
tessl/golang-github-com-pulumi-pulumi-aws-sdk-v7

A Pulumi provider SDK for creating and managing Amazon Web Services (AWS) cloud resources in Go, providing strongly-typed resource classes and data sources for all major AWS services.


Monitoring: CloudWatch and CloudTrail

This document covers the AWS monitoring services available in the Pulumi AWS Go SDK, including CloudWatch Metrics, Alarms, Logs, Dashboards, EventBridge, and CloudTrail.

Package Imports

import (
    "github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cloudwatch"
    "github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cloudtrail"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

CloudWatch

Available Functions

// Resource constructors
NewCompositeAlarm(ctx, name, args, opts) (*CompositeAlarm, error)
NewContributorInsightRule(ctx, name, args, opts) (*ContributorInsightRule, error)
NewContributorManagedInsightRule(ctx, name, args, opts) (*ContributorManagedInsightRule, error)
NewDashboard(ctx, name, args, opts) (*Dashboard, error)
NewEventApiDestination(ctx, name, args, opts) (*EventApiDestination, error)
NewEventArchive(ctx, name, args, opts) (*EventArchive, error)
NewEventBus(ctx, name, args, opts) (*EventBus, error)
NewEventBusPolicy(ctx, name, args, opts) (*EventBusPolicy, error)
NewEventConnection(ctx, name, args, opts) (*EventConnection, error)
NewEventEndpoint(ctx, name, args, opts) (*EventEndpoint, error)
NewEventPermission(ctx, name, args, opts) (*EventPermission, error)
NewEventRule(ctx, name, args, opts) (*EventRule, error)
NewEventTarget(ctx, name, args, opts) (*EventTarget, error)
NewInternetMonitor(ctx, name, args, opts) (*InternetMonitor, error)
NewLogAccountPolicy(ctx, name, args, opts) (*LogAccountPolicy, error)
NewLogAnomalyDetector(ctx, name, args, opts) (*LogAnomalyDetector, error)
NewLogDataProtectionPolicy(ctx, name, args, opts) (*LogDataProtectionPolicy, error)
NewLogDelivery(ctx, name, args, opts) (*LogDelivery, error)
NewLogDeliveryDestination(ctx, name, args, opts) (*LogDeliveryDestination, error)
NewLogDeliveryDestinationPolicy(ctx, name, args, opts) (*LogDeliveryDestinationPolicy, error)
NewLogDeliverySource(ctx, name, args, opts) (*LogDeliverySource, error)
NewLogDestination(ctx, name, args, opts) (*LogDestination, error)
NewLogDestinationPolicy(ctx, name, args, opts) (*LogDestinationPolicy, error)
NewLogGroup(ctx, name, args, opts) (*LogGroup, error)
NewLogIndexPolicy(ctx, name, args, opts) (*LogIndexPolicy, error)
NewLogMetricFilter(ctx, name, args, opts) (*LogMetricFilter, error)
NewLogResourcePolicy(ctx, name, args, opts) (*LogResourcePolicy, error)
NewLogStream(ctx, name, args, opts) (*LogStream, error)
NewLogSubscriptionFilter(ctx, name, args, opts) (*LogSubscriptionFilter, error)
NewLogTransformer(ctx, name, args, opts) (*LogTransformer, error)
NewMetricAlarm(ctx, name, args, opts) (*MetricAlarm, error)
NewMetricStream(ctx, name, args, opts) (*MetricStream, error)
NewQueryDefinition(ctx, name, args, opts) (*QueryDefinition, error)

// Data source lookups (selection)
GetCompositeAlarm(ctx, name, id, state, opts) (*CompositeAlarm, error)
GetDashboard(ctx, name, id, state, opts) (*Dashboard, error)
GetLogGroup(ctx, name, id, state, opts) (*LogGroup, error)
GetLogGroups(ctx, args, opts) (*GetLogGroupsResult, error)
GetMetricAlarm(ctx, name, id, state, opts) (*MetricAlarm, error)
GetEventBus(ctx, name, id, state, opts) (*EventBus, error)
GetEventRule(ctx, name, id, state, opts) (*EventRule, error)
GetLogDataProtectionPolicyDocument(ctx, args, opts) (*GetLogDataProtectionPolicyDocumentResult, error)

cloudwatch.MetricAlarm

Provides a CloudWatch Metric Alarm that triggers actions based on metric thresholds or anomaly detection models.

Constructor

func NewMetricAlarm(ctx *pulumi.Context,
    name string, args *MetricAlarmArgs, opts ...pulumi.ResourceOption) (*MetricAlarm, error)

MetricAlarmArgs

// MetricAlarmArgs holds the inputs passed to NewMetricAlarm.
//
// An alarm is configured either from a single metric (MetricName, Namespace,
// Period, Statistic or ExtendedStatistic) or from metric math (MetricQueries);
// the field comments note which fields conflict.
type MetricAlarmArgs struct {
    // Execute actions on alarm state changes. Default: true
    // When false, none of AlarmActions, OkActions or InsufficientDataActions
    // run, so a state change notifies nobody.
    ActionsEnabled pulumi.BoolPtrInput
    // ARNs of actions to execute when transitioning to ALARM state (max 5 per state)
    AlarmActions pulumi.ArrayInput
    // Human-readable description for the alarm
    AlarmDescription pulumi.StringPtrInput
    // Comparison operator. Valid values:
    //   "GreaterThanOrEqualToThreshold", "GreaterThanThreshold",
    //   "LessThanThreshold", "LessThanOrEqualToThreshold",
    //   "LessThanLowerOrGreaterThanUpperThreshold",
    //   "LessThanLowerThreshold", "GreaterThanUpperThreshold"
    ComparisonOperator pulumi.StringInput
    // Number of data points that must breach to trigger the alarm
    DatapointsToAlarm pulumi.IntPtrInput
    // Metric dimensions (key-value map)
    Dimensions pulumi.StringMapInput
    // Behavior for alarms based on percentiles with insufficient data:
    //   "ignore" or "evaluate"
    EvaluateLowSampleCountPercentiles pulumi.StringPtrInput
    // Number of periods over which data is compared to the threshold (required)
    EvaluationPeriods pulumi.IntInput
    // Percentile statistic, e.g. "p99". Conflicts with Statistic
    ExtendedStatistic pulumi.StringPtrInput
    // ARNs of actions for INSUFFICIENT_DATA state transitions
    InsufficientDataActions pulumi.ArrayInput
    // Name of the metric (required unless using MetricQueries)
    MetricName pulumi.StringPtrInput
    // Metric math expressions (max 20). Conflicts with simple metric fields
    MetricQueries MetricAlarmMetricQueryArrayInput
    // Unique alarm name within the AWS account (required)
    Name pulumi.StringPtrInput
    // Metric namespace (required unless using MetricQueries)
    Namespace pulumi.StringPtrInput
    // ARNs of actions for OK state transitions
    OkActions pulumi.ArrayInput
    // Period in seconds: 10, 20, 30, or any multiple of 60
    Period pulumi.IntPtrInput
    // AWS region override
    Region pulumi.StringPtrInput
    // Statistic: "SampleCount", "Average", "Sum", "Minimum", "Maximum"
    // Conflicts with ExtendedStatistic
    Statistic pulumi.StringPtrInput
    // Resource tags
    Tags pulumi.StringMapInput
    // Threshold value for comparison (required for static threshold alarms)
    Threshold pulumi.Float64PtrInput
    // ID of the ANOMALY_DETECTION_BAND function for anomaly-based alarms
    ThresholdMetricId pulumi.StringPtrInput
    // Missing data treatment: "missing", "ignore", "breaching", "notBreaching"
    // This decides what happens when the source stops reporting: "breaching"
    // counts the gap against the threshold, "notBreaching" counts it as healthy.
    TreatMissingData pulumi.StringPtrInput
    // Metric unit (e.g. "Percent", "Count", "Bytes")
    Unit pulumi.StringPtrInput
}

MetricAlarm Output Fields

// MetricAlarm is the resource type returned by NewMetricAlarm and
// GetMetricAlarm. Every field is a pulumi Output; apart from Arn and TagsAll
// they mirror the fields of MetricAlarmArgs.
type MetricAlarm struct {
    pulumi.CustomResourceState

    ActionsEnabled                    pulumi.BoolPtrOutput
    AlarmActions                      pulumi.StringArrayOutput
    AlarmDescription                  pulumi.StringPtrOutput
    Arn                               pulumi.StringOutput    // ARN of the CloudWatch Metric Alarm
    ComparisonOperator                pulumi.StringOutput
    DatapointsToAlarm                 pulumi.IntPtrOutput
    Dimensions                        pulumi.StringMapOutput
    EvaluateLowSampleCountPercentiles pulumi.StringOutput
    EvaluationPeriods                 pulumi.IntOutput
    ExtendedStatistic                 pulumi.StringPtrOutput
    InsufficientDataActions           pulumi.StringArrayOutput
    MetricName                        pulumi.StringPtrOutput
    MetricQueries                     MetricAlarmMetricQueryArrayOutput
    Name                              pulumi.StringOutput
    Namespace                         pulumi.StringPtrOutput
    OkActions                         pulumi.StringArrayOutput
    Period                            pulumi.IntPtrOutput
    Region                            pulumi.StringOutput
    Statistic                         pulumi.StringPtrOutput
    Tags                              pulumi.StringMapOutput
    TagsAll                           pulumi.StringMapOutput
    Threshold                         pulumi.Float64PtrOutput
    ThresholdMetricId                 pulumi.StringPtrOutput
    TreatMissingData                  pulumi.StringPtrOutput
    Unit                              pulumi.StringPtrOutput
}

Lookup

func GetMetricAlarm(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *MetricAlarmState,
    opts ...pulumi.ResourceOption) (*MetricAlarm, error)

Example: Basic CPU Alarm

// Alarm when the instance's average CPU is at or above 80% for two consecutive
// 120-second periods. snsTopic and ec2Instance are assumed to be created
// earlier; they are not shown in this example.
_, err := cloudwatch.NewMetricAlarm(ctx, "cpuAlarm", &cloudwatch.MetricAlarmArgs{
    Name:               pulumi.String("high-cpu-utilization"),
    ComparisonOperator: pulumi.String("GreaterThanOrEqualToThreshold"),
    EvaluationPeriods:  pulumi.Int(2),
    MetricName:         pulumi.String("CPUUtilization"),
    Namespace:          pulumi.String("AWS/EC2"),
    Period:             pulumi.Int(120),
    Statistic:          pulumi.String("Average"),
    Threshold:          pulumi.Float64(80),
    AlarmDescription:   pulumi.String("CPU utilization exceeds 80%"),
    // Notify the same topic on both the ALARM and the OK transition, so
    // responders also see the recovery.
    AlarmActions: pulumi.Array{
        snsTopic.Arn,
    },
    OkActions: pulumi.Array{
        snsTopic.Arn,
    },
    Dimensions: pulumi.StringMap{
        "InstanceId": ec2Instance.ID(),
    },
    // Missing datapoints count as healthy, so an instance that stops
    // reporting does not raise this alarm. Cover that case with a separate
    // alarm if silence from the instance matters.
    TreatMissingData: pulumi.String("notBreaching"),
})

Example: Metric Math Expression Alarm

// Alarm on an error rate computed with metric math: e1 = m2/m1*100, where m1
// is the request count and m2 the ELB 5XX count. Only e1 sets ReturnData, so
// e1 is the series compared with Threshold.
_, err := cloudwatch.NewMetricAlarm(ctx, "errorRateAlarm", &cloudwatch.MetricAlarmArgs{
    Name:               pulumi.String("high-error-rate"),
    ComparisonOperator: pulumi.String("GreaterThanOrEqualToThreshold"),
    EvaluationPeriods:  pulumi.Int(2),
    Threshold:          pulumi.Float64(10),
    AlarmDescription:   pulumi.String("Request error rate has exceeded 10%"),
    // No AlarmActions are set here: as written, the alarm changes state
    // without notifying anyone.
    MetricQueries: cloudwatch.MetricAlarmMetricQueryArray{
        &cloudwatch.MetricAlarmMetricQueryArgs{
            Id:         pulumi.String("e1"),
            Expression: pulumi.String("m2/m1*100"),
            Label:      pulumi.String("Error Rate"),
            ReturnData: pulumi.Bool(true),
        },
        // NOTE(review): m1 and m2 set no Dimensions. ALB metrics are normally
        // published per load balancer, so confirm these queries return
        // datapoints as written before relying on the alarm.
        &cloudwatch.MetricAlarmMetricQueryArgs{
            Id: pulumi.String("m1"),
            Metric: &cloudwatch.MetricAlarmMetricQueryMetricArgs{
                MetricName: pulumi.String("RequestCount"),
                Namespace:  pulumi.String("AWS/ApplicationELB"),
                Period:     pulumi.Int(120),
                Stat:       pulumi.String("Sum"),
            },
        },
        &cloudwatch.MetricAlarmMetricQueryArgs{
            Id: pulumi.String("m2"),
            Metric: &cloudwatch.MetricAlarmMetricQueryMetricArgs{
                MetricName: pulumi.String("HTTPCode_ELB_5XX_Count"),
                Namespace:  pulumi.String("AWS/ApplicationELB"),
                Period:     pulumi.Int(120),
                Stat:       pulumi.String("Sum"),
            },
        },
    },
})

cloudwatch.CompositeAlarm

A composite alarm combines multiple alarms using a logical expression (AND/OR/NOT) to reduce alarm noise.

Note: A composite alarm cannot be destroyed while other composite alarms depend on it. Use dependsOn and two-stage updates to manage cyclic dependencies.

Constructor

func NewCompositeAlarm(ctx *pulumi.Context,
    name string, args *CompositeAlarmArgs, opts ...pulumi.ResourceOption) (*CompositeAlarm, error)

CompositeAlarmArgs

// CompositeAlarmArgs holds the inputs passed to NewCompositeAlarm.
type CompositeAlarmArgs struct {
    // Execute actions on alarm state changes. Default: true
    ActionsEnabled pulumi.BoolPtrInput
    // Suppressor alarm configuration
    // NOTE(review): a suppressor mutes this alarm's actions while it is
    // active, so treat changes to it like changes to the paging path itself.
    ActionsSuppressor CompositeAlarmActionsSuppressorPtrInput
    // ARNs of actions for ALARM state (max 5)
    AlarmActions pulumi.StringArrayInput
    // Human-readable description
    AlarmDescription pulumi.StringPtrInput
    // Unique alarm name within the region (required)
    AlarmName pulumi.StringInput
    // Logical alarm rule expression (max 10240 chars), e.g.:
    //   "ALARM(alarm1) OR ALARM(alarm2)"
    AlarmRule pulumi.StringInput
    // ARNs of actions for INSUFFICIENT_DATA state (max 5)
    InsufficientDataActions pulumi.StringArrayInput
    // ARNs of actions for OK state (max 5)
    OkActions pulumi.StringArrayInput
    // AWS region override
    Region pulumi.StringPtrInput
    // Resource tags (max 50)
    Tags pulumi.StringMapInput
}

CompositeAlarm Output Fields

// CompositeAlarm is the resource type returned by NewCompositeAlarm. Every
// field is a pulumi Output; apart from Arn and TagsAll they mirror the fields
// of CompositeAlarmArgs.
type CompositeAlarm struct {
    pulumi.CustomResourceState

    ActionsEnabled          pulumi.BoolPtrOutput
    ActionsSuppressor       CompositeAlarmActionsSuppressorPtrOutput
    AlarmActions            pulumi.StringArrayOutput
    AlarmDescription        pulumi.StringPtrOutput
    AlarmName               pulumi.StringOutput
    AlarmRule               pulumi.StringOutput
    Arn                     pulumi.StringOutput    // ARN of the composite alarm
    InsufficientDataActions pulumi.StringArrayOutput
    OkActions               pulumi.StringArrayOutput
    Region                  pulumi.StringOutput
    Tags                    pulumi.StringMapOutput
    TagsAll                 pulumi.StringMapOutput
}

Example: Composite Alarm

// Notify only when the CPU alarm and the error-rate alarm are in ALARM at the
// same time. cpuAlarm, errorAlarm and pagerdutyTopic are assumed to be created
// earlier; they are not shown in this example.
_, err := cloudwatch.NewCompositeAlarm(ctx, "serviceHealthAlarm", &cloudwatch.CompositeAlarmArgs{
    AlarmName:        pulumi.String("service-health"),
    AlarmDescription: pulumi.String("Service is unhealthy when both CPU and error rate are high"),
    // pulumi.Sprintf formats the rule from the two alarm-name outputs, which
    // also makes this alarm depend on both child alarms.
    AlarmRule: pulumi.Sprintf("ALARM(%v) AND ALARM(%v)",
        cpuAlarm.Name, errorAlarm.Name),
    AlarmActions: pulumi.StringArray{
        pagerdutyTopic.Arn,
    },
    OkActions: pulumi.StringArray{
        pagerdutyTopic.Arn,
    },
})

cloudwatch.LogGroup

Manages a CloudWatch Logs log group. Supports retention policies, KMS encryption, and deletion protection.

Constructor

func NewLogGroup(ctx *pulumi.Context,
    name string, args *LogGroupArgs, opts ...pulumi.ResourceOption) (*LogGroup, error)

LogGroupArgs

// LogGroupArgs holds the inputs passed to NewLogGroup.
type LogGroupArgs struct {
    // Enable deletion protection. Default: false
    // Once enabled, must be explicitly set to false to disable
    DeletionProtectionEnabled pulumi.BoolPtrInput
    // KMS CMK ARN for encrypting log data
    // The key policy must allow the CloudWatch Logs service to use the key;
    // without that grant the key cannot be associated with the log group.
    KmsKeyId pulumi.StringPtrInput
    // Log group class: "STANDARD", "INFREQUENT_ACCESS", or "DELIVERY"
    // If "DELIVERY", RetentionInDays is forced to 2
    LogGroupClass pulumi.StringPtrInput
    // Log group name. Conflicts with NamePrefix
    Name pulumi.StringPtrInput
    // Unique name prefix. Conflicts with Name
    NamePrefix pulumi.StringPtrInput
    // AWS region override
    Region pulumi.StringPtrInput
    // Retention in days. Valid values: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150,
    //   180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653, 0
    // 0 = never expire
    // For groups that hold audit or security logs, choose a value that covers
    // the period you may need to investigate.
    RetentionInDays pulumi.IntPtrInput
    // If true, skip deletion on destroy (remove from state only)
    SkipDestroy pulumi.BoolPtrInput
    // Resource tags
    Tags pulumi.StringMapInput
}

LogGroup Output Fields

// LogGroup is the resource type returned by NewLogGroup and GetLogGroup.
// Every field is a pulumi Output.
type LogGroup struct {
    pulumi.CustomResourceState

    // Consumers that need the ":*" form (for example
    // TrailArgs.CloudWatchLogsGroupArn) must append the suffix themselves.
    Arn                       pulumi.StringOutput    // ARN without ":*" suffix
    DeletionProtectionEnabled pulumi.BoolOutput
    KmsKeyId                  pulumi.StringPtrOutput
    LogGroupClass             pulumi.StringOutput
    Name                      pulumi.StringOutput
    NamePrefix                pulumi.StringOutput
    Region                    pulumi.StringOutput
    RetentionInDays           pulumi.IntPtrOutput
    SkipDestroy               pulumi.BoolPtrOutput
    Tags                      pulumi.StringMapOutput
    TagsAll                   pulumi.StringMapOutput
}

Lookup

func GetLogGroup(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *LogGroupState,
    opts ...pulumi.ResourceOption) (*LogGroup, error)

Data source args for looking up an existing log group:

// Use cloudwatch.LookupLogGroup with:
// Required: Name string
// Returns: Arn, KmsKeyId, RetentionInDays, Tags

Example: Application Log Group

// Application log group with 30-day retention, encrypted with a customer
// managed KMS key. kmsKey is assumed to be created earlier; it is not shown.
logGroup, err := cloudwatch.NewLogGroup(ctx, "appLogs", &cloudwatch.LogGroupArgs{
    Name:            pulumi.String("/aws/app/my-service"),
    RetentionInDays: pulumi.Int(30),
    // The key policy on kmsKey must allow the CloudWatch Logs service to use
    // the key, otherwise creating the log group with this key fails.
    KmsKeyId:        kmsKey.Arn,
    Tags: pulumi.StringMap{
        "Application": pulumi.String("my-service"),
        "Environment": pulumi.String("production"),
    },
})

GetLogDataProtectionPolicyDocumentArgs

// GetLogDataProtectionPolicyDocumentArgs holds the arguments passed to
// GetLogDataProtectionPolicyDocument. Unlike the resource Args types on this
// page, its fields are plain Go values rather than pulumi Inputs.
type GetLogDataProtectionPolicyDocumentArgs struct {
    // Optional configuration block
    Configuration *GetLogDataProtectionPolicyDocumentConfiguration
    // Optional description
    Description *string
    // Policy document name (required)
    Name string
    // Policy statements (must be exactly two:
    //   first with "audit" operation, second with "deidentify" operation)
    Statements []GetLogDataProtectionPolicyDocumentStatement
    // Optional policy version
    Version *string
}

cloudwatch.Dashboard

Provides a CloudWatch Dashboard resource for visualizing metrics and logs.

Constructor

func NewDashboard(ctx *pulumi.Context,
    name string, args *DashboardArgs, opts ...pulumi.ResourceOption) (*Dashboard, error)

DashboardArgs

// DashboardArgs holds the inputs passed to NewDashboard.
type DashboardArgs struct {
    // Dashboard body JSON defining widgets and layout (required)
    DashboardBody pulumi.StringInput
    // Dashboard name (required)
    DashboardName pulumi.StringInput
    // AWS region override
    Region pulumi.StringPtrInput
}

Dashboard Output Fields

// Dashboard is the resource type returned by NewDashboard. Every field is a
// pulumi Output.
type Dashboard struct {
    pulumi.CustomResourceState

    DashboardArn  pulumi.StringOutput  // ARN of the dashboard
    DashboardBody pulumi.StringOutput
    DashboardName pulumi.StringOutput
    Region        pulumi.StringOutput
}

Example: Dashboard with Metric Widget

import "encoding/json"

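// Build the dashboard body as a Go value and serialize it, so the JSON sent to
// CloudWatch is always well-formed. The instance ID, Region, account ID and
// alarm ARN below are sample values; replace them with your own.
dashboardBody, err := json.Marshal(map[string]interface{}{
    "widgets": []interface{}{
        map[string]interface{}{
            "type":   "metric",
            "x":      0,
            "y":      0,
            "width":  12,
            "height": 6,
            "properties": map[string]interface{}{
                "metrics": [][]string{
                    {"AWS/EC2", "CPUUtilization", "InstanceId", "i-012345"},
                },
                "period": 300,
                "stat":   "Average",
                "region": "us-east-1",
                "title":  "EC2 Instance CPU",
            },
        },
        map[string]interface{}{
            "type":   "alarm",
            "x":      12,
            "y":      0,
            "width":  6,
            "height": 6,
            "properties": map[string]interface{}{
                "title":  "Alarms",
                "alarms": []string{"arn:aws:cloudwatch:us-east-1:123456789012:alarm:my-alarm"},
            },
        },
    },
})
if err != nil {
    // Assumes the snippet runs inside a function that returns error, such as
    // the callback passed to pulumi.Run.
    return err
}

_, err = cloudwatch.NewDashboard(ctx, "mainDashboard", &cloudwatch.DashboardArgs{
    DashboardName: pulumi.String("production-overview"),
    DashboardBody: pulumi.String(string(dashboardBody)),
})
if err != nil {
    return err
}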

cloudwatch.EventRule

Provides an EventBridge Rule resource. EventBridge was formerly known as CloudWatch Events.

Constructor

func NewEventRule(ctx *pulumi.Context,
    name string, args *EventRuleArgs, opts ...pulumi.ResourceOption) (*EventRule, error)

EventRuleArgs

// EventRuleArgs holds the inputs passed to NewEventRule. A rule is driven
// either by EventPattern or by ScheduleExpression.
type EventRuleArgs struct {
    // Description of the rule
    Description pulumi.StringPtrInput
    // Event bus name or ARN. Default: "default"
    EventBusName pulumi.StringPtrInput
    // Event pattern JSON (required if ScheduleExpression is not set)
    // Max size: 2048 chars (adjustable to 4096 via service quota)
    EventPattern pulumi.StringPtrInput
    // Delete managed rules created by AWS. Default: false
    ForceDestroy pulumi.BoolPtrInput
    // Deprecated: Use State instead
    IsEnabled pulumi.BoolPtrInput
    // Rule name. Conflicts with NamePrefix
    Name pulumi.StringPtrInput
    // Unique name prefix (max 38 chars). Conflicts with Name
    NamePrefix pulumi.StringPtrInput
    // AWS region override
    Region pulumi.StringPtrInput
    // IAM role ARN for target invocation
    // Scope this role to the specific targets the rule invokes.
    RoleArn pulumi.StringPtrInput
    // Schedule expression, e.g. "cron(0 20 * * ? *)" or "rate(5 minutes)"
    // Required if EventPattern is not set. Only works on default event bus
    ScheduleExpression pulumi.StringPtrInput
    // Rule state: "DISABLED", "ENABLED",
    //   or "ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS"
    // Default: "ENABLED". Conflicts with IsEnabled
    // A rule left "DISABLED" matches nothing, so detection rules built on it
    // go quiet without any error.
    State pulumi.StringPtrInput
    // Resource tags
    Tags pulumi.StringMapInput
}

EventRule Output Fields

// EventRule is the resource type returned by NewEventRule and GetEventRule.
// Every field is a pulumi Output.
type EventRule struct {
    pulumi.CustomResourceState

    Arn                pulumi.StringOutput    // ARN of the EventBridge rule
    Description        pulumi.StringPtrOutput
    EventBusName       pulumi.StringPtrOutput
    EventPattern       pulumi.StringPtrOutput
    ForceDestroy       pulumi.BoolPtrOutput
    IsEnabled          pulumi.BoolPtrOutput   // Deprecated
    Name               pulumi.StringOutput
    NamePrefix         pulumi.StringOutput
    Region             pulumi.StringOutput
    RoleArn            pulumi.StringPtrOutput
    ScheduleExpression pulumi.StringPtrOutput
    State              pulumi.StringPtrOutput
    Tags               pulumi.StringMapOutput
    TagsAll            pulumi.StringMapOutput
}

Lookup

func GetEventRule(ctx *pulumi.Context,
    name string, id pulumi.IDInput, state *EventRuleState,
    opts ...pulumi.ResourceOption) (*EventRule, error)

cloudwatch.EventTarget

Configures a target for an EventBridge rule. Supports Lambda, SQS, SNS, ECS, Step Functions, API Gateway, Batch, and more.

Constructor

func NewEventTarget(ctx *pulumi.Context,
    name string, args *EventTargetArgs, opts ...pulumi.ResourceOption) (*EventTarget, error)

EventTargetArgs (key fields)

// EventTargetArgs holds the inputs passed to NewEventTarget. Only the key
// fields are listed here. A target binds one rule (Rule) to one destination
// resource (Arn).
type EventTargetArgs struct {
    // ARN of the target resource (required)
    Arn pulumi.StringInput
    // AppSync GraphQL API mutation target
    AppsyncTarget EventTargetAppsyncTargetPtrInput
    // AWS Batch job target
    BatchTarget EventTargetBatchTargetPtrInput
    // Dead letter queue configuration
    // Without one, events that cannot be delivered to the target are lost
    // once retries are exhausted.
    DeadLetterConfig EventTargetDeadLetterConfigPtrInput
    // ECS task target
    EcsTarget EventTargetEcsTargetPtrInput
    // Event bus name or ARN. Default: "default"
    EventBusName pulumi.StringPtrInput
    // Delete managed rules. Default: false
    ForceDestroy pulumi.BoolPtrInput
    // API Gateway target
    HttpTarget EventTargetHttpTargetPtrInput
    // JSON input passed directly to the target. Conflicts with InputPath/InputTransformer
    Input pulumi.StringPtrInput
    // JSONPath expression to extract part of the event
    InputPath pulumi.StringPtrInput
    // Input transformer to reshape event data
    InputTransformer EventTargetInputTransformerPtrInput
    // Kinesis stream target
    KinesisTarget EventTargetKinesisTargetPtrInput
    // AWS region override
    Region pulumi.StringPtrInput
    // Retry policy for failed invocations
    RetryPolicy EventTargetRetryPolicyPtrInput
    // Name of the EventBridge rule (required)
    Rule pulumi.StringInput
    // IAM role ARN for sending events to the target
    // Grant this role only the actions the chosen target type needs.
    RoleArn pulumi.StringPtrInput
    // SSM Run Command targets
    // These run commands on the selected instances whenever the rule fires,
    // so review both the rule's pattern and the instance selection carefully.
    RunCommandTargets EventTargetRunCommandTargetArrayInput
    // SageMaker pipeline target
    SagemakerPipelineTarget EventTargetSagemakerPipelineTargetPtrInput
    // SQS FIFO queue configuration
    SqsTarget EventTargetSqsTargetPtrInput
    // Unique target ID within the rule (default: random)
    TargetId pulumi.StringPtrInput
}

Example: EventBridge Rule with SNS Target

import "encoding/json"

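// Match console sign-in events recorded by CloudTrail. The pattern filters on
// detail-type only, so successful and failed sign-ins both match.
patternJSON, err := json.Marshal(map[string]interface{}{
    "detail-type": []string{"AWS Console Sign In via CloudTrail"},
})
if err != nil {
    // Assumes the snippet runs inside a function that returns error, such as
    // the callback passed to pulumi.Run.
    return err
}

rule, err := cloudwatch.NewEventRule(ctx, "signInMonitor", &cloudwatch.EventRuleArgs{
    Name:         pulumi.String("capture-console-signin"),
    Description:  pulumi.String("Capture AWS Console sign-in events"),
    EventPattern: pulumi.String(string(patternJSON)),
})
if err != nil {
    // rule is nil on failure; reading rule.Name below would panic.
    return err
}

// alertTopic (created elsewhere) needs a topic policy that allows
// events.amazonaws.com to publish; without it matched events never reach the
// subscribers and the rule fails silently from the operator's point of view.
_, err = cloudwatch.NewEventTarget(ctx, "signInAlert", &cloudwatch.EventTargetArgs{
    Rule:     rule.Name,
    TargetId: pulumi.String("NotifySNS"),
    Arn:      alertTopic.Arn,
})
if err != nil {
    return err
}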

Example: Scheduled EventBridge Rule

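// Scheduled rule: the cron expression fires once a day at 08:00 UTC.
rule, err := cloudwatch.NewEventRule(ctx, "dailyReport", &cloudwatch.EventRuleArgs{
    Name:               pulumi.String("daily-report-generator"),
    ScheduleExpression: pulumi.String("cron(0 8 * * ? *)"),
    Description:        pulumi.String("Generate daily report at 8 AM UTC"),
})
if err != nil {
    // rule is nil on failure; reading rule.Name below would panic.
    // Assumes the snippet runs inside a function that returns error, such as
    // the callback passed to pulumi.Run.
    return err
}

// reportLambda (created elsewhere) also needs a resource-based permission
// that lets events.amazonaws.com invoke it, ideally restricted to this rule's
// ARN; the target alone does not grant that.
_, err = cloudwatch.NewEventTarget(ctx, "reportLambda", &cloudwatch.EventTargetArgs{
    Rule:     rule.Name,
    TargetId: pulumi.String("ReportGeneratorLambda"),
    Arn:      reportLambda.Arn,
})
if err != nil {
    return err
}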

CloudTrail

Available Functions

// Resource constructors
NewEventDataStore(ctx, name, args, opts) (*EventDataStore, error)
NewOrganizationDelegatedAdminAccount(ctx, name, args, opts) (*OrganizationDelegatedAdminAccount, error)
NewTrail(ctx, name, args, opts) (*Trail, error)

// Data source lookups
GetEventDataStore(ctx, name, id, state, opts) (*EventDataStore, error)
GetOrganizationDelegatedAdminAccount(ctx, name, id, state, opts) (*OrganizationDelegatedAdminAccount, error)
GetServiceAccount(ctx, args, opts) (*GetServiceAccountResult, error)
GetTrail(ctx, name, id, state, opts) (*Trail, error)

cloudtrail.Trail

Provides a CloudTrail resource that logs AWS API calls to S3 and optionally CloudWatch Logs.

Tip: For a multi-region trail, this resource must be in the home region of the trail.

Tip: For an organization trail, this resource must be in the management (formerly "master") account of the organization.

Constructor

func NewTrail(ctx *pulumi.Context,
    name string, args *TrailArgs, opts ...pulumi.ResourceOption) (*Trail, error)

TrailArgs

// TrailArgs holds the inputs passed to NewTrail.
type TrailArgs struct {
    // Advanced event selectors for data event logging. Conflicts with EventSelectors
    AdvancedEventSelectors TrailAdvancedEventSelectorArrayInput
    // Log group ARN for CloudWatch Logs delivery (must include ":*" wildcard)
    CloudWatchLogsGroupArn pulumi.StringPtrInput
    // IAM role ARN for CloudWatch Logs delivery
    // Limit this role to creating log streams and putting log events in the
    // one log group named by CloudWatchLogsGroupArn.
    CloudWatchLogsRoleArn pulumi.StringPtrInput
    // Enable log file integrity validation. Default: false
    // Validation produces digest files that let you detect log files that
    // were modified or deleted after delivery; the examples on this page set
    // it to true.
    EnableLogFileValidation pulumi.BoolPtrInput
    // Enable/disable CloudTrail logging. Default: true
    // Setting this to false stops the trail from recording events.
    EnableLogging pulumi.BoolPtrInput
    // Event selectors for data event logging. Conflicts with AdvancedEventSelectors
    EventSelectors TrailEventSelectorArrayInput
    // Log events from global services (e.g. IAM). Default: true
    IncludeGlobalServiceEvents pulumi.BoolPtrInput
    // Anomaly detection insight selectors
    InsightSelectors TrailInsightSelectorArrayInput
    // Log events in all regions. Default: false
    // With the default, activity in other regions is not captured by this trail.
    IsMultiRegionTrail pulumi.BoolPtrInput
    // Log events for all accounts in the organization. Default: false
    IsOrganizationTrail pulumi.BoolPtrInput
    // KMS key ARN for encrypting CloudTrail logs
    // The key policy must allow CloudTrail to use the key.
    KmsKeyId pulumi.StringPtrInput
    // Trail name (required)
    Name pulumi.StringPtrInput
    // AWS region override
    Region pulumi.StringPtrInput
    // S3 bucket name for log delivery (required)
    // The bucket needs a bucket policy that lets CloudTrail write to it.
    S3BucketName pulumi.StringInput
    // S3 key prefix for log files
    S3KeyPrefix pulumi.StringPtrInput
    // SNS topic for log file delivery notifications
    // NOTE(review): the field is named as a topic name although the original
    // comment said ARN; the Trail output exposes SnsTopicArn separately.
    SnsTopicName pulumi.StringPtrInput
    // Resource tags
    Tags pulumi.StringMapInput
}

Trail Output Fields

// Trail is the resource type returned by NewTrail. Every field is a pulumi
// Output; Arn, HomeRegion, SnsTopicArn and TagsAll have no counterpart in
// TrailArgs.
type Trail struct {
    pulumi.CustomResourceState

    AdvancedEventSelectors     TrailAdvancedEventSelectorArrayOutput
    Arn                        pulumi.StringOutput    // ARN of the trail
    CloudWatchLogsGroupArn     pulumi.StringPtrOutput
    CloudWatchLogsRoleArn      pulumi.StringPtrOutput
    EnableLogFileValidation     pulumi.BoolPtrOutput
    EnableLogging              pulumi.BoolPtrOutput
    EventSelectors             TrailEventSelectorArrayOutput
    HomeRegion                 pulumi.StringOutput    // Region the trail was created in
    IncludeGlobalServiceEvents pulumi.BoolPtrOutput
    InsightSelectors           TrailInsightSelectorArrayOutput
    IsMultiRegionTrail         pulumi.BoolPtrOutput
    IsOrganizationTrail        pulumi.BoolPtrOutput
    KmsKeyId                   pulumi.StringPtrOutput
    Name                       pulumi.StringOutput
    Region                     pulumi.StringOutput
    S3BucketName               pulumi.StringOutput
    S3KeyPrefix                pulumi.StringPtrOutput
    SnsTopicArn                pulumi.StringOutput
    SnsTopicName               pulumi.StringPtrOutput
    Tags                       pulumi.StringMapOutput
    TagsAll                    pulumi.StringMapOutput
}

Example: CloudTrail with CloudWatch Logs Integration

import (
    "fmt"
    "github.com/pulumi/pulumi-aws/sdk/v7/go/aws"
    "github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cloudtrail"
    "github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cloudwatch"
    "github.com/pulumi/pulumi-aws/sdk/v7/go/aws/iam"
    "github.com/pulumi/pulumi-aws/sdk/v7/go/aws/s3"
)

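// S3 bucket for CloudTrail logs.
// ForceDestroy is off: with it on, destroying the stack deletes the bucket
// together with every log object in it, which erases the audit record. Turn
// it on only for throwaway stacks.
// CloudTrail can deliver to the bucket only if a bucket policy grants
// cloudtrail.amazonaws.com access; that policy is not part of this example.
trailBucket, err := s3.NewBucket(ctx, "trailBucket", &s3.BucketArgs{
    Bucket:       pulumi.String("my-cloudtrail-logs"),
    ForceDestroy: pulumi.Bool(false),
})
if err != nil {
    // Assumes the snippet runs inside a function that returns error, such as
    // the callback passed to pulumi.Run.
    return err
}

// CloudWatch log group for CloudTrail. Set KmsKeyId as well if the trail's
// events should be encrypted with a customer managed key.
trailLogGroup, err := cloudwatch.NewLogGroup(ctx, "trailLogs", &cloudwatch.LogGroupArgs{
    Name:            pulumi.String("/aws/cloudtrail/my-trail"),
    RetentionInDays: pulumi.Int(90),
})
if err != nil {
    return err
}

// CloudTrail trail: multi-region, with global service events and log file
// integrity validation enabled.
// trailRole is not defined in this example: it is the IAM role CloudTrail
// assumes to write to the log group. Limit it to creating log streams and
// putting log events in trailLogGroup.
trail, err := cloudtrail.NewTrail(ctx, "mainTrail", &cloudtrail.TrailArgs{
    Name:                       pulumi.String("main-trail"),
    S3BucketName:               trailBucket.ID(),
    IncludeGlobalServiceEvents: pulumi.Bool(true),
    IsMultiRegionTrail:         pulumi.Bool(true),
    EnableLogFileValidation:    pulumi.Bool(true),
    // LogGroup.Arn has no ":*" suffix, and CloudTrail requires it.
    CloudWatchLogsGroupArn: pulumi.Sprintf("%v:*", trailLogGroup.Arn),
    CloudWatchLogsRoleArn:  trailRole.Arn,
    Tags: pulumi.StringMap{
        "Environment": pulumi.String("production"),
    },
})
if err != nil {
    return err
}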

Example: Multi-Region Trail with S3 Data Events

// Multi-region trail that records management events plus S3 object-level
// (data) events, with log file validation and KMS encryption. auditBucket and
// kmsKey are assumed to be created earlier; they are not shown here.
trail, err := cloudtrail.NewTrail(ctx, "fullAuditTrail", &cloudtrail.TrailArgs{
    Name:                       pulumi.String("full-audit-trail"),
    S3BucketName:               auditBucket.ID(),
    IsMultiRegionTrail:         pulumi.Bool(true),
    IncludeGlobalServiceEvents: pulumi.Bool(true),
    EnableLogFileValidation:    pulumi.Bool(true),
    // The key policy on kmsKey must allow CloudTrail to encrypt with the key,
    // and whoever reads the logs needs decrypt permission on it.
    KmsKeyId:                   kmsKey.Arn,
    EventSelectors: cloudtrail.TrailEventSelectorArray{
        &cloudtrail.TrailEventSelectorArgs{
            // "All" records both read and write operations.
            ReadWriteType:           pulumi.String("All"),
            IncludeManagementEvents: pulumi.Bool(true),
            DataResources: cloudtrail.TrailEventSelectorDataResourceArray{
                &cloudtrail.TrailEventSelectorDataResourceArgs{
                    Type: pulumi.String("AWS::S3::Object"),
                    // NOTE(review): this prefix is meant to cover objects in
                    // every bucket. Confirm the exact form against the
                    // CloudTrail data-resource documentation. If it does match
                    // every bucket, that includes the trail's own log bucket.
                    Values: pulumi.StringArray{
                        pulumi.String("arn:aws:s3:::"),
                    },
                },
            },
        },
    },
})

Common Monitoring Patterns

Alarm on Lambda Error Rate

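// Alarm as soon as the function reports any error: the Sum of Errors over one
// 60-second period is compared with a threshold of 0. myLambda and oncallTopic
// are assumed to be created earlier; they are not shown here.
lambdaErrorAlarm, err := cloudwatch.NewMetricAlarm(ctx, "lambdaErrors", &cloudwatch.MetricAlarmArgs{
    Name:               pulumi.String("lambda-error-rate"),
    ComparisonOperator: pulumi.String("GreaterThanThreshold"),
    EvaluationPeriods:  pulumi.Int(1),
    MetricName:         pulumi.String("Errors"),
    Namespace:          pulumi.String("AWS/Lambda"),
    Period:             pulumi.Int(60),
    Statistic:          pulumi.String("Sum"),
    Threshold:          pulumi.Float64(0),
    // Periods without datapoints count as healthy, so an idle function does
    // not raise the alarm.
    TreatMissingData: pulumi.String("notBreaching"),
    Dimensions: pulumi.StringMap{
        "FunctionName": myLambda.Name,
    },
    AlarmActions: pulumi.Array{oncallTopic.Arn},
})
if err != nil {
    // Assumes the snippet runs inside a function that returns error, such as
    // the callback passed to pulumi.Run.
    return err
}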

Log Metric Filter + Alarm

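// Create a metric filter for application errors: each log event whose third
// space-delimited field is ERROR adds 1 to MyApp/Logs ApplicationErrors.
// appLogGroup and alertTopic are assumed to be created earlier.
filter, err := cloudwatch.NewLogMetricFilter(ctx, "errorFilter", &cloudwatch.LogMetricFilterArgs{
    Name:         pulumi.String("application-errors"),
    Pattern:      pulumi.String("[timestamp, requestId, level=ERROR, ...]"),
    LogGroupName: appLogGroup.Name,
    MetricTransformation: &cloudwatch.LogMetricFilterMetricTransformationArgs{
        Name:      pulumi.String("ApplicationErrors"),
        Namespace: pulumi.String("MyApp/Logs"),
        Value:     pulumi.String("1"),
    },
})
if err != nil {
    // Assumes the snippet runs inside a function that returns error, such as
    // the callback passed to pulumi.Run.
    return err
}

// Alarm on the custom metric: more than 5 errors in a 300-second period.
// MetricName and Namespace must match the filter's MetricTransformation
// exactly; they are plain strings, so a typo yields an alarm on a metric that
// never receives data.
// The filter publishes a datapoint only when a log event matches, and
// TreatMissingData is not set, so the alarm reports INSUFFICIENT_DATA between
// errors.
_, err = cloudwatch.NewMetricAlarm(ctx, "appErrorAlarm", &cloudwatch.MetricAlarmArgs{
    Name:               pulumi.String("app-error-count"),
    ComparisonOperator: pulumi.String("GreaterThanThreshold"),
    EvaluationPeriods:  pulumi.Int(1),
    MetricName:         pulumi.String("ApplicationErrors"),
    Namespace:          pulumi.String("MyApp/Logs"),
    Period:             pulumi.Int(300),
    Statistic:          pulumi.String("Sum"),
    Threshold:          pulumi.Float64(5),
    AlarmActions:       pulumi.Array{alertTopic.Arn},
})
if err != nil {
    return err
}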

Install with Tessl CLI

npx tessl i tessl/golang-github-com-pulumi-pulumi-aws-sdk-v7
