Docs Home
Packages
AWS v6.54.0 published on Friday, Sep 27, 2024 by Pulumi
aws.cloudwatch.LogAccountPolicy
Explore with Pulumi AI
Provides a CloudWatch Log Account Policy resource.
Example Usage
Account Data Protection Policy
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const dataProtection = new aws.cloudwatch.LogAccountPolicy("data_protection", {
policyName: "data-protection",
policyType: "DATA_PROTECTION_POLICY",
policyDocument: JSON.stringify({
Name: "DataProtection",
Version: "2021-06-01",
Statement: [
{
Sid: "Audit",
DataIdentifier: ["arn:aws:dataprotection::aws:data-identifier/EmailAddress"],
Operation: {
Audit: {
FindingsDestination: {},
},
},
},
{
Sid: "Redact",
DataIdentifier: ["arn:aws:dataprotection::aws:data-identifier/EmailAddress"],
Operation: {
Deidentify: {
MaskConfig: {},
},
},
},
],
}),
});
import pulumi
import json
import pulumi_aws as aws
data_protection = aws.cloudwatch.LogAccountPolicy("data_protection",
policy_name="data-protection",
policy_type="DATA_PROTECTION_POLICY",
policy_document=json.dumps({
"Name": "DataProtection",
"Version": "2021-06-01",
"Statement": [
{
"Sid": "Audit",
"DataIdentifier": ["arn:aws:dataprotection::aws:data-identifier/EmailAddress"],
"Operation": {
"Audit": {
"FindingsDestination": {},
},
},
},
{
"Sid": "Redact",
"DataIdentifier": ["arn:aws:dataprotection::aws:data-identifier/EmailAddress"],
"Operation": {
"Deidentify": {
"MaskConfig": {},
},
},
},
],
}))
package main
import (
"encoding/json"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudwatch"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
tmpJSON0, err := json.Marshal(map[string]interface{}{
"Name": "DataProtection",
"Version": "2021-06-01",
"Statement": []interface{}{
map[string]interface{}{
"Sid": "Audit",
"DataIdentifier": []string{
"arn:aws:dataprotection::aws:data-identifier/EmailAddress",
},
"Operation": map[string]interface{}{
"Audit": map[string]interface{}{
"FindingsDestination": nil,
},
},
},
map[string]interface{}{
"Sid": "Redact",
"DataIdentifier": []string{
"arn:aws:dataprotection::aws:data-identifier/EmailAddress",
},
"Operation": map[string]interface{}{
"Deidentify": map[string]interface{}{
"MaskConfig": nil,
},
},
},
},
})
if err != nil {
return err
}
json0 := string(tmpJSON0)
_, err = cloudwatch.NewLogAccountPolicy(ctx, "data_protection", &cloudwatch.LogAccountPolicyArgs{
PolicyName: pulumi.String("data-protection"),
PolicyType: pulumi.String("DATA_PROTECTION_POLICY"),
PolicyDocument: pulumi.String(json0),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var dataProtection = new Aws.CloudWatch.LogAccountPolicy("data_protection", new()
{
PolicyName = "data-protection",
PolicyType = "DATA_PROTECTION_POLICY",
PolicyDocument = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["Name"] = "DataProtection",
["Version"] = "2021-06-01",
["Statement"] = new[]
{
new Dictionary<string, object?>
{
["Sid"] = "Audit",
["DataIdentifier"] = new[]
{
"arn:aws:dataprotection::aws:data-identifier/EmailAddress",
},
["Operation"] = new Dictionary<string, object?>
{
["Audit"] = new Dictionary<string, object?>
{
["FindingsDestination"] = new Dictionary<string, object?>
{
},
},
},
},
new Dictionary<string, object?>
{
["Sid"] = "Redact",
["DataIdentifier"] = new[]
{
"arn:aws:dataprotection::aws:data-identifier/EmailAddress",
},
["Operation"] = new Dictionary<string, object?>
{
["Deidentify"] = new Dictionary<string, object?>
{
["MaskConfig"] = new Dictionary<string, object?>
{
},
},
},
},
},
}),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.LogAccountPolicy;
import com.pulumi.aws.cloudwatch.LogAccountPolicyArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var dataProtection = new LogAccountPolicy("dataProtection", LogAccountPolicyArgs.builder()
.policyName("data-protection")
.policyType("DATA_PROTECTION_POLICY")
.policyDocument(serializeJson(
jsonObject(
jsonProperty("Name", "DataProtection"),
jsonProperty("Version", "2021-06-01"),
jsonProperty("Statement", jsonArray(
jsonObject(
jsonProperty("Sid", "Audit"),
jsonProperty("DataIdentifier", jsonArray("arn:aws:dataprotection::aws:data-identifier/EmailAddress")),
jsonProperty("Operation", jsonObject(
jsonProperty("Audit", jsonObject(
jsonProperty("FindingsDestination", jsonObject(
))
))
))
),
jsonObject(
jsonProperty("Sid", "Redact"),
jsonProperty("DataIdentifier", jsonArray("arn:aws:dataprotection::aws:data-identifier/EmailAddress")),
jsonProperty("Operation", jsonObject(
jsonProperty("Deidentify", jsonObject(
