
@pulumi/aws


A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources.

import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
 * Provides a VPC/Subnet/ENI/Transit Gateway/Transit Gateway Attachment Flow Log to capture IP traffic for a specific network
 * interface, subnet, or VPC. Logs are sent to a CloudWatch Log Group, an S3 Bucket, or Amazon Data Firehose.
 *
 * > **Security note:** flow log records describe who talked to what (addresses, ports, accept/reject) for every
 * > captured flow, so the log destination is sensitive telemetry and is usually also the evidence a security team
 * > relies on during an investigation. Treat the destination (log group, bucket, or delivery stream) as a
 * > security-relevant asset: restrict who can read or delete it, and keep the delivery role's permissions limited to
 * > the one destination it writes to. The examples below show the minimal wiring only; the `NOTE(review)` comments
 * > mark the places a production deployment would normally tighten.
 *
 * ## Example Usage
 *
 * ### CloudWatch Logging
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const exampleLogGroup = new aws.cloudwatch.LogGroup("example", {name: "example"});
 * const assumeRole = aws.iam.getPolicyDocument({
 *     statements: [{
 *         effect: "Allow",
 *         principals: [{
 *             type: "Service",
 *             identifiers: ["vpc-flow-logs.amazonaws.com"],
 *         }],
 *         actions: ["sts:AssumeRole"],
 *         // NOTE(review): this trust policy carries no `aws:SourceAccount` / `aws:SourceArn` condition, so it
 *         // relies entirely on the service principal. AWS's flow-logs guidance describes adding those conditions to
 *         // the trust policy as a confused-deputy mitigation — confirm against the current VPC Flow Logs user guide
 *         // before copying this example into a real account.
 *     }],
 * });
 * const exampleRole = new aws.iam.Role("example", {
 *     name: "example",
 *     assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json),
 * });
 * const exampleFlowLog = new aws.ec2.FlowLog("example", {
 *     iamRoleArn: exampleRole.arn,
 *     logDestination: exampleLogGroup.arn,
 *     trafficType: "ALL",
 *     vpcId: exampleAwsVpc.id,
 * });
 * const example = aws.iam.getPolicyDocument({
 *     statements: [{
 *         effect: "Allow",
 *         actions: [
 *             "logs:CreateLogGroup",
 *             "logs:CreateLogStream",
 *             "logs:PutLogEvents",
 *             "logs:DescribeLogGroups",
 *             "logs:DescribeLogStreams",
 *         ],
 *         // NOTE(review): `"*"` lets the delivery role create streams and write events into *any* log group in the
 *         // account, not just `exampleLogGroup`. Scope `logs:CreateLogStream` / `logs:PutLogEvents` /
 *         // `logs:DescribeLogStreams` to the target group (its ARN plus the `:*` stream suffix — check the ARN shape
 *         // `LogGroup.arn` returns in this provider version). `logs:CreateLogGroup` is not needed at all here,
 *         // because the group is created by this program rather than by the flow log service.
 *         resources: ["*"],
 *     }],
 * });
 * const exampleRolePolicy = new aws.iam.RolePolicy("example", {
 *     name: "example",
 *     role: exampleRole.id,
 *     policy: example.then(example => example.json),
 * });
 * ```
 *
 * ### Amazon Data Firehose logging
 *
 * No same-account Firehose example is provided in this version of the documentation; the
 * "Cross-Account Amazon Data Firehose Logging" example below shows the roles and the
 * `kinesis-data-firehose` destination type that Firehose delivery uses.
 *
 * ### S3 Logging
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * // NOTE(review): this is a bare bucket — no public-access block, default encryption, versioning/object lock or
 * // bucket policy is configured in the example. Flow logs are security evidence; a production bucket for them
 * // normally gets all of those so the records cannot be exposed or quietly deleted.
 * const exampleBucket = new aws.s3.Bucket("example", {bucket: "example"});
 * const example = new aws.ec2.FlowLog("example", {
 *     logDestination: exampleBucket.arn,
 *     logDestinationType: "s3",
 *     trafficType: "ALL",
 *     vpcId: exampleAwsVpc.id,
 *     // NOTE(review): no `iamRoleArn` is set for S3 delivery; instead delivery depends on a bucket policy that
 *     // allows `delivery.logs.amazonaws.com` to write. The example does not define that policy — confirm in the AWS
 *     // flow-logs-to-S3 documentation whether the service attaches one automatically for your caller, and review
 *     // whatever policy ends up on the bucket.
