Module: cloudwatch-flow-logs
Terraform module for enabling flow logs for vpc and subnets.
Usage
module "flow_logs" {
source = "git::https://github.com/cloudposse/terraform-aws-cloudwatch-flow-logs.git?ref=master"
vpc_id = "${var.vpc_id}"
namespace = "${var.namespace}"
stage = "${var.stage}"
}
Requirements
No requirements.
Providers
| Name | Version |
|---|---|
| aws | n/a |
Modules
| Name | Source | Version |
|---|---|---|
| kinesis_label | git::https://github.com/cloudposse/terraform-null-label.git | tags/0.3.1 |
| log_group_label | git::https://github.com/cloudposse/terraform-null-label.git | tags/0.3.1 |
| subnet_label | git::https://github.com/cloudposse/terraform-null-label.git | tags/0.3.1 |
| subscription_filter_label | git::https://github.com/cloudposse/terraform-null-label.git | tags/0.3.1 |
| vpc_label | git::https://github.com/cloudposse/terraform-null-label.git | tags/0.3.1 |
Resources
| Name | Type |
|---|---|
| aws_cloudwatch_log_group.default | resource |
| aws_cloudwatch_log_subscription_filter.default | resource |
| aws_flow_log.eni | resource |
| aws_flow_log.subnets | resource |
| aws_flow_log.vpc | resource |
| aws_iam_role.kinesis | resource |
| aws_iam_role.log | resource |
| aws_iam_role_policy.kinesis | resource |
| aws_iam_role_policy.log | resource |
| aws_kinesis_stream.default | resource |
| aws_iam_policy_document.kinesis | data source |
| aws_iam_policy_document.kinesis_assume | data source |
| aws_iam_policy_document.log | data source |
| aws_iam_policy_document.log_assume | data source |
| aws_region.default | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| attributes | Additional attributes (e.g. policy or role) | list(string) | [] | no |
| delimiter | Delimiter to be used between name, namespace, stage, etc. | string | "-" | no |
| enabled | Set to false to prevent the module from creating anything | string | "true" | no |
| encryption_type | GUID for the customer-managed KMS key to use for encryption. The only acceptable values are NONE or KMS | string | "NONE" | no |
| eni_ids | IDs of ENIs | list(string) | [] | no |
| filter_pattern | Valid CloudWatch Logs filter pattern for subscribing to a filtered stream of log events | string | "[version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, windowstart, windowend, action, flowlogstatus]" | no |
| kms_key_id | ID of KMS key | string | "" | no |
| name | Name (e.g. bastion or db) | string | "" | no |
| namespace | Namespace (e.g. cp or cloudposse) | string | n/a | yes |
| region | AWS region | string | "" | no |
| retention_in_days | Number of days you want to retain log events in the log group | string | "30" | no |
| retention_period | Length of time data records are accessible after they are added to the stream | string | "48" | no |
| shard_count | Number of shards that the stream will use | string | "1" | no |
| shard_level_metrics | List of shard-level CloudWatch metrics which can be enabled for the stream | list | | no |
| stage | Stage (e.g. prod, dev, staging) | string | n/a | yes |
| subnet_ids | IDs of subnets | list(string) | [] | no |
| tags | Additional tags (e.g. map(BusinessUnit,XYZ) | map(string) | {} | no |
| traffic_type | Type of traffic to capture. Valid values: ACCEPT,REJECT, ALL | string | "ALL" | no |
| vpc_id | ID of VPC | any | n/a | yes |
Outputs
| Name | Description |
|---|---|
| eni_flow_ids | Flow Log IDs of ENIs |
| kinesis_arn | Kinesis Stream ARN |
| kinesis_id | Kinesis Stream ID |
| kinesis_name | Kinesis Stream name |
| kinesis_shard_count | Kinesis Stream Shard count |
| log_group_arn | ARN of the log group |
| subnet_flow_ids | Flow Log IDs of subnets |
| vpc_flow_id | VPC Flow Log ID |