This page documents the language specification for the aws package. If you're looking for help working with the inputs, outputs, or functions of aws resources in a Pulumi program, please see the resource documentation for examples and API reference.
cloudtrail¶
This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-aws repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-aws repo.
- class
pulumi_aws.cloudtrail.AwaitableGetServiceAccountResult(arn=None, id=None, region=None)¶
- class
pulumi_aws.cloudtrail.GetServiceAccountResult(arn=None, id=None, region=None)¶ A collection of values returned by getServiceAccount.
arn= None¶The ARN of the AWS CloudTrail service account in the selected region.
id= None¶The provider-assigned unique ID for this managed resource.
- class
pulumi_aws.cloudtrail.Trail(resource_name, opts=None, cloud_watch_logs_group_arn=None, cloud_watch_logs_role_arn=None, enable_log_file_validation=None, enable_logging=None, event_selectors=None, include_global_service_events=None, is_multi_region_trail=None, is_organization_trail=None, kms_key_id=None, name=None, s3_bucket_name=None, s3_key_prefix=None, sns_topic_name=None, tags=None, __props__=None, __name__=None, __opts__=None)¶ Provides a CloudTrail resource.
NOTE: For a multi-region trail, this resource must be in the home region of the trail.
NOTE: For an organization trail, this resource must be in the master account of the organization.
import pulumi import pulumi_aws as aws current = aws.get_caller_identity() foo = aws.s3.Bucket("foo", force_destroy=True, policy=f"""{{ "Version": "2012-10-17", "Statement": [ {{ "Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": {{ "Service": "cloudtrail.amazonaws.com" }}, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::tf-test-trail" }}, {{ "Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": {{ "Service": "cloudtrail.amazonaws.com" }}, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::tf-test-trail/prefix/AWSLogs/{current.account_id}/*", "Condition": {{ "StringEquals": {{ "s3:x-amz-acl": "bucket-owner-full-control" }} }} }} ] }} """) foobar = aws.cloudtrail.Trail("foobar", include_global_service_events=False, s3_bucket_name=foo.id, s3_key_prefix="prefix")
import pulumi import pulumi_aws as aws example = aws.cloudtrail.Trail("example", event_selectors=[{ "dataResource": [{ "type": "AWS::Lambda::Function", "values": ["arn:aws:lambda"], }], "includeManagementEvents": True, "readWriteType": "All", }])
import pulumi import pulumi_aws as aws example = aws.cloudtrail.Trail("example", event_selectors=[{ "dataResource": [{ "type": "AWS::S3::Object", "values": ["arn:aws:s3:::"], }], "includeManagementEvents": True, "readWriteType": "All", }])
import pulumi import pulumi_aws as aws important_bucket = aws.s3.get_bucket(bucket="important-bucket") example = aws.cloudtrail.Trail("example", event_selectors=[{ "dataResource": [{ "type": "AWS::S3::Object", "values": [f"{important_bucket.arn}/"], }], "includeManagementEvents": True, "readWriteType": "All", }])
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
cloud_watch_logs_group_arn (pulumi.Input[str]) – Specifies a log group name using an Amazon Resource Name (ARN), that represents the log group to which CloudTrail logs will be delivered.
cloud_watch_logs_role_arn (pulumi.Input[str]) – Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
enable_log_file_validation (pulumi.Input[bool]) – Specifies whether log file integrity validation is enabled. Defaults to
false.enable_logging (pulumi.Input[bool]) – Enables logging for the trail. Defaults to
true. Setting this tofalsewill pause logging.event_selectors (pulumi.Input[list]) – Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these.
include_global_service_events (pulumi.Input[bool]) – Specifies whether the trail is publishing events from global services such as IAM to the log files. Defaults to
true.is_multi_region_trail (pulumi.Input[bool]) – Specifies whether the trail is created in the current region or in all regions. Defaults to
false.is_organization_trail (pulumi.Input[bool]) – Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to
false.kms_key_id (pulumi.Input[str]) – Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail.
name (pulumi.Input[str]) – Specifies the name of the trail.
s3_bucket_name (pulumi.Input[str]) – Specifies the name of the S3 bucket designated for publishing log files.
s3_key_prefix (pulumi.Input[str]) – Specifies the S3 key prefix that follows the name of the bucket you have designated for log file delivery.
sns_topic_name (pulumi.Input[str]) – Specifies the name of the Amazon SNS topic defined for notification of log file delivery.
tags (pulumi.Input[dict]) – A map of tags to assign to the trail
The event_selectors object supports the following:
dataResources(pulumi.Input[list]) - Specifies logging data events. Fields documented below.type(pulumi.Input[str]) - The resource type in which you want to log data events. You can specify only the following value: “AWS::S3::Object”, “AWS::Lambda::Function”values(pulumi.Input[list]) - A list of ARN for the specified S3 buckets and object prefixes..
includeManagementEvents(pulumi.Input[bool]) - Specify if you want your event selector to include management events for your trail.readWriteType(pulumi.Input[str]) - Specify if you want your trail to log read-only events, write-only events, or all. By default, the value is All. You can specify only the following value: “ReadOnly”, “WriteOnly”, “All”. Defaults toAll.
arn: pulumi.Output[str] = None¶The Amazon Resource Name of the trail.
cloud_watch_logs_group_arn: pulumi.Output[str] = None¶Specifies a log group name using an Amazon Resource Name (ARN), that represents the log group to which CloudTrail logs will be delivered.
cloud_watch_logs_role_arn: pulumi.Output[str] = None¶Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
enable_log_file_validation: pulumi.Output[bool] = None¶Specifies whether log file integrity validation is enabled. Defaults to
false.
