1. Packages
  2. AWS
  3. API Docs
  4. cloudwatch
  5. getLogDataProtectionPolicyDocument
AWS v6.55.0 published on Monday, Oct 7, 2024 by Pulumi

aws.cloudwatch.getLogDataProtectionPolicyDocument

Explore with Pulumi AI

aws logo
AWS v6.55.0 published on Monday, Oct 7, 2024 by Pulumi

    Generates a CloudWatch Log Group Data Protection Policy document in JSON format for use with the aws.cloudwatch.LogDataProtectionPolicy resource.

    For more information about data protection policies, see the Help protect sensitive log data with masking.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = aws.cloudwatch.getLogDataProtectionPolicyDocument({
        name: "Example",
        statements: [
            {
                sid: "Audit",
                dataIdentifiers: [
                    "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                    "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
                ],
                operation: {
                    audit: {
                        findingsDestination: {
                            cloudwatchLogs: {
                                logGroup: audit.name,
                            },
                            firehose: {
                                deliveryStream: auditAwsKinesisFirehoseDeliveryStream.name,
                            },
                            s3: {
                                bucket: auditAwsS3Bucket.bucket,
                            },
                        },
                    },
                },
            },
            {
                sid: "Deidentify",
                dataIdentifiers: [
                    "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                    "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
                ],
                operation: {
                    deidentify: {
                        maskConfig: {},
                    },
                },
            },
        ],
    });
    const exampleLogDataProtectionPolicy = new aws.cloudwatch.LogDataProtectionPolicy("example", {
        logGroupName: exampleAwsCloudwatchLogGroup.name,
        policyDocument: example.then(example => example.json),
    });
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.cloudwatch.get_log_data_protection_policy_document(name="Example",
        statements=[
            {
                "sid": "Audit",
                "data_identifiers": [
                    "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                    "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
                ],
                "operation": {
                    "audit": {
                        "findings_destination": {
                            "cloudwatch_logs": {
                                "log_group": audit["name"],
                            },
                            "firehose": {
                                "delivery_stream": audit_aws_kinesis_firehose_delivery_stream["name"],
                            },
                            "s3": {
                                "bucket": audit_aws_s3_bucket["bucket"],
                            },
                        },
                    },
                },
            },
            {
                "sid": "Deidentify",
                "data_identifiers": [
                    "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                    "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
                ],
                "operation": {
                    "deidentify": {
                        "mask_config": {},
                    },
                },
            },
        ])
    example_log_data_protection_policy = aws.cloudwatch.LogDataProtectionPolicy("example",
        log_group_name=example_aws_cloudwatch_log_group["name"],
        policy_document=example.json)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudwatch"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := cloudwatch.GetLogDataProtectionPolicyDocument(ctx, &cloudwatch.GetLogDataProtectionPolicyDocumentArgs{
    			Name: "Example",
    			Statements: []cloudwatch.GetLogDataProtectionPolicyDocumentStatement{
    				{
    					Sid: pulumi.StringRef("Audit"),
    					DataIdentifiers: []string{
    						"arn:aws:dataprotection::aws:data-identifier/EmailAddress",
    						"arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
    					},
    					Operation: {
    						Audit: {
    							FindingsDestination: {
    								CloudwatchLogs: {
    									LogGroup: audit.Name,
    								},
    								Firehose: {
    									DeliveryStream: auditAwsKinesisFirehoseDeliveryStream.Name,
    								},
    								S3: {
    									Bucket: auditAwsS3Bucket.Bucket,
    								},
    							},
    						},
    					},
    				},
    				{
    					Sid: pulumi.StringRef("Deidentify"),
    					DataIdentifiers: []string{
    						"arn:aws:dataprotection::aws:data-identifier/EmailAddress",
    						"arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
    					},
    					Operation: {
    						Deidentify: {
    							MaskConfig: nil,
    						},
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = cloudwatch.NewLogDataProtectionPolicy(ctx, "example", &cloudwatch.LogDataProtectionPolicyArgs{
    			LogGroupName:   pulumi.Any(exampleAwsCloudwatchLogGroup.Name),
    			PolicyDocument: pulumi.String(example.Json),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = Aws.CloudWatch.GetLogDataProtectionPolicyDocument.Invoke(new()
        {
            Name = "Example",
            Statements = new[]
            {
                new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementInputArgs
                {
                    Sid = "Audit",
                    DataIdentifiers = new[]
                    {
                        "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                        "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
                    },
                    Operation = new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementOperationInputArgs
                    {
                        Audit = new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementOperationAuditInputArgs
                        {
                            FindingsDestination = new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationInputArgs
                            {
                                CloudwatchLogs = new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationCloudwatchLogsInputArgs
                                {
                                    LogGroup = audit.Name,
                                },
                                Firehose = new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationFirehoseInputArgs
                                {
                                    DeliveryStream = auditAwsKinesisFirehoseDeliveryStream.Name,
                                },
                                S3 = new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationS3InputArgs
                                {
                                    Bucket = auditAwsS3Bucket.Bucket,
                                },
                            },
                        },
                    },
                },
                new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementInputArgs
                {
                    Sid = "Deidentify",
                    DataIdentifiers = new[]
                    {
                        "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                        "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
                    },
                    Operation = new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementOperationInputArgs
                    {
                        Deidentify = new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementOperationDeidentifyInputArgs
                        {
                            MaskConfig = null,
                        },
                    },
                },
            },
        });
    
