{
  "typeName" : "AWS::EC2::FlowLog",
  "description" : "Specifies a VPC flow log, which enables you to capture IP traffic for a specific network interface, subnet, or VPC.",
  "sourceUrl" : "https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-ec2-flowlog.git",
  "definitions" : {
    "Tag" : {
      "type" : "object",
      "additionalProperties" : false,
      "properties" : {
        "Value" : {
          "type" : "string"
        },
        "Key" : {
          "type" : "string"
        }
      },
      "required" : [ "Value", "Key" ]
    }
  },
  "properties" : {
    "Id" : {
      "description" : "The Flow Log ID",
      "type" : "string"
    },
    "DeliverLogsPermissionArn" : {
      "description" : "The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.",
      "type" : "string"
    },
    "LogDestination" : {
      "description" : "Specifies the destination to which the flow log data is to be published. Flow log data can be published to a CloudWatch Logs log group, an Amazon S3 bucket, or a Kinesis Firehose stream. The value specified for this parameter depends on the value specified for LogDestinationType.",
      "type" : "string"
    },
    "LogDestinationType" : {
      "description" : "Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3.",
      "type" : "string",
      "enum" : [ "cloud-watch-logs", "s3", "kinesis-data-firehose" ]
    },
    "LogFormat" : {
      "description" : "The fields to include in the flow log record, in the order in which they should appear.",
      "type" : "string"
    },
    "LogGroupName" : {
      "description" : "The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.",
      "type" : "string"
    },
    "MaxAggregationInterval" : {
      "description" : "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. You can specify 60 seconds (1 minute) or 600 seconds (10 minutes).",
      "type" : "integer"
    },
    "ResourceId" : {
      "description" : "The ID of the subnet, network interface, or VPC for which you want to create a flow log.",
      "type" : "string"
    },
    "ResourceType" : {
      "description" : "The type of resource for which to create the flow log. For example, if you specified a VPC ID for the ResourceId property, specify VPC for this property.",
      "type" : "string",
      "enum" : [ "NetworkInterface", "Subnet", "VPC", "TransitGateway", "TransitGatewayAttachment" ]
    },
    "Tags" : {
      "description" : "The tags to apply to the flow logs.",
      "type" : "array",
      "uniqueItems" : false,
      "items" : {
        "$ref" : "#/definitions/Tag"
      }
    },
    "TrafficType" : {
      "description" : "The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic.",
      "type" : "string",
      "enum" : [ "ACCEPT", "ALL", "REJECT" ]
    },
    "DestinationOptions" : {
      "type" : "object",
      "additionalProperties" : false,
      "properties" : {
        "FileFormat" : {
          "type" : "string",
          "enum" : [ "plain-text", "parquet" ]
        },
        "HiveCompatiblePartitions" : {
          "type" : "boolean"
        },
        "PerHourPartition" : {
          "type" : "boolean"
        }
      },
      "required" : [ "FileFormat", "HiveCompatiblePartitions", "PerHourPartition" ]
    }
  },
  "required" : [ "ResourceType", "ResourceId" ],
  "createOnlyProperties" : [ "/properties/DeliverLogsPermissionArn", "/properties/LogGroupName", "/properties/LogDestination", "/properties/ResourceId", "/properties/TrafficType", "/properties/LogDestinationType", "/properties/ResourceType", "/properties/LogFormat", "/properties/MaxAggregationInterval", "/properties/DestinationOptions" ],
  "readOnlyProperties" : [ "/properties/Id" ],
  "primaryIdentifier" : [ "/properties/Id" ],
  "handlers" : {
    "create" : {
      "permissions" : [ "ec2:CreateFlowLogs", "ec2:CreateTags", "iam:PassRole", "logs:CreateLogDelivery", "s3:GetBucketPolicy", "s3:PutBucketPolicy" ]
    },
    "read" : {
      "permissions" : [ "ec2:DescribeFlowLogs" ]
    },
    "update" : {
      "permissions" : [ "ec2:CreateTags", "ec2:DeleteTags", "ec2:DescribeFlowLogs" ]
    },
    "delete" : {
      "permissions" : [ "ec2:DeleteFlowLogs", "logs:DeleteLogDelivery" ]
    },
    "list" : {
      "permissions" : [ "ec2:DescribeFlowLogs" ]
    }
  },
  "additionalProperties" : false
}