From 2fe0563bfca624bd8d473341948eaff29f6c8a50 Mon Sep 17 00:00:00 2001
From: Ky
Date: Thu, 3 Oct 2024 15:17:43 +0100
Subject: [PATCH] :wrench:additional flowlog fields required for Cortex XSIAM
---
 main.tf | 1 +
 variables.tf | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/main.tf b/main.tf
index 0a7e2bc..82318b3 100644
--- a/main.tf
+++ b/main.tf
@@ -37,6 +37,7 @@ resource "aws_flow_log" "vpc_log" {
 log_destination = aws_s3_bucket.flow_logs[count.index].arn
 traffic_type = var.traffic_type
 vpc_id = var.vpc_id
+ log_format = var.log_format
 }

 resource "aws_flow_log" "subnet_log" {
diff --git a/variables.tf b/variables.tf
index 1a901d0..a164216 100644
--- a/variables.tf
+++ b/variables.tf
@@ -27,4 +27,9 @@ variable "traffic_type" {
 variable "is_enabled" {
 description = "switch to enable/disable the module, defaults to false"
 default = false
+}
+
+variable "log_format" {
+ description = "Fields to include in the flow log record"
+ default = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${az-id} $${flow-direction} $${instance-id} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${sublocation-id} $${sublocation-type} $${subnet-id} $${tcp-flags} $${type} $${vpc-id}"
 }
\ No newline at end of file
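Review bot: `log_format` is set only on `aws_flow_log.vpc_log`; the `subnet_log` resource that opens on the last context line of this hunk is not touched by the commit (the diffstat shows a single insertion in main.tf), so subnet-level flow logs would presumably keep the default record format and lack the extra fields the SIEM is meant to receive. Add `log_format = var.log_format` to `aws_flow_log.subnet_log` as well, or document why it is excluded. It is also worth noting for module users that a flow log's record format cannot be changed in place, so Terraform will replace existing flow logs on apply and capture may briefly lapse during the swap. Both resource bodies extend outside the hunk.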
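Review bot: The new `log_format` variable declares no `type`, and nothing explains the `$${...}` escaping in its default; add `type = string` and a comment such as `# "$${" is Terraform's escape for a literal "${", so the field names reach AWS unexpanded`. The description could also say that the fields are written space-separated in the order given, so any override has to match what the log consumer's parser expects. The file still ends without a trailing newline.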