        var exampleLogDataProtectionPolicy = new Aws.CloudWatch.LogDataProtectionPolicy("example", new()
        {
            LogGroupName = exampleAwsCloudwatchLogGroup.Name,
            PolicyDocument = example.Apply(getLogDataProtectionPolicyDocumentResult => getLogDataProtectionPolicyDocumentResult.Json),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.cloudwatch.CloudwatchFunctions;
    import com.pulumi.aws.cloudwatch.inputs.GetLogDataProtectionPolicyDocumentArgs;
    import com.pulumi.aws.cloudwatch.LogDataProtectionPolicy;
    import com.pulumi.aws.cloudwatch.LogDataProtectionPolicyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var example = CloudwatchFunctions.getLogDataProtectionPolicyDocument(GetLogDataProtectionPolicyDocumentArgs.builder()
                .name("Example")
                .statements(            
                    GetLogDataProtectionPolicyDocumentStatementArgs.builder()
                        .sid("Audit")
                        .dataIdentifiers(                    
                            "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                            "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US")
                        .operation(GetLogDataProtectionPolicyDocumentStatementOperationArgs.builder()
                            .audit(GetLogDataProtectionPolicyDocumentStatementOperationAuditArgs.builder()
                                .findingsDestination(GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationArgs.builder()
                                    .cloudwatchLogs(GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationCloudwatchLogsArgs.builder()
                                        .logGroup(audit.name())
                                        .build())
                                    .firehose(GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationFirehoseArgs.builder()
                                        .deliveryStream(auditAwsKinesisFirehoseDeliveryStream.name())
                                        .build())
                                    .s3(GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationS3Args.builder()
                                        .bucket(auditAwsS3Bucket.bucket())
                                        .build())
                                    .build())
                                .build())
                            .build())
                        .build(),
                    GetLogDataProtectionPolicyDocumentStatementArgs.builder()
                        .sid("Deidentify")
                        .dataIdentifiers(                    
                            "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                            "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US")
                        .operation(GetLogDataProtectionPolicyDocumentStatementOperationArgs.builder()
                            .deidentify(GetLogDataProtectionPolicyDocumentStatementOperationDeidentifyArgs.builder()
                                .maskConfig()
                                .build())
                            .build())
                        .build())
                .build());
    
            var exampleLogDataProtectionPolicy = new LogDataProtectionPolicy("exampleLogDataProtectionPolicy", LogDataProtectionPolicyArgs.builder()
                .logGroupName(exampleAwsCloudwatchLogGroup.name())
                .policyDocument(example.applyValue(getLogDataProtectionPolicyDocumentResult -> getLogDataProtectionPolicyDocumentResult.json()))
                .build());
    
