
Resource: awsS3BucketLogging

Provides an S3 bucket (server access) logging resource. For more information, see Logging requests using server access logging in the AWS S3 User Guide.

Note: Amazon S3 supports server access logging, AWS CloudTrail, or a combination of both. Refer to the Logging options for Amazon S3 to decide which method meets your requirements.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";
class MyConvertedCode extends TerraformStack {
  constructor(scope: Construct, name: string) {
    super(scope, name);
    /*Source bucket whose requests are logged.*/
    const awsS3BucketExample = new aws.s3Bucket.S3Bucket(this, "example", {
      bucket: "my-tf-example-bucket",
    });
    /*Target bucket that receives the server access logs.*/
    const awsS3BucketLogBucket = new aws.s3Bucket.S3Bucket(this, "log_bucket", {
      bucket: "my-tf-log-bucket",
    });
    const awsS3BucketAclExample = new aws.s3BucketAcl.S3BucketAcl(
      this,
      "example_2",
      {
        acl: "private",
        bucket: awsS3BucketExample.id,
      }
    );
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    awsS3BucketAclExample.overrideLogicalId("example");
    /*The log-delivery-write ACL lets S3 log delivery write into the target bucket.*/
    new aws.s3BucketAcl.S3BucketAcl(this, "log_bucket_acl", {
      acl: "log-delivery-write",
      bucket: awsS3BucketLogBucket.id,
    });
    const awsS3BucketLoggingExample = new aws.s3BucketLogging.S3BucketLoggingA(
      this,
      "example_4",
      {
        bucket: awsS3BucketExample.id,
        targetBucket: awsS3BucketLogBucket.id,
        targetPrefix: "log/",
      }
    );
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    awsS3BucketLoggingExample.overrideLogicalId("example");
  }
}

Argument Reference

The following arguments are supported:

  • bucket - (Required, Forces new resource) Name of the bucket.
  • expectedBucketOwner - (Optional, Forces new resource) Account ID of the expected bucket owner.
  • targetBucket - (Required) Name of the bucket where you want Amazon S3 to store server access logs.
  • targetPrefix - (Required) Prefix for all log object keys.
  • targetGrant - (Optional) Set of configuration blocks with information for granting permissions. See below.

targetGrant

The targetGrant configuration block supports the following arguments:

  • grantee - (Required) Configuration block for the person being granted permissions. See below.
  • permission - (Required) Logging permissions assigned to the grantee for the bucket. Valid values: FULL_CONTROL, READ, WRITE.

grantee

The grantee configuration block supports the following arguments:

  • emailAddress - (Optional) Email address of the grantee. See Regions and Endpoints for supported AWS regions where this argument can be specified.
  • id - (Optional) Canonical user ID of the grantee.
  • type - (Required) Type of grantee. Valid values: CanonicalUser, AmazonCustomerByEmail, Group.
  • uri - (Optional) URI of the grantee group.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The bucket or bucket and expectedBucketOwner separated by a comma (,) if the latter is provided.

Import

S3 bucket logging can be imported in one of two ways.

If the owner (account ID) of the source bucket is the same account used to configure the Terraform AWS Provider, the S3 bucket logging resource should be imported using the bucket e.g.,

$ terraform import aws_s3_bucket_logging.example bucket-name

If the owner (account ID) of the source bucket differs from the account used to configure the Terraform AWS Provider, the S3 bucket logging resource should be imported using the bucket and expectedBucketOwner separated by a comma (,) e.g.,

$ terraform import aws_s3_bucket_logging.example bucket-name,123456789012
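
The following is an added example, not part of the provider documentation or the cdktf API: a plain TypeScript pre-synth check for the arguments in the Argument Reference, targetGrant and grantee sections, plus the id format used under Attributes Reference and Import. All type and function names are hypothetical, the enum values are written with the case the S3 API accepts (FULL_CONTROL, READ, WRITE; CanonicalUser, AmazonCustomerByEmail, Group), and the pairing of each grantee type with one optional field is an assumption taken from S3 ACL semantics.

```typescript
// Added example: hypothetical helper types and functions, not cdktf or provider API.
interface Grantee { type: string; id?: string; emailAddress?: string; uri?: string }
interface TargetGrant { grantee: Grantee; permission: string }
interface LoggingConfig {
  bucket: string; targetBucket: string; targetPrefix: string;
  expectedBucketOwner?: string; targetGrant?: TargetGrant[];
}
const PERMISSIONS = ["FULL_CONTROL", "READ", "WRITE"];
// Assumption (S3 ACL semantics): the optional grantee field each type needs.
const GRANTEE_FIELD: { [kind: string]: "id" | "emailAddress" | "uri" } = {
  CanonicalUser: "id",
  AmazonCustomerByEmail: "emailAddress",
  Group: "uri",
};

// Returns a list of problems; an empty list means nothing was flagged.
function validateLogging(cfg: LoggingConfig): string[] {
  const errors: string[] = [];
  if (!cfg.bucket) errors.push("bucket is required");
  if (!cfg.targetBucket) errors.push("targetBucket is required");
  if (cfg.expectedBucketOwner !== undefined && !/^\d{12}$/.test(cfg.expectedBucketOwner)) {
    errors.push("expectedBucketOwner must be a 12-digit account ID");
  }
  (cfg.targetGrant || []).forEach((grant, i) => {
    const kind = grant.grantee.type;
    if (PERMISSIONS.indexOf(grant.permission) < 0) {
      errors.push(`targetGrant[${i}].permission: invalid value ${grant.permission}`);
    }
    if (!Object.prototype.hasOwnProperty.call(GRANTEE_FIELD, kind)) {
      errors.push(`targetGrant[${i}].grantee.type: invalid value ${kind}`);
    } else if (!grant.grantee[GRANTEE_FIELD[kind]]) {
      errors.push(`targetGrant[${i}].grantee.${GRANTEE_FIELD[kind]}: required for ${kind}`);
    }
  });
  return errors;
}

// Resource id / import argument: "bucket" or "bucket,expectedBucketOwner".
function loggingImportId(cfg: LoggingConfig): string {
  return cfg.expectedBucketOwner ? `${cfg.bucket},${cfg.expectedBucketOwner}` : cfg.bucket;
}
// Constructed sample: the page's bucket names with one deliberately wrong grant.
const sample: LoggingConfig = {
  bucket: "my-tf-example-bucket", targetBucket: "my-tf-log-bucket", targetPrefix: "log/",
  expectedBucketOwner: "123456789012",
  targetGrant: [{ grantee: { type: "CanonicalUser" }, permission: "read" }],
};
console.log(validateLogging(sample), loggingImportId(sample));
```

The sample grant is flagged twice: once for the lowercase permission and once for the CanonicalUser grantee that carries no id.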