Module: cloudwatch-flow-logs
Terraform module for enabling VPC Flow Logs for a VPC, its subnets and ENIs, delivered to a CloudWatch Logs group and subscribed to a Kinesis stream.
Usage
```hcl
module "flow_logs" {
  source    = "git::https://github.com/cloudposse/terraform-aws-cloudwatch-flow-logs.git?ref=master"
  vpc_id    = "${var.vpc_id}"
  namespace = "${var.namespace}"
  stage     = "${var.stage}"
}
```
Variables
Required Variables
| Name | Type | Description |
|---|---|---|
| vpc_id | any | ID of VPC |
Optional Variables
| Name | Type | Description | Default value |
|---|---|---|---|
| encryption_type | string | GUID for the customer-managed KMS key to use for encryption. The only acceptable values are NONE or KMS | "NONE" |
| eni_ids | list(string) | IDs of ENIs | [] |
| filter_pattern | string | Valid CloudWatch Logs filter pattern for subscribing to a filtered stream of log events | "[version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, windowstart, windowend, action, flowlogstatus]" |
| kms_key_id | string | ID of KMS key | "" |
| region | string | AWS region | "" |
| retention_in_days | string | Number of days you want to retain log events in the log group | "30" |
| retention_period | string | Length of time data records are accessible after they are added to the stream | "48" |
| shard_count | string | Number of shards that the stream will use | "1" |
| shard_level_metrics | list | List of shard-level CloudWatch metrics which can be enabled for the stream | ["IncomingBytes", "OutgoingBytes"] |
| subnet_ids | list(string) | IDs of subnets | [] |
| traffic_type | string | Type of traffic to capture. Valid values: ACCEPT, REJECT, ALL | "ALL" |
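The default filter_pattern names the fourteen fields of a default-format VPC Flow Log record, in order, which is also the order a consumer of the subscribed stream has to parse. As an added example that is not part of this module, the following Python parses records in that field order and summarises REJECT records per ENI and destination port; it treats NODATA/SKIPDATA records (whose traffic fields are `-`) as carrying no traffic, and the sample records, account ID and ENI IDs are constructed.

```python
"""Parse VPC Flow Log records in the field order used by the module's
default filter_pattern and summarise rejected traffic per ENI.
Added example, not part of the terraform-aws-cloudwatch-flow-logs module."""
from collections import Counter
from typing import Dict, List

# Field order from the module's default filter_pattern (default v2 record format).
FLOW_LOG_FIELDS = [
    "version", "account", "eni", "source", "destination", "srcport",
    "destport", "protocol", "packets", "bytes", "windowstart", "windowend",
    "action", "flowlogstatus",
]
# Fields that are integers in normal records but '-' in NODATA/SKIPDATA records.
INT_FIELDS = {"version", "srcport", "destport", "protocol", "packets",
              "bytes", "windowstart", "windowend"}


def parse_flow_log(line: str) -> Dict[str, object]:
    """Split one space-delimited record into named fields; '-' becomes None."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        raise ValueError(f"expected {len(FLOW_LOG_FIELDS)} fields, got {len(parts)}")
    record: Dict[str, object] = dict(zip(FLOW_LOG_FIELDS, parts))
    for name in INT_FIELDS:
        value = parts[FLOW_LOG_FIELDS.index(name)]
        record[name] = None if value == "-" else int(value)
    return record


def rejected_ports_by_eni(lines: List[str]) -> Dict[str, Counter]:
    """Count REJECT records with flowlogstatus OK, keyed by ENI then destport."""
    summary: Dict[str, Counter] = {}
    for line in lines:
        rec = parse_flow_log(line)
        # NODATA/SKIPDATA records have no action; ACCEPT records are not counted here.
        if rec["flowlogstatus"] != "OK" or rec["action"] != "REJECT":
            continue
        summary.setdefault(rec["eni"], Counter())[rec["destport"]] += 1
    return summary


# Constructed sample records (account ID and ENI IDs are placeholders).
SAMPLE_RECORDS = [
    "2 111122223333 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.25 49152 22 6 3 180 1418530010 1418530070 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.25 49153 22 6 3 180 1418530010 1418530070 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f67890 10.0.1.25 10.0.2.40 54321 443 6 20 4249 1418530010 1418530070 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d4e5f67890 - - - - - - - 1431280876 1431280934 - NODATA",
    "2 111122223333 eni-0fedcba9876543210 198.51.100.7 10.0.1.26 40000 3389 6 1 40 1418530010 1418530070 REJECT OK",
]
```

Calling `rejected_ports_by_eni(SAMPLE_RECORDS)` on the constructed records reports two rejected connections to port 22 on the first ENI and one to port 3389 on the second.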
Context Variables
The following variables are defined in the context.tf file of this module and are part of the terraform-null-label pattern.
| Name | Type | Required | Description | Default value |
|---|---|---|---|---|
| namespace | string | Yes | Namespace (e.g. `cp` or `cloudposse`) | "" |
| stage | string | Yes | Stage (e.g. `prod`, `dev`, `staging`) | "" |
| attributes | list(string) | No | Additional attributes (e.g. `policy` or `role`) | [] |
| delimiter | string | No | Delimiter to be used between `name`, `namespace`, `stage`, etc. | "-" |
| enabled | string | No | Set to false to prevent the module from creating anything | "true" |
| name | string | No | Name (e.g. `bastion` or `db`) | "" |
| tags | map(string) | No | Additional tags (e.g. map(`BusinessUnit`, `XYZ`)) | {} |
Outputs
| Name | Description |
|---|---|
| eni_flow_ids | Flow Log IDs of ENIs |
| kinesis_arn | Kinesis Stream ARN |
| kinesis_id | Kinesis Stream ID |
| kinesis_name | Kinesis Stream name |
| kinesis_shard_count | Kinesis Stream shard count |
| log_group_arn | ARN of the log group |
| subnet_flow_ids | Flow Log IDs of subnets |
| vpc_flow_id | VPC Flow Log ID |
Dependencies
Providers
aws
Modules
| Name | Version | Source | Description |
|---|---|---|---|
| kinesis_label | tags/0.3.1 | git::https://github.com/cloudposse/terraform-null-label.git | n/a |
| log_group_label | tags/0.3.1 | git::https://github.com/cloudposse/terraform-null-label.git | n/a |
| subnet_label | tags/0.3.1 | git::https://github.com/cloudposse/terraform-null-label.git | n/a |
| subscription_filter_label | tags/0.3.1 | git::https://github.com/cloudposse/terraform-null-label.git | n/a |
| vpc_label | tags/0.3.1 | git::https://github.com/cloudposse/terraform-null-label.git | n/a |
Resources
The following resources are used by this module:
- aws_cloudwatch_log_group.default (resource)
- aws_cloudwatch_log_subscription_filter.default (resource)
- aws_flow_log.eni (resource)
- aws_flow_log.subnets (resource)
- aws_flow_log.vpc (resource)
- aws_iam_role.kinesis (resource)
- aws_iam_role.log (resource)
- aws_iam_role_policy.kinesis (resource)
- aws_iam_role_policy.log (resource)
- aws_kinesis_stream.default (resource)
Data Sources
The following data sources are used by this module:
- aws_iam_policy_document.kinesis (data source)
- aws_iam_policy_document.kinesis_assume (data source)
- aws_iam_policy_document.log (data source)
- aws_iam_policy_document.log_assume (data source)
- aws_region.default (data source)