Resource: awsCloudwatchLogResourcePolicy

Provides a resource to manage a CloudWatch log resource policy.

Example Usage

Elasticsearch Log Publishing

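/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.
This snippet belongs inside the constructor of a TerraformStack (or other Construct); `this` refers to that construct.*/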
import * as aws from "./.gen/providers/aws";
const dataAwsIamPolicyDocumentElasticsearchLogPublishingPolicy =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "elasticsearch-log-publishing-policy",
    {
      statement: [
        {
          actions: [
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:PutLogEventsBatch",
          ],
          principals: [
            {
              identifiers: ["es.amazonaws.com"],
              type: "Service",
            },
          ],
          resources: ["arn:aws:logs:*"],
        },
      ],
    }
  );
const awsCloudwatchLogResourcePolicyElasticsearchLogPublishingPolicy =
  new aws.cloudwatchLogResourcePolicy.CloudwatchLogResourcePolicy(
    this,
    "elasticsearch-log-publishing-policy_1",
    {
      policyDocument:
        dataAwsIamPolicyDocumentElasticsearchLogPublishingPolicy.json,
      policyName: "elasticsearch-log-publishing-policy",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsCloudwatchLogResourcePolicyElasticsearchLogPublishingPolicy.overrideLogicalId(
  "elasticsearch-log-publishing-policy"
);

Route53 Query Logging

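/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.
This snippet belongs inside the constructor of a TerraformStack (or other Construct); `this` refers to that construct.*/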
import * as aws from "./.gen/providers/aws";
const dataAwsIamPolicyDocumentRoute53QueryLoggingPolicy =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "route53-query-logging-policy",
    {
      statement: [
        {
          actions: ["logs:CreateLogStream", "logs:PutLogEvents"],
          principals: [
            {
              identifiers: ["route53.amazonaws.com"],
              type: "Service",
            },
          ],
          resources: ["arn:aws:logs:*:*:log-group:/aws/route53/*"],
        },
      ],
    }
  );
const awsCloudwatchLogResourcePolicyRoute53QueryLoggingPolicy =
  new aws.cloudwatchLogResourcePolicy.CloudwatchLogResourcePolicy(
    this,
    "route53-query-logging-policy_1",
    {
      policyDocument: dataAwsIamPolicyDocumentRoute53QueryLoggingPolicy.json,
      policyName: "route53-query-logging-policy",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsCloudwatchLogResourcePolicyRoute53QueryLoggingPolicy.overrideLogicalId(
  "route53-query-logging-policy"
);

Argument Reference

The following arguments are supported:

  • policyDocument - (Required) Details of the resource policy, including the identity of the principal that is enabled to put logs to this account. This is formatted as a JSON string. Maximum length of 5120 characters.
  • policyName - (Required) Name of the resource policy.
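
The two examples above differ in how tightly `resources` is scoped (`arn:aws:logs:*` versus a `/aws/route53/*` log-group ARN). As an added example, not part of the provider documentation, the following TypeScript checks a rendered policy JSON string before it is passed as policyDocument: it enforces the 5120-character limit and reports statements whose resource is not scoped to a log group or whose principal is a wildcard. The names checkLogResourcePolicy, Finding, toList and samplePolicy are hypothetical, and the sample policies are constructed.

```typescript
// Added example: lint a CloudWatch Logs resource policy before using it as policyDocument.
// All names here are hypothetical helpers, not part of cdktf or the AWS provider.
const MAX_POLICY_DOCUMENT_LENGTH = 5120; // limit stated in the Argument Reference

interface Finding { statement: number; message: string } // statement -1 = whole document

// IAM JSON allows a single value to be written as a string or as an array.
function toList(value: unknown): string[] {
  if (typeof value === "string") return [value];
  if (Array.isArray(value)) return value.filter((v): v is string => typeof v === "string");
  return [];
}

function checkLogResourcePolicy(policyJson: string): Finding[] {
  const findings: Finding[] = [];
  if (policyJson.length > MAX_POLICY_DOCUMENT_LENGTH) {
    findings.push({ statement: -1, message: "policyDocument exceeds 5120 characters" });
  }
  const doc = JSON.parse(policyJson);
  const statements: any[] = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
  statements.forEach((stmt, i) => {
    if (!stmt || stmt.Effect !== "Allow") return;
    for (const resource of toList(stmt.Resource)) {
      // ARN layout: arn:partition:logs:region:account:log-group:name
      const parts = resource.split(":");
      const logGroup = parts[5] === "log-group" ? parts.slice(6).join(":") : "";
      if (logGroup === "" || logGroup === "*") {
        findings.push({ statement: i, message: "resource not scoped to a log group: " + resource });
      }
    }
    const principal = stmt.Principal;
    if (principal === "*" || toList(principal && principal.AWS).indexOf("*") !== -1) {
      findings.push({ statement: i, message: "wildcard principal" });
    }
  });
  return findings;
}

// Constructed sample policies with the principals and resources of the two examples above.
function samplePolicy(service: string, resource: string): string {
  return JSON.stringify({
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Principal: { Service: service },
      Action: ["logs:CreateLogStream", "logs:PutLogEvents"], Resource: resource }],
  });
}
const esFindings = checkLogResourcePolicy(samplePolicy("es.amazonaws.com", "arn:aws:logs:*"));
const route53Findings = checkLogResourcePolicy(
  samplePolicy("route53.amazonaws.com", "arn:aws:logs:*:*:log-group:/aws/route53/*"));
console.log(esFindings, route53Findings);
```
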

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The name of the CloudWatch log resource policy.

Import

CloudWatch log resource policies can be imported using the policy name, e.g.,

$ terraform import aws_cloudwatch_log_resource_policy.MyPolicy MyPolicy