tailscale.LogstreamConfiguration

Tailscale v0.27.0, Feb 20 26

Tailscale v0.27.0 published on Friday, Feb 20, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-tailscale

Tailscale v0.27.0 published on Friday, Feb 20, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-tailscale

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as tailscale from "@pulumi/tailscale";

// Example configuration for a non-S3 logstreaming endpoint
const sampleLogstreamConfiguration = new tailscale.LogstreamConfiguration("sample_logstream_configuration", {
    logType: "configuration",
    destinationType: "panther",
    url: "https://example.com",
    token: "some-token",
});
// Example configuration for an AWS S3 logstreaming endpoint
const sampleLogstreamConfigurationS3 = new tailscale.LogstreamConfiguration("sample_logstream_configuration_s3", {
    logType: "configuration",
    destinationType: "s3",
    s3Bucket: tailscaleLogs.id,
    s3Region: "us-west-2",
    s3AuthenticationType: "rolearn",
    s3RoleArn: tailscaleLogsWriter.arn,
    s3ExternalId: prod.externalId,
});
// Example configuration for an S3-compatible logstreaming endpoint
const sampleLogstreamConfigurationS3Compatible = new tailscale.LogstreamConfiguration("sample_logstream_configuration_s3_compatible", {
    logType: "configuration",
    destinationType: "s3",
    url: "https://s3.example.com",
    s3Bucket: "example-bucket",
    s3Region: "us-west-2",
    s3AuthenticationType: "accesskey",
    s3AccessKeyId: "some-access-key",
    s3SecretAccessKey: "some-secret-key",
});
// Example configuration for a GCS logstreaming endpoint using workload identity
const sampleLogstreamConfigurationGcsWif = new tailscale.LogstreamConfiguration("sample_logstream_configuration_gcs_wif", {
    logType: "configuration",
    destinationType: "gcs",
    gcsBucket: "example-gcs-bucket",
    gcsCredentials: JSON.stringify({
        type: "external_account",
        audience: "//iam.googleapis.com/projects/12345678/locations/global/workloadIdentityPools/example-pool/providers/example-provider",
        subject_token_type: "urn:ietf:params:aws:token-type:aws4_request",
        service_account_impersonation_url: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/example@example.iam.gserviceaccount.com:generateAccessToken",
        token_url: "https://sts.googleapis.com/v1/token",
        credential_source: {
            environment_id: "aws1",
            region_url: "http://169.254.169.254/latest/meta-data/placement/availability-zone",
            url: "http://169.254.169.254/latest/meta-data/iam/security-credentials",
            regional_cred_verification_url: "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
            imdsv2_session_token_url: "http://169.254.169.254/latest/api/token",
        },
    }),
});

import pulumi
import json
import pulumi_tailscale as tailscale

# Example configuration for a non-S3 logstreaming endpoint
sample_logstream_configuration = tailscale.LogstreamConfiguration("sample_logstream_configuration",
    log_type="configuration",
    destination_type="panther",
    url="https://example.com",
    token="some-token")
# Example configuration for an AWS S3 logstreaming endpoint
sample_logstream_configuration_s3 = tailscale.LogstreamConfiguration("sample_logstream_configuration_s3",
    log_type="configuration",
    destination_type="s3",
    s3_bucket=tailscale_logs["id"],
    s3_region="us-west-2",
    s3_authentication_type="rolearn",
    s3_role_arn=tailscale_logs_writer["arn"],
    s3_external_id=prod["externalId"])
# Example configuration for an S3-compatible logstreaming endpoint
sample_logstream_configuration_s3_compatible = tailscale.LogstreamConfiguration("sample_logstream_configuration_s3_compatible",
    log_type="configuration",
    destination_type="s3",
    url="https://s3.example.com",
    s3_bucket="example-bucket",
    s3_region="us-west-2",
    s3_authentication_type="accesskey",
    s3_access_key_id="some-access-key",
    s3_secret_access_key="some-secret-key")
# Example configuration for a GCS logstreaming endpoint using workload identity
sample_logstream_configuration_gcs_wif = tailscale.LogstreamConfiguration("sample_logstream_configuration_gcs_wif",
    log_type="configuration",
    destination_type="gcs",
    gcs_bucket="example-gcs-bucket",
    gcs_credentials=json.dumps({
        "type": "external_account",
        "audience": "//iam.googleapis.com/projects/12345678/locations/global/workloadIdentityPools/example-pool/providers/example-provider",
        "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
        "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/example@example.iam.gserviceaccount.com:generateAccessToken",
        "token_url": "https://sts.googleapis.com/v1/token",
        "credential_source": {
            "environment_id": "aws1",
            "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
            "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
            "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
            "imdsv2_session_token_url": "http://169.254.169.254/latest/api/token",
        },
    }))

package main

import (
	"encoding/json"

	"github.com/pulumi/pulumi-tailscale/sdk/go/tailscale"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Example configuration for a non-S3 logstreaming endpoint
		_, err := tailscale.NewLogstreamConfiguration(ctx, "sample_logstream_configuration", &tailscale.LogstreamConfigurationArgs{
			LogType:         pulumi.String("configuration"),
			DestinationType: pulumi.String("panther"),
			Url:             pulumi.String("https://example.com"),
			Token:           pulumi.String("some-token"),
		})
		if err != nil {
			return err
		}
		// Example configuration for an AWS S3 logstreaming endpoint
		_, err = tailscale.NewLogstreamConfiguration(ctx, "sample_logstream_configuration_s3", &tailscale.LogstreamConfigurationArgs{
			LogType:              pulumi.String("configuration"),
			DestinationType:      pulumi.String("s3"),
			S3Bucket:             pulumi.Any(tailscaleLogs.Id),
			S3Region:             pulumi.String("us-west-2"),
			S3AuthenticationType: pulumi.String("rolearn"),
			S3RoleArn:            pulumi.Any(tailscaleLogsWriter.Arn),
			S3ExternalId:         pulumi.Any(prod.ExternalId),
		})
		if err != nil {
			return err
		}
		// Example configuration for an S3-compatible logstreaming endpoint
		_, err = tailscale.NewLogstreamConfiguration(ctx, "sample_logstream_configuration_s3_compatible", &tailscale.LogstreamConfigurationArgs{
			LogType:              pulumi.String("configuration"),
			DestinationType:      pulumi.String("s3"),
			Url:                  pulumi.String("https://s3.example.com"),
			S3Bucket:             pulumi.String("example-bucket"),
			S3Region:             pulumi.String("us-west-2"),
			S3AuthenticationType: pulumi.String("accesskey"),
			S3AccessKeyId:        pulumi.String("some-access-key"),
			S3SecretAccessKey:    pulumi.String("some-secret-key"),
		})
		if err != nil {
			return err
		}
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"type":                              "external_account",
			"audience":                          "//iam.googleapis.com/projects/12345678/locations/global/workloadIdentityPools/example-pool/providers/example-provider",
			"subject_token_type":                "urn:ietf:params:aws:token-type:aws4_request",
			"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/example@example.iam.gserviceaccount.com:generateAccessToken",
			"token_url":                         "https://sts.googleapis.com/v1/token",
			"credential_source": map[string]interface{}{
				"environment_id":                 "aws1",
				"region_url":                     "http://169.254.169.254/latest/meta-data/placement/availability-zone",
				"url":                            "http://169.254.169.254/latest/meta-data/iam/security-credentials",
				"regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
				"imdsv2_session_token_url":       "http://169.254.169.254/latest/api/token",
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		// Example configuration for a GCS logstreaming endpoint using workload identity
		_, err = tailscale.NewLogstreamConfiguration(ctx, "sample_logstream_configuration_gcs_wif", &tailscale.LogstreamConfigurationArgs{
			LogType:         pulumi.String("configuration"),
			DestinationType: pulumi.String("gcs"),
			GcsBucket:       pulumi.String("example-gcs-bucket"),
			GcsCredentials:  pulumi.String(json0),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Tailscale = Pulumi.Tailscale;

