws.iam.RolePolicy("dst",
    name="AWSLogDeliveryFirehoseCrossAccountRolePolicy",
    role=dst.name,
    policy=dst_role_policy.json)
package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ec2"
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/iam"
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/kinesis"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main builds the cross-account Firehose delivery chain: a source VPC and
// role in one account, a destination role and Firehose stream in another,
// and a flow log that runs as the source role and hops to the destination
// role to deliver.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// For source account
		// Monitored VPC.
		src, err := ec2.NewVpc(ctx, "src", nil)
		if err != nil {
			return err
		}
		// Trust policy for the source role: only the log-delivery service may assume it.
		// NOTE(review): no aws:SourceAccount / aws:SourceArn condition is set, so the
		// service could be directed at this role from another account (confused deputy) — confirm.
		srcAssumeRolePolicy, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Actions: []string{
						"sts:AssumeRole",
					},
					Effect: pulumi.StringRef("Allow"),
					Principals: []iam.GetPolicyDocumentStatementPrincipal{
						{
							Type: "Service",
							Identifiers: []string{
								"delivery.logs.amazonaws.com",
							},
						},
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		srcRole, err := iam.NewRole(ctx, "src", &iam.RoleArgs{
			Name:             pulumi.String("tf-example-mySourceRole"),
			AssumeRolePolicy: pulumi.String(srcAssumeRolePolicy.Json),
		})
		if err != nil {
			return err
		}
		// For destination account
		// Trust policy for the destination role: only srcRole (an AWS principal,
		// not a service) may assume it. Built as an Output because it depends on
		// srcRole.Arn.
		dstAssumeRolePolicy := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
			Statements: iam.GetPolicyDocumentStatementArray{
				&iam.GetPolicyDocumentStatementArgs{
					Actions: pulumi.StringArray{
						pulumi.String("sts:AssumeRole"),
					},
					Effect: pulumi.String("Allow"),
					Principals: iam.GetPolicyDocumentStatementPrincipalArray{
						&iam.GetPolicyDocumentStatementPrincipalArgs{
							Type: pulumi.String("AWS"),
							Identifiers: pulumi.StringArray{
								srcRole.Arn,
							},
						},
					},
				},
			},
		}, nil)
		// NOTE(review): pulumi.String(...) is a conversion from string, so wrapping a
		// StringPtrOutput in it looks like it would not compile; passing the output's
		// Json accessor directly is the usual form — confirm against the SDK.
		dst, err := iam.NewRole(ctx, "dst", &iam.RoleArgs{
			Name: pulumi.String("AWSLogDeliveryFirehoseCrossAccountRole"),
			AssumeRolePolicy: pulumi.String(dstAssumeRolePolicy.ApplyT(func(dstAssumeRolePolicy iam.GetPolicyDocumentResult) (*string, error) {
				return &dstAssumeRolePolicy.Json, nil
			}).(pulumi.StringPtrOutput)),
		})
		if err != nil {
			return err
		}
		// Source role permissions: PassRole is limited to srcRole itself, to the
		// log-delivery service, and to the monitored VPC; sts:AssumeRole is limited to dst.
		// NOTE(review): the logs:*LogDelivery statement uses Resources "*" — confirm
		// whether those actions support resource-level scoping before tightening.
		srcRolePolicy := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
			Statements: iam.GetPolicyDocumentStatementArray{
				&iam.GetPolicyDocumentStatementArgs{
					Effect: pulumi.String("Allow"),
					Actions: pulumi.StringArray{
						pulumi.String("iam:PassRole"),
					},
					Resources: pulumi.StringArray{
						srcRole.Arn,
					},
					Conditions: iam.GetPolicyDocumentStatementConditionArray{
						&iam.GetPolicyDocumentStatementConditionArgs{
							Test:     pulumi.String("StringEquals"),
							Variable: pulumi.String("iam:PassedToService"),
							Values: pulumi.StringArray{
								pulumi.String("delivery.logs.amazonaws.com"),
							},
						},
						&iam.GetPolicyDocumentStatementConditionArgs{
							Test:     pulumi.String("StringLike"),
							Variable: pulumi.String("iam:AssociatedResourceARN"),
							Values: pulumi.StringArray{
								src.Arn,
							},
						},
					},
				},
				&iam.GetPolicyDocumentStatementArgs{
					Effect: pulumi.String("Allow"),
					Actions: pulumi.StringArray{
						pulumi.String("logs:CreateLogDelivery"),
						pulumi.String("logs:DeleteLogDelivery"),
						pulumi.String("logs:ListLogDeliveries"),
						pulumi.String("logs:GetLogDelivery"),
					},
					Resources: pulumi.StringArray{
						pulumi.String("*"),
					},
				},
				&iam.GetPolicyDocumentStatementArgs{
					Effect: pulumi.String("Allow"),
					Actions: pulumi.StringArray{
						pulumi.String("sts:AssumeRole"),
					},
					Resources: pulumi.StringArray{
						dst.Arn,
					},
				},
			},
		}, nil)
		// Same pulumi.String(...) conversion concern as for dst above.
		_, err = iam.NewRolePolicy(ctx, "src_policy", &iam.RolePolicyArgs{
			Name: pulumi.String("tf-example-mySourceRolePolicy"),
			Role: srcRole.Name,
			Policy: pulumi.String(srcRolePolicy.ApplyT(func(srcRolePolicy iam.GetPolicyDocumentResult) (*string, error) {
				return &srcRolePolicy.Json, nil
			}).(pulumi.StringPtrOutput)),
		})
		if err != nil {
			return err
		}
		// Destination stream. Only the tag is configured here; a real stream needs a destination.
		dstFirehoseDeliveryStream, err := kinesis.NewFirehoseDeliveryStream(ctx, "dst", &kinesis.FirehoseDeliveryStreamArgs{
			Tags: pulumi.StringMap{
				"LogDeliveryEnabled": pulumi.String("true"),
			},
		})
		if err != nil {
			return err
		}
		// The flow log runs as srcRole and hops to dst (DeliverCrossAccountRole)
		// to write into the destination account's stream.
