Docs Home
AWS v6.77.0 published on Wednesday, Apr 9, 2025 by Pulumi
aws.cloudwatch.LogDestinationPolicy
Explore with Pulumi AI
Provides a CloudWatch Logs destination policy resource.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const testDestination = new aws.cloudwatch.LogDestination("test_destination", {
name: "test_destination",
roleArn: iamForCloudwatch.arn,
targetArn: kinesisForCloudwatch.arn,
});
const testDestinationPolicy = aws.iam.getPolicyDocumentOutput({
statements: [{
effect: "Allow",
principals: [{
type: "AWS",
identifiers: ["123456789012"],
}],
actions: ["logs:PutSubscriptionFilter"],
resources: [testDestination.arn],
}],
});
const testDestinationPolicyLogDestinationPolicy = new aws.cloudwatch.LogDestinationPolicy("test_destination_policy", {
destinationName: testDestination.name,
accessPolicy: testDestinationPolicy.apply(testDestinationPolicy => testDestinationPolicy.json),
});
import pulumi
import pulumi_aws as aws
test_destination = aws.cloudwatch.LogDestination("test_destination",
name="test_destination",
role_arn=iam_for_cloudwatch["arn"],
target_arn=kinesis_for_cloudwatch["arn"])
test_destination_policy = aws.iam.get_policy_document_output(statements=[{
"effect": "Allow",
"principals": [{
"type": "AWS",
"identifiers": ["123456789012"],
}],
"actions": ["logs:PutSubscriptionFilter"],
"resources": [test_destination.arn],
}])
test_destination_policy_log_destination_policy = aws.cloudwatch.LogDestinationPolicy("test_destination_policy",
destination_name=test_destination.name,
access_policy=test_destination_policy.json)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudwatch"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
testDestination, err := cloudwatch.NewLogDestination(ctx, "test_destination", &cloudwatch.LogDestinationArgs{
Name: pulumi.String("test_destination"),
RoleArn: pulumi.Any(iamForCloudwatch.Arn),
TargetArn: pulumi.Any(kinesisForCloudwatch.Arn),
})
if err != nil {
return err
}
testDestinationPolicy := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
Statements: iam.GetPolicyDocumentStatementArray{
&iam.GetPolicyDocumentStatementArgs{
Effect: pulumi.String("Allow"),
Principals: iam.GetPolicyDocumentStatementPrincipalArray{
&iam.GetPolicyDocumentStatementPrincipalArgs{
Type: pulumi.String("AWS"),
Identifiers: pulumi.StringArray{
pulumi.String("123456789012"),
},
},
},
Actions: pulumi.StringArray{
pulumi.String("logs:PutSubscriptionFilter"),
},
Resources: pulumi.StringArray{
testDestination.Arn,
},
},
},
}, nil)
_, err = cloudwatch.NewLogDestinationPolicy(ctx, "test_destination_policy", &cloudwatch.LogDestinationPolicyArgs{
DestinationName: testDestination.Name,
AccessPolicy: pulumi.String(testDestinationPolicy.ApplyT(func(testDestinationPolicy iam.GetPolicyDocumentResult) (*string, error) {
return &testDestinationPolicy.Json, nil
}).(pulumi.StringPtrOutput)),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var testDestination = new Aws.CloudWatch.LogDestination("test_destination", new()
{
Name = "test_destination",
RoleArn = iamForCloudwatch.Arn,
TargetArn = kinesisForCloudwatch.Arn,
});
var testDestinationPolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "AWS",
Identifiers = new[]
{
"123456789012",
},
},
},
Actions = new[]
{
"logs:PutSubscriptionFilter",
},
Resources = new[]
{
testDestination.Arn,
},
},
},
});
var testDestinationPolicyLogDestinationPolicy = new Aws.CloudWatch.LogDestinationPolicy("test_destination_policy", new()
{
DestinationName = testDestination.Name,
AccessPolicy = testDestinationPolicy.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.LogDestination;
import com.pulumi.aws.cloudwatch.LogDestinationArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.cloudwatch.LogDestinationPolicy;
import com.pulumi.aws.cloudwatch.LogDestinationPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var testDestination = new LogDestination("testDestination", LogDestinationArgs.builder()
.name("test_destination")
.roleArn(iamForCloudwatch.arn())
.targetArn(kinesisForCloudwatch.arn())
.build());
final var testDestinationPolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("AWS")
.identifiers("123456789012")
.build())
.actions("logs:PutSubscriptionFilter")
.resources(testDestination.arn())
.build())
.build());