return await Deployment.RunAsync(() => 
{
    // Example configuration for a non-S3 logstreaming endpoint
    var sampleLogstreamConfiguration = new Tailscale.LogstreamConfiguration("sample_logstream_configuration", new()
    {
        LogType = "configuration",
        DestinationType = "panther",
        Url = "https://example.com",
        Token = "some-token",
    });

    // Example configuration for an AWS S3 logstreaming endpoint
    var sampleLogstreamConfigurationS3 = new Tailscale.LogstreamConfiguration("sample_logstream_configuration_s3", new()
    {
        LogType = "configuration",
        DestinationType = "s3",
        S3Bucket = tailscaleLogs.Id,
        S3Region = "us-west-2",
        S3AuthenticationType = "rolearn",
        S3RoleArn = tailscaleLogsWriter.Arn,
        S3ExternalId = prod.ExternalId,
    });

    // Example configuration for an S3-compatible logstreaming endpoint
    var sampleLogstreamConfigurationS3Compatible = new Tailscale.LogstreamConfiguration("sample_logstream_configuration_s3_compatible", new()
    {
        LogType = "configuration",
        DestinationType = "s3",
        Url = "https://s3.example.com",
        S3Bucket = "example-bucket",
        S3Region = "us-west-2",
        S3AuthenticationType = "accesskey",
        S3AccessKeyId = "some-access-key",
        S3SecretAccessKey = "some-secret-key",
    });

    // Example configuration for a GCS logstreaming endpoint using workload identity
    var sampleLogstreamConfigurationGcsWif = new Tailscale.LogstreamConfiguration("sample_logstream_configuration_gcs_wif", new()
    {
        LogType = "configuration",
        DestinationType = "gcs",
        GcsBucket = "example-gcs-bucket",
        GcsCredentials = JsonSerializer.Serialize(new Dictionary<string, object?>
        {
            ["type"] = "external_account",
            ["audience"] = "//iam.googleapis.com/projects/12345678/locations/global/workloadIdentityPools/example-pool/providers/example-provider",
            ["subject_token_type"] = "urn:ietf:params:aws:token-type:aws4_request",
            ["service_account_impersonation_url"] = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/example@example.iam.gserviceaccount.com:generateAccessToken",
            ["token_url"] = "https://sts.googleapis.com/v1/token",
            ["credential_source"] = new Dictionary<string, object?>
            {
                ["environment_id"] = "aws1",
                ["region_url"] = "http://169.254.169.254/latest/meta-data/placement/availability-zone",
                ["url"] = "http://169.254.169.254/latest/meta-data/iam/security-credentials",
                ["regional_cred_verification_url"] = "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
                ["imdsv2_session_token_url"] = "http://169.254.169.254/latest/api/token",
            },
        }),
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.tailscale.LogstreamConfiguration;
import com.pulumi.tailscale.LogstreamConfigurationArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Example configuration for a non-S3 logstreaming endpoint
        var sampleLogstreamConfiguration = new LogstreamConfiguration("sampleLogstreamConfiguration", LogstreamConfigurationArgs.builder()
            .logType("configuration")
            .destinationType("panther")
            .url("https://example.com")
            .token("some-token")
            .build());

        // Example configuration for an AWS S3 logstreaming endpoint
        var sampleLogstreamConfigurationS3 = new LogstreamConfiguration("sampleLogstreamConfigurationS3", LogstreamConfigurationArgs.builder()
            .logType("configuration")
            .destinationType("s3")
            .s3Bucket(tailscaleLogs.id())
            .s3Region("us-west-2")
            .s3AuthenticationType("rolearn")
            .s3RoleArn(tailscaleLogsWriter.arn())
            .s3ExternalId(prod.externalId())
            .build());

        // Example configuration for an S3-compatible logstreaming endpoint
        var sampleLogstreamConfigurationS3Compatible = new LogstreamConfiguration("sampleLogstreamConfigurationS3Compatible", LogstreamConfigurationArgs.builder()
            .logType("configuration")
            .destinationType("s3")
            .url("https://s3.example.com")
            .s3Bucket("example-bucket")
            .s3Region("us-west-2")
            .s3AuthenticationType("accesskey")
            .s3AccessKeyId("some-access-key")
            .s3SecretAccessKey("some-secret-key")
            .build());

