
aws-cdk-lib


Version 2 of the AWS Cloud Development Kit library

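"use strict";

/*
 * VPC Flow Logs constructs from aws-cdk-lib (aws_ec2), compiled CommonJS output.
 *
 * Exports: FlowLog, LogFormat, FlowLogMaxAggregationInterval, FlowLogDestination,
 * FlowLogFileFormat, FlowLogResourceType, FlowLogDestinationType, FlowLogTrafficType.
 *
 * Formatting note: operands of `return` and `throw` are kept on the same line as
 * the keyword. A line break directly after either keyword changes the meaning
 * (`return` yields undefined) or is a syntax error (`throw`).
 */

/**
 * TypeScript-emitted helper that applies standard decorators to a class or member.
 * Decorators run last-to-first; each receives a fresh copy of the context object.
 */
var __esDecorate =
  (exports && exports.__esDecorate) ||
  function (ctor, descriptorIn, decorators, contextIn, initializers, extraInitializers) {
    // Passes through undefined and functions; anything else (including null) is rejected.
    function accept(f) {
      if (f !== undefined && typeof f != "function") {
        throw new TypeError("Function expected");
      }
      return f;
    }

    const kind = contextIn.kind;
    const key = kind === "getter" ? "get" : kind === "setter" ? "set" : "value";
    const target = !descriptorIn && ctor ? (contextIn.static ? ctor : ctor.prototype) : null;
    const descriptor =
      descriptorIn || (target ? Object.getOwnPropertyDescriptor(target, contextIn.name) : {});
    let _;
    let done = false;

    for (let i = decorators.length - 1; i >= 0; i--) {
      const context = {};
      for (const p in contextIn) {
        context[p] = p === "access" ? {} : contextIn[p];
      }
      for (const p in contextIn.access) {
        context.access[p] = contextIn.access[p];
      }
      context.addInitializer = function (f) {
        if (done) {
          throw new TypeError("Cannot add initializers after decoration has completed");
        }
        extraInitializers.push(accept(f || null));
      };

      // (0, fn)(...) invokes the decorator without a `this` binding.
      const result = (0, decorators[i])(
        kind === "accessor" ? { get: descriptor.get, set: descriptor.set } : descriptor[key],
        context,
      );

      if (kind === "accessor") {
        if (result === undefined) {
          continue;
        }
        if (result === null || typeof result != "object") {
          throw new TypeError("Object expected");
        }
        if ((_ = accept(result.get))) {
          descriptor.get = _;
        }
        if ((_ = accept(result.set))) {
          descriptor.set = _;
        }
        if ((_ = accept(result.init))) {
          initializers.unshift(_);
        }
      } else if ((_ = accept(result))) {
        if (kind === "field") {
          initializers.unshift(_);
        } else {
          descriptor[key] = _;
        }
      }
    }

    if (target) {
      Object.defineProperty(target, contextIn.name, descriptor);
    }
    done = true;
  };

/**
 * TypeScript-emitted helper that runs collected decorator initializers.
 * When a third argument is supplied, it is threaded through each initializer
 * and the final value is returned; otherwise the result is undefined.
 */
var __runInitializers =
  (exports && exports.__runInitializers) ||
  function (thisArg, initializers, value) {
    const useValue = arguments.length > 2;
    for (let i = 0; i < initializers.length; i++) {
      value = useValue
        ? initializers[i].call(thisArg, value)
        : initializers[i].call(thisArg);
    }
    return useValue ? value : undefined;
  };

Object.defineProperty(exports, "__esModule", { value: true });
exports.FlowLog =
  exports.LogFormat =
  exports.FlowLogMaxAggregationInterval =
  exports.FlowLogDestination =
  exports.FlowLogFileFormat =
  exports.FlowLogResourceType =
  exports.FlowLogDestinationType =
  exports.FlowLogTrafficType =
    undefined;

// Lazy module loaders: each accessor performs its require() on first call and
// then replaces itself with a function returning the cached module.
let jsiiDeprecationWarnings = () => {
  const tmp = require("../../.warnings.jsii.js");
  jsiiDeprecationWarnings = () => tmp;
  return tmp;
};
const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");
let ec2_generated_1 = () => {
  const tmp = require("./ec2.generated");
  ec2_generated_1 = () => tmp;
  return tmp;
};
let iam = () => {
  const tmp = require("../../aws-iam");
  iam = () => tmp;
  return tmp;
};
let logs = () => {
  const tmp = require("../../aws-logs");
  logs = () => tmp;
  return tmp;
};
let s3 = () => {
  const tmp = require("../../aws-s3");
  s3 = () => tmp;
  return tmp;
};
let core_1 = () => {
  const tmp = require("../../core");
  core_1 = () => tmp;
  return tmp;
};
let metadata_resource_1 = () => {
  const tmp = require("../../core/lib/metadata-resource");
  metadata_resource_1 = () => tmp;
  return tmp;
};
let prop_injectable_1 = () => {
  const tmp = require("../../core/lib/prop-injectable");
  prop_injectable_1 = () => tmp;
  return tmp;
};
let cx_api_1 = () => {
  const tmp = require("../../cx-api");
  cx_api_1 = () => tmp;
  return tmp;
};

const NAME_TAG = "Name";

/** Which traffic a flow log records. */
var FlowLogTrafficType;
(function (FlowLogTrafficType2) {
  FlowLogTrafficType2.ACCEPT = "ACCEPT";
  FlowLogTrafficType2.ALL = "ALL";
  FlowLogTrafficType2.REJECT = "REJECT";
})(FlowLogTrafficType || (exports.FlowLogTrafficType = FlowLogTrafficType = {}));

/** Where flow log records are delivered. */
var FlowLogDestinationType;
(function (FlowLogDestinationType2) {
  FlowLogDestinationType2.CLOUD_WATCH_LOGS = "cloud-watch-logs";
  FlowLogDestinationType2.S3 = "s3";
  FlowLogDestinationType2.KINESIS_DATA_FIREHOSE = "kinesis-data-firehose";
})(FlowLogDestinationType || (exports.FlowLogDestinationType = FlowLogDestinationType = {}));

/**
 * Factories for the `{ resourceType, resourceId }` pair identifying the
 * resource a flow log is attached to.
 */
class FlowLogResourceType {
  static [JSII_RTTI_SYMBOL_1] = {
    fqn: "aws-cdk-lib.aws_ec2.FlowLogResourceType",
    version: "2.233.0",
  };

  /** Flow log for a subnet; the id is read from `subnet.subnetRef.subnetId`. */
  static fromSubnet(subnet) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_interfaces_aws_ec2_ISubnetRef(subnet);
    } catch (error) {
      // Outside JSII debug mode, trim the stack of deprecation errors to the caller.
      if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
        Error.captureStackTrace(error, this.fromSubnet);
      }
      throw error;
    }
    return { resourceType: "Subnet", resourceId: subnet.subnetRef.subnetId };
  }

  /** Flow log for a VPC; the id is read from `vpc.vpcId`. */
  static fromVpc(vpc) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_ec2_IVpc(vpc);
    } catch (error) {
      if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
        Error.captureStackTrace(error, this.fromVpc);
      }
      throw error;
    }
    return { resourceType: "VPC", resourceId: vpc.vpcId };
  }

  // The three id-based factories below pass `id` through without any validation here.

  /** Flow log for a network interface, by id. */
  static fromNetworkInterfaceId(id) {
    return { resourceType: "NetworkInterface", resourceId: id };
  }

  /** Flow log for a Transit Gateway, by id. */
  static fromTransitGatewayId(id) {
    return { resourceType: "TransitGateway", resourceId: id };
  }

  /** Flow log for a Transit Gateway attachment, by id. */
  static fromTransitGatewayAttachmentId(id) {
    return { resourceType: "TransitGatewayAttachment", resourceId: id };
  }
}
exports.FlowLogResourceType = FlowLogResourceType;

/** File format for flow logs delivered to S3. */
var FlowLogFileFormat;
(function (FlowLogFileFormat2) {
  FlowLogFileFormat2.PLAIN_TEXT = "plain-text";
  FlowLogFileFormat2.PARQUET = "parquet";
})(FlowLogFileFormat || (exports.FlowLogFileFormat = FlowLogFileFormat = {}));

/**
 * Factories for flow log destinations. Each returns a destination object whose
 * `bind(scope, flowLog)` produces the configuration consumed by FlowLog.
 */
class FlowLogDestination {
  static [JSII_RTTI_SYMBOL_1] = {
    fqn: "aws-cdk-lib.aws_ec2.FlowLogDestination",
    version: "2.233.0",
  };

  /**
   * Deliver to CloudWatch Logs. Either argument may be omitted; the missing
   * log group and/or IAM role is then created at bind time.
   */
  static toCloudWatchLogs(logGroup, iamRole) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_logs_ILogGroup(logGroup);
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IRole(iamRole);
    } catch (error) {
      if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
        Error.captureStackTrace(error, this.toCloudWatchLogs);
      }
      throw error;
    }
    return new CloudWatchLogsDestination({
      logDestinationType: FlowLogDestinationType.CLOUD_WATCH_LOGS,
      logGroup,
      iamRole,
    });
  }

  /** Deliver to S3. If `bucket` is omitted, a bucket is created at bind time. */
  static toS3(bucket, keyPrefix, options) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_s3_IBucket(bucket);
      jsiiDeprecationWarnings().aws_cdk_lib_aws_ec2_S3DestinationOptions(options);
    } catch (error) {
      if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
        Error.captureStackTrace(error, this.toS3);
      }
      throw error;
    }
    return new S3Destination({
      logDestinationType: FlowLogDestinationType.S3,
      s3Bucket: bucket,
      keyPrefix,
      destinationOptions: options,
    });
  }

  /** Deliver to a Kinesis Data Firehose delivery stream identified by ARN. */
  static toKinesisDataFirehoseDestination(deliveryStreamArn) {
    return new KinesisDataFirehoseDestination({
      logDestinationType: FlowLogDestinationType.KINESIS_DATA_FIREHOSE,
      deliveryStreamArn,
    });
  }
}
exports.FlowLogDestination = FlowLogDestination;

/** S3 destination: resolves the bucket and, behind a feature flag, its bucket policy. */
class S3Destination extends FlowLogDestination {
  props;

  constructor(props) {
    super();
    this.props = props;
  }

  /**
   * Resolve the S3 delivery configuration.
   *
   * @param scope construct under which a default bucket is created
   * @param _flowLog unused
   * @returns logDestinationType, s3Bucket, keyPrefix and (optional) destinationOptions
   */
  bind(scope, _flowLog) {
    let s3Bucket;
    if (this.props.s3Bucket === undefined) {
      // Only the removal policy is set on the default bucket; encryption, public
      // access settings, versioning and lifecycle are whatever the Bucket construct
      // defaults to. NOTE(review): supply a pre-hardened bucket if those defaults
      // do not meet your logging-bucket baseline.
      s3Bucket = new (s3().Bucket)(scope, "Bucket", {
        removalPolicy: core_1().RemovalPolicy.RETAIN,
      });
    } else {
      s3Bucket = this.props.s3Bucket;
    }

    // The bucket-policy statements below are added only when this feature flag is
    // enabled. With the flag off, this method adds no bucket policy at all.
    // NOTE(review): confirm how delivery is authorised in that configuration.
    if (core_1().FeatureFlags.of(scope).isEnabled(cx_api_1().S3_CREATE_DEFAULT_LOGGING_POLICY)) {
      const stack = core_1().Stack.of(scope);

      // Normalise the prefix so the policy resource is "<prefix>/AWSLogs/...".
      let keyPrefix = this.props.keyPrefix ?? "";
      if (keyPrefix && !keyPrefix.endsWith("/")) {
        keyPrefix = keyPrefix + "/";
      }

      const prefix = this.props.destinationOptions?.hiveCompatiblePartitions
        ? s3Bucket.arnForObjects(`${keyPrefix}AWSLogs/aws-account-id=${stack.account}/*`)
        : s3Bucket.arnForObjects(`${keyPrefix}AWSLogs/${stack.account}/*`);

      const iamLib = iam();

      // Write access for the log delivery service, limited to this account's
      // AWSLogs prefix. The aws:SourceAccount / aws:SourceArn conditions pin the
      // service principal to requests made on behalf of this stack's account.
      s3Bucket.addToResourcePolicy(
        new iamLib.PolicyStatement({
          effect: iamLib.Effect.ALLOW,
          principals: [new iamLib.ServicePrincipal("delivery.logs.amazonaws.com")],
          resources: [prefix],
          actions: ["s3:PutObject"],
          conditions: {
            StringEquals: {
              "s3:x-amz-acl": "bucket-owner-full-control",
              "aws:SourceAccount": stack.account,
            },
            ArnLike: {
              "aws:SourceArn": stack.formatArn({ service: "logs", resource: "*" }),
            },
          },
        }),
      );

      // Bucket-level read of ACL and listing for the same principal, under the
      // same source-account and source-ARN conditions.
      s3Bucket.addToResourcePolicy(
        new iamLib.PolicyStatement({
          effect: iamLib.Effect.ALLOW,
          principals: [new iamLib.ServicePrincipal("delivery.logs.amazonaws.com")],
          resources: [s3Bucket.bucketArn],
          actions: ["s3:GetBucketAcl", "s3:ListBucket"],
          conditions: {
            StringEquals: { "aws:SourceAccount": stack.account },
            ArnLike: {
              "aws:SourceArn": stack.formatArn({ service: "logs", resource: "*" }),
            },
          },
        }),
      );
    }

    // destinationOptions is emitted only if at least one option is truthy;
    // unset options then fall back to plain-text / false.
    const options = this.props.destinationOptions;
    const hasOptions =
      options?.fileFormat || options?.perHourPartition || options?.hiveCompatiblePartitions;

    return {
      logDestinationType: FlowLogDestinationType.S3,
      s3Bucket,
      keyPrefix: this.props.keyPrefix,
      destinationOptions: hasOptions
        ? {
            fileFormat: options.fileFormat ?? FlowLogFileFormat.PLAIN_TEXT,
            perHourPartition: options.perHourPartition ?? false,
            hiveCompatiblePartitions: options.hiveCompatiblePartitions ?? false,
          }
        : undefined,
    };
  }
}

/** CloudWatch Logs destination: resolves the IAM role and log group and grants write access. */
class CloudWatchLogsDestination extends FlowLogDestination {
  props;

  constructor(props) {
    super();
    this.props = props;
  }

  /**
   * Resolve the CloudWatch Logs delivery configuration.
   *
   * @param scope construct under which a default role / log group is created
   * @param _flowLog unused
   * @returns logDestinationType, logGroup and iamRole
   */
  bind(scope, _flowLog) {
    const iamLib = iam();
    let iamRole;
    let logGroup;

    if (this.props.iamRole === undefined) {
      // The default role trusts the vpc-flow-logs service principal with no
      // aws:SourceAccount / aws:SourceArn condition set here.
      // NOTE(review): pass your own role if your baseline requires a
      // confused-deputy condition on the trust policy.
      iamRole = new iamLib.Role(scope, "IAMRole", {
        roleName: core_1().PhysicalName.GENERATE_IF_NEEDED,
        assumedBy: new iamLib.ServicePrincipal("vpc-flow-logs.amazonaws.com"),
      });
    } else {
      iamRole = this.props.iamRole;
    }

    if (this.props.logGroup === undefined) {
      // Created with the LogGroup construct's defaults: no retention period or
      // encryption key is specified here.
      logGroup = new (logs().LogGroup)(scope, "LogGroup");
    } else {
      logGroup = this.props.logGroup;
    }

    // Least privilege: the role may write only to this one log group. The grant
    // is attempted for caller-supplied roles too.
    iamRole.addToPrincipalPolicy(
      new iamLib.PolicyStatement({
        actions: ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"],
        effect: iamLib.Effect.ALLOW,
        resources: [logGroup.logGroupArn],
      }),
    );

    return {
      logDestinationType: FlowLogDestinationType.CLOUD_WATCH_LOGS,
      logGroup,
      iamRole,
    };
  }
}

/** Kinesis Data Firehose destination: passes the delivery stream ARN through. */
class KinesisDataFirehoseDestination extends FlowLogDestination {
  props;

  constructor(props) {
    super();
    this.props = props;
  }

  /**
   * @param scope used only as the context of the validation error
   * @param _flowLog unused
   * @returns logDestinationType and deliveryStreamArn
   * @throws ValidationError when no delivery stream ARN was given
   */
  bind(scope, _flowLog) {
    // Only presence is checked; the ARN's format, account and region are not.
    if (this.props.deliveryStreamArn === undefined) {
      throw new (core_1().ValidationError)("deliveryStreamArn is required", scope);
    }
    const deliveryStreamArn = this.props.deliveryStreamArn;
    return {
      logDestinationType: FlowLogDestinationType.KINESIS_DATA_FIREHOSE,
      deliveryStreamArn,
    };
  }
}

/** Maximum aggregation interval in seconds (numeric enum with reverse mapping). */
var FlowLogMaxAggregationInterval;
(function (FlowLogMaxAggregationInterval2) {
  FlowLogMaxAggregationInterval2[(FlowLogMaxAggregationInterval2.ONE_MINUTE = 60)] = "ONE_MINUTE";
  FlowLogMaxAggregationInterval2[(FlowLogMaxAggregationInterval2.TEN_MINUTES = 600)] =
    "TEN_MINUTES";
})(
  FlowLogMaxAggregationInterval ||
    (exports.FlowLogMaxAggregationInterval = FlowLogMaxAggregationInterval = {}),
);

/**
 * One element of a flow log record format. Each predefined field wraps the
 * placeholder string "${<field-name>}".
 */
class LogFormat {
  value;

  static [JSII_RTTI_SYMBOL_1] = { fqn: "aws-cdk-lib.aws_ec2.LogFormat", version: "2.233.0" };

  static VERSION = LogFormat.field("version");
  static ACCOUNT_ID = LogFormat.field("account-id");
  static INTERFACE_ID = LogFormat.field("interface-id");
  static SRC_ADDR = LogFormat.field("srcaddr");
  static DST_ADDR = LogFormat.field("dstaddr");
  static SRC_PORT = LogFormat.field("srcport");
  static DST_PORT = LogFormat.field("dstport");
  static PROTOCOL = LogFormat.field("protocol");
  static PACKETS = LogFormat.field("packets");
  static BYTES = LogFormat.field("bytes");
  static START_TIMESTAMP = LogFormat.field("start");
  static END_TIMESTAMP = LogFormat.field("end");
  static ACTION = LogFormat.field("action");
  static LOG_STATUS = LogFormat.field("log-status");
  static VPC_ID = LogFormat.field("vpc-id");
  static SUBNET_ID = LogFormat.field("subnet-id");
  static INSTANCE_ID = LogFormat.field("instance-id");
  static TCP_FLAGS = LogFormat.field("tcp-flags");
  static TRAFFIC_TYPE = LogFormat.field("type");
  static PKT_SRC_ADDR = LogFormat.field("pkt-srcaddr");
  static PKT_DST_ADDR = LogFormat.field("pkt-dstaddr");
  static REGION = LogFormat.field("region");
  static AZ_ID = LogFormat.field("az-id");
  static SUBLOCATION_TYPE = LogFormat.field("sublocation-type");
  static SUBLOCATION_ID = LogFormat.field("sublocation-id");
  static PKT_SRC_AWS_SERVICE = LogFormat.field("pkt-src-aws-service");
  static PKT_DST_AWS_SERVICE = LogFormat.field("pkt-dst-aws-service");
  static FLOW_DIRECTION = LogFormat.field("flow-direction");
  static TRAFFIC_PATH = LogFormat.field("traffic-path");
  static ECS_CLUSTER_ARN = LogFormat.field("ecs-cluster-arn");
  static ECS_CLUSTER_NAME = LogFormat.field("ecs-cluster-name");
  static ECS_CONTAINER_INSTANCE_ARN = LogFormat.field("ecs-container-instance-arn");
  static ECS_CONTAINER_INSTANCE_ID = LogFormat.field("ecs-container-instance-id");
  static ECS_CONTAINER_ID = LogFormat.field("ecs-container-id");
  static ECS_SECOND_CONTAINER_ID = LogFormat.field("ecs-second-container-id");
  static ECS_SERVICE_NAME = LogFormat.field("ecs-service-name");
  static ECS_TASK_DEFINITION_ARN = LogFormat.field("ecs-task-definition-arn");
  static ECS_TASK_ARN = LogFormat.field("ecs-task-arn");
  static ECS_TASK_ID = LogFormat.field("ecs-task-id");

  // Plain string, not a template literal: the ${...} sequences are literal text.
  static ALL_DEFAULT_FIELDS = new LogFormat(
    "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}",
  );

  /** Wrap an arbitrary format string; the string is stored as given, unvalidated. */
  static custom(formatString) {
    return new LogFormat(formatString);
  }

  /** Build the "${field}" placeholder for a named field. */
  static field(field) {
    return new LogFormat(`\${${field}}`);
  }

  constructor(value) {
    this.value = value;
  }
}
exports.LogFormat = LogFormat;

/** Shared base for concrete and imported flow logs. */
class FlowLogBase extends core_1().Resource {
  get flowLogRef() {
    return { flowLogId: this.flowLogId };
  }
}

/**
 * A VPC flow log. The class is built inside an IIFE because the
 * `propertyInjectable` class decorator is applied through __esDecorate and may
 * replace the class value.
 */
let FlowLog = (() => {
  let _classDecorators = [prop_injectable_1().propertyInjectable];
  let _classDescriptor;
  let _classExtraInitializers = [];
  let _classThis;
  let _classSuper = FlowLogBase;

  // Must stay `var`: the static block below assigns FlowLog2 while the class
  // expression is still being evaluated, which a `let` binding would reject.
  var FlowLog2 = class extends _classSuper {
    static {
      _classThis = this;
    }

    static {
      const _metadata =
        typeof Symbol == "function" && Symbol.metadata
          ? Object.create(_classSuper[Symbol.metadata] ?? null)
          : undefined;
      __esDecorate(
        null,
        (_classDescriptor = { value: _classThis }),
        _classDecorators,
        { kind: "class", name: _classThis.name, metadata: _metadata },
        null,
        _classExtraInitializers,
      );
      FlowLog2 = _classThis = _classDescriptor.value;
      if (_metadata) {
        Object.defineProperty(_classThis, Symbol.metadata, {
          enumerable: true,
          configurable: true,
          writable: true,
          value: _metadata,
        });
      }
    }

    static [JSII_RTTI_SYMBOL_1] = { fqn: "aws-cdk-lib.aws_ec2.FlowLog", version: "2.233.0" };
    static PROPERTY_INJECTION_ID = "aws-cdk-lib.aws-ec2.FlowLog";

    /** Reference an existing flow log by id; no resource is defined. */
    static fromFlowLogId(scope, id, flowLogId) {
      class Import extends FlowLogBase {
        flowLogId = flowLogId;
      }
      return new Import(scope, id);
    }

    flowLogId;
    bucket;
    keyPrefix;
    iamRole;
    logGroup;
    deliveryStreamArn;

    /**
     * @param scope parent construct
     * @param id construct id
     * @param props flow log properties; `resourceType` is read unconditionally
     * @throws ValidationError for unsupported Transit Gateway settings
     */
    constructor(scope, id, props) {
      super(scope, id);
      try {
        jsiiDeprecationWarnings().aws_cdk_lib_aws_ec2_FlowLogProps(props);
      } catch (error) {
        if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
          Error.captureStackTrace(error, FlowLog2);
        }
        throw error;
      }

      const { addConstructMetadata } = metadata_resource_1();
      addConstructMetadata(this, props);

      // With no destination given, logs go to CloudWatch Logs and both the log
      // group and the IAM role are created by the destination's bind().
      const destinationConfig = (
        props.destination || FlowLogDestination.toCloudWatchLogs()
      ).bind(this, this);
      this.logGroup = destinationConfig.logGroup;
      this.bucket = destinationConfig.s3Bucket;
      this.iamRole = destinationConfig.iamRole;
      this.keyPrefix = destinationConfig.keyPrefix;
      this.deliveryStreamArn = destinationConfig.deliveryStreamArn;

      core_1().Tags.of(this).add(NAME_TAG, props.flowLogName || this.node.path);

      // Destination ARN: S3 object prefix or bucket ARN, or the delivery stream
      // ARN. The key prefix is used here exactly as supplied.
      let logDestination;
      if (this.bucket) {
        logDestination = this.keyPrefix
          ? this.bucket.arnForObjects(this.keyPrefix)
          : this.bucket.bucketArn;
      }
      if (this.deliveryStreamArn) {
        logDestination = this.deliveryStreamArn;
      }

      let customLogFormat;
      if (props.logFormat) {
        customLogFormat = props.logFormat.map((elm) => elm.value).join(" ");
      }

      // Default is ALL: accepted and rejected traffic are both recorded.
      let trafficType = props.trafficType ?? FlowLogTrafficType.ALL;
      if (
        props.resourceType.resourceType === "TransitGateway" ||
        props.resourceType.resourceType === "TransitGatewayAttachment"
      ) {
        if (props.trafficType) {
          throw new (core_1().ValidationError)(
            "trafficType is not supported for Transit Gateway and Transit Gateway Attachment",
            this,
          );
        }
        if (
          props.maxAggregationInterval &&
          props.maxAggregationInterval !== FlowLogMaxAggregationInterval.ONE_MINUTE
        ) {
          throw new (core_1().ValidationError)(
            "maxAggregationInterval must be set to ONE_MINUTE for Transit Gateway and Transit Gateway Attachment",
            this,
          );
        }
        trafficType = undefined;
      }

      const flowLog = new (ec2_generated_1().CfnFlowLog)(this, "FlowLog", {
        destinationOptions: destinationConfig.destinationOptions,
        deliverLogsPermissionArn: this.iamRole ? this.iamRole.roleArn : undefined,
        logDestinationType: destinationConfig.logDestinationType,
        logGroupName: this.logGroup ? this.logGroup.logGroupName : undefined,
        maxAggregationInterval: props.maxAggregationInterval,
        resourceId: props.resourceType.resourceId,
        resourceType: props.resourceType.resourceType,
        trafficType,
        logFormat: customLogFormat,
        logDestination,
      });

      // Order the flow log after the bucket policy when one exists in this app.
      if (this.bucket?.policy?.node.defaultChild instanceof core_1().CfnResource) {
        flowLog.addDependency(this.bucket?.policy.node.defaultChild);
      }

      // Likewise depend on the bucket's auto-delete custom resource, if present.
      const deleteObjects = this.bucket?.node.tryFindChild("AutoDeleteObjectsCustomResource")
        ?.node.defaultChild;
      if (deleteObjects instanceof core_1().CfnResource) {
        flowLog.addDependency(deleteObjects);
      }

      this.flowLogId = flowLog.ref;
      this.node.defaultChild = flowLog;
    }

    static {
      __runInitializers(_classThis, _classExtraInitializers);
    }
  };

  return (FlowLog2 = _classThis);
})();
exports.FlowLog = FlowLog;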