		_, err = ec2.NewFlowLog(ctx, "src", &ec2.FlowLogArgs{
			LogDestinationType:      pulumi.String("kinesis-data-firehose"),
			LogDestination:          dstFirehoseDeliveryStream.Arn,
			TrafficType:             pulumi.String("ALL"),
			VpcId:                   src.ID(),
			IamRoleArn:              srcRole.Arn,
			DeliverCrossAccountRole: dst.Arn,
		})
		if err != nil {
			return err
		}
		// Destination role permissions.
		// NOTE(review): firehose:TagDeliveryStream on "*" covers every stream in the
		// destination account; scoping to dstFirehoseDeliveryStream.Arn is narrower — confirm.
		dstRolePolicy, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Effect: pulumi.StringRef("Allow"),
					Actions: []string{
						"iam:CreateServiceLinkedRole",
						"firehose:TagDeliveryStream",
					},
					Resources: []string{
						"*",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iam.NewRolePolicy(ctx, "dst", &iam.RolePolicyArgs{
			Name:   pulumi.String("AWSLogDeliveryFirehoseCrossAccountRolePolicy"),
			Role:   dst.Name,
			Policy: pulumi.String(dstRolePolicy.Json),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() => 
{
    // Cross-account flow-log delivery: the source account's VPC ships flow logs
    // to a Firehose stream owned by the destination account. Two IAM roles
    // cooperate: `srcRole` (source account, assumed by the log-delivery
    // service) and `dst` (destination account, assumable only by `srcRole`).
    // For source account
    var src = new Aws.Ec2.Vpc("src");
    // Trust policy for the source role: only the delivery.logs.amazonaws.com
    // service principal may call sts:AssumeRole on it.
    var srcAssumeRolePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Actions = new[]
                {
                    "sts:AssumeRole",
                },
                Effect = "Allow",
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Type = "Service",
                        Identifiers = new[]
                        {
                            "delivery.logs.amazonaws.com",
                        },
                    },
                },
            },
        },
    });
    var srcRole = new Aws.Iam.Role("src", new()
    {
        Name = "tf-example-mySourceRole",
        AssumeRolePolicy = srcAssumeRolePolicy.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });
    // For destination account
    // Trust policy for the destination role: the only trusted principal is the
    // source role's ARN (principal type "AWS"); no other identity in the source
    // account is allowed to assume it.
    var dstAssumeRolePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Actions = new[]
                {
                    "sts:AssumeRole",
                },
                Effect = "Allow",
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Type = "AWS",
                        Identifiers = new[]
                        {
                            srcRole.Arn,
                        },
                    },
                },
            },
        },
    });
    var dst = new Aws.Iam.Role("dst", new()
    {
        Name = "AWSLogDeliveryFirehoseCrossAccountRole",
        AssumeRolePolicy = dstAssumeRolePolicy.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });
    // Permissions for the source role, in three statements:
    //  1. iam:PassRole limited to srcRole itself, and further constrained so the
    //     role can only be passed to delivery.logs.amazonaws.com
    //     (iam:PassedToService) and only for the `src` VPC's ARN
    //     (iam:AssociatedResourceARN, StringLike match).
    //  2. The logs:*LogDelivery management actions; note these are granted on
    //     the wildcard resource "*".
    //  3. sts:AssumeRole on the destination role, which is what enables the
    //     cross-account hop.
    var srcRolePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Effect = "Allow",
                Actions = new[]
                {
                    "iam:PassRole",
                },
                Resources = new[]
                {
                    srcRole.Arn,
                },
                Conditions = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                    {
                        Test = "StringEquals",
                        Variable = "iam:PassedToService",
                        Values = new[]
                        {
                            "delivery.logs.amazonaws.com",
                        },
                    },
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                    {
                        Test = "StringLike",
                        Variable = "iam:AssociatedResourceARN",
                        Values = new[]
                        {
                            src.Arn,
                        },
                    },
                },
            },
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Effect = "Allow",
                Actions = new[]
                {
                    "logs:CreateLogDelivery",
                    "logs:DeleteLogDelivery",
                    "logs:ListLogDeliveries",
                    "logs:GetLogDelivery",
                },
                Resources = new[]
                {
                    "*",
                },
            },
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Effect = "Allow",
                Actions = new[]
                {
                    "sts:AssumeRole",
                },
                Resources = new[]
                {
                    dst.Arn,
                },
            },
        },
    });
    // Attaches the document above to the source role as an inline policy.
    var srcPolicy = new Aws.Iam.RolePolicy("src_policy", new()
    {
        Name = "tf-example-mySourceRolePolicy",
        Role = srcRole.Name,
        Policy = srcRolePolicy.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });
    // Destination-account Firehose stream. Only the LogDeliveryEnabled tag is
    // shown; the stream's own destination configuration is not part of this
    // example. NOTE(review): the tag is presumably what the log-delivery
    // service checks before writing to a cross-account stream — confirm.
    var dstFirehoseDeliveryStream = new Aws.Kinesis.FirehoseDeliveryStream("dst", new()
    {
        Tags = 
        {
            { "LogDeliveryEnabled", "true" },
        },
    });
    // The flow log itself: captures ALL traffic for the `src` VPC, posts via
    // srcRole (IamRoleArn) and names dst as the cross-account delivery role.
    var srcFlowLog = new Aws.Ec2.FlowLog("src", new()
    {
        LogDestinationType = "kinesis-data-firehose",
        LogDestination = dstFirehoseDeliveryStream.Arn,
        TrafficType = "ALL",
        VpcId = src.Id,
        IamRoleArn = srcRole.Arn,
        DeliverCrossAccountRole = dst.Arn,
    });
    // Permissions for the destination role: iam:CreateServiceLinkedRole and
    // firehose:TagDeliveryStream, both granted on the wildcard resource "*".
    var dstRolePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Effect = "Allow",
                Actions = new[]
                {
                    "iam:CreateServiceLinkedRole",
                    "firehose:TagDeliveryStream",
                },
                Resources = new[]
                {
                    "*",
                },
            },
        },
    });
    // Attaches the destination document to the destination role.
    var dstRolePolicy2 = new Aws.Iam.RolePolicy("dst", new()
    {
        Name = "AWSLogDeliveryFirehoseCrossAccountRolePolicy",
        Role = dst.Name,
        Policy = dstRolePolicy.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ec2.Vpc;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.RolePolicy;
import com.pulumi.aws.iam.RolePolicyArgs;
import com.pulumi.aws.kinesis.FirehoseDeliveryStream;
import com.pulumi.aws.kinesis.FirehoseDeliveryStreamArgs;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Cross-account flow-log delivery: the source account's VPC ships flow logs to a
 * Firehose stream owned by the destination account. Two IAM roles cooperate:
 * {@code srcRole} (source account, assumed by the log-delivery service) and
 * {@code dst} (destination account, assumable only by {@code srcRole}).