        }
    }
    
    resources:
      exampleLogDataProtectionPolicy:
        type: aws:cloudwatch:LogDataProtectionPolicy
        name: example
        properties:
          logGroupName: ${exampleAwsCloudwatchLogGroup.name}
          policyDocument: ${example.json}
    variables:
      example:
        fn::invoke:
          Function: aws:cloudwatch:getLogDataProtectionPolicyDocument
          Arguments:
            name: Example
            statements:
              - sid: Audit
                dataIdentifiers:
                  - arn:aws:dataprotection::aws:data-identifier/EmailAddress
                  - arn:aws:dataprotection::aws:data-identifier/DriversLicense-US
                operation:
                  audit:
                    findingsDestination:
                      cloudwatchLogs:
                        logGroup: ${audit.name}
                      firehose:
                        deliveryStream: ${auditAwsKinesisFirehoseDeliveryStream.name}
                      s3:
                        bucket: ${auditAwsS3Bucket.bucket}
              - sid: Deidentify
                dataIdentifiers:
                  - arn:aws:dataprotection::aws:data-identifier/EmailAddress
                  - arn:aws:dataprotection::aws:data-identifier/DriversLicense-US
                operation:
                  deidentify:
                    maskConfig: {}
    

    Using getLogDataProtectionPolicyDocument

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getLogDataProtectionPolicyDocument(args: GetLogDataProtectionPolicyDocumentArgs, opts?: InvokeOptions): Promise<GetLogDataProtectionPolicyDocumentResult>
    function getLogDataProtectionPolicyDocumentOutput(args: GetLogDataProtectionPolicyDocumentOutputArgs, opts?: InvokeOptions): Output<GetLogDataProtectionPolicyDocumentResult>
    def get_log_data_protection_policy_document(description: Optional[str] = None,
                                                name: Optional[str] = None,
                                                statements: Optional[Sequence[GetLogDataProtectionPolicyDocumentStatement]] = None,
                                                version: Optional[str] = None,
                                                opts: Optional[InvokeOptions] = None) -> GetLogDataProtectionPolicyDocumentResult
    def get_log_data_protection_policy_document_output(description: Optional[pulumi.Input[str]] = None,
                                                name: Optional[pulumi.Input[str]] = None,
                                                statements: Optional[pulumi.Input[Sequence[pulumi.Input[GetLogDataProtectionPolicyDocumentStatementArgs]]]] = None,
                                                version: Optional[pulumi.Input[str]] = None,
                                                opts: Optional[InvokeOptions] = None) -> Output[GetLogDataProtectionPolicyDocumentResult]
    func GetLogDataProtectionPolicyDocument(ctx *Context, args *GetLogDataProtectionPolicyDocumentArgs, opts ...InvokeOption) (*GetLogDataProtectionPolicyDocumentResult, error)
    func GetLogDataProtectionPolicyDocumentOutput(ctx *Context, args *GetLogDataProtectionPolicyDocumentOutputArgs, opts ...InvokeOption) GetLogDataProtectionPolicyDocumentResultOutput

    > Note: This function is named GetLogDataProtectionPolicyDocument in the Go SDK.

    public static class GetLogDataProtectionPolicyDocument 
    {
        public static Task<GetLogDataProtectionPolicyDocumentResult> InvokeAsync(GetLogDataProtectionPolicyDocumentArgs args, InvokeOptions? opts = null)
        public static Output<GetLogDataProtectionPolicyDocumentResult> Invoke(GetLogDataProtectionPolicyDocumentInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetLogDataProtectionPolicyDocumentResult> getLogDataProtectionPolicyDocument(GetLogDataProtectionPolicyDocumentArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
    
    fn::invoke:
      function: aws:cloudwatch/getLogDataProtectionPolicyDocument:getLogDataProtectionPolicyDocument
      arguments:
        # arguments dictionary

    The following arguments are supported:

    Name string
    The name of the data protection policy document.
    Statements List<GetLogDataProtectionPolicyDocumentStatement>

    Configures the data protection policy.

    There must be exactly two statements: the first with an audit operation, and the second with a deidentify operation.

    The following arguments are optional:

    Description string
    Version string
    Name string
    The name of the data protection policy document.
    Statements []GetLogDataProtectionPolicyDocumentStatement

    Configures the data protection policy.

