AWSTemplateFormatVersion: "2010-09-09"
Description: Persist CloudWatch Logs Insights queries from <repo link>

Parameters:
  ElasticInterfaceId:
    Type: String
    Description: Elastic Network Interface to query
  LogGroupName:
    Type: String
    Description: Log Group to query

Resources:
  cwivpcqry:
    Type: AWS::Logs::QueryDefinition
    Properties:
      Name: !Sub "vpc/flowlogs-query/${ElasticInterfaceId}"
      LogGroupNames:
        - !Ref LogGroupName
      QueryString: !Sub |
        fields @timestamp,@message
        | stats count(*) as HitCount by dstPort, srcAddr as Source, dstAddr as Destination
        | filter interfaceId="${ElasticInterfaceId}"
        | filter dstPort="80" or dstPort="443" or dstPort="22" or dstPort="25"
        | sort HitCount desc