jsonProperty("MaskConfig", jsonObject(
))
))
))
)
))
)))
.build());
}
}
resources:
dataProtection:
type: aws:cloudwatch:LogAccountPolicy
name: data_protection
properties:
policyName: data-protection
policyType: DATA_PROTECTION_POLICY
policyDocument:
fn::toJSON:
Name: DataProtection
Version: 2021-06-01
Statement:
- Sid: Audit
DataIdentifier:
- arn:aws:dataprotection::aws:data-identifier/EmailAddress
Operation:
Audit:
FindingsDestination: {}
- Sid: Redact
DataIdentifier:
- arn:aws:dataprotection::aws:data-identifier/EmailAddress
Operation:
Deidentify:
MaskConfig: {}
Subscription Filter Policy
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const subscriptionFilter = new aws.cloudwatch.LogAccountPolicy("subscription_filter", {
policyName: "subscription-filter",
policyType: "SUBSCRIPTION_FILTER_POLICY",
policyDocument: JSON.stringify({
DestinationArn: test.arn,
FilterPattern: "test",
}),
selectionCriteria: "LogGroupName NOT IN [\"excluded_log_group_name\"]",
});
import pulumi
import json
import pulumi_aws as aws
subscription_filter = aws.cloudwatch.LogAccountPolicy("subscription_filter",
policy_name="subscription-filter",
policy_type="SUBSCRIPTION_FILTER_POLICY",
policy_document=json.dumps({
"DestinationArn": test["arn"],
"FilterPattern": "test",
}),
selection_criteria="LogGroupName NOT IN [\"excluded_log_group_name\"]")
package main
import (
"encoding/json"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudwatch"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
tmpJSON0, err := json.Marshal(map[string]interface{}{
"DestinationArn": test.Arn,
"FilterPattern": "test",
})
if err != nil {
return err
}
json0 := string(tmpJSON0)
_, err = cloudwatch.NewLogAccountPolicy(ctx, "subscription_filter", &cloudwatch.LogAccountPolicyArgs{
PolicyName: pulumi.String("subscription-filter"),
PolicyType: pulumi.String("SUBSCRIPTION_FILTER_POLICY"),
PolicyDocument: pulumi.String(json0),
SelectionCriteria: pulumi.String("LogGroupName NOT IN [\"excluded_log_group_name\"]"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var subscriptionFilter = new Aws.CloudWatch.LogAccountPolicy("subscription_filter", new()
{
PolicyName = "subscription-filter",
PolicyType = "SUBSCRIPTION_FILTER_POLICY",
PolicyDocument = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["DestinationArn"] = test.Arn,
["FilterPattern"] = "test",
}),
SelectionCriteria = "LogGroupName NOT IN [\"excluded_log_group_name\"]",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.LogAccountPolicy;
import com.pulumi.aws.cloudwatch.LogAccountPolicyArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var subscriptionFilter = new LogAccountPolicy("subscriptionFilter", LogAccountPolicyArgs.builder()
.policyName("subscription-filter")
.policyType("SUBSCRIPTION_FILTER_POLICY")
.policyDocument(serializeJson(
jsonObject(
jsonProperty("DestinationArn", test.arn()),
jsonProperty("FilterPattern", "test")
)))
.selectionCriteria("LogGroupName NOT IN [\"excluded_log_group_name\"]")
.build());
}
}
resources:
subscriptionFilter:
type: aws:cloudwatch:LogAccountPolicy
name: subscription_filter
properties:
policyName: subscription-filter
policyType: SUBSCRIPTION_FILTER_POLICY
policyDocument:
fn::toJSON:
DestinationArn: ${test.arn}
FilterPattern: test
selectionCriteria: LogGroupName NOT IN ["excluded_log_group_name"]
Create LogAccountPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new LogAccountPolicy(name: string, args: LogAccountPolicyArgs, opts?: CustomResourceOptions);@overload
def LogAccountPolicy(resource_name: str,
args: LogAccountPolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def LogAccountPolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
policy_document: Optional[str] = None,
policy_name: Optional[str] = None,
policy_type: Optional[str] = None,
scope: Optional[str] = None,
selection_criteria: Optional[str] = None)func NewLogAccountPolicy(ctx *Context, name string, args LogAccountPolicyArgs, opts ...ResourceOption) (*LogAccountPolicy, error)public LogAccountPolicy(string name, LogAccountPolicyArgs args, CustomResourceOptions? opts = null)
public LogAccountPolicy(String name, LogAccountPolicyArgs args)
public LogAccountPolicy(String name, LogAccountPolicyArgs args, CustomResourceOptions options)