        // Example configuration for a GCS logstreaming endpoint using workload identity
        var sampleLogstreamConfigurationGcsWif = new LogstreamConfiguration("sampleLogstreamConfigurationGcsWif", LogstreamConfigurationArgs.builder()
            .logType("configuration")
            .destinationType("gcs")
            .gcsBucket("example-gcs-bucket")
            .gcsCredentials(serializeJson(
                jsonObject(
                    jsonProperty("type", "external_account"),
                    jsonProperty("audience", "//iam.googleapis.com/projects/12345678/locations/global/workloadIdentityPools/example-pool/providers/example-provider"),
                    jsonProperty("subject_token_type", "urn:ietf:params:aws:token-type:aws4_request"),
                    jsonProperty("service_account_impersonation_url", "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/example@example.iam.gserviceaccount.com:generateAccessToken"),
                    jsonProperty("token_url", "https://sts.googleapis.com/v1/token"),
                    jsonProperty("credential_source", jsonObject(
                        jsonProperty("environment_id", "aws1"),
                        jsonProperty("region_url", "http://169.254.169.254/latest/meta-data/placement/availability-zone"),
                        jsonProperty("url", "http://169.254.169.254/latest/meta-data/iam/security-credentials"),
                        jsonProperty("regional_cred_verification_url", "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"),
                        jsonProperty("imdsv2_session_token_url", "http://169.254.169.254/latest/api/token")
                    ))
                )))
            .build());

    }
}

resources:
  # Example configuration for a non-S3 logstreaming endpoint
  sampleLogstreamConfiguration:
    type: tailscale:LogstreamConfiguration
    name: sample_logstream_configuration
    properties:
      logType: configuration
      destinationType: panther
      url: https://example.com
      token: some-token
  # Example configuration for an AWS S3 logstreaming endpoint
  sampleLogstreamConfigurationS3:
    type: tailscale:LogstreamConfiguration
    name: sample_logstream_configuration_s3
    properties:
      logType: configuration
      destinationType: s3
      s3Bucket: ${tailscaleLogs.id}
      s3Region: us-west-2
      s3AuthenticationType: rolearn
      s3RoleArn: ${tailscaleLogsWriter.arn}
      s3ExternalId: ${prod.externalId}
  # Example configuration for an S3-compatible logstreaming endpoint
  sampleLogstreamConfigurationS3Compatible:
    type: tailscale:LogstreamConfiguration
    name: sample_logstream_configuration_s3_compatible
    properties:
      logType: configuration
      destinationType: s3
      url: https://s3.example.com
      s3Bucket: example-bucket
      s3Region: us-west-2
      s3AuthenticationType: accesskey
      s3AccessKeyId: some-access-key
      s3SecretAccessKey: some-secret-key
  # Example configuration for a GCS logstreaming endpoint using workload identity
  sampleLogstreamConfigurationGcsWif:
    type: tailscale:LogstreamConfiguration
    name: sample_logstream_configuration_gcs_wif
    properties:
      logType: configuration
      destinationType: gcs
      gcsBucket: example-gcs-bucket
      gcsCredentials:
        fn::toJSON:
          type: external_account
          audience: //iam.googleapis.com/projects/12345678/locations/global/workloadIdentityPools/example-pool/providers/example-provider
          subject_token_type: urn:ietf:params:aws:token-type:aws4_request
          service_account_impersonation_url: https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/example@example.iam.gserviceaccount.com:generateAccessToken
          token_url: https://sts.googleapis.com/v1/token
          credential_source:
            environment_id: aws1
            region_url: http://169.254.169.254/latest/meta-data/placement/availability-zone
            url: http://169.254.169.254/latest/meta-data/iam/security-credentials
            regional_cred_verification_url: https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15
            imdsv2_session_token_url: http://169.254.169.254/latest/api/token

Create LogstreamConfiguration Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new LogstreamConfiguration(name: string, args: LogstreamConfigurationArgs, opts?: CustomResourceOptions);

@overload
def LogstreamConfiguration(resource_name: str,
                           args: LogstreamConfigurationArgs,
                           opts: Optional[ResourceOptions] = None)

@overload
def LogstreamConfiguration(resource_name: str,
                           opts: Optional[ResourceOptions] = None,
                           log_type: Optional[str] = None,
                           destination_type: Optional[str] = None,
                           s3_authentication_type: Optional[str] = None,
                           s3_key_prefix: Optional[str] = None,
                           gcs_key_prefix: Optional[str] = None,
                           gcs_scopes: Optional[Sequence[str]] = None,
                           gcs_bucket: Optional[str] = None,
                           s3_access_key_id: Optional[str] = None,
                           compression_format: Optional[str] = None,
                           s3_bucket: Optional[str] = None,
                           s3_external_id: Optional[str] = None,
                           gcs_credentials: Optional[str] = None,
                           s3_region: Optional[str] = None,
                           s3_role_arn: Optional[str] = None,
                           s3_secret_access_key: Optional[str] = None,
                           token: Optional[str] = None,
                           upload_period_minutes: Optional[int] = None,
                           url: Optional[str] = None,
                           user: Optional[str] = None)

func NewLogstreamConfiguration(ctx *Context, name string, args LogstreamConfigurationArgs, opts ...ResourceOption) (*LogstreamConfiguration, error)

public LogstreamConfiguration(string name, LogstreamConfigurationArgs args, CustomResourceOptions? opts = null)

public LogstreamConfiguration(String name, LogstreamConfigurationArgs args)
public LogstreamConfiguration(String name, LogstreamConfigurationArgs args, CustomResourceOptions options)

type: tailscale:LogstreamConfiguration
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args LogstreamConfigurationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args LogstreamConfigurationArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args LogstreamConfigurationArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args LogstreamConfigurationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args LogstreamConfigurationArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var logstreamConfigurationResource = new Tailscale.LogstreamConfiguration("logstreamConfigurationResource", new()
{
    LogType = "string",
    DestinationType = "string",
    S3AuthenticationType = "string",
    S3KeyPrefix = "string",
    GcsKeyPrefix = "string",
    GcsScopes = new[]
    {
        "string",
    },
    GcsBucket = "string",
    S3AccessKeyId = "string",
    CompressionFormat = "string",
    S3Bucket = "string",
    S3ExternalId = "string",
    GcsCredentials = "string",
    S3Region = "string",
    S3RoleArn = "string",
    S3SecretAccessKey = "string",
    Token = "string",
    UploadPeriodMinutes = 0,
    Url = "string",
    User = "string",
});

example, err := tailscale.NewLogstreamConfiguration(ctx, "logstreamConfigurationResource", &tailscale.LogstreamConfigurationArgs{
	LogType:              pulumi.String("string"),
	DestinationType:      pulumi.String("string"),
	S3AuthenticationType: pulumi.String("string"),
	S3KeyPrefix:          pulumi.String("string"),
	GcsKeyPrefix:         pulumi.String("string"),
	GcsScopes: pulumi.StringArray{
		pulumi.String("string"),
	},
	GcsBucket:           pulumi.String("string"),
	S3AccessKeyId:       pulumi.String("string"),
	CompressionFormat:   pulumi.String("string"),
	S3Bucket:            pulumi.String("string"),
	S3ExternalId:        pulumi.String("string"),
	GcsCredentials:      pulumi.String("string"),
	S3Region:            pulumi.String("string"),
	S3RoleArn:           pulumi.String("string"),
	S3SecretAccessKey:   pulumi.String("string"),
	Token:               pulumi.String("string"),
	UploadPeriodMinutes: pulumi.Int(0),
	Url:                 pulumi.String("string"),
	User:                pulumi.String("string"),
})

