Resource: awsRoute53QueryLog
Provides a Route53 query logging configuration resource.
NOTE: There are restrictions on the configuration of query logging. Notably, the CloudWatch log group must be in the us-east-1 region, a permissive CloudWatch log resource policy must be in place, and the Route53 hosted zone must be public. See Configuring Logging for DNS Queries for additional details.
Example Usage
/* Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";

// This snippet belongs inside a TerraformStack constructor, where `this` is the stack.

// Aliased provider: the query log group must be created in us-east-1.
const awsUsEast1 = new aws.provider.AwsProvider(this, "aws", {
  alias: "us-east-1",
  region: "us-east-1",
});

const awsRoute53ZoneExampleCom = new aws.route53Zone.Route53Zone(
  this,
  "example_com",
  {
    name: "example.com",
  }
);

// Resource policy that lets the Route53 service write to /aws/route53/* log groups.
const dataAwsIamPolicyDocumentRoute53QueryLoggingPolicy =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "route53-query-logging-policy",
    {
      statement: [
        {
          actions: ["logs:CreateLogStream", "logs:PutLogEvents"],
          principals: [
            {
              identifiers: ["route53.amazonaws.com"],
              type: "Service",
            },
          ],
          resources: ["arn:aws:logs:*:*:log-group:/aws/route53/*"],
        },
      ],
    }
  );

const awsCloudwatchLogGroupAwsRoute53ExampleCom =
  new aws.cloudwatchLogGroup.CloudwatchLogGroup(
    this,
    "aws_route53_example_com",
    {
      name: `/aws/route53/${awsRoute53ZoneExampleCom.name}`,
      provider: awsUsEast1,
      retentionInDays: 30,
    }
  );

const awsCloudwatchLogResourcePolicyRoute53QueryLoggingPolicy =
  new aws.cloudwatchLogResourcePolicy.CloudwatchLogResourcePolicy(
    this,
    "route53-query-logging-policy_4",
    {
      policyDocument: dataAwsIamPolicyDocumentRoute53QueryLoggingPolicy.json,
      policyName: "route53-query-logging-policy",
      provider: awsUsEast1,
    }
  );
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
awsCloudwatchLogResourcePolicyRoute53QueryLoggingPolicy.overrideLogicalId(
  "route53-query-logging-policy"
);

const awsRoute53QueryLogExampleCom = new aws.route53QueryLog.Route53QueryLog(
  this,
  "example_com_5",
  {
    cloudwatchLogGroupArn: awsCloudwatchLogGroupAwsRoute53ExampleCom.arn,
    // The resource policy must exist before query logging is enabled.
    dependsOn: [awsCloudwatchLogResourcePolicyRoute53QueryLoggingPolicy],
    zoneId: awsRoute53ZoneExampleCom.zoneId,
  }
);
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
awsRoute53QueryLogExampleCom.overrideLogicalId("example_com");
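The three restrictions in the NOTE above can be checked offline before deploying. The following TypeScript is an added example, not part of the provider documentation: `QueryLogPlan`, `checkQueryLogPlan` and the `zoneIsPrivate` flag are hypothetical names, and it conservatively assumes the policy's resource pattern must cover log stream ARNs of the form `<log group ARN>:log-stream:<name>`.

```typescript
// Added example (not provider code): offline check of the NOTE's three restrictions.
type OneOrMany = string | string[];
interface Statement {
  Effect: string;
  Principal?: { Service?: OneOrMany };
  Action: OneOrMany;
  Resource: OneOrMany;
}
interface QueryLogPlan {
  logGroupArn: string; // value passed as cloudwatchLogGroupArn
  zoneIsPrivate: boolean; // hypothetical flag: the zone has VPC associations
  policy: { Statement: Statement[] }; // rendered resource policy JSON
}

const REQUIRED_ACTIONS = ["logs:CreateLogStream", "logs:PutLogEvents"];
const list = (v?: OneOrMany): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// IAM-style wildcard: "*" matches any run of characters, "?" exactly one.
function matches(pattern: string, value: string, flags = ""): boolean {
  const body = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${body}$`, flags).test(value);
}

function checkQueryLogPlan(plan: QueryLogPlan): string[] {
  const problems: string[] = [];
  // ARN layout: arn:partition:logs:region:account:log-group:name
  const region = plan.logGroupArn.split(":")[3];
  if (region !== "us-east-1") problems.push(`log group is in ${region}, not us-east-1`);
  if (plan.zoneIsPrivate) problems.push("hosted zone is private");

  // Constructed stream ARN (assumption): Route53 writes to streams inside the group.
  const streamArn = `${plan.logGroupArn}:log-stream:sample`;
  for (const action of REQUIRED_ACTIONS) {
    const granted = plan.policy.Statement.some(
      (s) =>
        s.Effect === "Allow" &&
        list(s.Principal?.Service).includes("route53.amazonaws.com") &&
        list(s.Action).some((a) => matches(a, action, "i")) &&
        list(s.Resource).some((r) => matches(r, streamArn))
    );
    if (!granted) problems.push(`policy does not allow ${action} for route53.amazonaws.com`);
  }
  return problems;
}
```

An empty array means the plan satisfies all three restrictions; each string in the result names one that is not met.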
Argument Reference
The following arguments are supported:
cloudwatchLogGroupArn - (Required) CloudWatch log group ARN to send query logs.
zoneId - (Required) Route53 hosted zone ID to enable query logs.
Attributes Reference
In addition to all arguments above, the following attributes are exported:
arn - The Amazon Resource Name (ARN) of the Query Logging Config.
id - The query logging configuration ID.
Import
Route53 query logging configurations can be imported using their ID, e.g.,