awscc_logs_log_group (Resource)

The AWS::Logs::LogGroup resource specifies a log group. A log group defines common properties for log streams, such as their retention and access control rules. Each log stream must belong to one log group. You can create up to 1,000,000 log groups per Region per account. You must use the following guidelines when naming a log group:

Example Usage

Basic example

To create an Amazon CloudWatch log group with a retention period

resource "awscc_logs_log_group" "my_log_group" {
  log_group_name    = "my-log-group"
  retention_in_days = 7
}

Log group with KMS key

To create an Amazon CloudWatch log group encrypted with a KMS key. The key policy must allow the regional CloudWatch Logs service principal to use the key, and the kms:EncryptionContext:aws:logs:arn condition limits that grant to this one log group rather than every log group in the account.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "awscc_logs_log_group" "my_log_group" {
  log_group_name    = "my-log-group"
  retention_in_days = 7
  kms_key_id        = awscc_kms_key.my_key.arn
}

resource "awscc_kms_key" "my_key" {
  description = "KMS key for my log group"
  key_policy = jsonencode({
    Version = "2012-10-17"
    Id      = "key-default-1"
    Statement = [
      {
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        }
        Action   = "kms:*"
        Resource = "*"
      },
      {
        Sid    = "Allow Service CloudWatchLogGroup"
        Effect = "Allow"
        Principal = {
          Service = "logs.${data.aws_region.current.name}.amazonaws.com"
        }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:Describe*",
          "kms:GenerateDataKey*"
        ]
        Resource = "*"
        Condition = {
          ArnEquals = {
            "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:my-log-group"
          }
        }
      }
    ]
  })
}
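The security point of the key policy above is the scoping of the CloudWatch Logs grant. The following check, added here as an example rather than code from this page or the provider, parses a key policy document (the sample embedded below is constructed to mirror the page's policy with placeholder account and region values) and reports any Allow statement for a logs service principal that lacks the encryption-context condition or hands out kms:*.

```python
import json

# Constructed sample: the page's key policy as jsonencode() would render it,
# with placeholder account id 111122223333 and region us-east-1.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow Service CloudWatchLogGroup", "Effect": "Allow",
         "Principal": {"Service": "logs.us-east-1.amazonaws.com"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:Describe*", "kms:GenerateDataKey*"],
         "Resource": "*",
         "Condition": {"ArnEquals": {
             "kms:EncryptionContext:aws:logs:arn":
                 "arn:aws:logs:us-east-1:111122223333:log-group:my-log-group"}}},
    ],
})

LOGS_CONTEXT_KEY = "kms:EncryptionContext:aws:logs:arn"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_logs_key_policy(policy_json):
    """Return findings for Allow statements granted to a CloudWatch Logs service
    principal that are not restricted to a specific log group."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        services = _as_list(principal.get("Service", []))
        if not any(s.startswith("logs.") and s.endswith(".amazonaws.com") for s in services):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        # Either ArnEquals or ArnLike on the logs ARN context key scopes the grant.
        scoped = any(LOGS_CONTEXT_KEY in cond.get(op, {}) for op in ("ArnEquals", "ArnLike"))
        if not scoped:
            findings.append(f"{sid}: logs service may use the key for any log group (no {LOGS_CONTEXT_KEY} condition)")
        if "kms:*" in _as_list(stmt.get("Action", [])):
            findings.append(f"{sid}: logs service granted kms:* instead of the encrypt/decrypt/describe set")
    return findings
```

Run it against the rendered `key_policy` of a KMS key (for example, the JSON returned by `aws kms get-key-policy`) to confirm the grant stays tied to the intended log group.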

Log group with data protection

To create an Amazon CloudWatch log group with a data protection policy. The audit statement writes findings about matched identifiers to a second log group, and the deidentify statement masks those identifiers in the stored log events.

data "aws_caller_identity" "current" {}

resource "awscc_logs_log_group" "example" {
  log_group_name = "my-log-group"

  data_protection_policy = jsonencode({
    "Name" : "data-protection-policy",
    "Description" : "test description",
    "Version" : "2021-06-01",
    "Statement" : [
      {
        "Sid" : "audit-policy test",
        "DataIdentifier" : [
          "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
          "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"
        ],
        "Operation" : {
          "Audit" : {
            "FindingsDestination" : {
              "CloudWatchLogs" : {
                "LogGroup" : "${awscc_logs_log_group.finding.id}"
              }
            }
          }
        }
      },
      {
        "Sid" : "redact-policy",
        "DataIdentifier" : [
          "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
          "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"
        ],
        "Operation" : {
          "Deidentify" : {
            "MaskConfig" : {}
          }
        }
      }
    ]
  })
}

resource "awscc_logs_log_group" "finding" {
  log_group_name = "my-log-group-finding"
}

Schema

Optional

Read-Only

Nested Schema for tags

Required:

Import

Import is supported using the following syntax:

$ terraform import awscc_logs_log_group.example <resource ID>