Add support for custom Flow Logs format

[sshvetsov]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS has announced support for custom VPC Flow Logs format, which now allows to inclusion of additional metadata fields like vpc-id, subnet-id, instance-id, tcp-flags, type, pkt-srcaddr, pkt-dstaddr in Amazon Virtual Private Cloud (Amazon VPC) flow logs to better understand network flows.

Usage of additional metadata fields like vpc-id, subnet-id, Transmission Control Protocol (TCP) bitmask reduce the number of computations and look-ups required to extract meaningful information from the log data. For example, you can use TCP bitmask to identify the resource initiating at TCP connection. Similarly, you can use the packet source and destination IP fields to identify the source resource and the intended target of a connection passing through a network interface attached to NAT Gateway or an AWS Transit Gateway.

New or Affected Resource(s)

• aws_flow_log

Potential Terraform Configuration

resource "aws_flow_log" "example" {
  log_destination      = "${aws_s3_bucket.example.arn}"
  log_destination_type = "s3"
  traffic_type    = "ALL"
  vpc_id          = "${aws_vpc.example.id}"
  log_format      = "$${version} $${vpc-id} $${subnet-id} $${instance-id} $${interface-id} $${account-id} $${type} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${pkt-srcaddr} $${pkt-dstaddr} $${protocol} $${bytes} $${packets} $${start} $${end} $${action} $${tcp-flags} $${log-status}"
}

Note: the use of ${} in flow log configuration format conflicts with Terraform variable interpolation syntax, so there may be a need to use different symbols to denote log metadata attributes and escape them like I did in the above example.

References

• https://aws.amazon.com/about-aws/whats-new/2019/09/now-add-additional-metadata-to-amazon-vpc-flow-logs/
• https://aws.amazon.com/blogs/aws/learn-from-your-vpc-flow-logs-with-additional-meta-data/
• https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-log-records

[bflad]

Support for the new log_format argument in the aws_flow_log resource has been merged and will release with version 2.34.0 of the Terraform AWS Provider, tomorrow. Thanks to @nebi-frame for the implementation. 👍

[bflad]

This has been released in version 2.34.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[jgard]

Could you also update the doc with an example of the format required here?

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!