 * });
 * ```
 *
 * ### S3 Logging in Apache Parquet format with per-hour partitions
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const exampleBucket = new aws.s3.Bucket("example", {bucket: "example"});
 * const example = new aws.ec2.FlowLog("example", {
 *     logDestination: exampleBucket.arn,
 *     logDestinationType: "s3",
 *     trafficType: "ALL",
 *     vpcId: exampleAwsVpc.id,
 *     destinationOptions: {
 *         fileFormat: "parquet",
 *         perHourPartition: true,
 *     },
 * });
 * ```
 *
 * ### Cross-Account Amazon Data Firehose Logging
 *
 * The following example shows how to set up a flow log in one AWS account (source) that sends logs to an Amazon Data Firehose delivery stream in another AWS account (destination).
 * See the [AWS Documentation](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-firehose.html).
 *
 * The trust chain is: the log delivery service assumes `srcRole` in the source account, and `srcRole` is the only
 * principal allowed to assume `dst` in the destination account. Keep both halves narrow — the `dst` trust policy
 * below names the exact source role ARN rather than the whole source account, which is the right shape.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * // For source account
 * const src = new aws.ec2.Vpc("src", {});
 * const srcAssumeRolePolicy = aws.iam.getPolicyDocument({
 *     statements: [{
 *         actions: ["sts:AssumeRole"],
 *         effect: "Allow",
 *         principals: [{
 *             type: "Service",
 *             identifiers: ["delivery.logs.amazonaws.com"],
 *         }],
 *         // NOTE(review): as with the CloudWatch example, no `aws:SourceAccount` / `aws:SourceArn` condition is
 *         // present on this service trust — consider adding them (confused-deputy mitigation).
 *     }],
 * });
 * const srcRole = new aws.iam.Role("src", {
 *     name: "tf-example-mySourceRole",
 *     assumeRolePolicy: srcAssumeRolePolicy.then(srcAssumeRolePolicy => srcAssumeRolePolicy.json),
 * });
 * // For destination account
 * const dstAssumeRolePolicy = aws.iam.getPolicyDocumentOutput({
 *     statements: [{
 *         actions: ["sts:AssumeRole"],
 *         effect: "Allow",
 *         principals: [{
 *             type: "AWS",
 *             // Only the specific source role may assume the destination role — not the whole source account.
 *             identifiers: [srcRole.arn],
 *         }],
 *     }],
 * });
 * const dst = new aws.iam.Role("dst", {
 *     name: "AWSLogDeliveryFirehoseCrossAccountRole",
 *     assumeRolePolicy: dstAssumeRolePolicy.apply(dstAssumeRolePolicy => dstAssumeRolePolicy.json),
 * });
 * const srcRolePolicy = aws.iam.getPolicyDocumentOutput({
 *     statements: [
 *         {
 *             effect: "Allow",
 *             actions: ["iam:PassRole"],
 *             resources: [srcRole.arn],
 *             // `iam:PassRole` is constrained on both ends: the role may only be passed to the log delivery
 *             // service, and only for the `src` VPC. Keep these conditions — an unconditioned PassRole is a
 *             // common privilege-escalation path.
 *             conditions: [
 *                 {
 *                     test: "StringEquals",
 *                     variable: "iam:PassedToService",
 *                     values: ["delivery.logs.amazonaws.com"],
 *                 },
 *                 {
 *                     test: "StringLike",
 *                     variable: "iam:AssociatedResourceARN",
 *                     values: [src.arn],
 *                 },
 *             ],
 *         },
 *         {
 *             effect: "Allow",
 *             actions: [
 *                 "logs:CreateLogDelivery",
 *                 "logs:DeleteLogDelivery",
 *                 "logs:ListLogDeliveries",
 *                 "logs:GetLogDelivery",
 *             ],
 *             // NOTE(review): log-delivery actions on `"*"` — this mirrors AWS's reference policy, but note that it
 *             // includes `logs:DeleteLogDelivery`, i.e. the role can also tear down deliveries.