    There must be exactly two statements: the first with an audit operation, and the second with a deidentify operation.

    The following arguments are optional:

    Description string
    Version string
    name String
    The name of the data protection policy document.
    statements List<GetLogDataProtectionPolicyDocumentStatement>

    Configures the data protection policy.

    There must be exactly two statements: the first with an audit operation, and the second with a deidentify operation.

    The following arguments are optional:

    description String
    version String
    name string
    The name of the data protection policy document.
    statements GetLogDataProtectionPolicyDocumentStatement[]

    Configures the data protection policy.

    There must be exactly two statements: the first with an audit operation, and the second with a deidentify operation.

    The following arguments are optional:

    description string
    version string
    name str
    The name of the data protection policy document.
    statements Sequence[GetLogDataProtectionPolicyDocumentStatement]

    Configures the data protection policy.

    There must be exactly two statements: the first with an audit operation, and the second with a deidentify operation.

    The following arguments are optional:

    description str
    version str
    name String
    The name of the data protection policy document.
    statements List<Property Map>

    Configures the data protection policy.

    There must be exactly two statements: the first with an audit operation, and the second with a deidentify operation.

    The following arguments are optional:

    description String
    version String

    getLogDataProtectionPolicyDocument Result

    The following output properties are available:

    Id string
    The provider-assigned unique ID for this managed resource.
    Json string
    Standard JSON policy document rendered based on the arguments above.
    Name string
    Statements List<GetLogDataProtectionPolicyDocumentStatement>
    Description string
    Version string
    Id string
    The provider-assigned unique ID for this managed resource.
    Json string
    Standard JSON policy document rendered based on the arguments above.
    Name string
    Statements []GetLogDataProtectionPolicyDocumentStatement
    Description string
    Version string
    id String
    The provider-assigned unique ID for this managed resource.
    json String
    Standard JSON policy document rendered based on the arguments above.
    name String
    statements List<GetLogDataProtectionPolicyDocumentStatement>
    description String
    version String
    id string
    The provider-assigned unique ID for this managed resource.
    json string
    Standard JSON policy document rendered based on the arguments above.
    name string
    statements GetLogDataProtectionPolicyDocumentStatement[]
    description string
    version string
    id str
    The provider-assigned unique ID for this managed resource.
    json str
    Standard JSON policy document rendered based on the arguments above.
    name str
    statements Sequence[GetLogDataProtectionPolicyDocumentStatement]
    description str
    version str
    id String
    The provider-assigned unique ID for this managed resource.
    json String
    Standard JSON policy document rendered based on the arguments above.
    name String
    statements List<Property Map>
    description String
    version String

    Supporting Types

    GetLogDataProtectionPolicyDocumentStatement

    DataIdentifiers List<string>
    Set of at least 1 sensitive data identifiers that you want to mask. Read more in Types of data that you can protect.
    Operation GetLogDataProtectionPolicyDocumentStatementOperation
    Configures the data protection operation applied by this statement.
    Sid string
    Name of this statement.
    DataIdentifiers []string
    Set of at least 1 sensitive data identifiers that you want to mask. Read more in Types of data that you can protect.
    Operation GetLogDataProtectionPolicyDocumentStatementOperation
    Configures the data protection operation applied by this statement.
    Sid string
    Name of this statement.
    dataIdentifiers List<String>
    Set of at least 1 sensitive data identifiers that you want to mask. Read more in Types of data that you can protect.
    operation GetLogDataProtectionPolicyDocumentStatementOperation
    Configures the data protection operation applied by this statement.
    sid String
    Name of this statement.
    dataIdentifiers string[]
    Set of at least 1 sensitive data identifiers that you want to mask. Read more in Types of data that you can protect.
    operation GetLogDataProtectionPolicyDocumentStatementOperation
    Configures the data protection operation applied by this statement.
    sid string
    Name of this statement.
    data_identifiers Sequence[str]
    Set of at least 1 sensitive data identifiers that you want to mask. Read more in Types of data that you can protect.
    operation GetLogDataProtectionPolicyDocumentStatementOperation
    Configures the data protection operation applied by this statement.
    sid str
    Name of this statement.
    dataIdentifiers List<String>
    Set of at least 1 sensitive data identifiers that you want to mask. Read more in Types of data that you can protect.
    operation Property Map
    Configures the data protection operation applied by this statement.
    sid String
    Name of this statement.

