getLogDataProtectionPolicyDocument

Generates a CloudWatch Logs data protection policy document, in JSON format, for use as the `policyDocument` of the `aws.cloudwatch.LogDataProtectionPolicy` resource.

For more information about data protection policies, see "Help protect sensitive log data with masking" in the Amazon CloudWatch Logs User Guide. Note that masking is applied when log events are read: the original values are still stored, and any principal granted permission to view unmasked data (the `logs:Unmask` action) sees them in clear text, so grant that permission narrowly.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Data identifiers the policy both reports on (audit) and masks (deidentify).
// One shared list keeps the two statements in step, so nothing that raises a
// finding is left unmasked.
const piiIdentifiers = [
    "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
    "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
];

// First statement: report matches to the three findings destinations.
// `audit`, `auditAwsKinesisFirehoseDeliveryStream` and `auditAwsS3Bucket` stand
// for resources declared elsewhere in the program.
const auditStatement = {
    sid: "Audit",
    dataIdentifiers: piiIdentifiers,
    operation: {
        audit: {
            findingsDestination: {
                cloudwatchLogs: { logGroup: audit.name },
                firehose: { deliveryStream: auditAwsKinesisFirehoseDeliveryStream.name },
                s3: { bucket: auditAwsS3Bucket.bucket },
            },
        },
    },
};

// Second statement: mask the same identifiers when the log data is read.
const deidentifyStatement = {
    sid: "Deidentify",
    dataIdentifiers: piiIdentifiers,
    operation: { deidentify: { maskConfig: {} } },
};

const example = aws.cloudwatch.getLogDataProtectionPolicyDocument({
    name: "Example",
    statements: [auditStatement, deidentifyStatement],
});

// Attach the rendered JSON document to the target log group.
const exampleLogDataProtectionPolicy = new aws.cloudwatch.LogDataProtectionPolicy("example", {
    logGroupName: exampleAwsCloudwatchLogGroup.name,
    policyDocument: example.then(doc => doc.json),
});
import pulumi
import pulumi_aws as aws
# Identifiers the policy both reports on (audit) and masks (deidentify).
# Sharing one list keeps the two statements in step, so nothing that raises a
# finding is left unmasked.
pii_identifiers = [
    "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
    "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
]

# First statement: report matches to the three findings destinations. ``audit``,
# ``audit_aws_kinesis_firehose_delivery_stream`` and ``audit_aws_s3_bucket`` stand
# for resources declared elsewhere in the program.
audit_statement = {
    "sid": "Audit",
    "data_identifiers": pii_identifiers,
    "operation": {
        "audit": {
            "findings_destination": {
                "cloudwatch_logs": {"log_group": audit["name"]},
                "firehose": {"delivery_stream": audit_aws_kinesis_firehose_delivery_stream["name"]},
                "s3": {"bucket": audit_aws_s3_bucket["bucket"]},
            },
        },
    },
}

# Second statement: mask the same identifiers when the log data is read.
deidentify_statement = {
    "sid": "Deidentify",
    "data_identifiers": pii_identifiers,
    "operation": {"deidentify": {"mask_config": {}}},
}

example = aws.cloudwatch.get_log_data_protection_policy_document(
    name="Example",
    statements=[audit_statement, deidentify_statement],
)

# Attach the rendered JSON document to the target log group.
example_log_data_protection_policy = aws.cloudwatch.LogDataProtectionPolicy(
    "example",
    log_group_name=example_aws_cloudwatch_log_group["name"],
    policy_document=example.json,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
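return await Deployment.RunAsync(() =>
{
    // Identifiers the policy both reports on (audit) and masks (deidentify).
    // One shared array keeps the two statements in step, so nothing that raises
    // a finding is left unmasked.
    var piiIdentifiers = new[]
    {
        "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
        "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
    };

    var example = Aws.CloudWatch.GetLogDataProtectionPolicyDocument.Invoke(new()
    {
        Name = "Example",
        Statements = new[]
        {
            // First statement: report matches to the three findings destinations.
            // `audit`, `auditAwsKinesisFirehoseDeliveryStream` and `auditAwsS3Bucket`
            // stand for resources declared elsewhere in the program.
            new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementInputArgs
            {
                Sid = "Audit",
                DataIdentifiers = piiIdentifiers,
                Operation = new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementOperationInputArgs
                {
                    Audit = new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementOperationAuditInputArgs
                    {
                        FindingsDestination = new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationInputArgs
                        {
                            CloudwatchLogs = new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationCloudwatchLogsInputArgs
                            {
                                LogGroup = audit.Name,
                            },
                            Firehose = new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationFirehoseInputArgs
                            {
                                DeliveryStream = auditAwsKinesisFirehoseDeliveryStream.Name,
                            },
                            S3 = new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationS3InputArgs
                            {
                                Bucket = auditAwsS3Bucket.Bucket,
                            },
                        },
                    },
                },
            },
            // Second statement: mask the same identifiers when the log data is read.
            new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementInputArgs
            {
                Sid = "Deidentify",
                DataIdentifiers = piiIdentifiers,
                Operation = new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementOperationInputArgs
                {
                    Deidentify = new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementOperationDeidentifyInputArgs
                    {
                        // Pass an empty mask-config object rather than null: null omits
                        // the mask_config block entirely, whereas every other language
                        // example on this page supplies an empty object (`maskConfig: {}`).
                        MaskConfig = new Aws.CloudWatch.Inputs.GetLogDataProtectionPolicyDocumentStatementOperationDeidentifyMaskConfigInputArgs(),
                    },
                },
            },
        },
    });

    // Attach the rendered JSON document to the target log group.
    var exampleLogDataProtectionPolicy = new Aws.CloudWatch.LogDataProtectionPolicy("example", new()
    {
        LogGroupName = exampleAwsCloudwatchLogGroup.Name,
        PolicyDocument = example.Apply(getLogDataProtectionPolicyDocumentResult => getLogDataProtectionPolicyDocumentResult.Json),
    });
});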
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudwatch"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main builds a CloudWatch Logs data protection policy document with one audit
// statement and one deidentify statement, then attaches it to a log group.
//
// `audit`, `auditAwsKinesisFirehoseDeliveryStream`, `auditAwsS3Bucket` and
// `exampleAwsCloudwatchLogGroup` stand for resources declared elsewhere.
//
// NOTE(review): the nested `Operation: {`, `Audit: {`, `FindingsDestination: {`
// ... literals below elide their types. Go only allows that for slice, array and
// map elements, not struct fields, so real code must spell out the corresponding
// cloudwatch.GetLogDataProtectionPolicyDocumentStatement... types for each field.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := cloudwatch.GetLogDataProtectionPolicyDocument(ctx, &cloudwatch.GetLogDataProtectionPolicyDocumentArgs{
			Name: "Example",
			Statements: []cloudwatch.GetLogDataProtectionPolicyDocumentStatement{
				// First statement: report matches to the three findings destinations.
				{
					Sid: pulumi.StringRef("Audit"),
					DataIdentifiers: []string{
						"arn:aws:dataprotection::aws:data-identifier/EmailAddress",
						"arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
					},
					Operation: {
						Audit: {
							FindingsDestination: {
								CloudwatchLogs: {
									LogGroup: audit.Name,
								},
								Firehose: {
									DeliveryStream: auditAwsKinesisFirehoseDeliveryStream.Name,
								},
								S3: {
									Bucket: auditAwsS3Bucket.Bucket,
								},
							},
						},
					},
				},
				// Second statement: mask the same identifiers when the log data is read.
				{
					Sid: pulumi.StringRef("Deidentify"),
					DataIdentifiers: []string{
						"arn:aws:dataprotection::aws:data-identifier/EmailAddress",
						"arn:aws:dataprotection::aws:data-identifier/DriversLicense-US",
					},
					Operation: {
						Deidentify: {
							MaskConfig: {},
						},
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// Attach the rendered JSON document to the target log group.
		_, err = cloudwatch.NewLogDataProtectionPolicy(ctx, "example", &cloudwatch.LogDataProtectionPolicyArgs{
			LogGroupName:   pulumi.Any(exampleAwsCloudwatchLogGroup.Name),
			PolicyDocument: pulumi.String(example.Json),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.CloudwatchFunctions;
import com.pulumi.aws.cloudwatch.inputs.GetLogDataProtectionPolicyDocumentArgs;
import com.pulumi.aws.cloudwatch.LogDataProtectionPolicy;
import com.pulumi.aws.cloudwatch.LogDataProtectionPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Builds a CloudWatch Logs data protection policy document with one audit
 * statement and one deidentify statement, then attaches it to a log group.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the policy document and the LogDataProtectionPolicy resource.
     *
     * {@code audit}, {@code auditAwsKinesisFirehoseDeliveryStream},
     * {@code auditAwsS3Bucket} and {@code exampleAwsCloudwatchLogGroup} stand for
     * resources declared elsewhere in the program.
     *
     * NOTE(review): the nested builders used below (GetLogDataProtectionPolicyDocumentStatementArgs
     * and its Operation / Audit / FindingsDestination / Deidentify / MaskConfig variants)
     * are not imported at the top of this file; presumably they live in
     * com.pulumi.aws.cloudwatch.inputs alongside GetLogDataProtectionPolicyDocumentArgs — confirm.
     */
    public static void stack(Context ctx) {
        final var example = CloudwatchFunctions.getLogDataProtectionPolicyDocument(GetLogDataProtectionPolicyDocumentArgs.builder()
            .name("Example")
            .statements(
                // First statement: report matches to the three findings destinations.
                GetLogDataProtectionPolicyDocumentStatementArgs.builder()
                    .sid("Audit")
                    .dataIdentifiers(
                        "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                        "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US")
                    .operation(GetLogDataProtectionPolicyDocumentStatementOperationArgs.builder()
                        .audit(GetLogDataProtectionPolicyDocumentStatementOperationAuditArgs.builder()
                            .findingsDestination(GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationArgs.builder()
                                .cloudwatchLogs(GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationCloudwatchLogsArgs.builder()
                                    .logGroup(audit.name())
                                    .build())
                                .firehose(GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationFirehoseArgs.builder()
                                    .deliveryStream(auditAwsKinesisFirehoseDeliveryStream.name())
                                    .build())
                                .s3(GetLogDataProtectionPolicyDocumentStatementOperationAuditFindingsDestinationS3Args.builder()
                                    .bucket(auditAwsS3Bucket.bucket())
                                    .build())
                                .build())
                            .build())
                        .build())
                    .build(),
                // Second statement: mask the same identifiers when the log data is read.
                GetLogDataProtectionPolicyDocumentStatementArgs.builder()
                    .sid("Deidentify")
                    .dataIdentifiers(
                        "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
                        "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US")
                    .operation(GetLogDataProtectionPolicyDocumentStatementOperationArgs.builder()
                        .deidentify(GetLogDataProtectionPolicyDocumentStatementOperationDeidentifyArgs.builder()
                            // Empty mask config: the block must be present for the deidentify operation.
                            .maskConfig(GetLogDataProtectionPolicyDocumentStatementOperationDeidentifyMaskConfigArgs.builder()
                                .build())
                            .build())
                        .build())
                    .build())
            .build());

        // Attach the rendered JSON document to the target log group.
        var exampleLogDataProtectionPolicy = new LogDataProtectionPolicy("exampleLogDataProtectionPolicy", LogDataProtectionPolicyArgs.builder()
            .logGroupName(exampleAwsCloudwatchLogGroup.name())
            .policyDocument(example.json())
            .build());
    }
}
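# Restored the nesting this snippet lost in extraction; the flat original is not
# valid YAML. Content is unchanged.
resources:
  # Attaches the rendered policy document to the target log group.
  # ${exampleAwsCloudwatchLogGroup}, ${audit}, ${auditAwsKinesisFirehoseDeliveryStream}
  # and ${auditAwsS3Bucket} stand for resources declared elsewhere in the program.
  exampleLogDataProtectionPolicy:
    type: aws:cloudwatch:LogDataProtectionPolicy
    name: example
    properties:
      logGroupName: ${exampleAwsCloudwatchLogGroup.name}
      policyDocument: ${example.json}
variables:
  example:
    fn::invoke:
      function: aws:cloudwatch:getLogDataProtectionPolicyDocument
      arguments:
        name: Example
        statements:
          # First statement: report matches to the three findings destinations.
          - sid: Audit
            dataIdentifiers:
              - arn:aws:dataprotection::aws:data-identifier/EmailAddress
              - arn:aws:dataprotection::aws:data-identifier/DriversLicense-US
            operation:
              audit:
                findingsDestination:
                  cloudwatchLogs:
                    logGroup: ${audit.name}
                  firehose:
                    deliveryStream: ${auditAwsKinesisFirehoseDeliveryStream.name}
                  s3:
                    bucket: ${auditAwsS3Bucket.bucket}
          # Second statement: mask the same identifiers when the log data is read.
          # Keep this list identical to the audit statement's so every finding is masked.
          - sid: Deidentify
            dataIdentifiers:
              - arn:aws:dataprotection::aws:data-identifier/EmailAddress
              - arn:aws:dataprotection::aws:data-identifier/DriversLicense-US
            operation:
              deidentify:
                # Empty mask config: the block must be present for the deidentify operation.
                maskConfig: {}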

Return

A collection of values returned by getLogDataProtectionPolicyDocument.

Parameters

argument

A collection of arguments for invoking getLogDataProtectionPolicyDocument.


Return

A collection of values returned by getLogDataProtectionPolicyDocument.

Parameters

configuration
description
name

The name of the data protection policy document.

statements

Configures the data protection policy.

A policy must contain exactly two statements: the first with an `audit` operation and the second with a `deidentify` operation. Use the same set of data identifiers in both statements, as the example does, so that every match reported by the audit statement is also masked. The following arguments are optional:

version

See also


Return

A collection of values returned by getLogDataProtectionPolicyDocument.

Parameters

argument

Builder for com.pulumi.aws.cloudwatch.kotlin.inputs.GetLogDataProtectionPolicyDocumentPlainArgs.

See also