 *             resources: ["*"],
 *         },
 *         {
 *             effect: "Allow",
 *             actions: ["sts:AssumeRole"],
 *             // Scoped to the single destination role, which is the tight form.
 *             resources: [dst.arn],
 *         },
 *     ],
 * });
 * const srcPolicy = new aws.iam.RolePolicy("src_policy", {
 *     name: "tf-example-mySourceRolePolicy",
 *     role: srcRole.name,
 *     policy: srcRolePolicy.apply(srcRolePolicy => srcRolePolicy.json),
 * });
 * // NOTE(review): the `LogDeliveryEnabled` tag is presumably what authorises log delivery to this stream (the
 * // destination role is granted `firehose:TagDeliveryStream` below) — verify against the linked AWS documentation.
 * const dstFirehoseDeliveryStream = new aws.kinesis.FirehoseDeliveryStream("dst", {tags: {
 *     LogDeliveryEnabled: "true",
 * }});
 * const srcFlowLog = new aws.ec2.FlowLog("src", {
 *     logDestinationType: "kinesis-data-firehose",
 *     logDestination: dstFirehoseDeliveryStream.arn,
 *     trafficType: "ALL",
 *     vpcId: src.id,
 *     iamRoleArn: srcRole.arn,
 *     deliverCrossAccountRole: dst.arn,
 * });
 * const dstRolePolicy = aws.iam.getPolicyDocument({
 *     statements: [{
 *         effect: "Allow",
 *         actions: [
 *             "iam:CreateServiceLinkedRole",
 *             "firehose:TagDeliveryStream",
 *         ],
 *         // NOTE(review): `firehose:TagDeliveryStream` could be scoped to the delivery stream's ARN instead of
 *         // `"*"`; `iam:CreateServiceLinkedRole` is what AWS's reference policy uses — leave it, but be aware the
 *         // destination role can create service-linked roles account-wide.
 *         resources: ["*"],
 *     }],
 * });
 * const dstRolePolicy2 = new aws.iam.RolePolicy("dst", {
 *     name: "AWSLogDeliveryFirehoseCrossAccountRolePolicy",
 *     role: dst.name,
 *     policy: dstRolePolicy.then(dstRolePolicy => dstRolePolicy.json),
 * });
 * ```
 *
 * ## Import
 *
 * Using `pulumi import`, import Flow Logs using the `id`. For example:
 *
 * ```sh
 * $ pulumi import aws:ec2/flowLog:FlowLog test_flow_log fl-1a2b3c4d
 * ```
 */
export declare class FlowLog extends pulumi.CustomResource {
    /**
     * Get an existing FlowLog resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: FlowLogState, opts?: pulumi.CustomResourceOptions): FlowLog;
    /**
     * Returns true if the given object is an instance of FlowLog. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is FlowLog;
    /**
     * ARN of the Flow Log.
     */
    readonly arn: pulumi.Output<string>;
    /**
     * ARN of the IAM role in the destination account used for cross-account delivery of flow logs.
     * In the cross-account example this role's trust policy names the source-account delivery role
     * (`iamRoleArn`) as its only principal; keep that trust narrow rather than trusting the whole account.
     */
    readonly deliverCrossAccountRole: pulumi.Output<string | undefined>;
    /**
     * Describes the destination options for a flow log (file format and partitioning for S3 delivery).
     * See `FlowLogDestinationOptions` in `../types/output` for the fields.
     */
    readonly destinationOptions: pulumi.Output<outputs.ec2.FlowLogDestinationOptions | undefined>;
    /**
     * Elastic Network Interface ID to attach to.
     */
    readonly eniId: pulumi.Output<string | undefined>;
    /**
     * ARN of the IAM role used to post flow logs. Corresponds to `DeliverLogsPermissionArn` in the [AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFlowLogs.html).
     *
     * The examples set this for CloudWatch and Firehose delivery but not for S3 delivery, where a bucket policy
     * authorises the service instead — confirm the exact requirement against the linked API reference.
