diff --git a/flowlogs/data.tf b/flowlogs/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/flowlogs/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/flowlogs/defaults.tf b/flowlogs/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/flowlogs/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/flowlogs/main.tf b/flowlogs/main.tf
new file mode 100644
index 0000000..509d5f6
--- /dev/null
+++ b/flowlogs/main.tf
@@ -0,0 +1,132 @@
+/*
+* # About aws-vpc-setup :: flowlogs
+*
+* This submodule creates VPC flow logs. It creates one for private and one for public subnets. Run this once
+* per VPC. You will need to run the flow logs role once before (aws-vpc-setup/flowlogs-role)
+*
+* # Usage
+*
+* ```hcl
+* module "flowlog" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//flowlogs"
+* vpc_id = var.vpc_id
+* vpc_full_name = var.vpc_full_name
+* account_alias = "ma6-gov"
+* public_subnets_ids = module.subnets.public_subnets_ids
+* private_subnets_ids = module.subnets.private_subnets_ids
+* flowlog_bucket_arn = {flowlog-s3-bucket-arn}
+* flowlog_role_arn = {flowlog-role-arn}
+*
+* # optional
+* public_subnet_ids = [ for s in module.subnets.public_subnets_ids : s.id ]
+* private_subnet_ids = [ for s in module.subnets.private_subnets_ids : s.id ]
+* vpc_name = var.vpc_name
+* vpc_short_name = var.vpc_short_name
+*
+* tags = {}
+* }
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+
+ public_ids = length(var.public_subnet_ids) > 0 ? var.public_subnet_ids : [for subnet in var.public_subnets_ids : subnet.id]
+ private_ids = length(var.private_subnet_ids) > 0 ? var.private_subnet_ids : [for subnet in var.private_subnets_ids : subnet.id]
+
+ splunk_account_alias = replace(var.account_alias, "do2", "do1")
+ flowlog_stream_name = replace(aws_cloudwatch_log_group.flowlog.name, local._prefixes["log-group"], local._prefixes["log-stream"])
+}
+
+#---
+# flow logs:
+# use s3 for flow logs, create two, one for the whole vpc, and one for just public
+#---
+resource "aws_flow_log" "flowlog_public" {
+ for_each = toset(local.public_ids)
+ log_destination = format("%v/%v-%v/", var.flowlog_bucket_arn, var.vpc_full_name, "public")
+ log_destination_type = "s3"
+ iam_role_arn = var.flowlog_role_arn
+ traffic_type = "ALL"
+ subnet_id = each.key
+}
+
+# whole VPC
+resource "aws_flow_log" "flowlog" {
+ log_destination = format("%v/%v/", var.flowlog_bucket_arn, var.vpc_full_name)
+ log_destination_type = "s3"
+ iam_role_arn = var.flowlog_role_arn
+ traffic_type = "ALL"
+ vpc_id = var.vpc_id
+}
+
+#---
+# flowlog, cloudwatch
+#---
+resource "aws_cloudwatch_log_group" "flowlog" {
+ name = format("%v-%v", local._prefixes["log-group"], var.vpc_full_name)
+}
+
+resource "aws_flow_log" "flowlog_cloudwatch" {
+ log_destination = aws_cloudwatch_log_group.flowlog.arn
+ iam_role_arn = var.flowlog_role_arn
+ traffic_type = "ALL"
+ vpc_id = var.vpc_id
+}
+
+resource "aws_kinesis_stream" "flowlog" {
+ name = local.flowlog_stream_name
+ shard_count = 1
+ retention_period = 48
+ shard_level_metrics = ["IncomingBytes", "OutgoingBytes", "IncomingRecords", "OutgoingRecords"]
+ tags = merge(
+ local.base_tags,
+ local.tags,
+ tomap({ "Name" = local.flowlog_stream_name }),
+ )
+}
+
+# have to add the flowlog arn here to the policy used by flowlogs in common/{east,west}/flowlog.tf
+resource "aws_cloudwatch_log_subscription_filter" "flowlog" {
+ name = local.flowlog_stream_name
+ role_arn = var.flowlog_role_arn
+ log_group_name = aws_cloudwatch_log_group.flowlog.name
+ destination_arn = aws_kinesis_stream.flowlog.arn
+ filter_pattern = "[action=*]"
+ distribution = "ByLogStream"
+}
+
+output "kinesis_flowlog_arn" {
+ description = "VPC Flowlog Kinesis stream ARN"
+ value = aws_kinesis_stream.flowlog.arn
+}
+
+#---
+# generate splunk inputs file
+#---
+data "template_file" "splunk_flowlog_tasks_flowlog" {
+ template = file("${path.module}/templates/aws_kinesis_tasks.conf.tpl")
+ vars = {
+ account_id = var.account_id
+ account_alias = local.splunk_account_alias
+ region = local.region
+ flowlog_name = aws_cloudwatch_log_group.flowlog.name
+ flowlog_stream_name = local.flowlog_stream_name
+ }
+}
+
+resource "null_resource" "splunk_flowlog_tasks_flowlog" {
+ provisioner "local-exec" {
+ working_dir = path.root
+ command = "test -d setup || mkdir setup"
+ }
+ provisioner "local-exec" {
+ working_dir = "${path.root}/setup"
+ command = "echo '${data.template_file.splunk_flowlog_tasks_flowlog.rendered}' > aws_kinesis_tasks.${local.flowlog_stream_name}.conf"
+ }
+}
diff --git a/flowlogs/prefixes.tf b/flowlogs/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/flowlogs/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/flowlogs/templates/aws_kinesis_tasks.conf.tpl b/flowlogs/templates/aws_kinesis_tasks.conf.tpl
new file mode 100644
index 0000000..f4b5d42
--- /dev/null
+++ b/flowlogs/templates/aws_kinesis_tasks.conf.tpl
@@ -0,0 +1,9 @@
+[${account_alias}-flowlogs-${region}_${flowlog_name}]
+account = ${account_alias}
+format = CloudWatchLogs
+index = aws_vpc_flow_logs
+region = ${region}
+sourcetype = aws:cloudwatchlogs:vpcflow
+init_stream_position = LATEST
+stream_names = ${flowlog_stream_name}
+
diff --git a/flowlogs/variables.common.subnet_ids.tf b/flowlogs/variables.common.subnet_ids.tf
new file mode 120000
index 0000000..3d70185
--- /dev/null
+++ b/flowlogs/variables.common.subnet_ids.tf
@@ -0,0 +1 @@
+../common/variables.common.subnet_ids.tf
\ No newline at end of file
diff --git a/flowlogs/variables.common.tf b/flowlogs/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/flowlogs/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/flowlogs/variables.common.vpc.tf b/flowlogs/variables.common.vpc.tf
new file mode 120000
index 0000000..5e77d37
--- /dev/null
+++ b/flowlogs/variables.common.vpc.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc.tf
\ No newline at end of file
diff --git a/flowlogs/variables.common.vpc_id.tf b/flowlogs/variables.common.vpc_id.tf
new file mode 120000
index 0000000..bc2e061
--- /dev/null
+++ b/flowlogs/variables.common.vpc_id.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc_id.tf
\ No newline at end of file
diff --git a/flowlogs/version.tf b/flowlogs/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/flowlogs/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
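Review bot: `aws_cloudwatch_log_group.flowlog` is created with only a `name`, so the flow-log records it holds are kept indefinitely under the default service key, and `aws_kinesis_stream.flowlog` sets no `encryption_type`, so the stream that feeds Splunk is unencrypted at rest — both carry VPC traffic metadata for every subnet in the VPC. Add `retention_in_days` (and `kms_key_id` if the account has a CMK for logs) to the log group, give it the same `merge(local.base_tags, local.tags, ...)` tags the stream already gets, and on the stream add `encryption_type = "KMS"` and `kms_key_id = "alias/aws/kinesis"`. Separately, the second `local-exec` in `null_resource.splunk_flowlog_tasks_flowlog` splices the rendered template and `local.flowlog_stream_name` into a single-quoted shell command, so a `'` in `var.account_alias` or `var.vpc_full_name` breaks out of the quote, and with no `triggers` the file is written only on first create and never refreshed when the template inputs change. Pass both values through the provisioner's `environment` block and add a `triggers` map keyed on the rendered content, as sketched below. `local.region`, `local.tags` and `local._prefixes` are not defined in this file and presumably come from the symlinked `common/` files, so that assumption should be checked.

```hcl
resource "null_resource" "splunk_flowlog_tasks_flowlog" {
  # re-run the provisioners whenever the rendered inputs file changes
  triggers = {
    rendered = data.template_file.splunk_flowlog_tasks_flowlog.rendered
  }
  # … unchanged: first local-exec that creates ./setup …
  provisioner "local-exec" {
    working_dir = "${path.root}/setup"
    environment = {
      CONTENT = data.template_file.splunk_flowlog_tasks_flowlog.rendered
      FILE    = "aws_kinesis_tasks.${local.flowlog_stream_name}.conf"
    }
    command = "printf '%s\\n' \"$CONTENT\" > \"$FILE\""
  }
}
```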