Data Source: aws_cloudwatch_log_data_protection_policy_document

Generates a CloudWatch Log Group Data Protection Policy document in JSON format for use with the aws_cloudwatch_log_data_protection_policy resource.

Example Usage

resource "aws_cloudwatch_log_data_protection_policy" "example" {
  log_group_name  = aws_cloudwatch_log_group.example.name
  policy_document = data.aws_cloudwatch_log_data_protection_policy_document.example.json
}

data "aws_cloudwatch_log_data_protection_policy_document" "example" {
  name = "Example"

  statement {
    sid = "Audit"

    data_identifiers = [
      "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
      "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
    ]

    operation {
      audit {
        findings_destination {
          cloudwatch_logs {
            log_group = aws_cloudwatch_log_group.audit.name
          }
          firehose {
            delivery_stream = aws_kinesis_firehose_delivery_stream.audit.name
          }
          s3 {
            bucket = aws_s3_bucket.audit.bucket
          }
        }
      }
    }
  }

  statement {
    sid = "Deidentify"

    data_identifiers = [
      "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
      "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
    ]

    operation {
      deidentify {
        mask_config {}
      }
    }
  }
}
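The JSON the data source renders for the example above is what CloudWatch Logs actually enforces, so it is worth checking before it is applied. The following is an added example, not code from the provider: it builds the same document in Python (the AWS-documented policy shape, with constructed destination names) and flags an audit-only policy or identifiers that are audited but never masked.

```python
# Managed data identifiers taken from the page's example.
EMAIL = "arn:aws:dataprotection::aws:data-identifier/EmailAddress"
DL_US = "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"


def build_policy(name, identifiers, log_group=None, firehose=None, bucket=None):
    """Return the JSON-equivalent document: one Audit and one Deidentify statement."""
    destination = {}
    if log_group:
        destination["CloudWatchLogs"] = {"LogGroup": log_group}
    if firehose:
        destination["Firehose"] = {"DeliveryStream": firehose}
    if bucket:
        destination["S3"] = {"Bucket": bucket}
    return {
        "Name": name,
        "Version": "2021-06-01",  # data protection policy schema version
        "Statement": [
            {"Sid": "Audit", "DataIdentifier": list(identifiers),
             "Operation": {"Audit": {"FindingsDestination": destination}}},
            {"Sid": "Deidentify", "DataIdentifier": list(identifiers),
             "Operation": {"Deidentify": {"MaskConfig": {}}}},
        ],
    }


def check_policy(policy):
    """Return a list of problems; an empty list means the document is complete."""
    problems = []
    covered = {}  # operation name -> set of identifiers it applies to
    for stmt in policy.get("Statement", []):
        ids = stmt.get("DataIdentifier") or []
        if not ids:
            problems.append(f"statement {stmt.get('Sid')!r} has no DataIdentifier")
        for op in stmt.get("Operation", {}):
            covered.setdefault(op, set()).update(ids)
    for required in ("Audit", "Deidentify"):
        if required not in covered:
            problems.append(f"missing {required} operation")
    unmasked = covered.get("Audit", set()) - covered.get("Deidentify", set())
    if "Audit" in covered and "Deidentify" in covered and unmasked:
        problems.append("audited but never masked: " + ", ".join(sorted(unmasked)))
    return problems


if __name__ == "__main__":
    # Constructed destination names stand in for the example's resource references.
    doc = build_policy("Example", [EMAIL, DL_US], "audit-logs", "audit-stream", "audit-bucket")
    print(check_policy(doc) or "policy OK")
```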

Argument Reference

The following arguments are required:

- name - (Required) The name of the data protection policy document.
- statement - (Required) Configures the data protection policy. A policy needs two statement blocks: one whose operation is audit and one whose operation is deidentify, as in the example above. See statement Configuration Block below.

The following arguments are optional:

- description - (Optional) A description of the data protection policy document.
- version - (Optional) The version of the data protection policy document. Defaults to 2021-06-01.

statement Configuration Block

- sid - (Optional) A name for the statement.
- data_identifiers - (Required) A list of data identifier ARNs (for example the AWS managed identifiers arn:aws:dataprotection::aws:data-identifier/EmailAddress and arn:aws:dataprotection::aws:data-identifier/DriversLicense-US) that this statement applies to.
- operation - (Required) Configures the operation applied to log events that match the data identifiers. See operation Configuration Block below.

operation Configuration Block

- audit - (Optional) Configures an audit operation that detects matching data and reports findings. See audit Configuration Block below.
- deidentify - (Optional) Configures a deidentify operation that masks matching data. See deidentify Configuration Block below.

audit Configuration Block

- findings_destination - (Required) Configures where audit findings are sent. See findings_destination Configuration Block below.

findings_destination Configuration Block

- cloudwatch_logs - (Optional) Send findings to a CloudWatch Logs log group. See cloudwatch_logs Configuration Block below.
- firehose - (Optional) Send findings to a Kinesis Data Firehose delivery stream. See firehose Configuration Block below.
- s3 - (Optional) Send findings to an S3 bucket. See s3 Configuration Block below.

cloudwatch_logs Configuration Block

- log_group - (Required) The name of the log group that receives findings.

firehose Configuration Block

- delivery_stream - (Required) The name of the delivery stream that receives findings.

s3 Configuration Block

- bucket - (Required) The name of the bucket that receives findings.

deidentify Configuration Block

- mask_config - (Required) An empty configuration block that masks matching data in the log events.

Attribute Reference

This data source exports the following attributes in addition to the arguments above:

- json - The generated data protection policy document, in JSON format, for use as the policy_document of the aws_cloudwatch_log_data_protection_policy resource.