Resource: awsDirectoryServiceLogSubscription

Provides a log subscription for AWS Directory Service that pushes the directory's logs to CloudWatch Logs.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsCloudwatchLogGroupExample =
  new aws.cloudwatchLogGroup.CloudwatchLogGroup(this, "example", {
    name: "/aws/directoryservice/${aws_directory_service_directory.example.id}",
    retentionInDays: 14,
  });
const awsDirectoryServiceLogSubscriptionExample =
  new aws.directoryServiceLogSubscription.DirectoryServiceLogSubscription(
    this,
    "example_1",
    {
      directoryId: "${aws_directory_service_directory.example.id}",
      logGroupName: awsCloudwatchLogGroupExample.name,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsDirectoryServiceLogSubscriptionExample.overrideLogicalId("example");
const dataAwsIamPolicyDocumentAdLogPolicy =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "ad-log-policy",
    {
      statement: [
        {
          actions: ["logs:CreateLogStream", "logs:PutLogEvents"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["ds.amazonaws.com"],
              type: "Service",
            },
          ],
          resources: [`\${${awsCloudwatchLogGroupExample.arn}}:*`],
        },
      ],
    }
  );
const awsCloudwatchLogResourcePolicyAdLogPolicy =
  new aws.cloudwatchLogResourcePolicy.CloudwatchLogResourcePolicy(
    this,
    "ad-log-policy_3",
    {
      policyDocument: dataAwsIamPolicyDocumentAdLogPolicy.json,
      policyName: "ad-log-policy",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsCloudwatchLogResourcePolicyAdLogPolicy.overrideLogicalId("ad-log-policy");

Argument Reference

The following arguments are supported:

  • directoryId - (Required) ID of the directory.
  • logGroupName - (Required) Name of the CloudWatch log group to which the logs should be published. The log group must already exist, and the Directory Service principal (ds.amazonaws.com) must be granted permission on it to create log streams and publish log events (logs:CreateLogStream and logs:PutLogEvents), as the resource policy in the example above does. Changing this value deletes the current subscription and creates a new one. A directory can have only one log subscription at a time.
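As an added example (not part of the provider docs or the cdktf-generated code above): a plain TypeScript helper that builds the CloudWatch Logs resource policy this subscription depends on, scoped to one log group's ARN, and a check that flags a policy granting more than the two actions ds.amazonaws.com needs. The log group ARN and account ID are constructed; there is no cdktf dependency.

```typescript
// Added example, not from the provider docs or the cdktf code above:
// builds the CloudWatch Logs resource policy the subscription relies on,
// scoped to one log group, and flags policies broader than that.
const DS_PRINCIPAL = "ds.amazonaws.com";
const DS_LOG_ACTIONS = ["logs:CreateLogStream", "logs:PutLogEvents"];
// Constructed sample ARN (account ID is a placeholder, directory ID from the docs).
const EXAMPLE_LOG_GROUP_ARN =
  "arn:aws:logs:us-east-1:123456789012:log-group:/aws/directoryservice/d-1234567890";

interface Statement {
  Effect: "Allow" | "Deny";
  Principal: { Service: string | string[] };
  Action: string | string[];
  Resource: string | string[];
}
interface PolicyDocument { Version: "2012-10-17"; Statement: Statement[] }

// Only the two actions Directory Service needs, on the streams of one
// log group (the trailing ":*" matches the log streams inside it).
function buildDsLogPolicy(logGroupArn: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Service: DS_PRINCIPAL },
      Action: [...DS_LOG_ACTIONS],
      Resource: `${logGroupArn}:*`,
    }],
  };
}

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Lists every way an Allow statement exceeds what this subscription needs:
// a principal other than ds.amazonaws.com, an action outside the two above,
// or a resource that is not a CloudWatch Logs ARN (e.g. "*").
function findOverBroadGrants(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  doc.Statement.forEach((s, i) => {
    if (s.Effect !== "Allow") return;
    for (const p of asList(s.Principal.Service)) {
      if (p !== DS_PRINCIPAL) findings.push(`statement ${i}: unexpected principal ${p}`);
    }
    for (const a of asList(s.Action)) {
      if (!DS_LOG_ACTIONS.includes(a)) findings.push(`statement ${i}: extra action ${a}`);
    }
    for (const r of asList(s.Resource)) {
      if (r === "*" || !r.startsWith("arn:aws:logs:")) findings.push(`statement ${i}: unscoped resource ${r}`);
    }
  });
  return findings;
}
```

Run findOverBroadGrants over the JSON produced by aws_cloudwatch_log_resource_policy (or any existing policy on the log group) to confirm nothing beyond the Directory Service grant has crept in.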

Attributes Reference

No additional attributes are exported.

Import

Directory Service Log Subscriptions can be imported using the directory ID, e.g.,

$ terraform import aws_directory_service_log_subscription.msad d-1234567890