flowlog setting add MaxAggregationInterval

aws · Sep 18, 2022 · 635978d · 635978d
1 parent ce27789
commit 635978d
Show file tree

Hide file tree

Showing 19 changed files with 4,699 additions and 2 deletions.
diff --git a/packages/@aws-cdk/aws-ec2/README.md b/packages/@aws-cdk/aws-ec2/README.md
@@ -1314,8 +1314,10 @@ vpc.addFlowLog('FlowLogS3', {
   destination: ec2.FlowLogDestination.toS3()
 });
 
+// Only reject traffic and interval every minute.
 vpc.addFlowLog('FlowLogCloudWatch', {
-  trafficType: ec2.FlowLogTrafficType.REJECT
+  trafficType: ec2.FlowLogTrafficType.REJECT,
+  maxAggregationInterval: FlowLogMaxAggregationInterval.ONE_MINUTE,
 });
 ```
 

diff --git a/packages/@aws-cdk/aws-ec2/lib/vpc-flow-logs.ts b/packages/@aws-cdk/aws-ec2/lib/vpc-flow-logs.ts
@@ -383,6 +383,24 @@ class CloudWatchLogsDestination extends FlowLogDestination {
   }
 }
 
+/**
+ * The maximum interval of time during which a flow of packets
+ * is captured and aggregated into a flow log record.
+ *
+ */
+export enum FlowLogMaxAggregationInterval {
+  /**
+   * 1 minute (60 seconds)
+   */
+  ONE_MINUTE = 60,
+
+  /**
+   * 10 minutes (600 seconds)
+   */
+  TEN_MINUTES = 600,
+
+}
+
 /**
  * Options to add a flow log to a VPC
  */
@@ -401,6 +419,14 @@ export interface FlowLogOptions {
    * @default FlowLogDestinationType.toCloudWatchLogs()
    */
   readonly destination?: FlowLogDestination;
+
+  /**
+   * The maximum interval of time during which a flow of packets is captured
+   * and aggregated into a flow log record.
+   *
+   * @default FlowLogMaxAggregationInterval.TEN_MINUTES
+   */
+  readonly maxAggregationInterval?: FlowLogMaxAggregationInterval;
 }
 
 /**
@@ -501,6 +527,7 @@ export class FlowLog extends FlowLogBase {
       deliverLogsPermissionArn: this.iamRole ? this.iamRole.roleArn : undefined,
       logDestinationType: destinationConfig.logDestinationType,
       logGroupName: this.logGroup ? this.logGroup.logGroupName : undefined,
+      maxAggregationInterval: props.maxAggregationInterval,
       resourceId: props.resourceType.resourceId,
       resourceType: props.resourceType.resourceType,
       trafficType: props.trafficType

diff --git a/packages/@aws-cdk/aws-ec2/test/integ.vpc-flow-logs-interval.ts b/packages/@aws-cdk/aws-ec2/test/integ.vpc-flow-logs-interval.ts
@@ -0,0 +1,79 @@
+import { PolicyStatement, Effect, ServicePrincipal } from '@aws-cdk/aws-iam';
+import * as s3 from '@aws-cdk/aws-s3';
+import { App, RemovalPolicy, Stack, StackProps } from '@aws-cdk/core';
+import { IntegTest } from '@aws-cdk/integ-tests';
+import { FlowLog, FlowLogDestination, FlowLogResourceType, Vpc, FlowLogMaxAggregationInterval } from '../lib';
+
+const app = new App();
+
+
+class TestStack extends Stack {
+  constructor(scope: App, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    const vpc = new Vpc(this, 'VPC');
+
+    new FlowLog(this, 'FlowLogsCW', {
+      resourceType: FlowLogResourceType.fromVpc(vpc),
+      maxAggregationInterval: FlowLogMaxAggregationInterval.TEN_MINUTES,
+    });
+
+    vpc.addFlowLog('FlowLogsS3', {
+      destination: FlowLogDestination.toS3(),
+      maxAggregationInterval: FlowLogMaxAggregationInterval.ONE_MINUTE,
+    });
+
+    const bucket = new s3.Bucket(this, 'Bucket', {
+      removalPolicy: RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+    });
+    bucket.addToResourcePolicy(new PolicyStatement({
+      effect: Effect.ALLOW,
+      principals: [new ServicePrincipal('delivery.logs.amazonaws.com')],
+      actions: ['s3:PutObject'],
+      resources: [bucket.arnForObjects(`AWSLogs/${this.account}/*`)],
+      conditions: {
+        StringEquals: {
+          's3:x-amz-acl': 'bucket-owner-full-control',
+          'aws:SourceAccount': this.account,
+        },
+        ArnLike: {
+          'aws:SourceArn': this.formatArn({
+            service: 'logs',
+            resource: '*',
+          }),
+        },
+      },
+    }));
+    bucket.addToResourcePolicy(new PolicyStatement({
+      effect: Effect.ALLOW,
+      principals: [new ServicePrincipal('delivery.logs.amazonaws.com')],
+      actions: ['s3:GetBucketAcl', 's3:ListBucket'],
+      resources: [bucket.bucketArn],
+      conditions: {
+        StringEquals: {
+          'aws:SourceAccount': this.account,
+        },
+        ArnLike: {
+          'aws:SourceArn': this.formatArn({
+            service: 'logs',
+            resource: '*',
+          }),
+        },
+      },
+    }));
+
+    vpc.addFlowLog('FlowLogsS3KeyPrefix', {
+      destination: FlowLogDestination.toS3(bucket, 'prefix/'),
+    });
+  }
+}
+
+
+new IntegTest(app, 'FlowLogs', {
+  testCases: [
+    new TestStack(app, 'FlowLogsTestStack'),
+  ],
+});
+
+app.synth();
diff --git a/...vpc-flow-logs-interval.integ.snapshot/FlowLogsDefaultTestDeployAssert6AFD1854.assets.json b/...vpc-flow-logs-interval.integ.snapshot/FlowLogsDefaultTestDeployAssert6AFD1854.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "21.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "FlowLogsDefaultTestDeployAssert6AFD1854.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/...c-flow-logs-interval.integ.snapshot/FlowLogsDefaultTestDeployAssert6AFD1854.template.json b/...c-flow-logs-interval.integ.snapshot/FlowLogsDefaultTestDeployAssert6AFD1854.template.json
@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/...ws-cdk/aws-ec2/test/vpc-flow-logs-interval.integ.snapshot/FlowLogsFeatureFlag.assets.json b/...ws-cdk/aws-ec2/test/vpc-flow-logs-interval.integ.snapshot/FlowLogsFeatureFlag.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "21.0.0",
+  "files": {
+    "69731f7ae982e377a617d06d1920c7fbeb360543d6b5f3da47406c123317a645": {
+      "source": {
+        "path": "FlowLogsFeatureFlag.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "69731f7ae982e377a617d06d1920c7fbeb360543d6b5f3da47406c123317a645.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}