 *
 * NOTE(review): GetPolicyDocumentStatementArgs, GetPolicyDocumentStatementPrincipalArgs
 * and GetPolicyDocumentStatementConditionArgs are used below but are not imported
 * in this listing; the matching imports are needed before it compiles.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        // For source account
        var src = new Vpc("src");
        // Trust policy for the source role: only the delivery.logs.amazonaws.com
        // service principal may call sts:AssumeRole on it.
        final var srcAssumeRolePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .actions("sts:AssumeRole")
                .effect("Allow")
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("Service")
                    .identifiers("delivery.logs.amazonaws.com")
                    .build())
                .build())
            .build());
        var srcRole = new Role("srcRole", RoleArgs.builder()
            .name("tf-example-mySourceRole")
            .assumeRolePolicy(srcAssumeRolePolicy.json())
            .build());
        // For destination account
        // Trust policy for the destination role: the only trusted principal is
        // the source role's ARN (principal type "AWS").
        final var dstAssumeRolePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .actions("sts:AssumeRole")
                .effect("Allow")
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("AWS")
                    .identifiers(srcRole.arn())
                    .build())
                .build())
            .build());
        var dst = new Role("dst", RoleArgs.builder()
            .name("AWSLogDeliveryFirehoseCrossAccountRole")
            .assumeRolePolicy(dstAssumeRolePolicy.applyValue(_dstAssumeRolePolicy -> _dstAssumeRolePolicy.json()))
            .build());
        // Permissions for the source role, in three statements:
        //  1. iam:PassRole limited to srcRole itself, and only when passed to
        //     delivery.logs.amazonaws.com (iam:PassedToService) for the `src`
        //     VPC's ARN (iam:AssociatedResourceARN, StringLike match).
        //  2. The logs:*LogDelivery management actions on the wildcard
        //     resource "*".
        //  3. sts:AssumeRole on the destination role (the cross-account hop).
        final var srcRolePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(            
                GetPolicyDocumentStatementArgs.builder()
                    .effect("Allow")
                    .actions("iam:PassRole")
                    .resources(srcRole.arn())
                    .conditions(                    
                        GetPolicyDocumentStatementConditionArgs.builder()
                            .test("StringEquals")
                            .variable("iam:PassedToService")
                            .values("delivery.logs.amazonaws.com")
                            .build(),
                        GetPolicyDocumentStatementConditionArgs.builder()
                            .test("StringLike")
                            .variable("iam:AssociatedResourceARN")
                            .values(src.arn())
                            .build())
                    .build(),
                GetPolicyDocumentStatementArgs.builder()
                    .effect("Allow")
                    .actions(                    
                        "logs:CreateLogDelivery",
                        "logs:DeleteLogDelivery",
                        "logs:ListLogDeliveries",
                        "logs:GetLogDelivery")
                    .resources("*")
                    .build(),
                GetPolicyDocumentStatementArgs.builder()
                    .effect("Allow")
                    .actions("sts:AssumeRole")
                    .resources(dst.arn())
                    .build())
            .build());
        // Attaches the document above to the source role as an inline policy.
        var srcPolicy = new RolePolicy("srcPolicy", RolePolicyArgs.builder()
            .name("tf-example-mySourceRolePolicy")
            .role(srcRole.name())
            .policy(srcRolePolicy.applyValue(_srcRolePolicy -> _srcRolePolicy.json()))
            .build());
        // Destination-account Firehose stream. Only the LogDeliveryEnabled tag
        // is shown; the stream's destination configuration is not part of this
        // example. NOTE(review): the tag is presumably what the log-delivery
        // service checks before writing to a cross-account stream — confirm.
        var dstFirehoseDeliveryStream = new FirehoseDeliveryStream("dstFirehoseDeliveryStream", FirehoseDeliveryStreamArgs.builder()
            .tags(Map.of("LogDeliveryEnabled", "true"))
            .build());
        // The flow log: ALL traffic for the `src` VPC, posted via srcRole
        // (iamRoleArn) with dst as the cross-account delivery role.
        var srcFlowLog = new FlowLog("srcFlowLog", FlowLogArgs.builder()
            .logDestinationType("kinesis-data-firehose")
            .logDestination(dstFirehoseDeliveryStream.arn())
            .trafficType("ALL")
            .vpcId(src.id())
            .iamRoleArn(srcRole.arn())
            .deliverCrossAccountRole(dst.arn())
            .build());
        // Permissions for the destination role: iam:CreateServiceLinkedRole and
        // firehose:TagDeliveryStream, both on the wildcard resource "*".
        final var dstRolePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .actions(                
                    "iam:CreateServiceLinkedRole",
                    "firehose:TagDeliveryStream")
                .resources("*")
                .build())
            .build());
        // Attaches the destination document to the destination role.