var logstreamConfigurationResource = new LogstreamConfiguration("logstreamConfigurationResource", LogstreamConfigurationArgs.builder()
    .logType("string")
    .destinationType("string")
    .s3AuthenticationType("string")
    .s3KeyPrefix("string")
    .gcsKeyPrefix("string")
    .gcsScopes("string")
    .gcsBucket("string")
    .s3AccessKeyId("string")
    .compressionFormat("string")
    .s3Bucket("string")
    .s3ExternalId("string")
    .gcsCredentials("string")
    .s3Region("string")
    .s3RoleArn("string")
    .s3SecretAccessKey("string")
    .token("string")
    .uploadPeriodMinutes(0)
    .url("string")
    .user("string")
    .build());

logstream_configuration_resource = tailscale.LogstreamConfiguration("logstreamConfigurationResource",
    log_type="string",
    destination_type="string",
    s3_authentication_type="string",
    s3_key_prefix="string",
    gcs_key_prefix="string",
    gcs_scopes=["string"],
    gcs_bucket="string",
    s3_access_key_id="string",
    compression_format="string",
    s3_bucket="string",
    s3_external_id="string",
    gcs_credentials="string",
    s3_region="string",
    s3_role_arn="string",
    s3_secret_access_key="string",
    token="string",
    upload_period_minutes=0,
    url="string",
    user="string")

const logstreamConfigurationResource = new tailscale.LogstreamConfiguration("logstreamConfigurationResource", {
    logType: "string",
    destinationType: "string",
    s3AuthenticationType: "string",
    s3KeyPrefix: "string",
    gcsKeyPrefix: "string",
    gcsScopes: ["string"],
    gcsBucket: "string",
    s3AccessKeyId: "string",
    compressionFormat: "string",
    s3Bucket: "string",
    s3ExternalId: "string",
    gcsCredentials: "string",
    s3Region: "string",
    s3RoleArn: "string",
    s3SecretAccessKey: "string",
    token: "string",
    uploadPeriodMinutes: 0,
    url: "string",
    user: "string",
});

type: tailscale:LogstreamConfiguration
properties:
    compressionFormat: string
    destinationType: string
    gcsBucket: string
    gcsCredentials: string
    gcsKeyPrefix: string
    gcsScopes:
        - string
    logType: string
    s3AccessKeyId: string
    s3AuthenticationType: string
    s3Bucket: string
    s3ExternalId: string
    s3KeyPrefix: string
    s3Region: string
    s3RoleArn: string
    s3SecretAccessKey: string
    token: string
    uploadPeriodMinutes: 0
    url: string
    user: string

LogstreamConfiguration Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The LogstreamConfiguration resource accepts the following input properties:

DestinationType string: The type of SIEM platform to stream to. Valid values are axiom, cribl, datadog, elastic, gcs, panther, splunk, and s3.
LogType string: The type of logs to stream. Valid values are configuration (configuration audit logs) and network (network flow logs).
CompressionFormat string: The compression algorithm used for logs. Valid values are none, zstd or gzip. Defaults to none.
GcsBucket string: The name of the GCS bucket
GcsCredentials string: The encoded string of JSON that is used to authenticate for workload identity in GCS
GcsKeyPrefix string: The GCS key prefix for the bucket
GcsScopes List<string>: The GCS scopes needed to be able to write in the bucket
S3AccessKeyId string: The S3 access key ID. Required if destinationtype is s3 and s3authentication_type is 'accesskey'.
S3AuthenticationType string: The type of authentication to use for S3. Required if destination_type is s3. Valid values are accesskey and rolearn. Tailscale recommends using rolearn.
S3Bucket string: The S3 bucket name. Required if destination_type is 's3'.
S3ExternalId string: The AWS External ID that Tailscale supplies when authenticating using role-based authentication. Required if destinationtype is 's3' and s3authenticationtype is 'rolearn'. This can be obtained via the tailscaleawsexternalid resource.
S3KeyPrefix string: An optional S3 key prefix to prepend to the auto-generated S3 key name.
S3Region string: The region in which the S3 bucket is located. Required if destination_type is 's3'.
S3RoleArn string: ARN of the AWS IAM role that Tailscale should assume when using role-based authentication. Required if destinationtype is 's3' and s3authentication_type is 'rolearn'.
S3SecretAccessKey string: The S3 secret access key. Required if destinationtype is 's3' and s3authentication_type is 'accesskey'.
Token string: The token/password with which log streams to this endpoint should be authenticated, required unless destination_type is 's3'.
UploadPeriodMinutes int: An optional number of minutes to wait in between uploading new logs. If the quantity of logs does not fit within a single upload, multiple uploads will be made.
Url string: The URL to which log streams are being posted. If destination_type is 's3' and you want to use the official Amazon S3 endpoint, leave this empty.
User string: The username with which log streams to this endpoint are authenticated. Only required if destination_type is 'elastic', defaults to 'user' if not set.