     * Whatever role is used here should be scoped to the single destination named in `logDestination`.
     */
    readonly iamRoleArn: pulumi.Output<string | undefined>;
    /**
     * ARN of the logging destination (log group, S3 bucket, or Firehose delivery stream, per `logDestinationType`).
     * Access to the destination's own resource policy (bucket policy, delivery-stream tags) is part of what
     * authorises delivery; it is not controlled by this resource.
     */
    readonly logDestination: pulumi.Output<string>;
    /**
     * Logging destination type. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
     */
    readonly logDestinationType: pulumi.Output<string | undefined>;
    /**
     * The fields to include in the flow log record. Accepted format example: `"$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}"`.
     *
     * NOTE(review): the doubled `$$` here looks like a leftover HCL escape from the upstream Terraform docs. In
     * TypeScript the value is a plain (non-template) string, so a single `$` per field is what reaches the API
     * — e.g. `"${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport}"` in double quotes — confirm with a test.
     */
    readonly logFormat: pulumi.Output<string>;
    /**
     * The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.
     * Valid Values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`.
     * When `transitGatewayId` or `transitGatewayAttachmentId` is specified, `maxAggregationInterval` *must* be 60 seconds (1 minute).
     * Shorter intervals give detection pipelines fresher data at the cost of more records.
     */
    readonly maxAggregationInterval: pulumi.Output<number | undefined>;
    /**
     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
     */
    readonly region: pulumi.Output<string>;
    /**
     * Subnet ID to attach to.
     */
    readonly subnetId: pulumi.Output<string | undefined>;
    /**
     * Key-value map of resource tags. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
     *
     * > **NOTE:** One of `eniId`, `subnetId`, `transitGatewayId`, `transitGatewayAttachmentId`, or `vpcId` must be specified.
     */
    readonly tags: pulumi.Output<{ [key: string]: string; } | undefined>;
    /**
     * A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
     */
    readonly tagsAll: pulumi.Output<{ [key: string]: string; }>;
    /**
     * The type of traffic to capture. Valid values: `ACCEPT`,`REJECT`, `ALL`.
     * `REJECT` alone is a cheap signal for blocked scans/misconfigured security groups; `ALL` is what incident
     * response usually needs, since successful connections are the ones that matter after a compromise.
     */
    readonly trafficType: pulumi.Output<string | undefined>;
    /**
     * Transit Gateway Attachment ID to attach to.
     */
    readonly transitGatewayAttachmentId: pulumi.Output<string | undefined>;
    /**
     * Transit Gateway ID to attach to.
     */
    readonly transitGatewayId: pulumi.Output<string | undefined>;
    /**
     * VPC ID to attach to.
     */
    readonly vpcId: pulumi.Output<string | undefined>;
    /**
     * Create a FlowLog resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args?: FlowLogArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering FlowLog resources.
 * Every field is optional here because this shape is only used to qualify a `FlowLog.get(...)` lookup.
 */
export interface FlowLogState {
    /**
     * ARN of the Flow Log.
     */
    arn?: pulumi.Input<string>;
    /**
     * ARN of the IAM role in the destination account used for cross-account delivery of flow logs.
     */
    deliverCrossAccountRole?: pulumi.Input<string>;
    /**
     * Describes the destination options for a flow log. See `FlowLogDestinationOptions` in `../types/input`.
     */
    destinationOptions?: pulumi.Input<inputs.ec2.FlowLogDestinationOptions>;
    /**
     * Elastic Network Interface ID to attach to.
     */
    eniId?: pulumi.Input<string>;
    /**
     * ARN of the IAM role used to post flow logs. Corresponds to `DeliverLogsPermissionArn` in the [AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFlowLogs.html).
     */
    iamRoleArn?: pulumi.Input<string>;
    /**
     * ARN of the logging destination.
     */
    logDestination?: pulumi.Input<string>;
    /**
     * Logging destination type. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
     */
    logDestinationType?: pulumi.Input<string>;
    /**
     * The fields to include in the flow log record. Accepted format example: `"$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}"`.
     * (See the note on `FlowLog.logFormat` about the doubled `$$`.)