        var dstRolePolicy2 = new RolePolicy("dstRolePolicy2", RolePolicyArgs.builder()
            .name("AWSLogDeliveryFirehoseCrossAccountRolePolicy")
            .role(dst.name())
            .policy(dstRolePolicy.json())
            .build());
    }
}
resources:
  # Cross-account flow-log delivery: `srcRole` (source account) is assumed by
  # the log-delivery service; `dst` (destination account) is assumable only by
  # `srcRole`. The policy documents are built under `variables` below.
  # For source account
  src:
    type: aws:ec2:Vpc
  srcRole:
    type: aws:iam:Role
    name: src
    properties:
      name: tf-example-mySourceRole
      # Trust policy: see srcAssumeRolePolicy (service principal only).
      assumeRolePolicy: ${srcAssumeRolePolicy.json}
  srcPolicy:
    type: aws:iam:RolePolicy
    name: src_policy
    properties:
      name: tf-example-mySourceRolePolicy
      role: ${srcRole.name}
      # Permissions: see srcRolePolicy (conditioned PassRole, log-delivery
      # actions, AssumeRole on dst).
      policy: ${srcRolePolicy.json}
  srcFlowLog:
    type: aws:ec2:FlowLog
    name: src
    properties:
      logDestinationType: kinesis-data-firehose
      logDestination: ${dstFirehoseDeliveryStream.arn}
      trafficType: ALL
      vpcId: ${src.id}
      # Posting role in the source account; delivery role in the destination.
      iamRoleArn: ${srcRole.arn}
      deliverCrossAccountRole: ${dst.arn}
  dst:
    type: aws:iam:Role
    properties:
      name: AWSLogDeliveryFirehoseCrossAccountRole
      # Trust policy: see dstAssumeRolePolicy (only srcRole's ARN is trusted).
      assumeRolePolicy: ${dstAssumeRolePolicy.json}
  dstRolePolicy2:
    type: aws:iam:RolePolicy
    name: dst
    properties:
      name: AWSLogDeliveryFirehoseCrossAccountRolePolicy
      role: ${dst.name}
      policy: ${dstRolePolicy.json}
  dstFirehoseDeliveryStream:
    type: aws:kinesis:FirehoseDeliveryStream
    name: dst
    properties:
      # Only the tag is shown; the stream's destination configuration is not
      # part of this example.
      tags:
        LogDeliveryEnabled: 'true'
variables:
  # Trust policy for srcRole: only delivery.logs.amazonaws.com may assume it.
  srcAssumeRolePolicy:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - actions:
              - sts:AssumeRole
            effect: Allow
            principals:
              - type: Service
                identifiers:
                  - delivery.logs.amazonaws.com
  srcRolePolicy:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          # iam:PassRole is limited to srcRole itself and, via the two
          # conditions, to being passed to delivery.logs.amazonaws.com for the
          # `src` VPC's ARN only.
          - effect: Allow
            actions:
              - iam:PassRole
            resources:
              - ${srcRole.arn}
            conditions:
              - test: StringEquals
                variable: iam:PassedToService
                values:
                  - delivery.logs.amazonaws.com
              - test: StringLike
                variable: iam:AssociatedResourceARN
                values:
                  - ${src.arn}
          # Log-delivery management actions on the wildcard resource '*'.
          - effect: Allow
            actions:
              - logs:CreateLogDelivery
              - logs:DeleteLogDelivery
              - logs:ListLogDeliveries
              - logs:GetLogDelivery
            resources:
              - '*'
          # Lets srcRole assume the destination role (the cross-account hop).
          - effect: Allow
            actions:
              - sts:AssumeRole
            resources:
              - ${dst.arn}
  # For destination account
  # Trust policy for dst: the only trusted principal is srcRole's ARN.
  dstAssumeRolePolicy:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - actions:
              - sts:AssumeRole
            effect: Allow
            principals:
              - type: AWS
                identifiers:
                  - ${srcRole.arn}
  # Permissions for dst: both actions granted on the wildcard resource '*'.
  dstRolePolicy:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - effect: Allow
            actions:
              - iam:CreateServiceLinkedRole
              - firehose:TagDeliveryStream
            resources:
              - '*'
Create FlowLog Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new FlowLog(name: string, args?: FlowLogArgs, opts?: CustomResourceOptions);
@overload
def FlowLog(resource_name: str,
            args: Optional[FlowLogArgs] = None,
            opts: Optional[ResourceOptions] = None)
@overload
def FlowLog(resource_name: str,
            opts: Optional[ResourceOptions] = None,
            deliver_cross_account_role: Optional[str] = None,
            destination_options: Optional[FlowLogDestinationOptionsArgs] = None,
            eni_id: Optional[str] = None,
            iam_role_arn: Optional[str] = None,
            log_destination: Optional[str] = None,
            log_destination_type: Optional[str] = None,
            log_format: Optional[str] = None,
            max_aggregation_interval: Optional[int] = None,
            region: Optional[str] = None,
            subnet_id: Optional[str] = None,
            tags: Optional[Mapping[str, str]] = None,
            traffic_type: Optional[str] = None,
            transit_gateway_attachment_id: Optional[str] = None,
            transit_gateway_id: Optional[str] = None,
            vpc_id: Optional[str] = None)
func NewFlowLog(ctx *Context, name string, args *FlowLogArgs, opts ...ResourceOption) (*FlowLog, error)
public FlowLog(string name, FlowLogArgs? args = null, CustomResourceOptions? opts = null)
public FlowLog(String name, FlowLogArgs args)
public FlowLog(String name, FlowLogArgs args, CustomResourceOptions options)
type: aws:ec2:FlowLog
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args FlowLogArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args FlowLogArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args FlowLogArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args FlowLogArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args FlowLogArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference example only: every input holds a placeholder ("string", 0, false),
// so it is not deployable as written. Per the input docs below, at least one of
// EniId, SubnetId, TransitGatewayId, TransitGatewayAttachmentId or VpcId must be
// set, and LogDestinationType must be one of cloud-watch-logs, s3 or
// kinesis-data-firehose.
var flowLogResource = new Aws.Ec2.FlowLog("flowLogResource", new()
{
    DeliverCrossAccountRole = "string",
    DestinationOptions = new Aws.Ec2.Inputs.FlowLogDestinationOptionsArgs
    {
        FileFormat = "string",
        HiveCompatiblePartitions = false,
        PerHourPartition = false,
    },
    EniId = "string",
    IamRoleArn = "string",
    LogDestination = "string",
    LogDestinationType = "string",
    LogFormat = "string",
    MaxAggregationInterval = 0,
    Region = "string",
    SubnetId = "string",
    Tags = 
    {
        { "string", "string" },
    },
    TrafficType = "string",
    TransitGatewayAttachmentId = "string",
    TransitGatewayId = "string",
    VpcId = "string",
});
// Reference example only: every input holds a placeholder ("string", 0, false),
// so it is not deployable as written. Per the input docs below, at least one of
// EniId, SubnetId, TransitGatewayId, TransitGatewayAttachmentId or VpcId must be
// set, and LogDestinationType must be one of cloud-watch-logs, s3 or
// kinesis-data-firehose. Check err before using example.
