Terraform module for managing AWS VPC flow logs.

IMPORTANT NOTE: The `main` branch is used as the module source in the usage examples, in place of a version. It is important to pin the release tag (e.g. `?ref=tags/x.y.z`) in the module source when using any portion of this module to provision resources. The `main` branch may contain undocumented breaking changes.
Create VPC Flow Logs and push them to a new AWS CloudWatch Log group.

```hcl
module "vpc_flow_logs_default" {
  source = "https://github.com/bsakdol/terraform-aws-vpc//modules/vpc-flow-logs?ref=main"

  create_cloudwatch_iam_role  = true
  create_cloudwatch_log_group = true
  vpc_id                      = "vpc-987321654afbecd"

  tags = {
    "Environment" = "development"
    "GithubRepo"  = "terraform-aws-vpc"
    "Owner"       = "bsakdol"
    "Terraform"   = "true"
  }
}
```
Create VPC Flow Logs and push them to an existing AWS CloudWatch Log group.

```hcl
module "vpc_flow_logs_default" {
  source = "https://github.com/bsakdol/terraform-aws-vpc//modules/vpc-flow-logs?ref=main"

  cloudwatch_iam_role_arn = "arn:aws:iam::123456789:role/vpc-flow-log-role-134679"
  log_destination_arn     = "arn:aws:logs:us-east-2:123456789:log-group:/aws/vpc-flow-log/vpc-987321654afbecd"
  log_destination_type    = "cloud-watch-logs"
  vpc_id                  = "vpc-987321654afbecd"

  tags = {
    "Environment" = "development"
    "GithubRepo"  = "terraform-aws-vpc"
    "Owner"       = "bsakdol"
    "Terraform"   = "true"
  }
}
```
Create VPC Flow Logs and push them to an existing S3 bucket.

```hcl
module "vpc_flow_logs_default" {
  source = "https://github.com/bsakdol/terraform-aws-vpc//modules/vpc-flow-logs?ref=main"

  log_destination_arn  = "arn:aws:s3:::vpc-flow-logs-to-s3-1"
  log_destination_type = "s3"
  vpc_id               = "vpc-987321654afbecd"

  tags = {
    "Environment" = "development"
    "GithubRepo"  = "terraform-aws-vpc"
    "Owner"       = "bsakdol"
    "Terraform"   = "true"
  }
}
```
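The following is an added example, not one of the module's own usage examples: it pins the module source to a release tag as the note above asks, and combines several of the module's inputs (`traffic_type`, `max_aggregation_interval`, `iam_role_permissions_boundary`, `log_group_kms_key_id`, `log_group_retention_in_days`) into a CloudWatch destination that records only rejected traffic, encrypts the log group at rest and bounds the generated IAM role. The tag `x.y.z`, the KMS key ARN and the permissions boundary policy ARN are placeholders; the output name `reject_flow_log_arn` is assumed.

```hcl
# Added example (not part of the module's README). "x.y.z", the KMS key ARN and
# the permissions boundary ARN are placeholders to be replaced with real values.
module "vpc_flow_logs_rejects" {
  source = "https://github.com/bsakdol/terraform-aws-vpc//modules/vpc-flow-logs?ref=tags/x.y.z"

  vpc_id = "vpc-987321654afbecd"
  name   = "vpc-flow-logs-rejects"

  # Record only rejected flows at the shortest aggregation interval (60 s);
  # this is the signal most useful for spotting blocked connection attempts.
  traffic_type             = "REJECT"
  max_aggregation_interval = 60

  # Let the module create the log group and the role that writes to it, but
  # cap the role's effective permissions and encrypt the log group with a CMK.
  create_cloudwatch_iam_role    = true
  create_cloudwatch_log_group   = true
  iam_role_permissions_boundary = "arn:aws:iam::123456789:policy/PLACEHOLDER-boundary"
  log_group_kms_key_id          = "arn:aws:kms:us-east-2:123456789:key/PLACEHOLDER-key-id"

  # Retain 90 days of records; must be one of the values listed for
  # log_group_retention_in_days in the inputs table.
  log_group_retention_in_days = 90

  tags = {
    "Environment" = "development"
    "GithubRepo"  = "terraform-aws-vpc"
    "Owner"       = "bsakdol"
    "Terraform"   = "true"
  }
}

# Expose the flow log ARN from the module's "arn" output so another stack
# (for example one that attaches a subscription filter) can reference it.
output "reject_flow_log_arn" {
  value = module.vpc_flow_logs_rejects.arn
}
```

With the default `log_group_name_prefix`, the module names the created log group `/aws/vpc-flow-log/vpc-987321654afbecd`. The KMS key policy must grant the CloudWatch Logs service principal use of the key before `terraform apply`, otherwise log group creation fails; if the key is later disassociated, only newly ingested data stops being encrypted, as described under `log_group_kms_key_id` below.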
Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.1 |
| aws | >= 4.8 |

Providers:

| Name | Version |
|---|---|
| aws | >= 4.8 |

Modules: No modules.

Resources:

| Name | Type |
|---|---|
| aws_cloudwatch_log_group.this | resource |
| aws_flow_log.this | resource |
| aws_iam_policy.this | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.this | resource |
| aws_iam_policy_document.cloudwatch | data source |
| aws_iam_policy_document.cloudwatch_assume_role | data source |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cloudwatch_iam_role_arn | The ARN of the IAM role used to post flow logs to a CloudWatch Logs log group. | `string` | `null` | no |
| create_cloudwatch_iam_role | Whether to create an IAM role for use with the flow log. If not set to `true`, `cloudwatch_iam_role_arn` must be defined. `flow_log_destination_type` must be `s3` with this argument set `true`. | `bool` | `false` | no |
| create_cloudwatch_log_group | Whether to create a log group for the flow log. If not set to `true`, `log_destination_arn` must be defined. `flow_log_destination_type` must be `s3` with this argument set `true`. | `bool` | `false` | no |
| file_format | The format for the flow log. Valid values: `plain-text`, `parquet`. | `string` | `null` | no |
| hive_compatible_partitions | Whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. | `bool` | `null` | no |
| iam_role_permissions_boundary | ARN of the policy used to set the permissions boundary for the role. | `string` | `null` | no |
| log_destination_arn | The ARN of the logging destination. | `string` | `null` | no |
| log_destination_type | The type of the logging destination. Valid values: `cloud-watch-logs`, `s3`. | `string` | `"cloud-watch-logs"` | no |
| log_format | The fields to include in the flow log record, in the order in which they should appear. | `string` | `null` | no |
| log_group_kms_key_id | The ARN of the KMS key to use when encrypting log data. Note that after the AWS KMS CMK is disassociated from the log group, AWS CloudWatch Logs stops encrypting newly ingested data for the log group. All previously ingested data remains encrypted, and AWS CloudWatch Logs requires permissions for the CMK whenever the encrypted data is requested. | `string` | `null` | no |
| log_group_name_prefix | The name prefix of the CloudWatch log group for the VPC flow logs. The VPC ID is appended to the prefix to form the log group name. | `string` | `"/aws/vpc-flow-log/"` | no |
| log_group_retention_in_days | The number of days to retain log events in the specified log group. Possible values: `1`, `3`, `5`, `7`, `14`, `30`, `60`, `90`, `120`, `150`, `180`, `365`, `400`, `545`, `731`, `1827`, `3653`, and `0`. If you select `0`, the events in the log group are always retained and never expire. | `number` | `null` | no |
| max_aggregation_interval | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid values: `60` seconds (1 minute) or `600` seconds (10 minutes). | `number` | `null` | no |
| name | Name used as an identifier for all managed resources. | `string` | `null` | no |
| per_hour_partition | Whether to partition the flow log per hour. This reduces the cost and response time of queries. | `bool` | `null` | no |
| tags | A map of tags to assign to the resource. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level. | `map(string)` | `{}` | no |
| traffic_type | The type of traffic to capture. Valid values: `ACCEPT`, `REJECT`, `ALL`. | `string` | `"ALL"` | no |
| vpc_flow_log_tags | A map of tags to assign to the VPC flow log resources. Resource-specific tags override all other tags. | `map(string)` | `{}` | no |
| vpc_id | VPC ID to attach to. | `string` | `null` | no |
Outputs:

| Name | Description |
|---|---|
| arn | The ARN of the Flow Log. |
| cloudwatch_arn | A map of CloudWatch log group attributes. |
| cloudwatch_iam_policy | A map of CloudWatch IAM policy attributes. |
| cloudwatch_iam_role | A map of CloudWatch IAM role attributes. |
| id | The ID of the Flow Log. |
| tags_all | A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block. |
| vpc_flow_logs_all | A map of VPC Flow Log attributes. |