-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(ec2): flow logs from TransitGateway and TransitGatewayAttachment #28605
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request
. Additionally, if clarification is needed add Clarification Request
to a comment.
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Validation of maxAggregationInterval
might be a good idea in this PR.
Also, it might be good to comment the description for the validation in the doc of the maxAggregationInterval
parameter (and add unit tests for it).
--max-aggregation-interval has a default value of 60, and is the only accepted value for transit gateway resource types. An error is returned if you try to pass any other value. This limit applies only to transit gateway resource types.
https://docs.aws.amazon.com/vpc/latest/tgw/working-with-flow-logs.html
This parameter must be 60 seconds for transit gateway resource types.
And this PR title |
Co-authored-by: k.goto <[email protected]>
@go-to-k I've implemented validation of Therefore, when the target is TransitGateway, we allow |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, I've made a few more adjustment comments.
Co-authored-by: k.goto <[email protected]>
Co-authored-by: k.goto <[email protected]>
Co-authored-by: k.goto <[email protected]>
Co-authored-by: k.goto <[email protected]>
Co-authored-by: k.goto <[email protected]>
Co-authored-by: k.goto <[email protected]>
Co-authored-by: k.goto <[email protected]>
Co-authored-by: k.goto <[email protected]>
Co-authored-by: k.goto <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work @badmintoncryer, looks good overall, just a few minor comments to address.
@@ -800,6 +829,17 @@ export class FlowLog extends FlowLogBase { | |||
}).join(' '); | |||
} | |||
|
|||
let trafficType: FlowLogTrafficType | undefined = props.trafficType ?? FlowLogTrafficType.ALL; | |||
if (props.resourceType.resourceType === 'TransitGateway' || props.resourceType.resourceType === 'TransitGatewayAttachment') { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you create constants or enums for the resourceType
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@paulhcsun
I agree with creating an enum!
However, in the existing code, a resourceType
defined as a string is already being used. Along with defining the enum, is it okay to also modify the FlowLogResourceType
's ResourceType
variable and the methods fromSubnet()
, fromVpc()
, and fromNetworkInterfaceId()
?
export enum ResourceType {
TRANSIT_GATEWAY = 'transitGateway',
...
}
export abstract class FlowLogResourceType {
public static fromSubnet(subnet: ISubnet): FlowLogResourceType {
return {
resourceType: ResourceType.SUBNET,
resourceId: subnet.subnetId,
};
}
...
/**
* The type of resource to attach a flow log to.
*/
public abstract resourceType: ResourceType;
...
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah I see. I believe it should be safe to make that change for FlowLogResourceType
's ResourceType
as I see something similar being done with the FlowLogDestinationType
enum in FlowLogDestination
but let me double check that it won't create any backwards compatibility issues and get back to you.
I'm okay with approving this PR as other parts of the code are defining resourceType
with a string. Updating resourceType
to an enum can be addressed in a separate PR if you're interested, otherwise I can make that change once I've confirmed it's safe.
/**
* The available destination types for Flow Logs
*/
export enum FlowLogDestinationType {
/**
* Send flow logs to CloudWatch Logs Group
*/
CLOUD_WATCH_LOGS = 'cloud-watch-logs',
...
}
export abstract class FlowLogDestination {
/**
* Use CloudWatch logs as the destination
*/
public static toCloudWatchLogs(logGroup?: logs.ILogGroup, iamRole?: iam.IRole): FlowLogDestination {
return new CloudWatchLogsDestination({
logDestinationType: FlowLogDestinationType.CLOUD_WATCH_LOGS,
...
});
}
...
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@paulhcsun I see! I may be create PR for that later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@badmintoncryer I don't think doing so would be safe so I would hold off on that for now
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kaizencc Understood. Thank you for the additional information.
Co-authored-by: paulhcsun <[email protected]>
Pull request has been modified.
Co-authored-by: paulhcsun <[email protected]>
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work @badmintoncryer!
And thanks for the review @go-to-k!
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
I have enabled the configuration of flow logs for TransitGateway and TransitGatewayAttachment.
Create flow logs from TransitGateway:
Create flowlogs from TransitGatewayAttachment:
Since
trafficType
cannot be set for flow logs related to TransitGateway resources, I have also added error handling for this.Closes #27222.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license