example, err := ec2.NewFlowLog(ctx, "flowLogResource", &ec2.FlowLogArgs{
	DeliverCrossAccountRole: pulumi.String("string"),
	DestinationOptions: &ec2.FlowLogDestinationOptionsArgs{
		FileFormat:               pulumi.String("string"),
		HiveCompatiblePartitions: pulumi.Bool(false),
		PerHourPartition:         pulumi.Bool(false),
	},
	EniId:                  pulumi.String("string"),
	IamRoleArn:             pulumi.String("string"),
	LogDestination:         pulumi.String("string"),
	LogDestinationType:     pulumi.String("string"),
	LogFormat:              pulumi.String("string"),
	MaxAggregationInterval: pulumi.Int(0),
	Region:                 pulumi.String("string"),
	SubnetId:               pulumi.String("string"),
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	TrafficType:                pulumi.String("string"),
	TransitGatewayAttachmentId: pulumi.String("string"),
	TransitGatewayId:           pulumi.String("string"),
	VpcId:                      pulumi.String("string"),
})
// Reference example only: every input holds a placeholder ("string", 0, false),
// so it is not deployable as written. Per the input docs below, at least one of
// eniId, subnetId, transitGatewayId, transitGatewayAttachmentId or vpcId must be
// set, and logDestinationType must be one of cloud-watch-logs, s3 or
// kinesis-data-firehose.
var flowLogResource = new FlowLog("flowLogResource", FlowLogArgs.builder()
    .deliverCrossAccountRole("string")
    .destinationOptions(FlowLogDestinationOptionsArgs.builder()
        .fileFormat("string")
        .hiveCompatiblePartitions(false)
        .perHourPartition(false)
        .build())
    .eniId("string")
    .iamRoleArn("string")
    .logDestination("string")
    .logDestinationType("string")
    .logFormat("string")
    .maxAggregationInterval(0)
    .region("string")
    .subnetId("string")
    .tags(Map.of("string", "string"))
    .trafficType("string")
    .transitGatewayAttachmentId("string")
    .transitGatewayId("string")
    .vpcId("string")
    .build());
# Reference example only: every input holds a placeholder ("string", 0, False),
# so it is not deployable as written. Per the input docs below, at least one of
# eni_id, subnet_id, transit_gateway_id, transit_gateway_attachment_id or vpc_id
# must be set, and log_destination_type must be one of cloud-watch-logs, s3 or
# kinesis-data-firehose.
flow_log_resource = aws.ec2.FlowLog("flowLogResource",
    deliver_cross_account_role="string",
    destination_options={
        "file_format": "string",
        "hive_compatible_partitions": False,
        "per_hour_partition": False,
    },
    eni_id="string",
    iam_role_arn="string",
    log_destination="string",
    log_destination_type="string",
    log_format="string",
    max_aggregation_interval=0,
    region="string",
    subnet_id="string",
    tags={
        "string": "string",
    },
    traffic_type="string",
    transit_gateway_attachment_id="string",
    transit_gateway_id="string",
    vpc_id="string")
// Reference example only: every input holds a placeholder ("string", 0, false),
// so it is not deployable as written. Per the input docs below, at least one of
// eniId, subnetId, transitGatewayId, transitGatewayAttachmentId or vpcId must be
// set, and logDestinationType must be one of cloud-watch-logs, s3 or
// kinesis-data-firehose.
const flowLogResource = new aws.ec2.FlowLog("flowLogResource", {
    deliverCrossAccountRole: "string",
    destinationOptions: {
        fileFormat: "string",
        hiveCompatiblePartitions: false,
        perHourPartition: false,
    },
    eniId: "string",
    iamRoleArn: "string",
    logDestination: "string",
    logDestinationType: "string",
    logFormat: "string",
    maxAggregationInterval: 0,
    region: "string",
    subnetId: "string",
    tags: {
        string: "string",
    },
    trafficType: "string",
    transitGatewayAttachmentId: "string",
    transitGatewayId: "string",
    vpcId: "string",
});
# Reference example only: every input holds a placeholder (string, 0, false),
# so it is not deployable as written. Per the input docs below, at least one of
# eniId, subnetId, transitGatewayId, transitGatewayAttachmentId or vpcId must be
# set, and logDestinationType must be one of cloud-watch-logs, s3 or
# kinesis-data-firehose.
type: aws:ec2:FlowLog
properties:
    deliverCrossAccountRole: string
    destinationOptions:
        fileFormat: string
        hiveCompatiblePartitions: false
        perHourPartition: false
    eniId: string
    iamRoleArn: string
    logDestination: string
    logDestinationType: string
    logFormat: string
    maxAggregationInterval: 0
    region: string
    subnetId: string
    tags:
        string: string
    trafficType: string
    transitGatewayAttachmentId: string
    transitGatewayId: string
    vpcId: string
FlowLog Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The FlowLog resource accepts the following input properties:
- DeliverCrossAccountRole string
- ARN of the IAM role in the destination account used for cross-account delivery of flow logs.
- DestinationOptions FlowLogDestinationOptions
- Describes the destination options for a flow log. More details below.
- EniId string
- Elastic Network Interface ID to attach to.
- IamRoleArn string
- ARN of the IAM role used to post flow logs. Corresponds to DeliverLogsPermissionArn in the AWS API.
- LogDestination string
- ARN of the logging destination.
- LogDestinationType string
- Logging destination type. Valid values: cloud-watch-logs, s3, kinesis-data-firehose. Default: cloud-watch-logs.
- LogFormat string
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- MaxAggregationInterval int
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.
Valid Values: 60 seconds (1 minute) or 600 seconds (10 minutes). Default: 600. When transit_gateway_id or transit_gateway_attachment_id is specified, max_aggregation_interval must be 60 seconds (1 minute).
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- SubnetId string
- Subnet ID to attach to.
- Tags Dictionary<string, string>
- Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level. NOTE: One of eni_id, subnet_id, transit_gateway_id, transit_gateway_attachment_id, or vpc_id must be specified.