DestinationType string: The type of SIEM platform to stream to. Valid values are axiom, cribl, datadog, elastic, gcs, panther, splunk, and s3.
LogType string: The type of logs to stream. Valid values are configuration (configuration audit logs) and network (network flow logs).
CompressionFormat string: The compression algorithm used for logs. Valid values are none, zstd or gzip. Defaults to none.
GcsBucket string: The name of the GCS bucket
GcsCredentials string: The encoded string of JSON that is used to authenticate for workload identity in GCS
GcsKeyPrefix string: The GCS key prefix for the bucket
GcsScopes []string: The GCS scopes needed to be able to write in the bucket
S3AccessKeyId string: The S3 access key ID. Required if destinationtype is s3 and s3authentication_type is 'accesskey'.
S3AuthenticationType string: The type of authentication to use for S3. Required if destination_type is s3. Valid values are accesskey and rolearn. Tailscale recommends using rolearn.
S3Bucket string: The S3 bucket name. Required if destination_type is 's3'.
S3ExternalId string: The AWS External ID that Tailscale supplies when authenticating using role-based authentication. Required if destinationtype is 's3' and s3authenticationtype is 'rolearn'. This can be obtained via the tailscaleawsexternalid resource.
S3KeyPrefix string: An optional S3 key prefix to prepend to the auto-generated S3 key name.
S3Region string: The region in which the S3 bucket is located. Required if destination_type is 's3'.
S3RoleArn string: ARN of the AWS IAM role that Tailscale should assume when using role-based authentication. Required if destinationtype is 's3' and s3authentication_type is 'rolearn'.
S3SecretAccessKey string: The S3 secret access key. Required if destinationtype is 's3' and s3authentication_type is 'accesskey'.
Token string: The token/password with which log streams to this endpoint should be authenticated, required unless destination_type is 's3'.
UploadPeriodMinutes int: An optional number of minutes to wait in between uploading new logs. If the quantity of logs does not fit within a single upload, multiple uploads will be made.
Url string: The URL to which log streams are being posted. If destination_type is 's3' and you want to use the official Amazon S3 endpoint, leave this empty.
User string: The username with which log streams to this endpoint are authenticated. Only required if destination_type is 'elastic', defaults to 'user' if not set.

destinationType String: The type of SIEM platform to stream to. Valid values are axiom, cribl, datadog, elastic, gcs, panther, splunk, and s3.
logType String: The type of logs to stream. Valid values are configuration (configuration audit logs) and network (network flow logs).
compressionFormat String: The compression algorithm used for logs. Valid values are none, zstd or gzip. Defaults to none.
gcsBucket String: The name of the GCS bucket
gcsCredentials String: The encoded string of JSON that is used to authenticate for workload identity in GCS
gcsKeyPrefix String: The GCS key prefix for the bucket
gcsScopes List<String>: The GCS scopes needed to be able to write in the bucket
s3AccessKeyId String: The S3 access key ID. Required if destinationtype is s3 and s3authentication_type is 'accesskey'.
s3AuthenticationType String: The type of authentication to use for S3. Required if destination_type is s3. Valid values are accesskey and rolearn. Tailscale recommends using rolearn.
s3Bucket String: The S3 bucket name. Required if destination_type is 's3'.
s3ExternalId String: The AWS External ID that Tailscale supplies when authenticating using role-based authentication. Required if destinationtype is 's3' and s3authenticationtype is 'rolearn'. This can be obtained via the tailscaleawsexternalid resource.
s3KeyPrefix String: An optional S3 key prefix to prepend to the auto-generated S3 key name.
s3Region String: The region in which the S3 bucket is located. Required if destination_type is 's3'.
s3RoleArn String: ARN of the AWS IAM role that Tailscale should assume when using role-based authentication. Required if destinationtype is 's3' and s3authentication_type is 'rolearn'.
s3SecretAccessKey String: The S3 secret access key. Required if destinationtype is 's3' and s3authentication_type is 'accesskey'.
token String: The token/password with which log streams to this endpoint should be authenticated, required unless destination_type is 's3'.
uploadPeriodMinutes Integer: An optional number of minutes to wait in between uploading new logs. If the quantity of logs does not fit within a single upload, multiple uploads will be made.
url String: The URL to which log streams are being posted. If destination_type is 's3' and you want to use the official Amazon S3 endpoint, leave this empty.
user String: The username with which log streams to this endpoint are authenticated. Only required if destination_type is 'elastic', defaults to 'user' if not set.

destinationType string: The type of SIEM platform to stream to. Valid values are axiom, cribl, datadog, elastic, gcs, panther, splunk, and s3.
logType string: The type of logs to stream. Valid values are configuration (configuration audit logs) and network (network flow logs).
compressionFormat string: The compression algorithm used for logs. Valid values are none, zstd or gzip. Defaults to none.
gcsBucket string: The name of the GCS bucket
gcsCredentials string: The encoded string of JSON that is used to authenticate for workload identity in GCS
gcsKeyPrefix string: The GCS key prefix for the bucket
gcsScopes string[]: The GCS scopes needed to be able to write in the bucket
s3AccessKeyId string: The S3 access key ID. Required if destinationtype is s3 and s3authentication_type is 'accesskey'.
s3AuthenticationType string: The type of authentication to use for S3. Required if destination_type is s3. Valid values are accesskey and rolearn. Tailscale recommends using rolearn.
s3Bucket string: The S3 bucket name. Required if destination_type is 's3'.
s3ExternalId string: The AWS External ID that Tailscale supplies when authenticating using role-based authentication. Required if destinationtype is 's3' and s3authenticationtype is 'rolearn'. This can be obtained via the tailscaleawsexternalid resource.
s3KeyPrefix string: An optional S3 key prefix to prepend to the auto-generated S3 key name.
s3Region string: The region in which the S3 bucket is located. Required if destination_type is 's3'.
s3RoleArn string: ARN of the AWS IAM role that Tailscale should assume when using role-based authentication. Required if destinationtype is 's3' and s3authentication_type is 'rolearn'.
s3SecretAccessKey string: The S3 secret access key. Required if destinationtype is 's3' and s3authentication_type is 'accesskey'.
token string: The token/password with which log streams to this endpoint should be authenticated, required unless destination_type is 's3'.
uploadPeriodMinutes number: An optional number of minutes to wait in between uploading new logs. If the quantity of logs does not fit within a single upload, multiple uploads will be made.
url string: The URL to which log streams are being posted. If destination_type is 's3' and you want to use the official Amazon S3 endpoint, leave this empty.
user string: The username with which log streams to this endpoint are authenticated. Only required if destination_type is 'elastic', defaults to 'user' if not set.

