aws.ec2.FlowLog
Provides a VPC/Subnet/ENI/Transit Gateway/Transit Gateway Attachment Flow Log to capture IP traffic for a specific network interface, subnet, or VPC. Logs are sent to a CloudWatch Log Group, an S3 Bucket, or Amazon Kinesis Data Firehose.
Example Usage
CloudWatch Logging
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Log group that receives the flow log records.
const flowLogGroup = new aws.cloudwatch.LogGroup("example", {name: "example"});

// Trust policy: lets the VPC Flow Logs service principal assume the role.
// NOTE(review): no Condition is set on this statement; consider restricting it
// with aws:SourceAccount / aws:SourceArn so the role cannot be used on behalf
// of another account (confused deputy).
const trustPolicy = aws.iam.getPolicyDocument({
    statements: [{
        effect: "Allow",
        actions: ["sts:AssumeRole"],
        principals: [{
            type: "Service",
            identifiers: ["vpc-flow-logs.amazonaws.com"],
        }],
    }],
});
const deliveryRole = new aws.iam.Role("example", {
    name: "example",
    assumeRolePolicy: trustPolicy.then(doc => doc.json),
});

// Flow log on the VPC, capturing all traffic and publishing through the role.
// `exampleAwsVpc` is not declared in this snippet and must exist elsewhere.
const vpcFlowLog = new aws.ec2.FlowLog("example", {
    vpcId: exampleAwsVpc.id,
    trafficType: "ALL",
    logDestination: flowLogGroup.arn,
    iamRoleArn: deliveryRole.arn,
});

// CloudWatch Logs actions granted to the delivery role.
const logActions = [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
];
// NOTE(review): resources "*" applies these actions to every log group in the
// account; scope it to the destination log group where possible.
const deliveryPolicy = aws.iam.getPolicyDocument({
    statements: [{
        effect: "Allow",
        actions: logActions,
        resources: ["*"],
    }],
});
const deliveryRolePolicy = new aws.iam.RolePolicy("example", {
    name: "example",
    role: deliveryRole.id,
    policy: deliveryPolicy.then(doc => doc.json),
});
import pulumi
import pulumi_aws as aws
# Log group that receives the flow log records.
flow_log_group = aws.cloudwatch.LogGroup("example", name="example")

# Trust policy: lets the VPC Flow Logs service principal assume the role.
# NOTE(review): no condition is set on this statement; consider restricting it
# with aws:SourceAccount / aws:SourceArn so the role cannot be used on behalf
# of another account (confused deputy).
trust_statement = {
    "effect": "Allow",
    "actions": ["sts:AssumeRole"],
    "principals": [{
        "type": "Service",
        "identifiers": ["vpc-flow-logs.amazonaws.com"],
    }],
}
trust_policy = aws.iam.get_policy_document(statements=[trust_statement])
delivery_role = aws.iam.Role(
    "example",
    name="example",
    assume_role_policy=trust_policy.json,
)

# Flow log on the VPC, capturing all traffic and publishing through the role.
# `example_aws_vpc` is not declared in this snippet and must exist elsewhere.
vpc_flow_log = aws.ec2.FlowLog(
    "example",
    vpc_id=example_aws_vpc["id"],
    traffic_type="ALL",
    log_destination=flow_log_group.arn,
    iam_role_arn=delivery_role.arn,
)

# CloudWatch Logs actions granted to the delivery role.
# NOTE(review): resources "*" applies these actions to every log group in the
# account; scope it to the destination log group where possible.
delivery_statement = {
    "effect": "Allow",
    "actions": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
    ],
    "resources": ["*"],
}
delivery_policy = aws.iam.get_policy_document(statements=[delivery_statement])
delivery_role_policy = aws.iam.RolePolicy(
    "example",
    name="example",
    role=delivery_role.id,
    policy=delivery_policy.json,
)
package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudwatch"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a CloudWatch log group, an IAM role assumable by the VPC Flow
// Logs service, a flow log on the VPC that publishes to the log group through
// that role, and the inline policy granting the role its CloudWatch Logs
// actions. exampleAwsVpc is not declared in this snippet.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Log group that receives the flow log records.
		logGroup, err := cloudwatch.NewLogGroup(ctx, "example", &cloudwatch.LogGroupArgs{
			Name: pulumi.String("example"),
		})
		if err != nil {
			return err
		}

		// Trust policy: lets the VPC Flow Logs service principal assume the role.
		// NOTE(review): no condition is set on this statement; consider
		// restricting it with aws:SourceAccount / aws:SourceArn so the role
		// cannot be used on behalf of another account (confused deputy).
		trustStmt := iam.GetPolicyDocumentStatement{
			Effect:  pulumi.StringRef("Allow"),
			Actions: []string{"sts:AssumeRole"},
			Principals: []iam.GetPolicyDocumentStatementPrincipal{{
				Type:        "Service",
				Identifiers: []string{"vpc-flow-logs.amazonaws.com"},
			}},
		}
		trustDoc, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{trustStmt},
		}, nil)
		if err != nil {
			return err
		}
		role, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
			Name:             pulumi.String("example"),
			AssumeRolePolicy: pulumi.String(trustDoc.Json),
		})
		if err != nil {
			return err
		}

		// Flow log on the VPC, capturing all traffic.
		if _, err := ec2.NewFlowLog(ctx, "example", &ec2.FlowLogArgs{
			VpcId:          pulumi.Any(exampleAwsVpc.Id),
			TrafficType:    pulumi.String("ALL"),
			LogDestination: logGroup.Arn,
			IamRoleArn:     role.Arn,
		}); err != nil {
			return err
		}

		// CloudWatch Logs actions granted to the delivery role.
		// NOTE(review): Resources "*" applies these actions to every log group
		// in the account; scope it to the destination log group where possible.
		deliveryStmt := iam.GetPolicyDocumentStatement{
			Effect: pulumi.StringRef("Allow"),
			Actions: []string{
				"logs:CreateLogGroup",
				"logs:CreateLogStream",
				"logs:PutLogEvents",
				"logs:DescribeLogGroups",
				"logs:DescribeLogStreams",
			},
			Resources: []string{"*"},
		}
		deliveryDoc, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{deliveryStmt},
		}, nil)
		if err != nil {
			return err
		}
		_, err = iam.NewRolePolicy(ctx, "example", &iam.RolePolicyArgs{
			Name:   pulumi.String("example"),
			Role:   role.ID(),
			Policy: pulumi.String(deliveryDoc.Json),
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Declares a CloudWatch log group, an IAM role assumable by the VPC Flow Logs
// service, a flow log on the VPC, and the role's inline CloudWatch Logs policy.
// `exampleAwsVpc` is not declared in this snippet and must exist elsewhere.
return await Deployment.RunAsync(() =>
{
    // Log group that receives the flow log records.
    var flowLogGroup = new Aws.CloudWatch.LogGroup("example", new()
    {
        Name = "example",
    });

    // Trust policy: lets the VPC Flow Logs service principal assume the role.
    // NOTE(review): no condition is set on this statement; consider restricting
    // it with aws:SourceAccount / aws:SourceArn so the role cannot be used on
    // behalf of another account (confused deputy).
    var trustStatement = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Effect = "Allow",
        Actions = new[] { "sts:AssumeRole" },
        Principals = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
            {
                Type = "Service",
                Identifiers = new[] { "vpc-flow-logs.amazonaws.com" },
            },
        },
    };
    var trustPolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { trustStatement },
    });

    var deliveryRole = new Aws.Iam.Role("example", new()
    {
        Name = "example",
        AssumeRolePolicy = trustPolicy.Apply(doc => doc.Json),
    });

    // Flow log on the VPC, capturing all traffic and publishing through the role.
    var vpcFlowLog = new Aws.Ec2.FlowLog("example", new()
    {
        VpcId = exampleAwsVpc.Id,
        TrafficType = "ALL",
        LogDestination = flowLogGroup.Arn,
        IamRoleArn = deliveryRole.Arn,
    });

    // CloudWatch Logs actions granted to the delivery role.
    // NOTE(review): Resources "*" applies these actions to every log group in
    // the account; scope it to the destination log group where possible.
    var deliveryStatement = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Effect = "Allow",
        Actions = new[]
        {
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams",
        },
        Resources = new[] { "*" },
    };
    var deliveryPolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { deliveryStatement },
    });

    var deliveryRolePolicy = new Aws.Iam.RolePolicy("example", new()
    {
        Name = "example",
        Role = deliveryRole.Id,
        Policy = deliveryPolicy.Apply(doc => doc.Json),
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.LogGroup;
import com.pulumi.aws.cloudwatch.LogGroupArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import com.pulumi.aws.iam.RolePolicy;
import com.pulumi.aws.iam.RolePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Example stack: a VPC flow log that publishes to a CloudWatch log group
 * through a dedicated IAM role.
 */
public class App {
    /** Program entry point; hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the log group, the IAM role and its inline policy, and the flow log.
     * {@code exampleAwsVpc} is not declared in this snippet and must exist elsewhere.
     */
    public static void stack(Context ctx) {
        // Log group that receives the flow log records.
        var logGroup = new LogGroup("exampleLogGroup", LogGroupArgs.builder()
            .name("example")
            .build());

        // Trust policy: lets the VPC Flow Logs service principal assume the role.
        // NOTE(review): no condition is set on this statement; consider restricting
        // it with aws:SourceAccount / aws:SourceArn so the role cannot be used on
        // behalf of another account (confused deputy).
        var flowLogsPrincipal = GetPolicyDocumentStatementPrincipalArgs.builder()
            .type("Service")
            .identifiers("vpc-flow-logs.amazonaws.com")
            .build();
        var trustStatement = GetPolicyDocumentStatementArgs.builder()
            .effect("Allow")
            .principals(flowLogsPrincipal)
            .actions("sts:AssumeRole")
            .build();
        final var trustPolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(trustStatement)
            .build());

        var deliveryRole = new Role("exampleRole", RoleArgs.builder()
            .name("example")
            .assumeRolePolicy(trustPolicy.applyValue(doc -> doc.json()))
            .build());

        // Flow log on the VPC, capturing all traffic and publishing through the role.
        var vpcFlowLog = new FlowLog("exampleFlowLog", FlowLogArgs.builder()
            .vpcId(exampleAwsVpc.id())
            .trafficType("ALL")
            .logDestination(logGroup.arn())
            .iamRoleArn(deliveryRole.arn())
            .build());

        // CloudWatch Logs actions granted to the delivery role.
        // NOTE(review): resources "*" applies these actions to every log group in
        // the account; scope it to the destination log group where possible.
        var deliveryStatement = GetPolicyDocumentStatementArgs.builder()
            .effect("Allow")
            .actions(
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams")
            .resources("*")
            .build();
        final var deliveryPolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(deliveryStatement)
            .build());

        var deliveryRolePolicy = new RolePolicy("exampleRolePolicy", RolePolicyArgs.builder()
            .name("example")
            .role(deliveryRole.id())
            .policy(deliveryPolicy.applyValue(doc -> doc.json()))
            .build());
    }
}
resources:
  # Log group that receives the flow log records.
  exampleLogGroup:
    type: aws:cloudwatch:LogGroup
    name: example
    properties:
      name: example
  # Role the flow log uses to publish; its trust policy is the assumeRole variable.
  exampleRole:
    type: aws:iam:Role
    name: example
    properties:
      name: example
      assumeRolePolicy: ${assumeRole.json}
  # Inline policy granting the role its CloudWatch Logs actions.
  exampleRolePolicy:
    type: aws:iam:RolePolicy
    name: example
    properties:
      name: example
      role: ${exampleRole.id}
      policy: ${example.json}
  # Flow log on the VPC, capturing all traffic.
  # exampleAwsVpc is not declared in this program and must exist elsewhere.
  exampleFlowLog:
    type: aws:ec2:FlowLog
    name: example
    properties:
      vpcId: ${exampleAwsVpc.id}
      trafficType: ALL
      logDestination: ${exampleLogGroup.arn}
      iamRoleArn: ${exampleRole.arn}
variables:
  # Trust policy: lets the VPC Flow Logs service principal assume the role.
  # NOTE(review): no condition is set on this statement; consider restricting it
  # with aws:SourceAccount / aws:SourceArn (confused deputy).
  assumeRole:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - effect: Allow
            actions: ["sts:AssumeRole"]
            principals:
              - type: Service
                identifiers: ["vpc-flow-logs.amazonaws.com"]
  # CloudWatch Logs actions granted to the delivery role.
  # NOTE(review): resources '*' applies these actions to every log group in the
  # account; scope it to the destination log group where possible.
  example:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - effect: Allow
            actions:
              - "logs:CreateLogGroup"
              - "logs:CreateLogStream"
              - "logs:PutLogEvents"
              - "logs:DescribeLogGroups"
              - "logs:DescribeLogStreams"
            resources: ["*"]
Amazon Kinesis Data Firehose logging
Coming soon!
Coming soon!
Coming soon!
Coming soon!
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.kinesis.FirehoseDeliveryStream;
import com.pulumi.aws.kinesis.FirehoseDeliveryStreamArgs;
import com.pulumi.aws.kinesis.inputs.FirehoseDeliveryStreamExtendedS3ConfigurationArgs;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import com.pulumi.aws.s3.BucketAclV2;
import com.pulumi.aws.s3.BucketAclV2Args;
import com.pulumi.aws.iam.RolePolicy;
import com.pulumi.aws.iam.RolePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
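/**
 * Example stack: a VPC flow log delivered to a Kinesis Data Firehose stream
 * that writes to an S3 bucket.
 */
public class App {
    /** Program entry point; hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the bucket, the Firehose role and delivery stream, the flow log,
     * the bucket ACL and the role's inline policy.
     * {@code exampleAwsVpc} is not declared in this snippet and must exist elsewhere.
     */
    public static void stack(Context ctx) {
        // Bucket the delivery stream writes to.
        var exampleBucketV2 = new BucketV2("exampleBucketV2", BucketV2Args.builder()
            .bucket("example")
            .build());

        // Trust policy: lets the Firehose service principal assume the role.
        final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("Service")
                    .identifiers("firehose.amazonaws.com")
                    .build())
                .actions("sts:AssumeRole")
                .build())
            .build());

        var exampleRole = new Role("exampleRole", RoleArgs.builder()
            .name("firehose_test_role")
            .assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());

        var exampleFirehoseDeliveryStream = new FirehoseDeliveryStream("exampleFirehoseDeliveryStream", FirehoseDeliveryStreamArgs.builder()
            .name("kinesis_firehose_test")
            .destination("extended_s3")
            .extendedS3Configuration(FirehoseDeliveryStreamExtendedS3ConfigurationArgs.builder()
                .roleArn(exampleRole.arn())
                .bucketArn(exampleBucketV2.arn())
                .build())
            .tags(Map.of("LogDeliveryEnabled", "true"))
            .build());

        // Flow log on the VPC, capturing all traffic and delivering to the stream.
        var exampleFlowLog = new FlowLog("exampleFlowLog", FlowLogArgs.builder()
            .logDestination(exampleFirehoseDeliveryStream.arn())
            .logDestinationType("kinesis-data-firehose")
            .trafficType("ALL")
            .vpcId(exampleAwsVpc.id())
            .build());

        var exampleBucketAclV2 = new BucketAclV2("exampleBucketAclV2", BucketAclV2Args.builder()
            .bucket(exampleBucketV2.id())
            .acl("private")
            .build());

        // Fix: effect/actions/resources belong to a policy statement, so they are
        // wrapped in statements(...) like the trust policy above instead of being
        // set directly on GetPolicyDocumentArgs.
        // NOTE(review): resources "*" applies these actions account-wide, and this
        // policy is attached to the role Firehose assumes while the flow log itself
        // is given no role here; confirm which principal needs these actions.
        final var example = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .actions(
                    "logs:CreateLogDelivery",
                    "logs:DeleteLogDelivery",
                    "logs:ListLogDeliveries",
                    "logs:GetLogDelivery",
                    "firehose:TagDeliveryStream")
                .resources("*")
                .build())
            .build());

        var exampleRolePolicy = new RolePolicy("exampleRolePolicy", RolePolicyArgs.builder()
            .name("test")
            .role(exampleRole.id())
            .policy(example.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());
    }
}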
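resources:
  # Flow log on the VPC, capturing all traffic and delivering to the stream.
  # exampleAwsVpc is not declared in this program and must exist elsewhere.
  exampleFlowLog:
    type: aws:ec2:FlowLog
    name: example
    properties:
      logDestination: ${exampleFirehoseDeliveryStream.arn}
      logDestinationType: kinesis-data-firehose
      trafficType: ALL
      vpcId: ${exampleAwsVpc.id}
  # Delivery stream that writes to the bucket using exampleRole.
  exampleFirehoseDeliveryStream:
    type: aws:kinesis:FirehoseDeliveryStream
    name: example
    properties:
      name: kinesis_firehose_test
      destination: extended_s3
      extendedS3Configuration:
        roleArn: ${exampleRole.arn}
        bucketArn: ${exampleBucketV2.arn}
      tags:
        LogDeliveryEnabled: 'true'
  exampleBucketV2:
    type: aws:s3:BucketV2
    name: example
    properties:
      bucket: example
  exampleBucketAclV2:
    type: aws:s3:BucketAclV2
    name: example
    properties:
      bucket: ${exampleBucketV2.id}
      acl: private
  # Role assumed by Firehose; its trust policy is the assumeRole variable.
  exampleRole:
    type: aws:iam:Role
    name: example
    properties:
      name: firehose_test_role
      assumeRolePolicy: ${assumeRole.json}
  exampleRolePolicy:
    type: aws:iam:RolePolicy
    name: example
    properties:
      name: test
      role: ${exampleRole.id}
      policy: ${example.json}
variables:
  # Trust policy: lets the Firehose service principal assume the role.
  assumeRole:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - effect: Allow
            principals:
              - type: Service
                identifiers:
                  - firehose.amazonaws.com
            actions:
              - sts:AssumeRole
  # Fix: effect/actions/resources belong to a policy statement, so they are
  # nested under `statements` like the assumeRole document above.
  # NOTE(review): resources '*' applies these actions account-wide, and this
  # policy is attached to the role Firehose assumes while the flow log itself is
  # given no role here; confirm which principal needs these actions.
  example:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - effect: Allow
            actions:
              - logs:CreateLogDelivery
              - logs:DeleteLogDelivery
              - logs:ListLogDeliveries
              - logs:GetLogDelivery
              - firehose:TagDeliveryStream
            resources:
              - '*'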
S3 Logging
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Bucket that receives the flow log files.
// NOTE(review): the bucket is created with no explicit access or encryption
// settings; confirm who can read the delivered traffic records.
const logBucket = new aws.s3.BucketV2("example", {bucket: "example"});

// Flow log on the VPC, capturing all traffic and delivering to the bucket.
// `exampleAwsVpc` is not declared in this snippet and must exist elsewhere.
const vpcFlowLog = new aws.ec2.FlowLog("example", {
    vpcId: exampleAwsVpc.id,
    trafficType: "ALL",
    logDestinationType: "s3",
    logDestination: logBucket.arn,
});
import pulumi
import pulumi_aws as aws
# Bucket that receives the flow log files.
# NOTE(review): the bucket is created with no explicit access or encryption
# settings; confirm who can read the delivered traffic records.
log_bucket = aws.s3.BucketV2("example", bucket="example")

# Flow log on the VPC, capturing all traffic and delivering to the bucket.
# `example_aws_vpc` is not declared in this snippet and must exist elsewhere.
vpc_flow_log = aws.ec2.FlowLog(
    "example",
    vpc_id=example_aws_vpc["id"],
    traffic_type="ALL",
    log_destination_type="s3",
    log_destination=log_bucket.arn,
)
package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares an S3 bucket and a VPC flow log that delivers all captured
// traffic records to it. exampleAwsVpc is not declared in this snippet.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Bucket that receives the flow log files.
		// NOTE(review): created with no explicit access or encryption
		// settings; confirm who can read the delivered traffic records.
		logBucket, err := s3.NewBucketV2(ctx, "example", &s3.BucketV2Args{
			Bucket: pulumi.String("example"),
		})
		if err != nil {
			return err
		}

		flowLogArgs := &ec2.FlowLogArgs{
			VpcId:              pulumi.Any(exampleAwsVpc.Id),
			TrafficType:        pulumi.String("ALL"),
			LogDestinationType: pulumi.String("s3"),
			LogDestination:     logBucket.Arn,
		}
		_, err = ec2.NewFlowLog(ctx, "example", flowLogArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Declares an S3 bucket and a VPC flow log that delivers all captured traffic
// records to it. `exampleAwsVpc` is not declared in this snippet.
return await Deployment.RunAsync(() =>
{
    // Bucket that receives the flow log files.
    // NOTE(review): created with no explicit access or encryption settings;
    // confirm who can read the delivered traffic records.
    var logBucket = new Aws.S3.BucketV2("example", new()
    {
        Bucket = "example",
    });

    var vpcFlowLog = new Aws.Ec2.FlowLog("example", new()
    {
        VpcId = exampleAwsVpc.Id,
        TrafficType = "ALL",
        LogDestinationType = "s3",
        LogDestination = logBucket.Arn,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Example stack: a VPC flow log delivered to an S3 bucket. */
public class App {
    /** Program entry point; hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the bucket and the flow log that delivers to it.
     * {@code exampleAwsVpc} is not declared in this snippet and must exist elsewhere.
     */
    public static void stack(Context ctx) {
        // Bucket that receives the flow log files.
        // NOTE(review): created with no explicit access or encryption settings;
        // confirm who can read the delivered traffic records.
        var logBucket = new BucketV2("exampleBucketV2", BucketV2Args.builder()
            .bucket("example")
            .build());

        var flowLogArgs = FlowLogArgs.builder()
            .vpcId(exampleAwsVpc.id())
            .trafficType("ALL")
            .logDestinationType("s3")
            .logDestination(logBucket.arn())
            .build();
        var vpcFlowLog = new FlowLog("example", flowLogArgs);
    }
}
resources:
  # Bucket that receives the flow log files.
  # NOTE(review): created with no explicit access or encryption settings;
  # confirm who can read the delivered traffic records.
  exampleBucketV2:
    type: aws:s3:BucketV2
    name: example
    properties:
      bucket: example
  # Flow log on the VPC, capturing all traffic and delivering to the bucket.
  # exampleAwsVpc is not declared in this program and must exist elsewhere.
  example:
    type: aws:ec2:FlowLog
    properties:
      vpcId: ${exampleAwsVpc.id}
      trafficType: ALL
      logDestinationType: s3
      logDestination: ${exampleBucketV2.arn}
S3 Logging in Apache Parquet format with per-hour partitions
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Bucket that receives the flow log files.
const logBucket = new aws.s3.BucketV2("example", {bucket: "example"});

// Delivery options: Parquet files, partitioned per hour.
const parquetHourly = {
    fileFormat: "parquet",
    perHourPartition: true,
};

// Flow log on the VPC, capturing all traffic and delivering to the bucket.
// `exampleAwsVpc` is not declared in this snippet and must exist elsewhere.
const vpcFlowLog = new aws.ec2.FlowLog("example", {
    vpcId: exampleAwsVpc.id,
    trafficType: "ALL",
    logDestinationType: "s3",
    logDestination: logBucket.arn,
    destinationOptions: parquetHourly,
});
import pulumi
import pulumi_aws as aws
# Bucket that receives the flow log files.
log_bucket = aws.s3.BucketV2("example", bucket="example")

# Delivery options: Parquet files, partitioned per hour.
parquet_hourly = {
    "file_format": "parquet",
    "per_hour_partition": True,
}

# Flow log on the VPC, capturing all traffic and delivering to the bucket.
# `example_aws_vpc` is not declared in this snippet and must exist elsewhere.
vpc_flow_log = aws.ec2.FlowLog(
    "example",
    vpc_id=example_aws_vpc["id"],
    traffic_type="ALL",
    log_destination_type="s3",
    log_destination=log_bucket.arn,
    destination_options=parquet_hourly,
)
package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares an S3 bucket and a VPC flow log that delivers all captured
// traffic records to it as Parquet files partitioned per hour.
// exampleAwsVpc is not declared in this snippet.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Bucket that receives the flow log files.
		logBucket, err := s3.NewBucketV2(ctx, "example", &s3.BucketV2Args{
			Bucket: pulumi.String("example"),
		})
		if err != nil {
			return err
		}

		// Delivery options: Parquet files, partitioned per hour.
		parquetHourly := &ec2.FlowLogDestinationOptionsArgs{
			PerHourPartition: pulumi.Bool(true),
			FileFormat:       pulumi.String("parquet"),
		}
		_, err = ec2.NewFlowLog(ctx, "example", &ec2.FlowLogArgs{
			VpcId:              pulumi.Any(exampleAwsVpc.Id),
			TrafficType:        pulumi.String("ALL"),
			LogDestinationType: pulumi.String("s3"),
			LogDestination:     logBucket.Arn,
			DestinationOptions: parquetHourly,
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Declares an S3 bucket and a VPC flow log that delivers all captured traffic
// records to it as Parquet files partitioned per hour.
// `exampleAwsVpc` is not declared in this snippet.
return await Deployment.RunAsync(() =>
{
    // Bucket that receives the flow log files.
    var logBucket = new Aws.S3.BucketV2("example", new()
    {
        Bucket = "example",
    });

    // Delivery options: Parquet files, partitioned per hour.
    var parquetHourly = new Aws.Ec2.Inputs.FlowLogDestinationOptionsArgs
    {
        PerHourPartition = true,
        FileFormat = "parquet",
    };

    var vpcFlowLog = new Aws.Ec2.FlowLog("example", new()
    {
        VpcId = exampleAwsVpc.Id,
        TrafficType = "ALL",
        LogDestinationType = "s3",
        LogDestination = logBucket.Arn,
        DestinationOptions = parquetHourly,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.ec2.FlowLog;
import com.pulumi.aws.ec2.FlowLogArgs;
import com.pulumi.aws.ec2.inputs.FlowLogDestinationOptionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Example stack: a VPC flow log delivered to S3 as hourly-partitioned Parquet. */
public class App {
    /** Program entry point; hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the bucket and the flow log that delivers to it.
     * {@code exampleAwsVpc} is not declared in this snippet and must exist elsewhere.
     */
    public static void stack(Context ctx) {
        // Bucket that receives the flow log files.
        var logBucket = new BucketV2("exampleBucketV2", BucketV2Args.builder()
            .bucket("example")
            .build());

        // Delivery options: Parquet files, partitioned per hour.
        var parquetHourly = FlowLogDestinationOptionsArgs.builder()
            .perHourPartition(true)
            .fileFormat("parquet")
            .build();

        var vpcFlowLog = new FlowLog("example", FlowLogArgs.builder()
            .vpcId(exampleAwsVpc.id())
            .trafficType("ALL")
            .logDestinationType("s3")
            .logDestination(logBucket.arn())
            .destinationOptions(parquetHourly)
            .build());
    }
}
resources:
  # Bucket that receives the flow log files.
  exampleBucketV2:
    type: aws:s3:BucketV2
    name: example
    properties:
      bucket: example
  # Flow log on the VPC, capturing all traffic and delivering to the bucket
  # as Parquet files partitioned per hour.
  # exampleAwsVpc is not declared in this program and must exist elsewhere.
  example:
    type: aws:ec2:FlowLog
    properties:
      vpcId: ${exampleAwsVpc.id}
      trafficType: ALL
      logDestinationType: s3
      logDestination: ${exampleBucketV2.arn}
      destinationOptions:
        perHourPartition: true
        fileFormat: parquet
Create FlowLog Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new FlowLog(name: string, args?: FlowLogArgs, opts?: CustomResourceOptions);
@overload
def FlowLog(resource_name: str,
            args: Optional[FlowLogArgs] = None,
            opts: Optional[ResourceOptions] = None)
@overload
def FlowLog(resource_name: str,
            opts: Optional[ResourceOptions] = None,
            deliver_cross_account_role: Optional[str] = None,
            destination_options: Optional[FlowLogDestinationOptionsArgs] = None,
            eni_id: Optional[str] = None,
            iam_role_arn: Optional[str] = None,
            log_destination: Optional[str] = None,
            log_destination_type: Optional[str] = None,
            log_format: Optional[str] = None,
            log_group_name: Optional[str] = None,
            max_aggregation_interval: Optional[int] = None,
            subnet_id: Optional[str] = None,
            tags: Optional[Mapping[str, str]] = None,
            traffic_type: Optional[str] = None,
            transit_gateway_attachment_id: Optional[str] = None,
            transit_gateway_id: Optional[str] = None,
            vpc_id: Optional[str] = None)
func NewFlowLog(ctx *Context, name string, args *FlowLogArgs, opts ...ResourceOption) (*FlowLog, error)
public FlowLog(string name, FlowLogArgs? args = null, CustomResourceOptions? opts = null)
public FlowLog(String name, FlowLogArgs args)
public FlowLog(String name, FlowLogArgs args, CustomResourceOptions options)
type: aws:ec2:FlowLog
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args FlowLogArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args FlowLogArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args FlowLogArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args FlowLogArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args FlowLogArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference constructor call: every input carries a placeholder value
// ("string", 0, false); it is not a working configuration.
var flowLogResource = new Aws.Ec2.FlowLog("flowLogResource", new()
{
    // ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
    DeliverCrossAccountRole = "string",
    DestinationOptions = new Aws.Ec2.Inputs.FlowLogDestinationOptionsArgs
    {
        FileFormat = "string",
        HiveCompatiblePartitions = false,
        PerHourPartition = false,
    },
    // Elastic Network Interface ID to attach to.
    EniId = "string",
    // ARN of the IAM role used to post flow logs to a CloudWatch Logs log group.
    IamRoleArn = "string",
    // ARN of the logging destination.
    LogDestination = "string",
    // Valid values: cloud-watch-logs, s3, kinesis-data-firehose.
    LogDestinationType = "string",
    LogFormat = "string",
    MaxAggregationInterval = 0,
    SubnetId = "string",
    Tags = 
    {
        { "string", "string" },
    },
    TrafficType = "string",
    TransitGatewayAttachmentId = "string",
    TransitGatewayId = "string",
    VpcId = "string",
});
// Reference constructor call: every input carries a placeholder value
// ("string", 0, false); it is not a working configuration.
example, err := ec2.NewFlowLog(ctx, "flowLogResource", &ec2.FlowLogArgs{
	// ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
	DeliverCrossAccountRole: pulumi.String("string"),
	DestinationOptions: &ec2.FlowLogDestinationOptionsArgs{
		FileFormat:               pulumi.String("string"),
		HiveCompatiblePartitions: pulumi.Bool(false),
		PerHourPartition:         pulumi.Bool(false),
	},
	// Elastic Network Interface ID to attach to.
	EniId:                  pulumi.String("string"),
	// ARN of the IAM role used to post flow logs to a CloudWatch Logs log group.
	IamRoleArn:             pulumi.String("string"),
	// ARN of the logging destination.
	LogDestination:         pulumi.String("string"),
	// Valid values: cloud-watch-logs, s3, kinesis-data-firehose.
	LogDestinationType:     pulumi.String("string"),
	LogFormat:              pulumi.String("string"),
	MaxAggregationInterval: pulumi.Int(0),
	SubnetId:               pulumi.String("string"),
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	TrafficType:                pulumi.String("string"),
	TransitGatewayAttachmentId: pulumi.String("string"),
	TransitGatewayId:           pulumi.String("string"),
	VpcId:                      pulumi.String("string"),
})
// Reference constructor call: every input carries a placeholder value
// ("string", 0, false); it is not a working configuration.
var flowLogResource = new FlowLog("flowLogResource", FlowLogArgs.builder()
    // ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
    .deliverCrossAccountRole("string")
    .destinationOptions(FlowLogDestinationOptionsArgs.builder()
        .fileFormat("string")
        .hiveCompatiblePartitions(false)
        .perHourPartition(false)
        .build())
    // Elastic Network Interface ID to attach to.
    .eniId("string")
    // ARN of the IAM role used to post flow logs to a CloudWatch Logs log group.
    .iamRoleArn("string")
    // ARN of the logging destination.
    .logDestination("string")
    // Valid values: cloud-watch-logs, s3, kinesis-data-firehose.
    .logDestinationType("string")
    .logFormat("string")
    .maxAggregationInterval(0)
    .subnetId("string")
    .tags(Map.of("string", "string"))
    .trafficType("string")
    .transitGatewayAttachmentId("string")
    .transitGatewayId("string")
    .vpcId("string")
    .build());
# Reference constructor call: every input carries a placeholder value
# ("string", 0, False); it is not a working configuration.
flow_log_resource = aws.ec2.FlowLog("flowLogResource",
    # ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
    deliver_cross_account_role="string",
    destination_options={
        "file_format": "string",
        "hive_compatible_partitions": False,
        "per_hour_partition": False,
    },
    # Elastic Network Interface ID to attach to.
    eni_id="string",
    # ARN of the IAM role used to post flow logs to a CloudWatch Logs log group.
    iam_role_arn="string",
    # ARN of the logging destination.
    log_destination="string",
    # Valid values: cloud-watch-logs, s3, kinesis-data-firehose.
    log_destination_type="string",
    log_format="string",
    max_aggregation_interval=0,
    subnet_id="string",
    tags={
        "string": "string",
    },
    traffic_type="string",
    transit_gateway_attachment_id="string",
    transit_gateway_id="string",
    vpc_id="string")
// Constructor template: every argument carries a placeholder that only shows its
// type ("string", 0, false); none of them is a usable setting.
const flowLogArgs: aws.ec2.FlowLogArgs = {
    deliverCrossAccountRole: "string",
    destinationOptions: {
        fileFormat: "string",
        hiveCompatiblePartitions: false,
        perHourPartition: false,
    },
    // The template lists every attach target (eniId, subnetId,
    // transitGatewayAttachmentId, transitGatewayId, vpcId); presumably a real flow
    // log names only the one it attaches to -- confirm against the provider docs.
    eniId: "string",
    // Role used to post flow logs to a CloudWatch Logs log group.
    iamRoleArn: "string",
    logDestination: "string",
    // Valid values: cloud-watch-logs, s3, kinesis-data-firehose (default cloud-watch-logs).
    logDestinationType: "string",
    logFormat: "string",
    // Placeholder only: valid values are 60 and 600 seconds (default 600); 60 is
    // required when a transit gateway or transit gateway attachment is the target.
    maxAggregationInterval: 0,
    subnetId: "string",
    tags: { "string": "string" },
    // Valid values: ACCEPT, REJECT, ALL. Capturing only ACCEPT or only REJECT
    // leaves the other kind of traffic out of the logs.
    trafficType: "string",
    transitGatewayAttachmentId: "string",
    transitGatewayId: "string",
    vpcId: "string",
};

const flowLogResource = new aws.ec2.FlowLog("flowLogResource", flowLogArgs);
# Resource template: every property carries a placeholder that only shows its
# type (string, 0, false); none of them is a usable setting.
type: aws:ec2:FlowLog
properties:
    deliverCrossAccountRole: string
    destinationOptions: {fileFormat: string, hiveCompatiblePartitions: false, perHourPartition: false}
    # The template lists every attach target (eniId, subnetId,
    # transitGatewayAttachmentId, transitGatewayId, vpcId); presumably a real flow
    # log names only the one it attaches to -- confirm against the provider docs.
    eniId: string
    # Role used to post flow logs to a CloudWatch Logs log group.
    iamRoleArn: string
    logDestination: string
    # Valid values: cloud-watch-logs, s3, kinesis-data-firehose (default cloud-watch-logs).
    logDestinationType: string
    logFormat: string
    # Placeholder only: valid values are 60 and 600 seconds (default 600); 60 is
    # required when a transit gateway or transit gateway attachment is the target.
    maxAggregationInterval: 0
    subnetId: string
    tags: {string: string}
    # Valid values: ACCEPT, REJECT, ALL. Capturing only ACCEPT or only REJECT
    # leaves the other kind of traffic out of the logs.
    trafficType: string
    transitGatewayAttachmentId: string
    transitGatewayId: string
    vpcId: string
FlowLog Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The FlowLog resource accepts the following input properties:
- DeliverCrossAccountRole string
- ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
- DestinationOptions FlowLogDestinationOptions
- Describes the destination options for a flow log. More details below.
- EniId string
- Elastic Network Interface ID to attach to
- IamRoleArn string
- The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group
- LogDestination string
- The ARN of the logging destination. Either `log_destination` or `log_group_name` must be set.
- LogDestinationType string
- The type of the logging destination. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
- LogFormat string
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- LogGroupName string
- Deprecated: Use `log_destination` instead. The name of the CloudWatch log group. Either `log_group_name` or `log_destination` must be set.
- MaxAggregationInterval int
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transit_gateway_id` or `transit_gateway_attachment_id` is specified, `max_aggregation_interval` must be 60 seconds (1 minute).
- SubnetId string
- Subnet ID to attach to
- Tags Dictionary<string, string>
- Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- TrafficType string
- The type of traffic to capture. Valid values: `ACCEPT`, `REJECT`, `ALL`.
- TransitGatewayAttachmentId string
- Transit Gateway Attachment ID to attach to
- TransitGatewayId string
- Transit Gateway ID to attach to
- VpcId string
- VPC ID to attach to
- DeliverCrossAccountRole string
- ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
- DestinationOptions FlowLogDestinationOptionsArgs
- Describes the destination options for a flow log. More details below.
- EniId string
- Elastic Network Interface ID to attach to
- IamRoleArn string
- The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group
- LogDestination string
- The ARN of the logging destination. Either `log_destination` or `log_group_name` must be set.
- LogDestinationType string
- The type of the logging destination. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
- LogFormat string
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- LogGroupName string
- Deprecated: Use `log_destination` instead. The name of the CloudWatch log group. Either `log_group_name` or `log_destination` must be set.
- MaxAggregationInterval int
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transit_gateway_id` or `transit_gateway_attachment_id` is specified, `max_aggregation_interval` must be 60 seconds (1 minute).
- SubnetId string
- Subnet ID to attach to
- Tags map[string]string
- Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- TrafficType string
- The type of traffic to capture. Valid values: `ACCEPT`, `REJECT`, `ALL`.
- TransitGatewayAttachmentId string
- Transit Gateway Attachment ID to attach to
- TransitGatewayId string
- Transit Gateway ID to attach to
- VpcId string
- VPC ID to attach to
- deliverCrossAccountRole String
- ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
- destinationOptions FlowLogDestinationOptions
- Describes the destination options for a flow log. More details below.
- eniId String
- Elastic Network Interface ID to attach to
- iamRoleArn String
- The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group
- logDestination String
- The ARN of the logging destination. Either `log_destination` or `log_group_name` must be set.
- logDestinationType String
- The type of the logging destination. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
- logFormat String
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- logGroupName String
- Deprecated: Use `log_destination` instead. The name of the CloudWatch log group. Either `log_group_name` or `log_destination` must be set.
- maxAggregationInterval Integer
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transit_gateway_id` or `transit_gateway_attachment_id` is specified, `max_aggregation_interval` must be 60 seconds (1 minute).
- subnetId String
- Subnet ID to attach to
- tags Map<String,String>
- Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- trafficType String
- The type of traffic to capture. Valid values: `ACCEPT`, `REJECT`, `ALL`.
- transitGatewayAttachmentId String
- Transit Gateway Attachment ID to attach to
- transitGatewayId String
- Transit Gateway ID to attach to
- vpcId String
- VPC ID to attach to
- deliverCrossAccountRole string
- ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
- destinationOptions FlowLogDestinationOptions
- Describes the destination options for a flow log. More details below.
- eniId string
- Elastic Network Interface ID to attach to
- iamRoleArn string
- The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group
- logDestination string
- The ARN of the logging destination. Either `log_destination` or `log_group_name` must be set.
- logDestinationType string
- The type of the logging destination. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
- logFormat string
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- logGroupName string
- Deprecated: Use `log_destination` instead. The name of the CloudWatch log group. Either `log_group_name` or `log_destination` must be set.
- maxAggregationInterval number
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transit_gateway_id` or `transit_gateway_attachment_id` is specified, `max_aggregation_interval` must be 60 seconds (1 minute).
- subnetId string
- Subnet ID to attach to
- tags {[key: string]: string}
- Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- trafficType string
- The type of traffic to capture. Valid values: `ACCEPT`, `REJECT`, `ALL`.
- transitGatewayAttachmentId string
- Transit Gateway Attachment ID to attach to
- transitGatewayId string
- Transit Gateway ID to attach to
- vpcId string
- VPC ID to attach to
- deliver_cross_account_role str
- ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
- destination_options FlowLogDestinationOptionsArgs
- Describes the destination options for a flow log. More details below.
- eni_id str
- Elastic Network Interface ID to attach to
- iam_role_arn str
- The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group
- log_destination str
- The ARN of the logging destination. Either `log_destination` or `log_group_name` must be set.
- log_destination_type str
- The type of the logging destination. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
- log_format str
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- log_group_name str
- Deprecated: Use `log_destination` instead. The name of the CloudWatch log group. Either `log_group_name` or `log_destination` must be set.
- max_aggregation_interval int
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transit_gateway_id` or `transit_gateway_attachment_id` is specified, `max_aggregation_interval` must be 60 seconds (1 minute).
- subnet_id str
- Subnet ID to attach to
- tags Mapping[str, str]
- Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- traffic_type str
- The type of traffic to capture. Valid values: `ACCEPT`, `REJECT`, `ALL`.
- transit_gateway_attachment_id str
- Transit Gateway Attachment ID to attach to
- transit_gateway_id str
- Transit Gateway ID to attach to
- vpc_id str
- VPC ID to attach to
- deliverCrossAccountRole String
- ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
- destinationOptions Property Map
- Describes the destination options for a flow log. More details below.
- eniId String
- Elastic Network Interface ID to attach to
- iamRoleArn String
- The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group
- logDestination String
- The ARN of the logging destination. Either `log_destination` or `log_group_name` must be set.
- logDestinationType String
- The type of the logging destination. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
- logFormat String
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- logGroupName String
- Deprecated: Use `log_destination` instead. The name of the CloudWatch log group. Either `log_group_name` or `log_destination` must be set.
- maxAggregationInterval Number
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transit_gateway_id` or `transit_gateway_attachment_id` is specified, `max_aggregation_interval` must be 60 seconds (1 minute).
- subnetId String
- Subnet ID to attach to
- tags Map<String>
- Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- trafficType String
- The type of traffic to capture. Valid values: `ACCEPT`, `REJECT`, `ALL`.
- transitGatewayAttachmentId String
- Transit Gateway Attachment ID to attach to
- transitGatewayId String
- Transit Gateway ID to attach to
- vpcId String
- VPC ID to attach to
Outputs
All input properties are implicitly available as output properties. Additionally, the FlowLog resource produces the following output properties:
Look up Existing FlowLog Resource
Get an existing FlowLog resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: FlowLogState, opts?: CustomResourceOptions): FlowLog
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        arn: Optional[str] = None,
        deliver_cross_account_role: Optional[str] = None,
        destination_options: Optional[FlowLogDestinationOptionsArgs] = None,
        eni_id: Optional[str] = None,
        iam_role_arn: Optional[str] = None,
        log_destination: Optional[str] = None,
        log_destination_type: Optional[str] = None,
        log_format: Optional[str] = None,
        log_group_name: Optional[str] = None,
        max_aggregation_interval: Optional[int] = None,
        subnet_id: Optional[str] = None,
        tags: Optional[Mapping[str, str]] = None,
        tags_all: Optional[Mapping[str, str]] = None,
        traffic_type: Optional[str] = None,
        transit_gateway_attachment_id: Optional[str] = None,
        transit_gateway_id: Optional[str] = None,
        vpc_id: Optional[str] = None) -> FlowLog
func GetFlowLog(ctx *Context, name string, id IDInput, state *FlowLogState, opts ...ResourceOption) (*FlowLog, error)
public static FlowLog Get(string name, Input<string> id, FlowLogState? state, CustomResourceOptions? opts = null)
public static FlowLog get(String name, Output<String> id, FlowLogState state, CustomResourceOptions options)
resources:
  _:
    type: aws:ec2:FlowLog
    get:
      id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Arn string
- The ARN of the Flow Log.
- DeliverCrossAccountRole string
- ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
- DestinationOptions FlowLogDestinationOptions
- Describes the destination options for a flow log. More details below.
- EniId string
- Elastic Network Interface ID to attach to
- IamRoleArn string
- The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group
- LogDestination string
- The ARN of the logging destination. Either `log_destination` or `log_group_name` must be set.
- LogDestinationType string
- The type of the logging destination. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
- LogFormat string
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- LogGroupName string
- Deprecated: Use `log_destination` instead. The name of the CloudWatch log group. Either `log_group_name` or `log_destination` must be set.
- MaxAggregationInterval int
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transit_gateway_id` or `transit_gateway_attachment_id` is specified, `max_aggregation_interval` must be 60 seconds (1 minute).
- SubnetId string
- Subnet ID to attach to
- Tags Dictionary<string, string>
- Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- TagsAll Dictionary<string, string>
- A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- TrafficType string
- The type of traffic to capture. Valid values: `ACCEPT`, `REJECT`, `ALL`.
- TransitGatewayAttachmentId string
- Transit Gateway Attachment ID to attach to
- TransitGatewayId string
- Transit Gateway ID to attach to
- VpcId string
- VPC ID to attach to
- Arn string
- The ARN of the Flow Log.
- DeliverCrossAccountRole string
- ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
- DestinationOptions FlowLogDestinationOptionsArgs
- Describes the destination options for a flow log. More details below.
- EniId string
- Elastic Network Interface ID to attach to
- IamRoleArn string
- The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group
- LogDestination string
- The ARN of the logging destination. Either `log_destination` or `log_group_name` must be set.
- LogDestinationType string
- The type of the logging destination. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
- LogFormat string
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- LogGroupName string
- Deprecated: Use `log_destination` instead. The name of the CloudWatch log group. Either `log_group_name` or `log_destination` must be set.
- MaxAggregationInterval int
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transit_gateway_id` or `transit_gateway_attachment_id` is specified, `max_aggregation_interval` must be 60 seconds (1 minute).
- SubnetId string
- Subnet ID to attach to
- Tags map[string]string
- Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- TagsAll map[string]string
- A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- TrafficType string
- The type of traffic to capture. Valid values: `ACCEPT`, `REJECT`, `ALL`.
- TransitGatewayAttachmentId string
- Transit Gateway Attachment ID to attach to
- TransitGatewayId string
- Transit Gateway ID to attach to
- VpcId string
- VPC ID to attach to
- arn String
- The ARN of the Flow Log.
- deliverCrossAccountRole String
- ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
- destinationOptions FlowLogDestinationOptions
- Describes the destination options for a flow log. More details below.
- eniId String
- Elastic Network Interface ID to attach to
- iamRoleArn String
- The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group
- logDestination String
- The ARN of the logging destination. Either `log_destination` or `log_group_name` must be set.
- logDestinationType String
- The type of the logging destination. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
- logFormat String
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- logGroupName String
- Deprecated: Use `log_destination` instead. The name of the CloudWatch log group. Either `log_group_name` or `log_destination` must be set.
- maxAggregationInterval Integer
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transit_gateway_id` or `transit_gateway_attachment_id` is specified, `max_aggregation_interval` must be 60 seconds (1 minute).
- subnetId String
- Subnet ID to attach to
- tags Map<String,String>
- Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- tagsAll Map<String,String>
- A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- trafficType String
- The type of traffic to capture. Valid values: `ACCEPT`, `REJECT`, `ALL`.
- transitGatewayAttachmentId String
- Transit Gateway Attachment ID to attach to
- transitGatewayId String
- Transit Gateway ID to attach to
- vpcId String
- VPC ID to attach to
- arn string
- The ARN of the Flow Log.
- deliverCrossAccountRole string
- ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
- destinationOptions FlowLogDestinationOptions
- Describes the destination options for a flow log. More details below.
- eniId string
- Elastic Network Interface ID to attach to
- iamRoleArn string
- The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group
- logDestination string
- The ARN of the logging destination. Either `log_destination` or `log_group_name` must be set.
- logDestinationType string
- The type of the logging destination. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
- logFormat string
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- logGroupName string
- Deprecated: Use `log_destination` instead. The name of the CloudWatch log group. Either `log_group_name` or `log_destination` must be set.
- maxAggregationInterval number
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transit_gateway_id` or `transit_gateway_attachment_id` is specified, `max_aggregation_interval` must be 60 seconds (1 minute).
- subnetId string
- Subnet ID to attach to
- tags {[key: string]: string}
- Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- tagsAll {[key: string]: string}
- A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- trafficType string
- The type of traffic to capture. Valid values: `ACCEPT`, `REJECT`, `ALL`.
- transitGatewayAttachmentId string
- Transit Gateway Attachment ID to attach to
- transitGatewayId string
- Transit Gateway ID to attach to
- vpcId string
- VPC ID to attach to
- arn str
- The ARN of the Flow Log.
- deliver_cross_account_role str
- ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
- destination_options FlowLogDestinationOptionsArgs
- Describes the destination options for a flow log. More details below.
- eni_id str
- Elastic Network Interface ID to attach to
- iam_role_arn str
- The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group
- log_destination str
- The ARN of the logging destination. Either `log_destination` or `log_group_name` must be set.
- log_destination_type str
- The type of the logging destination. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
- log_format str
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- log_group_name str
- Deprecated: Use `log_destination` instead. The name of the CloudWatch log group. Either `log_group_name` or `log_destination` must be set.
- max_aggregation_interval int
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transit_gateway_id` or `transit_gateway_attachment_id` is specified, `max_aggregation_interval` must be 60 seconds (1 minute).
- subnet_id str
- Subnet ID to attach to
- tags Mapping[str, str]
- Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- tags_all Mapping[str, str]
- A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- traffic_type str
- The type of traffic to capture. Valid values: `ACCEPT`, `REJECT`, `ALL`.
- transit_gateway_attachment_id str
- Transit Gateway Attachment ID to attach to
- transit_gateway_id str
- Transit Gateway ID to attach to
- vpc_id str
- VPC ID to attach to
- arn String
- The ARN of the Flow Log.
- deliverCrossAccountRole String
- ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.
- destinationOptions Property Map
- Describes the destination options for a flow log. More details below.
- eniId String
- Elastic Network Interface ID to attach to
- iamRoleArn String
- The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group
- logDestination String
- The ARN of the logging destination. Either `log_destination` or `log_group_name` must be set.
- logDestinationType String
- The type of the logging destination. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`.
- logFormat String
- The fields to include in the flow log record. Accepted format example: "$${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport}".
- logGroupName String
- Deprecated: Use `log_destination` instead. The name of the CloudWatch log group. Either `log_group_name` or `log_destination` must be set.
- maxAggregationInterval Number
- The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds (1 minute) or `600` seconds (10 minutes). Default: `600`. When `transit_gateway_id` or `transit_gateway_attachment_id` is specified, `max_aggregation_interval` must be 60 seconds (1 minute).
- subnetId String
- Subnet ID to attach to
- tags Map<String>
- Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- tagsAll Map<String>
- A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- trafficType String
- The type of traffic to capture. Valid values: `ACCEPT`, `REJECT`, `ALL`.
- transitGatewayAttachmentId String
- Transit Gateway Attachment ID to attach to
- transitGatewayId String
- Transit Gateway ID to attach to
- vpcId String
- VPC ID to attach to
Supporting Types
FlowLogDestinationOptions, FlowLogDestinationOptionsArgs        
- FileFormat string
- The format for the flow log. Default value: `plain-text`. Valid values: `plain-text`, `parquet`.
- HiveCompatiblePartitions bool
- Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. Default value: false.
- PerHourPartition bool
- Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. Default value: false.
- FileFormat string
- The format for the flow log. Default value: `plain-text`. Valid values: `plain-text`, `parquet`.
- HiveCompatiblePartitions bool
- Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. Default value: false.
- PerHourPartition bool
- Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. Default value: false.
- fileFormat String
- The format for the flow log. Default value: `plain-text`. Valid values: `plain-text`, `parquet`.
- hiveCompatiblePartitions Boolean
- Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. Default value: false.
- perHourPartition Boolean
- Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. Default value: false.
- fileFormat string
- The format for the flow log. Default value: `plain-text`. Valid values: `plain-text`, `parquet`.
- hiveCompatiblePartitions boolean
- Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. Default value: false.
- perHourPartition boolean
- Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. Default value: false.
- file_format str
- The format for the flow log. Default value: `plain-text`. Valid values: `plain-text`, `parquet`.
- hive_compatible_partitions bool
- Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. Default value: false.
- per_hour_partition bool
- Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. Default value: false.
- fileFormat String
- The format for the flow log. Default value: `plain-text`. Valid values: `plain-text`, `parquet`.
- hiveCompatiblePartitions Boolean
- Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. Default value: false.
- perHourPartition Boolean
- Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. Default value: false.
Import
Using pulumi import, import Flow Logs using the id. For example:
$ pulumi import aws:ec2/flowLog:FlowLog test_flow_log fl-1a2b3c4d
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the `aws` Terraform Provider.