     */
    logFormat?: pulumi.Input<string>;
    /**
     * The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.
     * Valid Values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`.
     * When `transitGatewayId` or `transitGatewayAttachmentId` is specified, `maxAggregationInterval` *must* be 60 seconds (1 minute).
     */
    maxAggregationInterval?: pulumi.Input<number>;
    /**
     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
     */
    region?: pulumi.Input<string>;
    /**
     * Subnet ID to attach to.
     */
    subnetId?: pulumi.Input<string>;
    /**
     * Key-value map of resource tags. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
     *
     * > **NOTE:** One of `eniId`, `subnetId`, `transitGatewayId`, `transitGatewayAttachmentId`, or `vpcId` must be specified.
     */
    tags?: pulumi.Input<{ [key: string]: pulumi.Input<string>; }>;
    /**
     * A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
     */
    tagsAll?: pulumi.Input<{ [key: string]: pulumi.Input<string>; }>;
    /**
     * The type of traffic to capture. Valid values: `ACCEPT`,`REJECT`, `ALL`.
     */
    trafficType?: pulumi.Input<string>;
    /**
     * Transit Gateway Attachment ID to attach to.
     */
    transitGatewayAttachmentId?: pulumi.Input<string>;
    /**
     * Transit Gateway ID to attach to.
     */
    transitGatewayId?: pulumi.Input<string>;
    /**
     * VPC ID to attach to.
     */
    vpcId?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing a FlowLog resource.
 * Compared with `FlowLogState`, the read-only outputs `arn` and `tagsAll` are absent here.
 */
export interface FlowLogArgs {
    /**
     * ARN of the IAM role in the destination account used for cross-account delivery of flow logs.
     * Only relevant when the destination lives in another account; see the cross-account Firehose example.
     */
    deliverCrossAccountRole?: pulumi.Input<string>;
    /**
     * Describes the destination options for a flow log. See `FlowLogDestinationOptions` in `../types/input`.
     */
    destinationOptions?: pulumi.Input<inputs.ec2.FlowLogDestinationOptions>;
    /**
     * Elastic Network Interface ID to attach to.
     */
    eniId?: pulumi.Input<string>;
    /**
     * ARN of the IAM role used to post flow logs. Corresponds to `DeliverLogsPermissionArn` in the [AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFlowLogs.html).
     * Scope this role to the single destination named in `logDestination`; see the `NOTE(review)` comments in the
     * CloudWatch example above.
     */
    iamRoleArn?: pulumi.Input<string>;
    /**
     * ARN of the logging destination.
     */
    logDestination?: pulumi.Input<string>;
    /**
     * Logging destination type. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
     */
    logDestinationType?: pulumi.Input<string>;
    /**
     * The fields to include in the flow log record. Accepted format example: `"$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}"`.
     * (See the note on `FlowLog.logFormat` about the doubled `$$`.)
     */
    logFormat?: pulumi.Input<string>;
    /**
     * The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record.
     * Valid Values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`.
     * When `transitGatewayId` or `transitGatewayAttachmentId` is specified, `maxAggregationInterval` *must* be 60 seconds (1 minute).
     */
    maxAggregationInterval?: pulumi.Input<number>;
    /**
     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
     */
    region?: pulumi.Input<string>;
    /**
     * Subnet ID to attach to.
     */
    subnetId?: pulumi.Input<string>;
    /**
     * Key-value map of resource tags. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
     *
     * > **NOTE:** One of `eniId`, `subnetId`, `transitGatewayId`, `transitGatewayAttachmentId`, or `vpcId` must be specified.
     */
    tags?: pulumi.Input<{ [key: string]: pulumi.Input<string>; }>;
    /**
     * The type of traffic to capture. Valid values: `ACCEPT`,`REJECT`, `ALL`.
     */
    trafficType?: pulumi.Input<string>;
    /**
     * Transit Gateway Attachment ID to attach to.
     */
    transitGatewayAttachmentId?: pulumi.Input<string>;
    /**
     * Transit Gateway ID to attach to.
     */
    transitGatewayId?: pulumi.Input<string>;
    /**
     * VPC ID to attach to.
     */
    vpcId?: pulumi.Input<string>;
}