destination_type str: The type of SIEM platform to stream to. Valid values are axiom, cribl, datadog, elastic, gcs, panther, splunk, and s3.
log_type str: The type of logs to stream. Valid values are configuration (configuration audit logs) and network (network flow logs).
compression_format str: The compression algorithm used for logs. Valid values are none, zstd or gzip. Defaults to none.
gcs_bucket str: The name of the GCS bucket
gcs_credentials str: The encoded string of JSON that is used to authenticate for workload identity in GCS
gcs_key_prefix str: The GCS key prefix for the bucket
gcs_scopes Sequence[str]: The GCS scopes needed to be able to write in the bucket
s3_access_key_id str: The S3 access key ID. Required if destinationtype is s3 and s3authentication_type is 'accesskey'.
s3_authentication_type str: The type of authentication to use for S3. Required if destination_type is s3. Valid values are accesskey and rolearn. Tailscale recommends using rolearn.
s3_bucket str: The S3 bucket name. Required if destination_type is 's3'.
s3_external_id str: The AWS External ID that Tailscale supplies when authenticating using role-based authentication. Required if destinationtype is 's3' and s3authenticationtype is 'rolearn'. This can be obtained via the tailscaleawsexternalid resource.
s3_key_prefix str: An optional S3 key prefix to prepend to the auto-generated S3 key name.
s3_region str: The region in which the S3 bucket is located. Required if destination_type is 's3'.
s3_role_arn str: ARN of the AWS IAM role that Tailscale should assume when using role-based authentication. Required if destinationtype is 's3' and s3authentication_type is 'rolearn'.
s3_secret_access_key str: The S3 secret access key. Required if destinationtype is 's3' and s3authentication_type is 'accesskey'.
token str: The token/password with which log streams to this endpoint should be authenticated, required unless destination_type is 's3'.
upload_period_minutes int: An optional number of minutes to wait in between uploading new logs. If the quantity of logs does not fit within a single upload, multiple uploads will be made.
url str: The URL to which log streams are being posted. If destination_type is 's3' and you want to use the official Amazon S3 endpoint, leave this empty.
user str: The username with which log streams to this endpoint are authenticated. Only required if destination_type is 'elastic', defaults to 'user' if not set.

destinationType String: The type of SIEM platform to stream to. Valid values are axiom, cribl, datadog, elastic, gcs, panther, splunk, and s3.
logType String: The type of logs to stream. Valid values are configuration (configuration audit logs) and network (network flow logs).
compressionFormat String: The compression algorithm used for logs. Valid values are none, zstd or gzip. Defaults to none.
gcsBucket String: The name of the GCS bucket
gcsCredentials String: The encoded string of JSON that is used to authenticate for workload identity in GCS
gcsKeyPrefix String: The GCS key prefix for the bucket
gcsScopes List<String>: The GCS scopes needed to be able to write in the bucket
s3AccessKeyId String: The S3 access key ID. Required if destinationtype is s3 and s3authentication_type is 'accesskey'.
s3AuthenticationType String: The type of authentication to use for S3. Required if destination_type is s3. Valid values are accesskey and rolearn. Tailscale recommends using rolearn.
s3Bucket String: The S3 bucket name. Required if destination_type is 's3'.
s3ExternalId String: The AWS External ID that Tailscale supplies when authenticating using role-based authentication. Required if destinationtype is 's3' and s3authenticationtype is 'rolearn'. This can be obtained via the tailscaleawsexternalid resource.
s3KeyPrefix String: An optional S3 key prefix to prepend to the auto-generated S3 key name.
s3Region String: The region in which the S3 bucket is located. Required if destination_type is 's3'.
s3RoleArn String: ARN of the AWS IAM role that Tailscale should assume when using role-based authentication. Required if destinationtype is 's3' and s3authentication_type is 'rolearn'.
s3SecretAccessKey String: The S3 secret access key. Required if destinationtype is 's3' and s3authentication_type is 'accesskey'.
token String: The token/password with which log streams to this endpoint should be authenticated, required unless destination_type is 's3'.
uploadPeriodMinutes Number: An optional number of minutes to wait in between uploading new logs. If the quantity of logs does not fit within a single upload, multiple uploads will be made.
url String: The URL to which log streams are being posted. If destination_type is 's3' and you want to use the official Amazon S3 endpoint, leave this empty.
user String: The username with which log streams to this endpoint are authenticated. Only required if destination_type is 'elastic', defaults to 'user' if not set.

Outputs

All input properties are implicitly available as output properties. Additionally, the LogstreamConfiguration resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing LogstreamConfiguration Resource

Get an existing LogstreamConfiguration resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: LogstreamConfigurationState, opts?: CustomResourceOptions): LogstreamConfiguration

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        compression_format: Optional[str] = None,
        destination_type: Optional[str] = None,
        gcs_bucket: Optional[str] = None,
        gcs_credentials: Optional[str] = None,
        gcs_key_prefix: Optional[str] = None,
        gcs_scopes: Optional[Sequence[str]] = None,
        log_type: Optional[str] = None,
        s3_access_key_id: Optional[str] = None,
        s3_authentication_type: Optional[str] = None,
        s3_bucket: Optional[str] = None,
        s3_external_id: Optional[str] = None,
        s3_key_prefix: Optional[str] = None,
        s3_region: Optional[str] = None,
        s3_role_arn: Optional[str] = None,
        s3_secret_access_key: Optional[str] = None,
        token: Optional[str] = None,
        upload_period_minutes: Optional[int] = None,
        url: Optional[str] = None,
        user: Optional[str] = None) -> LogstreamConfiguration

func GetLogstreamConfiguration(ctx *Context, name string, id IDInput, state *LogstreamConfigurationState, opts ...ResourceOption) (*LogstreamConfiguration, error)

public static LogstreamConfiguration Get(string name, Input<string> id, LogstreamConfigurationState? state, CustomResourceOptions? opts = null)

public static LogstreamConfiguration get(String name, Output<String> id, LogstreamConfigurationState state, CustomResourceOptions options)

resources:  _:    type: tailscale:LogstreamConfiguration    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

CompressionFormat string: The compression algorithm used for logs. Valid values are none, zstd or gzip. Defaults to none.
DestinationType string: The type of SIEM platform to stream to. Valid values are axiom, cribl, datadog, elastic, gcs, panther, splunk, and s3.
GcsBucket string: The name of the GCS bucket
GcsCredentials string: The encoded string of JSON that is used to authenticate for workload identity in GCS
GcsKeyPrefix string: The GCS key prefix for the bucket
GcsScopes List<string>: The GCS scopes needed to be able to write in the bucket
LogType string: The type of logs to stream. Valid values are configuration (configuration audit logs) and network (network flow logs).
S3AccessKeyId string: The S3 access key ID. Required if destinationtype is s3 and s3authentication_type is 'accesskey'.
S3AuthenticationType string: The type of authentication to use for S3. Required if destination_type is s3. Valid values are accesskey and rolearn. Tailscale recommends using rolearn.
S3Bucket string: The S3 bucket name. Required if destination_type is 's3'.
S3ExternalId string: The AWS External ID that Tailscale supplies when authenticating using role-based authentication. Required if destinationtype is 's3' and s3authenticationtype is 'rolearn'. This can be obtained via the tailscaleawsexternalid resource.
S3KeyPrefix string: An optional S3 key prefix to prepend to the auto-generated S3 key name.
S3Region string: The region in which the S3 bucket is located. Required if destination_type is 's3'.
S3RoleArn string: ARN of the AWS IAM role that Tailscale should assume when using role-based authentication. Required if destinationtype is 's3' and s3authentication_type is 'rolearn'.
S3SecretAccessKey string: The S3 secret access key. Required if destinationtype is 's3' and s3authentication_type is 'accesskey'.
Token string: The token/password with which log streams to this endpoint should be authenticated, required unless destination_type is 's3'.
UploadPeriodMinutes int: An optional number of minutes to wait in between uploading new logs. If the quantity of logs does not fit within a single upload, multiple uploads will be made.
Url string: The URL to which log streams are being posted. If destination_type is 's3' and you want to use the official Amazon S3 endpoint, leave this empty.
User string: The username with which log streams to this endpoint are authenticated. Only required if destination_type is 'elastic', defaults to 'user' if not set.

