Provides a CloudWatch Log Data Protection Policy resource.
Read more about protecting sensitive user data in the User Guide.
```terraform
resource "aws_cloudwatch_log_group" "example" {
  name = "example"
}

resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_cloudwatch_log_data_protection_policy" "example" {
  log_group_name = aws_cloudwatch_log_group.example.name

  policy_document = jsonencode({
    Name    = "Example"
    Version = "2021-06-01"

    Statement = [
      {
        Sid            = "Audit"
        DataIdentifier = ["arn:aws:dataprotection::aws:data-identifier/EmailAddress"]
        Operation = {
          Audit = {
            FindingsDestination = {
              S3 = {
                Bucket = aws_s3_bucket.example.bucket
              }
            }
          }
        }
      },
      {
        Sid            = "Redact"
        DataIdentifier = ["arn:aws:dataprotection::aws:data-identifier/EmailAddress"]
        Operation = {
          Deidentify = {
            MaskConfig = {}
          }
        }
      }
    ]
  })
}
```
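The policy document above has a fixed shape: a version string and exactly two statements, the first carrying an Audit operation (with a findings destination) and the second a Deidentify operation, both listing the same data identifiers. The following Python is an added example, not part of the provider documentation or the provider's code: it builds the same document the `jsonencode()` block produces and checks a candidate document against that shape before it is handed to Terraform. The rules it enforces are assumptions drawn from the documented policy syntax (two statements, Audit then Deidentify, matching identifier lists), and it only recognises AWS-managed data identifiers under the `arn:aws:dataprotection::aws:data-identifier/` prefix shown on this page.

```python
"""Build and sanity-check a CloudWatch Logs data protection policy document.

Added example (not the Terraform provider's code). Assumes the two-statement
shape shown on the page: an Audit statement with a FindingsDestination, then a
Deidentify statement with MaskConfig, both listing the same data identifiers.
"""
import json

# Prefix used by AWS-managed data identifiers (as on the page); custom
# identifiers are out of scope for this example.
AWS_DATA_IDENTIFIER_PREFIX = "arn:aws:dataprotection::aws:data-identifier/"
POLICY_VERSION = "2021-06-01"


def build_policy(name, identifiers, findings_bucket):
    """Return a policy document dict equivalent to the jsonencode() block above.

    `identifiers` are short managed-identifier names such as "EmailAddress";
    `findings_bucket` is the S3 bucket that receives audit findings.
    """
    ids = [AWS_DATA_IDENTIFIER_PREFIX + i for i in identifiers]
    return {
        "Name": name,
        "Version": POLICY_VERSION,
        "Statement": [
            {
                "Sid": "Audit",
                "DataIdentifier": ids,
                "Operation": {
                    "Audit": {"FindingsDestination": {"S3": {"Bucket": findings_bucket}}}
                },
            },
            {
                "Sid": "Redact",
                "DataIdentifier": ids,
                "Operation": {"Deidentify": {"MaskConfig": {}}},
            },
        ],
    }


def validate_policy(doc):
    """Return a list of problems found in `doc`; an empty list means it passes.

    The checks mirror the documented policy syntax (assumption): a known Version,
    exactly two statements, Audit first and Deidentify second, a non-empty and
    identical DataIdentifier list in both, and only AWS-managed identifier ARNs.
    """
    problems = []
    if doc.get("Version") != POLICY_VERSION:
        problems.append(f"Version must be {POLICY_VERSION}")

    stmts = doc.get("Statement")
    if not isinstance(stmts, list) or len(stmts) != 2:
        problems.append("policy needs exactly two statements (Audit, then Deidentify)")
        return problems

    audit, deid = stmts
    if "Audit" not in audit.get("Operation", {}):
        problems.append("first statement must carry an Audit operation")
    if "Deidentify" not in deid.get("Operation", {}):
        problems.append("second statement must carry a Deidentify operation")

    for stmt in stmts:
        ids = stmt.get("DataIdentifier") or []
        if not ids:
            problems.append(f"statement {stmt.get('Sid')!r} lists no DataIdentifier")
        for arn in ids:
            if not arn.startswith(AWS_DATA_IDENTIFIER_PREFIX):
                problems.append(f"unrecognised data identifier: {arn}")

    if audit.get("DataIdentifier") != deid.get("DataIdentifier"):
        problems.append("Audit and Deidentify statements must list the same identifiers")
    return problems


def policy_json(doc):
    """Serialise the document as the JSON string the provider expects."""
    return json.dumps(doc, separators=(",", ":"), sort_keys=True)


if __name__ == "__main__":
    # Constructed sample mirroring the page's example.
    policy = build_policy("Example", ["EmailAddress"], "example")
    print(policy_json(policy))
    print("problems:", validate_policy(policy))
```

Run it before `terraform apply` on a policy document you assemble elsewhere (for example one loaded from a JSON file) to catch a swapped statement order or a mismatched identifier list locally, rather than at apply time.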
This resource supports the following arguments:

- `log_group_name` - (Required) The name of the log group under which the log stream is to be created.
- `policy_document` - (Required) Specifies the data protection policy in JSON. Read more at Data protection policy syntax.

This resource exports no additional attributes.
In Terraform v1.5.0 and later, use an `import` block to import this resource using the `log_group_name`. For example:

```terraform
import {
  to = aws_cloudwatch_log_data_protection_policy.example
  id = "my-log-group"
}
```

Using `terraform import`, import this resource using the `log_group_name`. For example:

```console
% terraform import aws_cloudwatch_log_data_protection_policy.example my-log-group
```