FlowLogs Needs A Higher Level Construct

[chelma-amzn]

I'm using CDK v0.36, but the current version (v1.2) doesn't appear to different substantively on this point.

Basically, it looks like there isn't a higher level Construct for AWS Flow Logs, meaning all customers that want to use the feature must instantiate and configure the L1 construct, in basically the same way.

Consider the following sample code:

import ec2 = require('@aws-cdk/aws-ec2');
import iam = require('@aws-cdk/aws-iam');
import logs = require("@aws-cdk/aws-logs");

const logGroup = new logs.LogGroup(this, "LogGroupFlowLogs", {retention: logs.RetentionDays.THREE_MONTHS})

const flowLogRole = new iam.Role(this, 'RoleFlowLogs', {
    assumedBy: new iam.ServicePrincipal("vpc-flow-logs.amazonaws.com")
});

const policyStatement = new iam.PolicyStatement({
    actions: ["logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents"],
    resources: [logGroup.logGroupArn]
});
policyStatement.effect = iam.Effect.ALLOW;
flowLogRole.addToPolicy(policyStatement);

new ec2.CfnFlowLog(this, "FlowLog", {
    deliverLogsPermissionArn: flowLogRole.roleArn,
    logGroupName: logGroup.logGroupName,
    resourceId: this.vpc.vpcId,
    resourceType: "VPC",
    trafficType: "ALL"
});

[arnulfojr]

Hey y'all!

Is there any update on this feature?

[rix0rrr]

There is not. I will share that we are unlikely to implement it in the short term, so any progress would have to be made by external contributors.