Generates a CloudWatch Log Group Data Protection Policy document in JSON format for use with the `aws_cloudwatch_log_data_protection_policy` resource.
```terraform
resource "aws_cloudwatch_log_data_protection_policy" "example" {
  log_group_name  = aws_cloudwatch_log_group.example.name
  policy_document = data.aws_cloudwatch_log_data_protection_policy_document.example.json
}

data "aws_cloudwatch_log_data_protection_policy_document" "example" {
  name = "Example"

  statement {
    sid = "Audit"

    data_identifiers = [
      "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
      "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
    ]

    operation {
      audit {
        findings_destination {
          cloudwatch_logs {
            log_group = aws_cloudwatch_log_group.audit.name
          }

          firehose {
            delivery_stream = aws_kinesis_firehose_delivery_stream.audit.name
          }

          s3 {
            bucket = aws_s3_bucket.audit.bucket
          }
        }
      }
    }
  }

  statement {
    sid = "Deidentify"

    data_identifiers = [
      "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
      "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
    ]

    operation {
      deidentify {
        mask_config {}
      }
    }
  }
}
```
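The following Python script is an added example, not part of this documentation or of the AWS provider. It builds the JSON document that the example above renders to and lints it for the mistakes a reviewer looks for before attaching it to a log group: a missing audit or de-identify statement, empty identifier sets, an audit statement with nowhere to deliver findings, and audit and de-identify statements that do not cover the same identifiers. The key names and the `2021-06-01` version are those of the AWS data protection policy JSON format; the log group, delivery stream and bucket names are constructed stand-ins for the Terraform references in the example, and `build_policy`, `render_json`, `parse_policy` and `lint_policy` are hypothetical helpers written for this example.

```python
import json

# Constructed stand-ins for the resource references in the page's example
# (aws_cloudwatch_log_group.audit.name, aws_kinesis_firehose_delivery_stream.audit.name,
# aws_s3_bucket.audit.bucket). They are not real AWS resource names.
AUDIT_LOG_GROUP = "/example/dataprotection/audit-findings"
AUDIT_DELIVERY_STREAM = "example-dataprotection-audit-stream"
AUDIT_BUCKET = "example-dataprotection-audit-bucket"

# The two managed data identifiers used in the page's example.
IDENTIFIERS = [
    "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
    "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
]


def build_policy(name, identifiers, log_group=None, delivery_stream=None,
                 bucket=None, description=None):
    """Build the policy document the page's example describes (hypothetical helper).

    Key names (Name, Version, Statement, DataIdentifier, Operation, Audit,
    FindingsDestination, Deidentify, MaskConfig) and the "2021-06-01" version
    are those of the AWS data protection policy JSON format.
    """
    destination = {}
    if log_group:
        destination["CloudWatchLogs"] = {"LogGroup": log_group}
    if delivery_stream:
        destination["Firehose"] = {"DeliveryStream": delivery_stream}
    if bucket:
        destination["S3"] = {"Bucket": bucket}

    policy = {
        "Name": name,
        "Version": "2021-06-01",
        "Statement": [
            {
                "Sid": "Audit",
                "DataIdentifier": list(identifiers),
                "Operation": {"Audit": {"FindingsDestination": destination}},
            },
            {
                "Sid": "Deidentify",
                "DataIdentifier": list(identifiers),
                "Operation": {"Deidentify": {"MaskConfig": {}}},
            },
        ],
    }
    if description:
        policy["Description"] = description
    return policy


def render_json(policy):
    """Serialize the policy as a policy_document argument expects it."""
    return json.dumps(policy, indent=2)


def parse_policy(text):
    """Parse a rendered policy document, e.g. the data source's json attribute."""
    return json.loads(text)


def lint_policy(policy):
    """Return a list of problems; an empty list means the document passed.

    The checks encode the shape the page describes: one audit statement and one
    de-identify statement, each with at least one identifier, the audit statement
    with somewhere to deliver findings, and both statements covering the same
    identifiers so nothing is audited but left unmasked, or masked but never audited.
    """
    problems = []
    statements = policy.get("Statement", [])
    audits = [s for s in statements if "Audit" in s.get("Operation", {})]
    deids = [s for s in statements if "Deidentify" in s.get("Operation", {})]

    if len(audits) != 1:
        problems.append(f"expected exactly one Audit statement, found {len(audits)}")
    if len(deids) != 1:
        problems.append(f"expected exactly one Deidentify statement, found {len(deids)}")

    for s in statements:
        if not s.get("DataIdentifier"):
            problems.append(f"statement {s.get('Sid')!r} has no data identifiers")

    for s in audits:
        if not s["Operation"]["Audit"].get("FindingsDestination"):
            problems.append(f"Audit statement {s.get('Sid')!r} has no findings destination; "
                            "findings would not be retained anywhere")

    for s in deids:
        if s["Operation"]["Deidentify"].get("MaskConfig") != {}:
            problems.append(f"Deidentify statement {s.get('Sid')!r} must use an empty MaskConfig")

    if audits and deids:
        audited = set(audits[0].get("DataIdentifier", []))
        masked = set(deids[0].get("DataIdentifier", []))
        if audited != masked:
            problems.append("Audit and Deidentify statements list different identifiers: "
                            f"{sorted(audited ^ masked)}")
    return problems


if __name__ == "__main__":
    doc = build_policy("Example", IDENTIFIERS, log_group=AUDIT_LOG_GROUP,
                       delivery_stream=AUDIT_DELIVERY_STREAM, bucket=AUDIT_BUCKET)
    print(render_json(doc))
    print("lint:", lint_policy(doc) or "ok")
```

Running the script prints the rendered document and `lint: ok` for the page's configuration; feeding `lint_policy` the parsed value of the data source's `json` attribute (for example from `terraform output`) gives the same checks on what Terraform actually rendered. The identifier-coverage check is the one worth keeping in CI: an identifier that is audited but not de-identified still reaches the log group in clear text.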
The following arguments are required:

- `name` - (Required) The name of the data protection policy document.
- `statement` - (Required) Configures the data protection policy.

The following arguments are optional:

- `description` - (Optional)
- `version` - (Optional)

Each `statement` block supports the following arguments:

- `data_identifiers` - (Required) Set of at least 1 sensitive data identifiers that you want to mask. Read more in Types of data that you can protect.
- `operation` - (Required) Configures the data protection operation applied by this statement.
- `sid` - (Optional) Name of this statement.

The `operation` block supports the following arguments:

- `audit` - (Optional) Configures the detection of sensitive data.
- `deidentify` - (Optional) Configures the masking of sensitive data.

The `audit` block supports the following arguments:

- `findings_destination` - (Required) Configures destinations to send audit findings to.

The `findings_destination` block supports the following arguments:

- `cloudwatch_logs` - (Optional) Configures CloudWatch Logs as a findings destination.
- `firehose` - (Optional) Configures Kinesis Firehose as a findings destination.
- `s3` - (Optional) Configures S3 as a findings destination.

The `cloudwatch_logs` block supports the following arguments:

- `log_group` - (Required) Name of the CloudWatch Log Group to send findings to.

The `firehose` block supports the following arguments:

- `delivery_stream` - (Required) Name of the Kinesis Firehose Delivery Stream to send findings to.

The `s3` block supports the following arguments:

- `bucket` - (Required) Name of the S3 Bucket to send findings to.

The `deidentify` block supports the following arguments:

- `mask_config` - (Required) An empty object that configures masking.

This data source exports the following attributes in addition to the arguments above:

- `json` - Standard JSON policy document rendered based on the arguments above.