CompressionFormat string: The compression algorithm used for logs. Valid values are none, zstd or gzip. Defaults to none.
DestinationType string: The type of SIEM platform to stream to. Valid values are axiom, cribl, datadog, elastic, gcs, panther, splunk, and s3.
GcsBucket string: The name of the GCS bucket
GcsCredentials string: The encoded string of JSON that is used to authenticate for workload identity in GCS
GcsKeyPrefix string: The GCS key prefix for the bucket
GcsScopes []string: The GCS scopes needed to be able to write in the bucket
LogType string: The type of logs to stream. Valid values are configuration (configuration audit logs) and network (network flow logs).
S3AccessKeyId string: The S3 access key ID. Required if destinationtype is s3 and s3authentication_type is 'accesskey'.
S3AuthenticationType string: The type of authentication to use for S3. Required if destination_type is s3. Valid values are accesskey and rolearn. Tailscale recommends using rolearn.
S3Bucket string: The S3 bucket name. Required if destination_type is 's3'.
S3ExternalId string: The AWS External ID that Tailscale supplies when authenticating using role-based authentication. Required if destinationtype is 's3' and s3authenticationtype is 'rolearn'. This can be obtained via the tailscaleawsexternalid resource.
S3KeyPrefix string: An optional S3 key prefix to prepend to the auto-generated S3 key name.
S3Region string: The region in which the S3 bucket is located. Required if destination_type is 's3'.
S3RoleArn string: ARN of the AWS IAM role that Tailscale should assume when using role-based authentication. Required if destinationtype is 's3' and s3authentication_type is 'rolearn'.
S3SecretAccessKey string: The S3 secret access key. Required if destinationtype is 's3' and s3authentication_type is 'accesskey'.
Token string: The token/password with which log streams to this endpoint should be authenticated, required unless destination_type is 's3'.
UploadPeriodMinutes int: An optional number of minutes to wait in between uploading new logs. If the quantity of logs does not fit within a single upload, multiple uploads will be made.
Url string: The URL to which log streams are being posted. If destination_type is 's3' and you want to use the official Amazon S3 endpoint, leave this empty.
User string: The username with which log streams to this endpoint are authenticated. Only required if destination_type is 'elastic', defaults to 'user' if not set.

compressionFormat String: The compression algorithm used for logs. Valid values are none, zstd or gzip. Defaults to none.
destinationType String: The type of SIEM platform to stream to. Valid values are axiom, cribl, datadog, elastic, gcs, panther, splunk, and s3.
gcsBucket String: The name of the GCS bucket
gcsCredentials String: The encoded string of JSON that is used to authenticate for workload identity in GCS
gcsKeyPrefix String: The GCS key prefix for the bucket
gcsScopes List<String>: The GCS scopes needed to be able to write in the bucket
logType String: The type of logs to stream. Valid values are configuration (configuration audit logs) and network (network flow logs).
s3AccessKeyId String: The S3 access key ID. Required if destinationtype is s3 and s3authentication_type is 'accesskey'.
s3AuthenticationType String: The type of authentication to use for S3. Required if destination_type is s3. Valid values are accesskey and rolearn. Tailscale recommends using rolearn.
s3Bucket String: The S3 bucket name. Required if destination_type is 's3'.
s3ExternalId String: The AWS External ID that Tailscale supplies when authenticating using role-based authentication. Required if destinationtype is 's3' and s3authenticationtype is 'rolearn'. This can be obtained via the tailscaleawsexternalid resource.
s3KeyPrefix String: An optional S3 key prefix to prepend to the auto-generated S3 key name.
s3Region String: The region in which the S3 bucket is located. Required if destination_type is 's3'.
s3RoleArn String: ARN of the AWS IAM role that Tailscale should assume when using role-based authentication. Required if destinationtype is 's3' and s3authentication_type is 'rolearn'.
s3SecretAccessKey String: The S3 secret access key. Required if destinationtype is 's3' and s3authentication_type is 'accesskey'.
token String: The token/password with which log streams to this endpoint should be authenticated, required unless destination_type is 's3'.
uploadPeriodMinutes Integer: An optional number of minutes to wait in between uploading new logs. If the quantity of logs does not fit within a single upload, multiple uploads will be made.
url String: The URL to which log streams are being posted. If destination_type is 's3' and you want to use the official Amazon S3 endpoint, leave this empty.
user String: The username with which log streams to this endpoint are authenticated. Only required if destination_type is 'elastic', defaults to 'user' if not set.