type: aws:cloudwatch:LogAccountPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args LogAccountPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args LogAccountPolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args LogAccountPolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args LogAccountPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args LogAccountPolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var logAccountPolicyResource = new Aws.CloudWatch.LogAccountPolicy("logAccountPolicyResource", new()
{
PolicyDocument = "string",
PolicyName = "string",
PolicyType = "string",
Scope = "string",
SelectionCriteria = "string",
});
example, err := cloudwatch.NewLogAccountPolicy(ctx, "logAccountPolicyResource", &cloudwatch.LogAccountPolicyArgs{
PolicyDocument: pulumi.String("string"),
PolicyName: pulumi.String("string"),
PolicyType: pulumi.String("string"),
Scope: pulumi.String("string"),
SelectionCriteria: pulumi.String("string"),
})
var logAccountPolicyResource = new LogAccountPolicy("logAccountPolicyResource", LogAccountPolicyArgs.builder()
.policyDocument("string")
.policyName("string")
.policyType("string")
.scope("string")
.selectionCriteria("string")
.build());
log_account_policy_resource = aws.cloudwatch.LogAccountPolicy("logAccountPolicyResource",
policy_document="string",
policy_name="string",
policy_type="string",
scope="string",
selection_criteria="string")
const logAccountPolicyResource = new aws.cloudwatch.LogAccountPolicy("logAccountPolicyResource", {
policyDocument: "string",
policyName: "string",
policyType: "string",
scope: "string",
selectionCriteria: "string",
});
type: aws:cloudwatch:LogAccountPolicy
properties:
policyDocument: string
policyName: string
policyType: string
scope: string
selectionCriteria: string
LogAccountPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The LogAccountPolicy resource accepts the following input properties:
- Policy
Document string - Text of the account policy. Refer to the AWS docs for more information.
- Policy
Name string - Name of the account policy.
- Policy
Type string - Type of account policy. Either
DATA_PROTECTION_POLICYorSUBSCRIPTION_FILTER_POLICY. You can have one account policy per type in an account. - Scope string
- Currently defaults to and only accepts the value:
ALL. - Selection
Criteria string - Criteria for applying a subscription filter policy to a selection of log groups. The only allowable criteria selector is
LogGroupName NOT IN [].
- Policy
Document string - Text of the account policy. Refer to the AWS docs for more information.
- Policy
Name string - Name of the account policy.
- Policy
Type string - Type of account policy. Either
DATA_PROTECTION_POLICYorSUBSCRIPTION_FILTER_POLICY. You can have one account policy per type in an account. - Scope string
- Currently defaults to and only accepts the value:
ALL. - Selection
Criteria string - Criteria for applying a subscription filter policy to a selection of log groups. The only allowable criteria selector is
LogGroupName NOT IN [].
- policy
Document String - Text of the account policy. Refer to the AWS docs for more information.
- policy
Name String - Name of the account policy.
- policy
Type String - Type of account policy. Either
DATA_PROTECTION_POLICYorSUBSCRIPTION_FILTER_POLICY. You can have one account policy per type in an account. - scope String
- Currently defaults to and only accepts the value:
ALL. - selection
Criteria String - Criteria for applying a subscription filter policy to a selection of log groups. The only allowable criteria selector is
LogGroupName NOT IN [].
- policy
Document string - Text of the account policy. Refer to the AWS docs for more information.
- policy
Name string - Name of the account policy.
- policy
Type string - Type of account policy. Either
DATA_PROTECTION_POLICYorSUBSCRIPTION_FILTER_POLICY. You can have one account policy per type in an account. - scope string
- Currently defaults to and only accepts the value:
ALL. - selection
Criteria string - Criteria for applying a subscription filter policy to a selection of log groups. The only allowable criteria selector is
LogGroupName NOT IN [].
- policy_
document str - Text of the account policy. Refer to the AWS docs for more information.
- policy_
name str - Name of the account policy.
- policy_
type str - Type of account policy. Either
DATA_PROTECTION_POLICYorSUBSCRIPTION_FILTER_POLICY. You can have one account policy per type in an account. - scope str
- Currently defaults to and only accepts the value:
ALL. - selection_
criteria str - Criteria for applying a subscription filter policy to a selection of log groups. The only allowable criteria selector is
LogGroupName NOT IN [].
