account_policies

Creates, updates, deletes or gets an account_policy resource or lists account_policies in a region

Overview

Name	`account_policies`
Type	Resource
Description	The AWS::Logs::AccountPolicy resource specifies a CloudWatch Logs AccountPolicy.
Id	`awscc.logs.account_policies`

Fields

get (all properties)
list (identifiers only)

Name	Datatype	Description
`account_id`	`string`	User account id
`policy_name`	`string`	The name of the account policy
`policy_document`	`string`	The body of the policy document you want to use for this topic. You can only add one policy per PolicyType. The policy must be in JSON string format. Length Constraints: Maximum length of 30720
`policy_type`	`string`	Type of the policy.
`scope`	`string`	Scope for policy application
`selection_criteria`	`string`	Log group selection criteria to apply policy only to a subset of log groups. SelectionCriteria string can be up to 25KB and cloudwatchlogs determines the length of selectionCriteria by using its UTF-8 bytes
`region`	`string`	AWS region.

Name	Datatype	Description
`account_id`	`string`	User account id
`policy_name`	`string`	The name of the account policy
`policy_type`	`string`	Type of the policy.
`region`	`string`	AWS region.

For more information, see AWS::Logs::AccountPolicy.

Methods

Name	Resource	Accessible by	Required Params
`create_resource`	`account_policies`	`INSERT`	`PolicyName, PolicyType, PolicyDocument, region`
`delete_resource`	`account_policies`	`DELETE`	`Identifier, region`
`update_resource`	`account_policies`	`UPDATE`	`Identifier, PatchDocument, region`
`list_resources`	`account_policies_list_only`	`SELECT`	`region`
`get_resource`	`account_policies`	`SELECT`	`Identifier, region`

`SELECT` examples

get (all properties)
list (identifiers only)

Gets all properties from an individual account_policy.

SELECT
  region,
  account_id,
  policy_name,
  policy_document,
  policy_type,
  scope,
  selection_criteria
FROM awscc.logs.account_policies
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ account_id }}|{{ policy_type }}|{{ policy_name }}';

Lists all account_policies in a region.

SELECT
  region,
  account_id,
  policy_type,
  policy_name
FROM awscc.logs.account_policies_list_only
WHERE
  region = '{{ region }}';

`INSERT` example

Use the following StackQL query and manifest file to create a new account_policy resource, using stack-deploy.

Required Properties
All Properties
Manifest

/*+ create */
INSERT INTO awscc.logs.account_policies (
  PolicyName,
  PolicyDocument,
  PolicyType,
  region
)
SELECT
  '{{ policy_name }}',
  '{{ policy_document }}',
  '{{ policy_type }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

/*+ create */
INSERT INTO awscc.logs.account_policies (
  PolicyName,
  PolicyDocument,
  PolicyType,
  Scope,
  SelectionCriteria,
  region
)
SELECT
  '{{ policy_name }}',
  '{{ policy_document }}',
  '{{ policy_type }}',
  '{{ scope }}',
  '{{ selection_criteria }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
  value: '{{ vars.AWS_REGION }}'
resources:
- name: account_policy
  props:
    - name: policy_name
      value: '{{ policy_name }}'
    - name: policy_document
      value: '{{ policy_document }}'
    - name: policy_type
      value: '{{ policy_type }}'
    - name: scope
      value: '{{ scope }}'
    - name: selection_criteria
      value: '{{ selection_criteria }}'

`UPDATE` example

Use the following StackQL query and manifest file to update a account_policy resource, using stack-deploy.

/*+ update */
UPDATE awscc.logs.account_policies
SET PatchDocument = string('{{ {
    "PolicyDocument": policy_document,
    "Scope": scope,
    "SelectionCriteria": selection_criteria
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ account_id }}|{{ policy_type }}|{{ policy_name }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

`DELETE` example

/*+ delete */
DELETE FROM awscc.logs.account_policies
WHERE
  Identifier = '{{ account_id }}|{{ policy_type }}|{{ policy_name }}' AND
  region = '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

Additional Parameters

Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:

Parameter	Description
`ClientToken`	A unique identifier to ensure the idempotency of the resource request. This allows the provider to accurately distinguish between retries and new requests. A client token is valid for 36 hours once used. After that, a resource request with the same client token is treated as a new request. If you do not specify a client token, one is generated for inclusion in the request.
`RoleArn`	The ARN of the IAM role used to perform this resource operation. The role specified must have the permissions required for this operation. If you do not specify a role, a temporary session is created using your AWS user credentials.
`TypeVersionId`	For private resource types, the type version to use in this resource operation. If you do not specify a resource version, the default version is used.

Permissions

To operate on the account_policies resource, the following permissions are required:

Create
Read
Update
Delete
List

logs:PutAccountPolicy,
logs:PutIndexPolicy,
logs:PutDataProtectionPolicy,
logs:DescribeAccountPolicies,
logs:CreateLogDelivery,
s3:REST.PUT.OBJECT,
firehose:TagDeliveryStream,
logs:PutSubscriptionFilter,
logs:DeleteSubscriptionFilter,
logs:PutTransformer,
logs:PutMetricExtractionPolicy,
iam:PassRole

logs:DescribeAccountPolicies,
logs:GetTransformer,
logs:GetMetricExtractionPolicy

logs:PutAccountPolicy,
logs:PutIndexPolicy,
logs:PutDataProtectionPolicy,
logs:DescribeAccountPolicies,
logs:DeleteAccountPolicy,
logs:DeleteIndexPolicy,
logs:DeleteDataProtectionPolicy,
logs:CreateLogDelivery,
logs:PutSubscriptionFilter,
logs:DeleteSubscriptionFilter,
logs:PutTransformer,
logs:DeleteTransformer,
logs:PutMetricExtractionPolicy,
logs:DeleteMetricExtractionPolicy,
s3:REST.PUT.OBJECT,
firehose:TagDeliveryStream,
iam:PassRole

logs:DeleteAccountPolicy,
logs:DeleteIndexPolicy,
logs:DeleteDataProtectionPolicy,
logs:DescribeAccountPolicies,
logs:DeleteSubscriptionFilter,
logs:DeleteTransformer,
logs:DeleteMetricExtractionPolicy,
iam:PassRole

logs:DescribeAccountPolicies,
logs:GetTransformer,
logs:GetMetricExtractionPolicy

Overview​

Fields​

Methods​

SELECT examples​

INSERT example​

UPDATE example​

DELETE example​

Additional Parameters​

Permissions​