compressionFormat string: The compression algorithm used for logs. Valid values are none, zstd or gzip. Defaults to none.
destinationType string: The type of SIEM platform to stream to. Valid values are axiom, cribl, datadog, elastic, gcs, panther, splunk, and s3.
gcsBucket string: The name of the GCS bucket
gcsCredentials string: The encoded string of JSON that is used to authenticate for workload identity in GCS
gcsKeyPrefix string: The GCS key prefix for the bucket
gcsScopes string[]: The GCS scopes needed to be able to write in the bucket
logType string: The type of logs to stream. Valid values are configuration (configuration audit logs) and network (network flow logs).
s3AccessKeyId string: The S3 access key ID. Required if destinationtype is s3 and s3authentication_type is 'accesskey'.
s3AuthenticationType string: The type of authentication to use for S3. Required if destination_type is s3. Valid values are accesskey and rolearn. Tailscale recommends using rolearn.
s3Bucket string: The S3 bucket name. Required if destination_type is 's3'.
s3ExternalId string: The AWS External ID that Tailscale supplies when authenticating using role-based authentication. Required if destinationtype is 's3' and s3authenticationtype is 'rolearn'. This can be obtained via the tailscaleawsexternalid resource.
s3KeyPrefix string: An optional S3 key prefix to prepend to the auto-generated S3 key name.
s3Region string: The region in which the S3 bucket is located. Required if destination_type is 's3'.
s3RoleArn string: ARN of the AWS IAM role that Tailscale should assume when using role-based authentication. Required if destinationtype is 's3' and s3authentication_type is 'rolearn'.
s3SecretAccessKey string: The S3 secret access key. Required if destinationtype is 's3' and s3authentication_type is 'accesskey'.
token string: The token/password with which log streams to this endpoint should be authenticated, required unless destination_type is 's3'.
uploadPeriodMinutes number: An optional number of minutes to wait in between uploading new logs. If the quantity of logs does not fit within a single upload, multiple uploads will be made.
url string: The URL to which log streams are being posted. If destination_type is 's3' and you want to use the official Amazon S3 endpoint, leave this empty.
user string: The username with which log streams to this endpoint are authenticated. Only required if destination_type is 'elastic', defaults to 'user' if not set.

compression_format str: The compression algorithm used for logs. Valid values are none, zstd or gzip. Defaults to none.
destination_type str: The type of SIEM platform to stream to. Valid values are axiom, cribl, datadog, elastic, gcs, panther, splunk, and s3.
gcs_bucket str: The name of the GCS bucket
gcs_credentials str: The encoded string of JSON that is used to authenticate for workload identity in GCS
gcs_key_prefix str: The GCS key prefix for the bucket
gcs_scopes Sequence[str]: The GCS scopes needed to be able to write in the bucket
log_type str: The type of logs to stream. Valid values are configuration (configuration audit logs) and network (network flow logs).
s3_access_key_id str: The S3 access key ID. Required if destinationtype is s3 and s3authentication_type is 'accesskey'.
s3_authentication_type str: The type of authentication to use for S3. Required if destination_type is s3. Valid values are accesskey and rolearn. Tailscale recommends using rolearn.
s3_bucket str: The S3 bucket name. Required if destination_type is 's3'.
s3_external_id str: The AWS External ID that Tailscale supplies when authenticating using role-based authentication. Required if destinationtype is 's3' and s3authenticationtype is 'rolearn'. This can be obtained via the tailscaleawsexternalid resource.
s3_key_prefix str: An optional S3 key prefix to prepend to the auto-generated S3 key name.
s3_region str: The region in which the S3 bucket is located. Required if destination_type is 's3'.
s3_role_arn str: ARN of the AWS IAM role that Tailscale should assume when using role-based authentication. Required if destinationtype is 's3' and s3authentication_type is 'rolearn'.
s3_secret_access_key str: The S3 secret access key. Required if destinationtype is 's3' and s3authentication_type is 'accesskey'.
token str: The token/password with which log streams to this endpoint should be authenticated, required unless destination_type is 's3'.
upload_period_minutes int: An optional number of minutes to wait in between uploading new logs. If the quantity of logs does not fit within a single upload, multiple uploads will be made.
url str: The URL to which log streams are being posted. If destination_type is 's3' and you want to use the official Amazon S3 endpoint, leave this empty.
user str: The username with which log streams to this endpoint are authenticated. Only required if destination_type is 'elastic', defaults to 'user' if not set.

compressionFormat String: The compression algorithm used for logs. Valid values are none, zstd or gzip. Defaults to none.
destinationType String: The type of SIEM platform to stream to. Valid values are axiom, cribl, datadog, elastic, gcs, panther, splunk, and s3.
gcsBucket String: The name of the GCS bucket
gcsCredentials String: The encoded string of JSON that is used to authenticate for workload identity in GCS
gcsKeyPrefix String: The GCS key prefix for the bucket
gcsScopes List<String>: The GCS scopes needed to be able to write in the bucket
logType String: The type of logs to stream. Valid values are configuration (configuration audit logs) and network (network flow logs).
s3AccessKeyId String: The S3 access key ID. Required if destinationtype is s3 and s3authentication_type is 'accesskey'.
s3AuthenticationType String: The type of authentication to use for S3. Required if destination_type is s3. Valid values are accesskey and rolearn. Tailscale recommends using rolearn.
s3Bucket String: The S3 bucket name. Required if destination_type is 's3'.
s3ExternalId String: The AWS External ID that Tailscale supplies when authenticating using role-based authentication. Required if destinationtype is 's3' and s3authenticationtype is 'rolearn'. This can be obtained via the tailscaleawsexternalid resource.
s3KeyPrefix String: An optional S3 key prefix to prepend to the auto-generated S3 key name.
s3Region String: The region in which the S3 bucket is located. Required if destination_type is 's3'.
s3RoleArn String: ARN of the AWS IAM role that Tailscale should assume when using role-based authentication. Required if destinationtype is 's3' and s3authentication_type is 'rolearn'.
s3SecretAccessKey String: The S3 secret access key. Required if destinationtype is 's3' and s3authentication_type is 'accesskey'.
token String: The token/password with which log streams to this endpoint should be authenticated, required unless destination_type is 's3'.
uploadPeriodMinutes Number: An optional number of minutes to wait in between uploading new logs. If the quantity of logs does not fit within a single upload, multiple uploads will be made.
url String: The URL to which log streams are being posted. If destination_type is 's3' and you want to use the official Amazon S3 endpoint, leave this empty.
user String: The username with which log streams to this endpoint are authenticated. Only required if destination_type is 'elastic', defaults to 'user' if not set.

Import

The pulumi import command can be used, for example:

Logstream configuration can be imported using the logstream configuration id, e.g.,

$ pulumi import tailscale:index/logstreamConfiguration:LogstreamConfiguration sample_logstream_configuration 123456789

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: tailscale pulumi/pulumi-tailscale
License: Apache-2.0
Notes: This Pulumi package is based on the tailscale Terraform Provider.

Tailscale v0.27.0 published on Friday, Feb 20, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-tailscale

tailscale.LogstreamConfiguration

On this page

On this page

Example Usage

Create LogstreamConfiguration Resource

Constructor syntax

Parameters

Constructor example

LogstreamConfiguration Resource Properties

Inputs

Outputs

Look up Existing LogstreamConfiguration Resource

Import

Package Details

On this page

On this page