- TrafficType string
- The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL.
- TransitGatewayAttachmentId string
- Transit Gateway Attachment ID to attach to.
- TransitGatewayId string
- Transit Gateway ID to attach to.
- VpcId string
- VPC ID to attach to.
- DeliverCrossAccountRole string
- ARN of the IAM role in the destination account used for cross-account delivery of flow logs.
- DestinationOptions FlowLogDestinationOptionsArgs
- Describes the destination options for a flow log. More details below.
- EniId string
- Elastic Network Interface ID to attach to.
- IamRoleArn string
- ARN of the IAM role used to post flow logs. Corresponds to DeliverLogsPermissionArn in the AWS API.
- LogDestination string
- ARN of the logging destination.
- LogDestinationType string
- Logging destination type. Valid values: cloud-watch-logs, s3, kinesis-data-firehose. Default: cloud-watch-logs.
- LogFormat string
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- MaxAggregationInterval int
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.
Valid Values: 60 seconds (1 minute) or 600 seconds (10 minutes). Default: 600. When transit_gateway_id or transit_gateway_attachment_id is specified, max_aggregation_interval must be 60 seconds (1 minute).
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- SubnetId string
- Subnet ID to attach to.
- Tags map[string]string
- Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level. NOTE: One of eni_id, subnet_id, transit_gateway_id, transit_gateway_attachment_id, or vpc_id must be specified.
- TrafficType string
- The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL.
- TransitGatewayAttachmentId string
- Transit Gateway Attachment ID to attach to.
- TransitGatewayId string
- Transit Gateway ID to attach to.
- VpcId string
- VPC ID to attach to.
- deliverCrossAccountRole String
- ARN of the IAM role in the destination account used for cross-account delivery of flow logs.
- destinationOptions FlowLogDestinationOptions
- Describes the destination options for a flow log. More details below.
- eniId String
- Elastic Network Interface ID to attach to.
- iamRoleArn String
- ARN of the IAM role used to post flow logs. Corresponds to DeliverLogsPermissionArn in the AWS API.
- logDestination String
- ARN of the logging destination.
- logDestinationType String
- Logging destination type. Valid values: cloud-watch-logs, s3, kinesis-data-firehose. Default: cloud-watch-logs.
- logFormat String
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- maxAggregationInterval Integer
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.
Valid Values: 60 seconds (1 minute) or 600 seconds (10 minutes). Default: 600. When transit_gateway_id or transit_gateway_attachment_id is specified, max_aggregation_interval must be 60 seconds (1 minute).
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- subnetId String
- Subnet ID to attach to.
- tags Map<String,String>
- Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level. NOTE: One of eni_id, subnet_id, transit_gateway_id, transit_gateway_attachment_id, or vpc_id must be specified.
- trafficType String
- The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL.
- transitGatewayAttachmentId String
- Transit Gateway Attachment ID to attach to.
- transitGatewayId String
- Transit Gateway ID to attach to.
- vpcId String
- VPC ID to attach to.
- deliverCrossAccountRole string
- ARN of the IAM role in the destination account used for cross-account delivery of flow logs.
- destinationOptions FlowLogDestinationOptions
- Describes the destination options for a flow log. More details below.
- eniId string
- Elastic Network Interface ID to attach to.
- iamRoleArn string
- ARN of the IAM role used to post flow logs. Corresponds to DeliverLogsPermissionArn in the AWS API.
- logDestination string
- ARN of the logging destination.
- logDestinationType string
- Logging destination type. Valid values: cloud-watch-logs, s3, kinesis-data-firehose. Default: cloud-watch-logs.
- logFormat string
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- maxAggregationInterval number
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.
Valid Values: 60 seconds (1 minute) or 600 seconds (10 minutes). Default: 600. When transit_gateway_id or transit_gateway_attachment_id is specified, max_aggregation_interval must be 60 seconds (1 minute).
- region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- subnetId string
- Subnet ID to attach to.
- tags {[key: string]: string}
- Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level. NOTE: One of eni_id, subnet_id, transit_gateway_id, transit_gateway_attachment_id, or vpc_id must be specified.
- trafficType string
- The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL.
- transitGatewayAttachmentId string
- Transit Gateway Attachment ID to attach to.
- transitGatewayId string
- Transit Gateway ID to attach to.
- vpcId string
- VPC ID to attach to.
- deliver_cross_account_role str
- ARN of the IAM role in the destination account used for cross-account delivery of flow logs.
- destination_options FlowLogDestinationOptionsArgs
- Describes the destination options for a flow log. More details below.
- eni_id str
- Elastic Network Interface ID to attach to.
- iam_role_arn str
- ARN of the IAM role used to post flow logs. Corresponds to DeliverLogsPermissionArn in the AWS API.
- log_destination str
- ARN of the logging destination.
- log_destination_type str
- Logging destination type. Valid values: cloud-watch-logs, s3, kinesis-data-firehose. Default: cloud-watch-logs.
- log_format str
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- max_aggregation_interval int
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.
Valid Values: 60 seconds (1 minute) or 600 seconds (10 minutes). Default: 600. When transit_gateway_id or transit_gateway_attachment_id is specified, max_aggregation_interval must be 60 seconds (1 minute).
- region str
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- subnet_id str
- Subnet ID to attach to.
- tags Mapping[str, str]
- Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level. NOTE: One of eni_id, subnet_id, transit_gateway_id, transit_gateway_attachment_id, or vpc_id must be specified.
- traffic_type str
- The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL.
- transit_gateway_attachment_id str
- Transit Gateway Attachment ID to attach to.
- transit_gateway_id str
- Transit Gateway ID to attach to.
- vpc_id str
- VPC ID to attach to.
- deliverCrossAccountRole String
- ARN of the IAM role in the destination account used for cross-account delivery of flow logs.
- destinationOptions Property Map
- Describes the destination options for a flow log. More details below.
- eniId String
- Elastic Network Interface ID to attach to.
- iamRoleArn String
- ARN of the IAM role used to post flow logs. Corresponds to DeliverLogsPermissionArn in the AWS API.
- logDestination String
- ARN of the logging destination.
