Resource: awsS3BucketLogging
Provides an S3 bucket (server access) logging resource. For more information, see Logging requests using server access logging in the AWS S3 User Guide.
Note: Amazon S3 supports server access logging, AWS CloudTrail, or a combination of both. Refer to the Logging options for Amazon S3 to decide which method meets your requirements.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";

// `this` below is the enclosing construct scope (for example a TerraformStack).

// Source bucket whose requests are logged.
const awsS3BucketExample = new aws.s3Bucket.S3Bucket(this, "example", {
  bucket: "my-tf-example-bucket",
});

// Bucket that receives the server access logs.
const awsS3BucketLogBucket = new aws.s3Bucket.S3Bucket(this, "log_bucket", {
  bucket: "my-tf-log-bucket",
});

const awsS3BucketAclExample = new aws.s3BucketAcl.S3BucketAcl(
  this,
  "example_2",
  {
    acl: "private",
    bucket: awsS3BucketExample.id,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsS3BucketAclExample.overrideLogicalId("example");

// The log-delivery-write canned ACL lets S3 log delivery write log objects to the log bucket.
new aws.s3BucketAcl.S3BucketAcl(this, "log_bucket_acl", {
  acl: "log-delivery-write",
  bucket: awsS3BucketLogBucket.id,
});

// Enable server access logging on the source bucket, delivering to the log bucket under log/.
const awsS3BucketLoggingExample = new aws.s3BucketLogging.S3BucketLoggingA(
  this,
  "example_4",
  {
    bucket: awsS3BucketExample.id,
    targetBucket: awsS3BucketLogBucket.id,
    targetPrefix: "log/",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsS3BucketLoggingExample.overrideLogicalId("example");
Argument Reference
The following arguments are supported:
- bucket - (Required, Forces new resource) Name of the bucket.
- expectedBucketOwner - (Optional, Forces new resource) Account ID of the expected bucket owner.
- targetBucket - (Required) Name of the bucket where you want Amazon S3 to store server access logs.
- targetPrefix - (Required) Prefix for all log object keys.
- targetGrant - (Optional) Set of configuration blocks with information for granting permissions. See below.
targetGrant
The targetGrant configuration block supports the following arguments:
- grantee - (Required) Configuration block for the person being granted permissions. See below.
- permission - (Required) Logging permissions assigned to the grantee for the bucket. Valid values: FULL_CONTROL, READ, WRITE.
grantee
The grantee configuration block supports the following arguments:
- emailAddress - (Optional) Email address of the grantee. See Regions and Endpoints for supported AWS regions where this argument can be specified.
- id - (Optional) Canonical user ID of the grantee.
- type - (Required) Type of grantee. Valid values: CanonicalUser, AmazonCustomerByEmail, Group.
- uri - (Optional) URI of the grantee group.
Attributes Reference
In addition to all arguments above, the following attributes are exported:
- id - The bucket, or bucket and expectedBucketOwner separated by a comma (,) if the latter is provided.
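The following is an added example, not part of the provider documentation or the generated bindings: a stand-alone pre-deployment check that validates a logging configuration against the argument reference above and splits the exported id into its parts. The type names, function names and the 12-digit account ID check are assumptions made for illustration; valid values use the S3 API spellings (FULL_CONTROL, READ, WRITE and CanonicalUser, AmazonCustomerByEmail, Group).

```typescript
type Grantee = { type: string; id?: string; emailAddress?: string; uri?: string };
type TargetGrant = { grantee: Grantee; permission: string };
interface LoggingConfig {
  bucket: string;
  targetBucket: string;
  targetPrefix: string;
  expectedBucketOwner?: string;
  targetGrant?: TargetGrant[];
}

const PERMISSIONS = ["FULL_CONTROL", "READ", "WRITE"];
// Assumption: each grantee type is identified by its matching optional argument.
const GRANTEE_FIELD: Record<string, "id" | "emailAddress" | "uri"> = {
  CanonicalUser: "id",
  AmazonCustomerByEmail: "emailAddress",
  Group: "uri",
};

// Returns a list of problems; an empty list means the configuration passes.
function validateLogging(cfg: LoggingConfig): string[] {
  const errors: string[] = [];
  if (!cfg.bucket) errors.push("bucket is required");
  if (!cfg.targetBucket) errors.push("targetBucket is required");
  if (typeof cfg.targetPrefix !== "string") errors.push("targetPrefix is required");
  // Assumption: AWS account IDs are 12 digits.
  if (cfg.expectedBucketOwner !== undefined && !/^\d{12}$/.test(cfg.expectedBucketOwner))
    errors.push("expectedBucketOwner must be a 12-digit account ID");
  (cfg.targetGrant || []).forEach((g, i) => {
    if (PERMISSIONS.indexOf(g.permission) < 0)
      errors.push(`targetGrant[${i}]: invalid permission ${g.permission}`);
    const t = g.grantee.type;
    if (!Object.prototype.hasOwnProperty.call(GRANTEE_FIELD, t))
      errors.push(`targetGrant[${i}]: invalid grantee type ${t}`);
    else if (!g.grantee[GRANTEE_FIELD[t]])
      errors.push(`targetGrant[${i}]: ${t} grantee needs ${GRANTEE_FIELD[t]}`);
  });
  return errors;
}

// Splits the exported id: "bucket" or "bucket,expectedBucketOwner".
function parseLoggingId(id: string): { bucket: string; expectedBucketOwner?: string } {
  const comma = id.indexOf(",");
  const bucket = comma < 0 ? id : id.slice(0, comma);
  const owner = comma < 0 ? undefined : id.slice(comma + 1);
  if (bucket === "" || owner === "" || (owner !== undefined && owner.indexOf(",") >= 0))
    throw new Error(`unexpected id format: ${id}`);
  return owner === undefined ? { bucket } : { bucket, expectedBucketOwner: owner };
}
```

validateLogging reports a lower-case permission such as "read" or a Group grantee without a uri before the configuration reaches the provider.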
Import
S3 bucket logging can be imported in one of two ways.
If the owner (account ID) of the source bucket is the same account used to configure the Terraform AWS Provider, the S3 bucket logging resource should be imported using the bucket e.g.,
If the owner (account ID) of the source bucket differs from the account used to configure the Terraform AWS Provider, the S3 bucket logging resource should be imported using the bucket and expectedBucketOwner separated by a comma (,) e.g.,