The AWS::Logs::LogGroup
resource specifies a log group. A log group defines common properties for log streams, such as their retention and access control rules. Each log stream must belong to one log group.
You can create up to 1,000,000 log groups per Region per account. You must use the following guidelines when naming a log group:
To create Amazon CloudWatch log group with retention
resource "awscc_logs_log_group" "my_log_group" {
log_group_name = "my-log-group"
retention_in_days = 7
}
To create Amazon CloudWatch log group encrypted with KMS key
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
resource "awscc_logs_log_group" "my_log_group" {
log_group_name = "my-log-group"
retention_in_days = 7
kms_key_id = awscc_kms_key.my_key.arn
}
resource "awscc_kms_key" "my_key" {
description = "KMS key for my log group"
key_policy = jsonencode({
Version = "2012-10-17"
Id = "key-default-1"
Statement = [
{
Sid = "Enable IAM User Permissions"
Effect = "Allow"
Principal = {
AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
}
Action = "kms:*"
Resource = "*"
},
{
Sid = "Allow Service CloudWatchLogGroup"
Effect = "Allow"
Principal = {
Service = "logs.${data.aws_region.current.name}.amazonaws.com"
}
Action = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:Describe",
"kms:GenerateDataKey*"
]
Resource = "*",
Condition = {
ArnEquals = {
"kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:my-log-group"
}
}
}
]
})
}
To create Amazon CloudWatch log group encrypted with data protection policy
data "aws_caller_identity" "current" {}
resource "awscc_logs_log_group" "example" {
log_group_name = "my-log-group"
data_protection_policy = jsonencode({
"Name" : "data-protection-policy",
"Description" : "test description",
"Version" : "2021-06-01",
"Statement" : [
{
"Sid" : "audit-policy test",
"DataIdentifier" : [
"arn:aws:dataprotection::aws:data-identifier/EmailAddress",
"arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"
],
"Operation" : {
"Audit" : {
"FindingsDestination" : {
"CloudWatchLogs" : {
"LogGroup" : "${awscc_logs_log_group.finding.id}"
}
}
}
}
},
{
"Sid" : "redact-policy",
"DataIdentifier" : [
"arn:aws:dataprotection::aws:data-identifier/EmailAddress",
"arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"
],
"Operation" : {
"Deidentify" : {
"MaskConfig" : {}
}
}
}
]
})
}
resource "awscc_logs_log_group" "finding" {
log_group_name = "my-log-group-finding"
}
data_protection_policy
(String) Creates a data protection policy and assigns it to the log group. A data protection policy can help safeguard sensitive data that's ingested by the log group by auditing and masking the sensitive log data. When a user who does not have permission to view masked data views a log event that includes masked data, the sensitive data is replaced by asterisks.
For more information, including a list of types of data that can be audited and masked, see Protect sensitive log data with masking.kms_key_id
(String) The Amazon Resource Name (ARN) of the KMS key to use when encrypting log data.
To associate an KMS key with the log group, specify the ARN of that KMS key here. If you do so, ingested data is encrypted using this key. This association is stored as long as the data encrypted with the KMS key is still within CWL. This enables CWL to decrypt this data whenever it is requested.
If you attempt to associate a KMS key with the log group but the KMS key doesn't exist or is deactivated, you will receive an InvalidParameterException
error.
Log group data is always encrypted in CWL. If you omit this key, the encryption does not use KMS. For more information, see Encrypt log data in usinglog_group_class
(String) Specifies the log group class for this log group. There are two classes:
Standard
log class supports all CWL features.Infrequent Access
log class supports a subset of CWL features and incurs lower costs.For details about the features supported by each class, see Log classes
log_group_name
(String) The name of the log group. If you don't specify a name, CFNlong generates a unique ID for the log group.retention_in_days
(Number) The number of days to retain the log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, and 3653.
To set a log group so that its log events do not expire, use DeleteRetentionPolicy.tags
(Attributes Set) An array of key-value pairs to apply to the log group.
For more information, see Tag. (see below for nested schema)arn
(String)id
(String) Uniquely identifies the resource.tags
Required:
key
(String)value
(String)Import is supported using the following syntax:
$ terraform import awscc_logs_log_group.example <resource ID>