enable_logging: pulumi.Output[bool] = None¶Enables logging for the trail. Defaults to
true. Setting this tofalsewill pause logging.
event_selectors: pulumi.Output[list] = None¶Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these.
dataResources(list) - Specifies logging data events. Fields documented below.type(str) - The resource type in which you want to log data events. You can specify only the following value: “AWS::S3::Object”, “AWS::Lambda::Function”values(list) - A list of ARN for the specified S3 buckets and object prefixes..
includeManagementEvents(bool) - Specify if you want your event selector to include management events for your trail.readWriteType(str) - Specify if you want your trail to log read-only events, write-only events, or all. By default, the value is All. You can specify only the following value: “ReadOnly”, “WriteOnly”, “All”. Defaults toAll.
home_region: pulumi.Output[str] = None¶The region in which the trail was created.
include_global_service_events: pulumi.Output[bool] = None¶Specifies whether the trail is publishing events from global services such as IAM to the log files. Defaults to
true.
is_multi_region_trail: pulumi.Output[bool] = None¶Specifies whether the trail is created in the current region or in all regions. Defaults to
false.
is_organization_trail: pulumi.Output[bool] = None¶Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to
false.
kms_key_id: pulumi.Output[str] = None¶Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail.
name: pulumi.Output[str] = None¶Specifies the name of the trail.
s3_bucket_name: pulumi.Output[str] = None¶Specifies the name of the S3 bucket designated for publishing log files.
s3_key_prefix: pulumi.Output[str] = None¶Specifies the S3 key prefix that follows the name of the bucket you have designated for log file delivery.
sns_topic_name: pulumi.Output[str] = None¶Specifies the name of the Amazon SNS topic defined for notification of log file delivery.
A map of tags to assign to the trail
- static
get(resource_name, id, opts=None, arn=None, cloud_watch_logs_group_arn=None, cloud_watch_logs_role_arn=None, enable_log_file_validation=None, enable_logging=None, event_selectors=None, home_region=None, include_global_service_events=None, is_multi_region_trail=None, is_organization_trail=None, kms_key_id=None, name=None, s3_bucket_name=None, s3_key_prefix=None, sns_topic_name=None, tags=None)¶ Get an existing Trail resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
arn (pulumi.Input[str]) – The Amazon Resource Name of the trail.
cloud_watch_logs_group_arn (pulumi.Input[str]) – Specifies a log group name using an Amazon Resource Name (ARN), that represents the log group to which CloudTrail logs will be delivered.
cloud_watch_logs_role_arn (pulumi.Input[str]) – Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
enable_log_file_validation (pulumi.Input[bool]) – Specifies whether log file integrity validation is enabled. Defaults to
false.enable_logging (pulumi.Input[bool]) – Enables logging for the trail. Defaults to
true. Setting this tofalsewill pause logging.event_selectors (pulumi.Input[list]) –
Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these.
home_region (pulumi.Input[str]) – The region in which the trail was created.
include_global_service_events (pulumi.Input[bool]) – Specifies whether the trail is publishing events from global services such as IAM to the log files. Defaults to
true.is_multi_region_trail (pulumi.Input[bool]) – Specifies whether the trail is created in the current region or in all regions. Defaults to
false.is_organization_trail (pulumi.Input[bool]) – Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to
false.kms_key_id (pulumi.Input[str]) – Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail.
name (pulumi.Input[str]) – Specifies the name of the trail.
s3_bucket_name (pulumi.Input[str]) – Specifies the name of the S3 bucket designated for publishing log files.
s3_key_prefix (pulumi.Input[str]) – Specifies the S3 key prefix that follows the name of the bucket you have designated for log file delivery.
sns_topic_name (pulumi.Input[str]) – Specifies the name of the Amazon SNS topic defined for notification of log file delivery.
tags (pulumi.Input[dict]) – A map of tags to assign to the trail
The event_selectors object supports the following:
dataResources(pulumi.Input[list]) - Specifies logging data events. Fields documented below.type(pulumi.Input[str]) - The resource type in which you want to log data events. You can specify only the following value: “AWS::S3::Object”, “AWS::Lambda::Function”values(pulumi.Input[list]) - A list of ARN for the specified S3 buckets and object prefixes..
includeManagementEvents(pulumi.Input[bool]) - Specify if you want your event selector to include management events for your trail.readWriteType(pulumi.Input[str]) - Specify if you want your trail to log read-only events, write-only events, or all. By default, the value is All. You can specify only the following value: “ReadOnly”, “WriteOnly”, “All”. Defaults toAll.
translate_output_property(prop)¶Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)¶Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
pulumi_aws.cloudtrail.get_service_account(region=None, opts=None)¶Use this data source to get the Account ID of the AWS CloudTrail Service Account in a given region for the purpose of allowing CloudTrail to store trail data in S3.
import pulumi import pulumi_aws as aws main = aws.cloudtrail.get_service_account() bucket = aws.s3.Bucket("bucket", force_destroy=True, policy=f"""{{ "Version": "2008-10-17", "Statement": [ {{ "Sid": "Put bucket policy needed for trails", "Effect": "Allow", "Principal": {{ "AWS": "{main.arn}" }}, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::tf-cloudtrail-logging-test-bucket/*" }}, {{ "Sid": "Get bucket policy needed for trails", "Effect": "Allow", "Principal": {{ "AWS": "{main.arn}" }}, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::tf-cloudtrail-logging-test-bucket" }} ] }} """)
- Parameters
region (str) – Name of the region whose AWS CloudTrail account ID is desired. Defaults to the region from the AWS provider configuration.