Query: vpc_flow_logs_enabled

with vpcs as (
  select
    arn,
    account_id,
    region,
    owner_id,
    vpc_id,
    tags,
    _ctx
  from
    aws_vpc
  order by
    vpc_id
),
flowlogs as (
  select
    resource_id,
    account_id,
    region
  from
    aws_vpc_flow_log
  order by
    resource_id
)
select
  v.arn as resource,
  case
    when v.account_id <> v.owner_id then 'skip'
    when f.resource_id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when v.account_id <> v.owner_id then v.vpc_id || ' is a shared VPC.'
    when f.resource_id is not null then v.vpc_id || ' flow logging enabled.'
    else v.vpc_id || ' flow logging disabled.'
  end as reason,
  v.region,
  v.account_id
from
  vpcs as v
  left join flowlogs as f on v.vpc_id = f.resource_id;