- logDestinationType String
- Logging destination type. Valid values: cloud-watch-logs, s3, kinesis-data-firehose. Default: cloud-watch-logs.
- logFormat String
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- maxAggregationInterval Number
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.
Valid Values: 60 seconds (1 minute) or 600 seconds (10 minutes). Default: 600. When transit_gateway_id or transit_gateway_attachment_id is specified, max_aggregation_interval must be 60 seconds (1 minute).
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- subnetId String
- Subnet ID to attach to.
- tags Map<String>
- Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level. NOTE: One of eni_id, subnet_id, transit_gateway_id, transit_gateway_attachment_id, or vpc_id must be specified.
- trafficType String
- The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL.
- transitGatewayAttachmentId String
- Transit Gateway Attachment ID to attach to.
- transitGatewayId String
- Transit Gateway ID to attach to.
- vpcId String
- VPC ID to attach to.
Outputs
All input properties are implicitly available as output properties. Additionally, the FlowLog resource produces the following output properties:
Look up Existing FlowLog Resource
Get an existing FlowLog resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: FlowLogState, opts?: CustomResourceOptions): FlowLog
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        arn: Optional[str] = None,
        deliver_cross_account_role: Optional[str] = None,
        destination_options: Optional[FlowLogDestinationOptionsArgs] = None,
        eni_id: Optional[str] = None,
        iam_role_arn: Optional[str] = None,
        log_destination: Optional[str] = None,
        log_destination_type: Optional[str] = None,
        log_format: Optional[str] = None,
        max_aggregation_interval: Optional[int] = None,
        region: Optional[str] = None,
        subnet_id: Optional[str] = None,
        tags: Optional[Mapping[str, str]] = None,
        tags_all: Optional[Mapping[str, str]] = None,
        traffic_type: Optional[str] = None,
        transit_gateway_attachment_id: Optional[str] = None,
        transit_gateway_id: Optional[str] = None,
        vpc_id: Optional[str] = None) -> FlowLog
func GetFlowLog(ctx *Context, name string, id IDInput, state *FlowLogState, opts ...ResourceOption) (*FlowLog, error)
public static FlowLog Get(string name, Input<string> id, FlowLogState? state, CustomResourceOptions? opts = null)
public static FlowLog get(String name, Output<String> id, FlowLogState state, CustomResourceOptions options)
resources:
  _:
    type: aws:ec2:FlowLog
    get:
      id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Arn string
- ARN of the Flow Log.
- DeliverCross stringAccount Role 
- ARN of the IAM role in the destination account used for cross-account delivery of flow logs.
- DestinationOptions FlowLog Destination Options 
- Describes the destination options for a flow log. More details below.
- EniId string
- Elastic Network Interface ID to attach to.
- IamRole stringArn 
- ARN of the IAM role used to post flow logs. Corresponds to `DeliverLogsPermissionArn` in the AWS API.
- LogDestination string
- ARN of the logging destination.
- LogDestination stringType 
- Logging destination type. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
- LogFormat string
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- MaxAggregation intInterval 
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.
Valid values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transit_gateway_id` or `transit_gateway_attachment_id` is specified, `max_aggregation_interval` must be `60` seconds (1 minute).
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- SubnetId string
- Subnet ID to attach to.
- Tags Dictionary<string, string>
- Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
- NOTE: One of `eni_id`, `subnet_id`, `transit_gateway_id`, `transit_gateway_attachment_id`, or `vpc_id` must be specified.
- TagsAll Dictionary<string, string>
- A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- TrafficType string
- The type of traffic to capture. Valid values: ACCEPT,REJECT,ALL.
- TransitGateway stringAttachment Id 
- Transit Gateway Attachment ID to attach to.
- TransitGateway stringId 
- Transit Gateway ID to attach to.
- VpcId string
- VPC ID to attach to.
- Arn string
- ARN of the Flow Log.
- DeliverCross stringAccount Role 
- ARN of the IAM role in the destination account used for cross-account delivery of flow logs.
- DestinationOptions FlowLog Destination Options Args 
- Describes the destination options for a flow log. More details below.
- EniId string
- Elastic Network Interface ID to attach to.
- IamRole stringArn 
- ARN of the IAM role used to post flow logs. Corresponds to `DeliverLogsPermissionArn` in the AWS API.
- LogDestination string
- ARN of the logging destination.
- LogDestination stringType 
- Logging destination type. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
- LogFormat string
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- MaxAggregation intInterval 
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.
Valid values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transit_gateway_id` or `transit_gateway_attachment_id` is specified, `max_aggregation_interval` must be `60` seconds (1 minute).
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- SubnetId string
- Subnet ID to attach to.
- Tags map[string]string
- Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
- NOTE: One of `eni_id`, `subnet_id`, `transit_gateway_id`, `transit_gateway_attachment_id`, or `vpc_id` must be specified.
- TagsAll map[string]string
- A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- TrafficType string
- The type of traffic to capture. Valid values: ACCEPT,REJECT,ALL.
- TransitGateway stringAttachment Id 
- Transit Gateway Attachment ID to attach to.
- TransitGateway stringId 
- Transit Gateway ID to attach to.
- VpcId string
- VPC ID to attach to.
- arn String
- ARN of the Flow Log.
- deliverCross StringAccount Role 
- ARN of the IAM role in the destination account used for cross-account delivery of flow logs.
- destinationOptions FlowLog Destination Options 
- Describes the destination options for a flow log. More details below.
- eniId String
- Elastic Network Interface ID to attach to.
- iamRole StringArn 
- ARN of the IAM role used to post flow logs. Corresponds to `DeliverLogsPermissionArn` in the AWS API.
- logDestination String
- ARN of the logging destination.
- logDestination StringType 
- Logging destination type. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
- logFormat String
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- maxAggregation IntegerInterval 
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.
Valid values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transit_gateway_id` or `transit_gateway_attachment_id` is specified, `max_aggregation_interval` must be `60` seconds (1 minute).
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- subnetId String
- Subnet ID to attach to.
- tags Map<String,String>
- Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
- NOTE: One of `eni_id`, `subnet_id`, `transit_gateway_id`, `transit_gateway_attachment_id`, or `vpc_id` must be specified.
