Resource: aws_cloudwatch_log_data_protection_policy

Provides a CloudWatch Log Data Protection Policy resource.

Read more about protecting sensitive user data in the User Guide.

Example Usage

resource "aws_cloudwatch_log_group" "example" {
  name = "example"
}

resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_cloudwatch_log_data_protection_policy" "example" {
  log_group_name = aws_cloudwatch_log_group.example.name

  policy_document = jsonencode({
    Name    = "Example"
    Version = "2021-06-01"

    Statement = [
      {
        Sid            = "Audit"
        DataIdentifier = ["arn:aws:dataprotection::aws:data-identifier/EmailAddress"]
        Operation = {
          Audit = {
            FindingsDestination = {
              S3 = {
                Bucket = aws_s3_bucket.example.bucket
              }
            }
          }
        }
      },
      {
        Sid            = "Redact"
        DataIdentifier = ["arn:aws:dataprotection::aws:data-identifier/EmailAddress"]
        Operation = {
          Deidentify = {
            MaskConfig = {}
          }
        }
      }
    ]
  })
}
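The policy document above has a fixed shape: one Audit statement that sends findings to a destination and one Deidentify statement that masks the same data identifiers. Because a malformed document is only rejected at apply time, it helps to lint it first, for example in CI before terraform apply. The following Python is an added example, not part of this page or of the Terraform AWS provider: it rebuilds the same document the jsonencode() block produces (with the bucket name resolved to a constructed value) and checks it against the constraints assumed here, namely a Version of 2021-06-01, exactly two statements with Audit first and Deidentify second, a FindingsDestination on the Audit operation, a MaskConfig on the Deidentify operation, managed data identifier ARNs, and identical identifier sets in both statements. The build_policy and validate_policy_document names and the set of accepted findings destinations are assumptions of this example.

```python
"""Structural lint for a CloudWatch Logs data protection policy document (added example)."""
import json

# Managed data identifiers are referenced by ARNs with this prefix (as in the page's example).
MANAGED_IDENTIFIER_PREFIX = "arn:aws:dataprotection::aws:data-identifier/"
# Findings destinations accepted by this lint (assumed set, not taken from the page).
FINDINGS_DESTINATIONS = {"S3", "CloudWatchLogs", "Firehose"}
POLICY_VERSION = "2021-06-01"


def build_policy(audit_identifiers, deidentify_identifiers, findings_destination):
    """Constructed helper: emit a document with the same shape as the page's jsonencode() block."""
    return json.dumps({
        "Name": "Example",
        "Version": POLICY_VERSION,
        "Statement": [
            {
                "Sid": "Audit",
                "DataIdentifier": list(audit_identifiers),
                "Operation": {"Audit": {"FindingsDestination": findings_destination}},
            },
            {
                "Sid": "Redact",
                "DataIdentifier": list(deidentify_identifiers),
                "Operation": {"Deidentify": {"MaskConfig": {}}},
            },
        ],
    })


EMAIL = MANAGED_IDENTIFIER_PREFIX + "EmailAddress"
# Constructed sample equivalent to the page's example; "example" stands in for the bucket name.
SAMPLE_POLICY = build_policy([EMAIL], [EMAIL], {"S3": {"Bucket": "example"}})


def _check_identifiers(statement, label, problems):
    """Collect the statement's data identifiers, recording any that are not managed-identifier ARNs."""
    ids = statement.get("DataIdentifier")
    if not isinstance(ids, list) or not ids:
        problems.append(f"{label}: DataIdentifier must be a non-empty list")
        return set()
    for ident in ids:
        if not isinstance(ident, str) or not ident.startswith(MANAGED_IDENTIFIER_PREFIX):
            problems.append(f"{label}: unexpected data identifier {ident!r}")
    return set(ids)


def validate_policy_document(document):
    """Return a list of problems; an empty list means the document passed every check."""
    problems = []
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    if policy.get("Version") != POLICY_VERSION:
        problems.append(f"Version must be {POLICY_VERSION}")

    statements = policy.get("Statement")
    # Assumed constraint: exactly two statement objects, Audit first, Deidentify second.
    if (not isinstance(statements, list) or len(statements) != 2
            or not all(isinstance(s, dict) for s in statements)):
        problems.append("Statement must contain exactly two statements (Audit, then Deidentify)")
        return problems
    audit, deidentify = statements

    audit_op = audit.get("Operation", {}).get("Audit")
    if audit_op is None:
        problems.append("first statement must carry an Audit operation")
    else:
        dest = audit_op.get("FindingsDestination")
        if not isinstance(dest, dict):
            problems.append("Audit operation must declare FindingsDestination")
        else:
            for key in dest:
                if key not in FINDINGS_DESTINATIONS:
                    problems.append(f"unknown findings destination {key!r}")

    deidentify_op = deidentify.get("Operation", {}).get("Deidentify")
    if deidentify_op is None:
        problems.append("second statement must carry a Deidentify operation")
    elif "MaskConfig" not in deidentify_op:
        problems.append("Deidentify operation must declare MaskConfig")

    audit_ids = _check_identifiers(audit, "Audit", problems)
    deidentify_ids = _check_identifiers(deidentify, "Deidentify", problems)
    # Assumed constraint: both statements name the same identifiers, otherwise data the
    # audit flags would not be masked (or data would be masked without being audited).
    if audit_ids and deidentify_ids and audit_ids != deidentify_ids:
        problems.append("Audit and Deidentify statements must use the same DataIdentifier set")
    return problems


if __name__ == "__main__":
    print(validate_policy_document(SAMPLE_POLICY) or "policy document passed all checks")
```

Run it against the rendered document (for example the output of terraform show for the resource, or the JSON file a module reads with file()) and fail the pipeline on a non-empty result; the identifier-mismatch check is the one most worth keeping, since a document that audits one identifier and masks another applies silently with incomplete coverage.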

Argument Reference

This resource supports the following arguments:

log_group_name - (Required) The name of the log group the data protection policy is attached to.
policy_document - (Required) The data protection policy as a JSON document (see the example above).

Attribute Reference

This resource exports no additional attributes.

Import

In Terraform v1.5.0 and later, use an import block to import this resource using the log_group_name. For example:

import {
  to = aws_cloudwatch_log_data_protection_policy.example
  id = "my-log-group"
}

Using terraform import, import this resource using the log_group_name. For example:

% terraform import aws_cloudwatch_log_data_protection_policy.example my-log-group