var testDestinationPolicyLogDestinationPolicy = new LogDestinationPolicy("testDestinationPolicyLogDestinationPolicy", LogDestinationPolicyArgs.builder()
.destinationName(testDestination.name())
.accessPolicy(testDestinationPolicy.applyValue(_testDestinationPolicy -> _testDestinationPolicy.json()))
.build());
}
}
resources:
testDestination:
type: aws:cloudwatch:LogDestination
name: test_destination
properties:
name: test_destination
roleArn: ${iamForCloudwatch.arn}
targetArn: ${kinesisForCloudwatch.arn}
testDestinationPolicyLogDestinationPolicy:
type: aws:cloudwatch:LogDestinationPolicy
name: test_destination_policy
properties:
destinationName: ${testDestination.name}
accessPolicy: ${testDestinationPolicy.json}
variables:
testDestinationPolicy:
fn::invoke:
function: aws:iam:getPolicyDocument
arguments:
statements:
- effect: Allow
principals:
- type: AWS
identifiers:
- '123456789012'
actions:
- logs:PutSubscriptionFilter
resources:
- ${testDestination.arn}
Create LogDestinationPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new LogDestinationPolicy(name: string, args: LogDestinationPolicyArgs, opts?: CustomResourceOptions);@overload
def LogDestinationPolicy(resource_name: str,
args: LogDestinationPolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def LogDestinationPolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
access_policy: Optional[str] = None,
destination_name: Optional[str] = None,
force_update: Optional[bool] = None)func NewLogDestinationPolicy(ctx *Context, name string, args LogDestinationPolicyArgs, opts ...ResourceOption) (*LogDestinationPolicy, error)public LogDestinationPolicy(string name, LogDestinationPolicyArgs args, CustomResourceOptions? opts = null)public LogDestinationPolicy(String name, LogDestinationPolicyArgs args)
public LogDestinationPolicy(String name, LogDestinationPolicyArgs args, CustomResourceOptions options)
type: aws:cloudwatch:LogDestinationPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name
This property is required. string - The unique name of the resource.
- args
This property is required. LogDestinationPolicyArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name
This property is required. str - The unique name of the resource.
- args
This property is required. LogDestinationPolicyArgs - The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. LogDestinationPolicyArgs - The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. LogDestinationPolicyArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name
This property is required. String - The unique name of the resource.
- args
This property is required. LogDestinationPolicyArgs - The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var logDestinationPolicyResource = new Aws.CloudWatch.LogDestinationPolicy("logDestinationPolicyResource", new()
{
AccessPolicy = "string",
DestinationName = "string",
ForceUpdate = false,
});
example, err := cloudwatch.NewLogDestinationPolicy(ctx, "logDestinationPolicyResource", &cloudwatch.LogDestinationPolicyArgs{
AccessPolicy: pulumi.String("string"),
DestinationName: pulumi.String("string"),
ForceUpdate: pulumi.Bool(false),
})
var logDestinationPolicyResource = new LogDestinationPolicy("logDestinationPolicyResource", LogDestinationPolicyArgs.builder()
.accessPolicy("string")
.destinationName("string")
.forceUpdate(false)
.build());
log_destination_policy_resource = aws.cloudwatch.LogDestinationPolicy("logDestinationPolicyResource",
access_policy="string",
destination_name="string",
force_update=False)
const logDestinationPolicyResource = new aws.cloudwatch.LogDestinationPolicy("logDestinationPolicyResource", {
accessPolicy: "string",
destinationName: "string",
forceUpdate: false,
});
type: aws:cloudwatch:LogDestinationPolicy
properties:
accessPolicy: string
destinationName: string
forceUpdate: false
LogDestinationPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The LogDestinationPolicy resource accepts the following input properties:
- Access
Policy This property is required. string - The policy document. This is a JSON formatted string.
- Destination
Name stringThis property is required. 
Changes to this property will trigger replacement. - A name for the subscription filter
- Force
Update bool - Specify true if you are updating an existing destination policy to grant permission to an organization ID instead of granting permission to individual AWS accounts.