    GetLogDataProtectionPolicyDocumentStatementOperation

    Audit GetLogDataProtectionPolicyDocumentStatementOperationAudit
    Configures the detection of sensitive data.
    Deidentify GetLogDataProtectionPolicyDocumentStatementOperationDeidentify

    Configures the masking of sensitive data.

    Every policy statement must specify exactly one operation.

    Audit GetLogDataProtectionPolicyDocumentStatementOperationAudit
    Configures the detection of sensitive data.
    Deidentify GetLogDataProtectionPolicyDocumentStatementOperationDeidentify

    Configures the masking of sensitive data.

    Every policy statement must specify exactly one operation.

    audit GetLogDataProtectionPolicyDocumentStatementOperationAudit
    Configures the detection of sensitive data.
    deidentify GetLogDataProtectionPolicyDocumentStatementOperationDeidentify

    Configures the masking of sensitive data.

    Every policy statement must specify exactly one operation.

    audit GetLogDataProtectionPolicyDocumentStatementOperationAudit
    Configures the detection of sensitive data.
    deidentify GetLogDataProtectionPolicyDocumentStatementOperationDeidentify

    Configures the masking of sensitive data.

    Every policy statement must specify exactly one operation.

    audit GetLogDataProtectionPolicyDocumentStatementOperationAudit
    Configures the detection of sensitive data.
    deidentify GetLogDataProtectionPolicyDocumentStatementOperationDeidentify

    Configures the masking of sensitive data.

    Every policy statement must specify exactly one operation.

    audit Property Map
    Configures the detection of sensitive data.
    deidentify Property Map

    Configures the masking of sensitive data.

    Every policy statement must specify exactly one operation.

    GetLogDataProtectionPolicyDocumentStatementOperationAudit

    findingsDestination Property Map
    Configures destinations to send audit findings to.

    GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestination

    cloudwatchLogs Property Map
    Configures CloudWatch Logs as a findings destination.
    firehose Property Map
    Configures Kinesis Firehose as a findings destination.
    s3 Property Map
    Configures S3 as a findings destination.

    GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationCloudwatchLogs

    LogGroup string
    Name of the CloudWatch Log Group to send findings to.
    LogGroup string
    Name of the CloudWatch Log Group to send findings to.
    logGroup String
    Name of the CloudWatch Log Group to send findings to.
    logGroup string
    Name of the CloudWatch Log Group to send findings to.
    log_group str
    Name of the CloudWatch Log Group to send findings to.
    logGroup String
    Name of the CloudWatch Log Group to send findings to.

    GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationFirehose

    DeliveryStream string
    Name of the Kinesis Firehose Delivery Stream to send findings to.
    DeliveryStream string
    Name of the Kinesis Firehose Delivery Stream to send findings to.
    deliveryStream String
    Name of the Kinesis Firehose Delivery Stream to send findings to.
    deliveryStream string
    Name of the Kinesis Firehose Delivery Stream to send findings to.
    delivery_stream str
    Name of the Kinesis Firehose Delivery Stream to send findings to.
    deliveryStream String
    Name of the Kinesis Firehose Delivery Stream to send findings to.

    GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationS3

    Bucket string
    Name of the S3 Bucket to send findings to.
    Bucket string
    Name of the S3 Bucket to send findings to.
    bucket String
    Name of the S3 Bucket to send findings to.
    bucket string
    Name of the S3 Bucket to send findings to.
    bucket str
    Name of the S3 Bucket to send findings to.
    bucket String
    Name of the S3 Bucket to send findings to.

    GetLogDataProtectionPolicyDocumentStatementOperationDeidentify

    maskConfig Property Map
    An empty object that configures masking.

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.
    aws logo
    AWS v6.55.0 published on Monday, Oct 7, 2024 by Pulumi