Terraform resource for managing an AWS Security Lake Data Lake.
```terraform
resource "aws_securitylake_data_lake" "example" {
  meta_store_manager_role_arn = aws_iam_role.meta_store_manager.arn

  configuration {
    region = "eu-west-1"

    encryption_configuration {
      kms_key_id = "S3_MANAGED_KEY"
    }

    lifecycle_configuration {
      transition {
        days          = 31
        storage_class = "STANDARD_IA"
      }
      transition {
        days          = 80
        storage_class = "ONEZONE_IA"
      }
      expiration {
        days = 300
      }
    }
  }
}
```
```terraform
resource "aws_securitylake_data_lake" "example" {
  meta_store_manager_role_arn = aws_iam_role.meta_store_manager.arn

  configuration {
    region = "eu-west-1"

    encryption_configuration {
      kms_key_id = "S3_MANAGED_KEY"
    }
  }
}
```
The following arguments are required:

- `meta_store_manager_role_arn` - (Required) The Amazon Resource Name (ARN) of the IAM role used to create and update the AWS Glue table. This table contains partitions generated by the ingestion and normalization of AWS log sources and custom sources.
- `configuration` - (Required) Specifies the Region or Regions that will contribute data to the rollup region.

The following arguments are optional:

- `tags` - (Optional) Key-value map of resource tags. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level.

The `configuration` block supports the following:

- `region` - (Required) The AWS Region where Security Lake is automatically enabled.
- `encryption_configuration` - (Optional) Provides encryption details of the Amazon Security Lake object.
- `lifecycle_configuration` - (Optional) Provides lifecycle details of the Amazon Security Lake object.
- `replication_configuration` - (Optional) Provides replication details of the Amazon Security Lake object.

The `encryption_configuration` block supports the following:

- `kms_key_id` - (Optional) The ID of the KMS encryption key used by Amazon Security Lake to encrypt the Security Lake object. The value `S3_MANAGED_KEY`, as in the examples above, selects S3-managed server-side encryption rather than a customer-managed KMS key.

The `lifecycle_configuration` block supports the following:

- `expiration` - (Optional) Provides data expiration details of the Amazon Security Lake object.
- `transition` - (Optional) Provides data storage transition details of the Amazon Security Lake object.

The `expiration` block supports the following:

- `days` - (Optional) Number of days before data expires in the Amazon Security Lake object.

The `transition` block supports the following:

- `days` - (Optional) Number of days before data transitions to a different S3 storage class in the Amazon Security Lake object.
- `storage_class` - (Optional) The S3 storage class to transition to; choose it based on the data access, resiliency, and cost requirements of your workloads.

The `replication_configuration` block supports the following:

- `regions` - (Optional) Replication enables automatic, asynchronous copying of objects across Amazon S3 buckets. Amazon S3 buckets that are configured for object replication can be owned by the same AWS account or by different accounts. You can replicate objects to a single destination bucket or to multiple destination buckets. The destination buckets can be in different AWS Regions or within the same Region as the source bucket.
- `role_arn` - (Optional) Replication settings for the Amazon S3 buckets. This parameter uses the AWS Identity and Access Management (IAM) role you created that is managed by Security Lake, to ensure the replication setting is correct.
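As an added example (not part of the provider documentation), a plan-time policy check written against the argument schema above: it reads the JSON from `terraform show -json tfplan` and flags an `encryption_configuration` left on `S3_MANAGED_KEY`, duplicate `transition` day counts, an `expiration` that fires on or before the last transition, and an expiration below a retention floor you choose. It assumes Terraform's standard plan JSON layout (nested blocks appear as lists under `change.after`); the sample plan is constructed to mirror the first example above.

```python
import json

RESOURCE_TYPE = "aws_securitylake_data_lake"

def check_data_lake(after, min_retention_days=365):
    """Return findings for one resource's planned `after` state (a dict)."""
    findings = []
    for cfg in after.get("configuration") or []:  # nested blocks are lists of dicts
        region = cfg.get("region", "?")
        for enc in cfg.get("encryption_configuration") or []:
            # "S3_MANAGED_KEY" means SSE-S3: key policy and key-usage audit stay with AWS
            if enc.get("kms_key_id") in (None, "", "S3_MANAGED_KEY"):
                findings.append(f"{region}: S3-managed key, not a customer-managed KMS key")
        for lc in cfg.get("lifecycle_configuration") or []:
            days = sorted(t["days"] for t in lc.get("transition") or [])
            if len(set(days)) != len(days):
                findings.append(f"{region}: duplicate transition day counts {days}")
            for exp in lc.get("expiration") or []:
                e = exp.get("days")
                if e is None:
                    continue
                if days and e <= days[-1]:  # deleted before reaching the last storage class
                    findings.append(f"{region}: expiration at {e} days precedes the last transition ({days[-1]})")
                if e < min_retention_days:
                    findings.append(f"{region}: expiration at {e} days is below the {min_retention_days}-day floor")
    return findings

def check_plan(plan_json, min_retention_days=365):
    """Map each planned data-lake address to its findings; deletions (after=None) are skipped."""
    results = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if rc.get("type") == RESOURCE_TYPE and after is not None:
            results[rc["address"]] = check_data_lake(after, min_retention_days)
    return results

# Constructed plan fragment mirroring the page's first example (eu-west-1, S3-managed key, 31/80-day transitions, 300-day expiration).
SAMPLE_PLAN = json.dumps({"resource_changes": [{
    "address": "aws_securitylake_data_lake.example", "type": RESOURCE_TYPE,
    "change": {"actions": ["create"], "after": {"configuration": [{
        "region": "eu-west-1",
        "encryption_configuration": [{"kms_key_id": "S3_MANAGED_KEY"}],
        "lifecycle_configuration": [{
            "transition": [{"days": 31, "storage_class": "STANDARD_IA"},
                           {"days": 80, "storage_class": "ONEZONE_IA"}],
            "expiration": [{"days": 300}]}]}]}}}]})

if __name__ == "__main__":
    for address, findings in check_plan(SAMPLE_PLAN).items():
        print(address, *(findings or ["no findings"]), sep="\n  ")
```

Run it after `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and feed the file contents to `check_plan`; a non-empty result is a gate you can fail CI on.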
This resource exports the following attributes in addition to the arguments above:

- `arn` - ARN of the Data Lake.
- `s3_bucket_arn` - The ARN of the Amazon Security Lake Amazon S3 bucket.
- `tags_all` - A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.

The `timeouts` block supports the following defaults:

- `create` - (Default `60m`)
- `update` - (Default `180m`)
- `delete` - (Default `90m`)

In Terraform v1.5.0 and later, use an `import` block to import a Security Lake data lake using the data lake ARN. For example:
```terraform
import {
  to = aws_securitylake_data_lake.example
  id = "arn:aws:securitylake:eu-west-1:123456789012:data-lake/default"
}
```
Using `terraform import`, import a Security Lake data lake using the data lake ARN. For example:

```console
% terraform import aws_securitylake_data_lake.example arn:aws:securitylake:eu-west-1:123456789012:data-lake/default
```