- Access
Policy This property is required. string - The policy document. This is a JSON formatted string.
- Destination
Name stringThis property is required. Changes to this property will trigger replacement. - A name for the subscription filter
- Force
Update bool - Specify true if you are updating an existing destination policy to grant permission to an organization ID instead of granting permission to individual AWS accounts.
- access
Policy This property is required. String - The policy document. This is a JSON formatted string.
- destination
Name StringThis property is required. Changes to this property will trigger replacement. - A name for the subscription filter
- force
Update Boolean - Specify true if you are updating an existing destination policy to grant permission to an organization ID instead of granting permission to individual AWS accounts.
- access
Policy This property is required. string - The policy document. This is a JSON formatted string.
- destination
Name stringThis property is required. Changes to this property will trigger replacement. - A name for the subscription filter
- force
Update boolean - Specify true if you are updating an existing destination policy to grant permission to an organization ID instead of granting permission to individual AWS accounts.
- access_
policy This property is required. str - The policy document. This is a JSON formatted string.
- destination_
name strThis property is required. Changes to this property will trigger replacement. - A name for the subscription filter
- force_
update bool - Specify true if you are updating an existing destination policy to grant permission to an organization ID instead of granting permission to individual AWS accounts.
- access
Policy This property is required. String - The policy document. This is a JSON formatted string.
- destination
Name StringThis property is required. Changes to this property will trigger replacement. - A name for the subscription filter
- force
Update Boolean - Specify true if you are updating an existing destination policy to grant permission to an organization ID instead of granting permission to individual AWS accounts.
Outputs
All input properties are implicitly available as output properties. Additionally, the LogDestinationPolicy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing LogDestinationPolicy Resource
Get an existing LogDestinationPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: LogDestinationPolicyState, opts?: CustomResourceOptions): LogDestinationPolicy@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
access_policy: Optional[str] = None,
destination_name: Optional[str] = None,
force_update: Optional[bool] = None) -> LogDestinationPolicyfunc GetLogDestinationPolicy(ctx *Context, name string, id IDInput, state *LogDestinationPolicyState, opts ...ResourceOption) (*LogDestinationPolicy, error)public static LogDestinationPolicy Get(string name, Input<string> id, LogDestinationPolicyState? state, CustomResourceOptions? opts = null)public static LogDestinationPolicy get(String name, Output<String> id, LogDestinationPolicyState state, CustomResourceOptions options)resources: _: type: aws:cloudwatch:LogDestinationPolicy get: id: ${id}- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- Access
Policy string - The policy document. This is a JSON formatted string.
- Destination
Name - A name for the subscription filter
- Force
Update bool - Specify true if you are updating an existing destination policy to grant permission to an organization ID instead of granting permission to individual AWS accounts.
- Access
Policy string - The policy document. This is a JSON formatted string.
- Destination
Name - A name for the subscription filter
- Force
Update bool - Specify true if you are updating an existing destination policy to grant permission to an organization ID instead of granting permission to individual AWS accounts.
- access
Policy String - The policy document. This is a JSON formatted string.
- destination
Name - A name for the subscription filter
- force
Update Boolean - Specify true if you are updating an existing destination policy to grant permission to an organization ID instead of granting permission to individual AWS accounts.
- access
Policy string - The policy document. This is a JSON formatted string.
- destination
Name - A name for the subscription filter
- force
Update boolean - Specify true if you are updating an existing destination policy to grant permission to an organization ID instead of granting permission to individual AWS accounts.
- access_
policy str - The policy document. This is a JSON formatted string.
- destination_
name - A name for the subscription filter
- force_
update bool - Specify true if you are updating an existing destination policy to grant permission to an organization ID instead of granting permission to individual AWS accounts.
- access
Policy String - The policy document. This is a JSON formatted string.
- destination
Name - A name for the subscription filter
- force
Update Boolean - Specify true if you are updating an existing destination policy to grant permission to an organization ID instead of granting permission to individual AWS accounts.
Import
Using pulumi import, import CloudWatch Logs destination policies using the destination_name. For example:
$ pulumi import aws:cloudwatch/logDestinationPolicy:LogDestinationPolicy test_destination_policy test_destination
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.