Merge pull request #15 from ministryofjustice/additional-flowlog-fields

🔧 additional VPC flow log fields required for Cortex XSIAM

main.tf

@@ -37,6 +37,7 @@ resource "aws_flow_log" "vpc_log" {
   log_destination = aws_s3_bucket.flow_logs[count.index].arn
   traffic_type    = var.traffic_type
   vpc_id          = var.vpc_id
+  log_format      = var.log_format
 }
 
 resource "aws_flow_log" "subnet_log" {

variables.tf

@@ -27,4 +27,9 @@ variable "traffic_type" {
 variable "is_enabled" {
   description = "switch to enable/disable the module, defaults to false"
   default = false
+}
+
+variable "log_format" {
+  description = "Fields to include in the flow log record"
+  default = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${az-id} $${flow-direction} $${instance-id} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${sublocation-id} $${sublocation-type} $${subnet-id} $${tcp-flags} $${type} $${vpc-id}"
 }