- policy
Document String - Text of the account policy. Refer to the AWS docs for more information.
- policy
Name String - Name of the account policy.
- policy
Type String - Type of account policy. Either
DATA_PROTECTION_POLICYorSUBSCRIPTION_FILTER_POLICY. You can have one account policy per type in an account. - scope String
- Currently defaults to and only accepts the value:
ALL. - selection
Criteria String - Criteria for applying a subscription filter policy to a selection of log groups. The only allowable criteria selector is
LogGroupName NOT IN [].
Outputs
All input properties are implicitly available as output properties. Additionally, the LogAccountPolicy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing LogAccountPolicy Resource
Get an existing LogAccountPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: LogAccountPolicyState, opts?: CustomResourceOptions): LogAccountPolicy@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
policy_document: Optional[str] = None,
policy_name: Optional[str] = None,
policy_type: Optional[str] = None,
scope: Optional[str] = None,
selection_criteria: Optional[str] = None) -> LogAccountPolicyfunc GetLogAccountPolicy(ctx *Context, name string, id IDInput, state *LogAccountPolicyState, opts ...ResourceOption) (*LogAccountPolicy, error)public static LogAccountPolicy Get(string name, Input<string> id, LogAccountPolicyState? state, CustomResourceOptions? opts = null)public static LogAccountPolicy get(String name, Output<String> id, LogAccountPolicyState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Policy
Document string - Text of the account policy. Refer to the AWS docs for more information.
- Policy
Name string - Name of the account policy.
- Policy
Type string - Type of account policy. Either
DATA_PROTECTION_POLICYorSUBSCRIPTION_FILTER_POLICY. You can have one account policy per type in an account. - Scope string
- Currently defaults to and only accepts the value:
ALL. - Selection
Criteria string - Criteria for applying a subscription filter policy to a selection of log groups. The only allowable criteria selector is
LogGroupName NOT IN [].
- Policy
Document string - Text of the account policy. Refer to the AWS docs for more information.
- Policy
Name string - Name of the account policy.
- Policy
Type string - Type of account policy. Either
DATA_PROTECTION_POLICYorSUBSCRIPTION_FILTER_POLICY. You can have one account policy per type in an account. - Scope string
- Currently defaults to and only accepts the value:
ALL. - Selection
Criteria string - Criteria for applying a subscription filter policy to a selection of log groups. The only allowable criteria selector is
LogGroupName NOT IN [].
- policy
Document String - Text of the account policy. Refer to the AWS docs for more information.
- policy
Name String - Name of the account policy.
- policy
Type String - Type of account policy. Either
DATA_PROTECTION_POLICYorSUBSCRIPTION_FILTER_POLICY. You can have one account policy per type in an account. - scope String
- Currently defaults to and only accepts the value:
ALL. - selection
Criteria String - Criteria for applying a subscription filter policy to a selection of log groups. The only allowable criteria selector is
LogGroupName NOT IN [].
- policy
Document string - Text of the account policy. Refer to the AWS docs for more information.
- policy
Name string - Name of the account policy.
- policy
Type string - Type of account policy. Either
DATA_PROTECTION_POLICYorSUBSCRIPTION_FILTER_POLICY. You can have one account policy per type in an account. - scope string
- Currently defaults to and only accepts the value:
ALL. - selection
Criteria string - Criteria for applying a subscription filter policy to a selection of log groups. The only allowable criteria selector is
LogGroupName NOT IN [].
- policy_
document str - Text of the account policy. Refer to the AWS docs for more information.
- policy_
name str - Name of the account policy.
- policy_
type str - Type of account policy. Either
DATA_PROTECTION_POLICYorSUBSCRIPTION_FILTER_POLICY. You can have one account policy per type in an account. - scope str
- Currently defaults to and only accepts the value:
ALL. - selection_
criteria str - Criteria for applying a subscription filter policy to a selection of log groups. The only allowable criteria selector is
LogGroupName NOT IN [].
- policy
Document String - Text of the account policy. Refer to the AWS docs for more information.
- policy
Name String - Name of the account policy.
- policy
Type String - Type of account policy. Either
DATA_PROTECTION_POLICYorSUBSCRIPTION_FILTER_POLICY. You can have one account policy per type in an account. - scope String
- Currently defaults to and only accepts the value:
ALL. - selection
Criteria String - Criteria for applying a subscription filter policy to a selection of log groups. The only allowable criteria selector is
LogGroupName NOT IN [].
Import
Using pulumi import, import this resource using the policy_name and policy_type separated by :. For example:
$ pulumi import aws:cloudwatch/logAccountPolicy:LogAccountPolicy example "my-account-policy:SUBSCRIPTION_FILTER_POLICY"
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.