Configure VPC flow logs for one or more VPCs. The module can create a KMS key and S3 bucket for the logs, or it can use an existing key and bucket. The latter is useful when shipping flow logs to a separate (for example, log-archive) account; in that case the KMS key and S3 bucket in the receiving account must carry policies that accept log delivery from the source account. See terraform-aws-vpcflowlog-bucket for a suitable example of the receiving side.
Example (module creates the KMS key and bucket; `logging_bucket` receives the S3 server access logs for the created flow log bucket):

```hcl
module "vpcflowlogs" {
  source = "git::https://github.com/rhythmictech/terraform-aws-vpcflowlogs.git"

  logging_bucket = "example-s3-access-logs-bucket"
  region         = "us-east-1"
  tags           = local.tags
  vpc_ids        = ["vpc-1234567890"]
}
```
Using an external key/bucket (both `create_bucket` and `create_kms_key` are disabled, so the corresponding `vpcflowlog_*` inputs become required):

```hcl
module "vpcflowlogs" {
  source = "git::https://github.com/rhythmictech/terraform-aws-vpcflowlogs.git"

  create_bucket      = false
  create_kms_key     = false
  region             = "us-east-1"
  tags               = local.tags
  vpc_ids            = ["vpc-1234567890"]
  vpcflowlog_bucket  = "example-s3-vpcflowlogs-bucket"
  vpcflowlog_kms_key = "arn:aws:kms:us-east-1:123456789012:key/..."
}
```
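When the external key and bucket live in a different account from the VPC, that account has to grant the AWS log-delivery service principal access on behalf of the source account. The block below is an added example of that receiving-side configuration; it is not code from this module or from terraform-aws-vpcflowlog-bucket. The account IDs (`111111111111` for the log-archive account, `222222222222` for the VPC's account), the bucket name and the region are placeholders, and the bucket is assumed to already exist. The `aws:SourceAccount`/`aws:SourceArn` conditions and the `bucket-owner-full-control` ACL check are the guards AWS documents for flow log delivery to S3; they prevent another account from using the same service principal to write into, or encrypt with, your resources.

```hcl
# Added example (not part of the module): receiving-side policies in a
# log-archive account that accepts VPC flow logs from a separate source account.
# All identifiers below are placeholders.
locals {
  log_archive_account = "111111111111"
  source_account      = "222222222222"
  region              = "us-east-1"
  bucket_name         = "example-s3-vpcflowlogs-bucket"
}

# Key policy: the archive account keeps administrative control; the log-delivery
# service may only generate data keys, and only when acting for the source account.
data "aws_iam_policy_document" "key" {
  statement {
    sid       = "EnableKeyAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.log_archive_account}:root"]
    }
  }

  statement {
    sid       = "AllowFlowLogDeliveryToUseKey"
    actions   = ["kms:GenerateDataKey*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.source_account]
    }
  }
}

resource "aws_kms_key" "vpcflowlog" {
  description         = "VPC flow log encryption key (cross-account delivery)"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.key.json
}

# Bucket policy: delivery needs GetBucketAcl on the bucket and PutObject under
# AWSLogs/<source account>/. Scoping the prefix to the source account stops one
# tenant of a shared archive bucket from writing into another tenant's path.
data "aws_iam_policy_document" "bucket" {
  statement {
    sid       = "AWSLogDeliveryAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = ["arn:aws:s3:::${local.bucket_name}"]
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.source_account]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:logs:${local.region}:${local.source_account}:*"]
    }
  }

  statement {
    sid       = "AWSLogDeliveryWrite"
    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::${local.bucket_name}/AWSLogs/${local.source_account}/*"]
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
    # Objects must be handed to the bucket owner, otherwise the archive account
    # cannot read what the source account's delivery wrote.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.source_account]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:logs:${local.region}:${local.source_account}:*"]
    }
  }
}

resource "aws_s3_bucket_policy" "vpcflowlog" {
  bucket = local.bucket_name
  policy = data.aws_iam_policy_document.bucket.json
}
```

With these in place, the source account runs the module with `create_bucket = false`, `create_kms_key = false`, `vpcflowlog_bucket = local.bucket_name` and `vpcflowlog_kms_key` set to the ARN of `aws_kms_key.vpcflowlog`. To add more source accounts, extend the `values` lists and add a matching `AWSLogs/<account>/*` resource rather than widening the grant to the whole bucket.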
Requirements:

| Name | Version |
|------|---------|
| terraform | >= 0.13.4 |

Providers:

| Name | Version |
|------|---------|
| aws | 4.17.1 |

Modules:

No modules.
Resources:

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.this | resource |
| aws_flow_log.cloudwatch | resource |
| aws_flow_log.s3 | resource |
| aws_iam_policy.this | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.vpcflowlog-attach-localconfig-policy | resource |
| aws_kms_alias.this | resource |
| aws_kms_key.this | resource |
| aws_s3_bucket.this | resource |
| aws_s3_bucket_policy.vpcflowlog_bucket_policy | resource |
| aws_s3_bucket_public_access_block.this | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.assume | data source |
| aws_iam_policy_document.key | data source |
| aws_iam_policy_document.this | data source |
| aws_partition.current | data source |
Inputs:

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| create_bucket | Create an S3 bucket to receive VPC flow logs? `vpcflowlog_bucket` must be specified if this is false. | bool | true | no |
| create_kms_key | Create a KMS key to encrypt flow logs? `vpcflowlog_kms_key` must be specified if this is false. | bool | true | no |
| kms_alias | KMS key alias for the VPC flow log KMS key | string | "vpcflowlog_key" | no |
| log_to_cloudwatch | Should VPC flow logs be written to CloudWatch Logs? | bool | true | no |
| log_to_s3 | Should VPC flow logs be written to S3? | bool | true | no |
| logging_bucket | S3 bucket that receives the S3 server access logs of the created VPC flow log bucket (required if `create_bucket` is true) | string | "" | no |
| region | Region VPC flow logs will be sent to | string | n/a | yes |
| tags | Tags to include on resources that support them | map(string) | {} | no |
| vpc_ids | List of VPC IDs to enable flow logging for | list(string) | n/a | yes |
| vpcflowlog_bucket | Existing S3 bucket to receive VPC flow logs (required if `create_bucket` is false) | string | "" | no |
| vpcflowlog_kms_key | Existing KMS key (ARN) to use for VPC flow log encryption (required if `create_kms_key` is false) | string | "" | no |
Outputs:

| Name | Description |
|------|-------------|
| kms_key_id | ID of the KMS key used to encrypt flow logs |
| s3_bucket_name | Name of the S3 bucket flow logs are routed to |