- tagsAll Map<String,String>
- A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- trafficType String
- The type of traffic to capture. Valid values: ACCEPT,REJECT,ALL.
- transitGateway StringAttachment Id 
- Transit Gateway Attachment ID to attach to.
- transitGateway StringId 
- Transit Gateway ID to attach to.
- vpcId String
- VPC ID to attach to.
- arn string
- ARN of the Flow Log.
- deliverCross stringAccount Role 
- ARN of the IAM role in the destination account used for cross-account delivery of flow logs.
- destinationOptions FlowLog Destination Options 
- Describes the destination options for a flow log. More details below.
- eniId string
- Elastic Network Interface ID to attach to.
- iamRole stringArn 
- ARN of the IAM role used to post flow logs. Corresponds to `DeliverLogsPermissionArn` in the AWS API.
- logDestination string
- ARN of the logging destination.
- logDestination stringType 
- Logging destination type. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
- logFormat string
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- maxAggregation numberInterval 
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.
Valid values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transit_gateway_id` or `transit_gateway_attachment_id` is specified, `max_aggregation_interval` must be `60` seconds (1 minute).
- region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- subnetId string
- Subnet ID to attach to.
- tags {[key: string]: string}
- Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
- NOTE: One of `eni_id`, `subnet_id`, `transit_gateway_id`, `transit_gateway_attachment_id`, or `vpc_id` must be specified.
- tagsAll {[key: string]: string}
- A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- trafficType string
- The type of traffic to capture. Valid values: ACCEPT,REJECT,ALL.
- transitGateway stringAttachment Id 
- Transit Gateway Attachment ID to attach to.
- transitGateway stringId 
- Transit Gateway ID to attach to.
- vpcId string
- VPC ID to attach to.
- arn str
- ARN of the Flow Log.
- deliver_cross_ straccount_ role 
- ARN of the IAM role in the destination account used for cross-account delivery of flow logs.
- destination_options FlowLog Destination Options Args 
- Describes the destination options for a flow log. More details below.
- eni_id str
- Elastic Network Interface ID to attach to.
- iam_role_ strarn 
- ARN of the IAM role used to post flow logs. Corresponds to `DeliverLogsPermissionArn` in the AWS API.
- log_destination str
- ARN of the logging destination.
- log_destination_ strtype 
- Logging destination type. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
- log_format str
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- max_aggregation_ intinterval 
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.
Valid values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transit_gateway_id` or `transit_gateway_attachment_id` is specified, `max_aggregation_interval` must be `60` seconds (1 minute).
- region str
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- subnet_id str
- Subnet ID to attach to.
- tags Mapping[str, str]
- Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
- NOTE: One of `eni_id`, `subnet_id`, `transit_gateway_id`, `transit_gateway_attachment_id`, or `vpc_id` must be specified.
- tags_all Mapping[str, str]
- A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- traffic_type str
- The type of traffic to capture. Valid values: ACCEPT,REJECT,ALL.
- transit_gateway_ strattachment_ id 
- Transit Gateway Attachment ID to attach to.
- transit_gateway_ strid 
- Transit Gateway ID to attach to.
- vpc_id str
- VPC ID to attach to.
- arn String
- ARN of the Flow Log.
- deliverCross StringAccount Role 
- ARN of the IAM role in the destination account used for cross-account delivery of flow logs.
- destinationOptions Property Map
- Describes the destination options for a flow log. More details below.
- eniId String
- Elastic Network Interface ID to attach to.
- iamRole StringArn 
- ARN of the IAM role used to post flow logs. Corresponds to `DeliverLogsPermissionArn` in the AWS API.
- logDestination String
- ARN of the logging destination.
- logDestination StringType 
- Logging destination type. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
- logFormat String
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- maxAggregation NumberInterval 
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.
Valid values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transit_gateway_id` or `transit_gateway_attachment_id` is specified, `max_aggregation_interval` must be `60` seconds (1 minute).
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- subnetId String
- Subnet ID to attach to.
- tags Map<String>
- Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
- NOTE: One of `eni_id`, `subnet_id`, `transit_gateway_id`, `transit_gateway_attachment_id`, or `vpc_id` must be specified.
- tagsAll Map<String>
- A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- trafficType String
- The type of traffic to capture. Valid values: ACCEPT,REJECT,ALL.
- transitGateway StringAttachment Id 
- Transit Gateway Attachment ID to attach to.
- transitGateway StringId 
- Transit Gateway ID to attach to.
- vpcId String
- VPC ID to attach to.
Supporting Types
FlowLogDestinationOptions, FlowLogDestinationOptionsArgs        
- FileFormat string
- File format for the flow log. Default value: `plain-text`. Valid values: `plain-text`, `parquet`.
- HiveCompatiblePartitions bool
- Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. Default value: false.
- PerHourPartition bool
- Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. Default value: false.
- FileFormat string
- File format for the flow log. Default value: `plain-text`. Valid values: `plain-text`, `parquet`.
- HiveCompatiblePartitions bool
- Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. Default value: false.
- PerHourPartition bool
- Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. Default value: false.
- fileFormat String
- File format for the flow log. Default value: `plain-text`. Valid values: `plain-text`, `parquet`.
- hiveCompatiblePartitions Boolean
- Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. Default value: false.
- perHourPartition Boolean
- Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. Default value: false.
- fileFormat string
- File format for the flow log. Default value: `plain-text`. Valid values: `plain-text`, `parquet`.
- hiveCompatiblePartitions boolean
- Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. Default value: false.
- perHourPartition boolean
- Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. Default value: false.
- file_format str
- File format for the flow log. Default value: `plain-text`. Valid values: `plain-text`, `parquet`.
- hive_compatible_partitions bool
- Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. Default value: false.
- per_hour_partition bool
- Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. Default value: false.
- fileFormat String
- File format for the flow log. Default value: `plain-text`. Valid values: `plain-text`, `parquet`.
- hiveCompatiblePartitions Boolean
- Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. Default value: false.
- perHourPartition Boolean
- Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. Default value: false.
Import
Using `pulumi import`, import Flow Logs using the flow log ID. For example:
$ pulumi import aws:ec2/flowLog:FlowLog test_flow_log fl-1a2b3c4d
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the `aws` Terraform Provider.
