aws_cloudwatch_log_group Resource
Use the aws_cloudwatch_log_group InSpec audit resource to test properties of a single AWS CloudWatch Log Group.
For additional information, including details on parameters and properties, see the AWS documentation on CloudWatch Logs.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
Ensure that an aws_cloudwatch_log_group exists
describe aws_cloudwatch_log_group('my_log_group') do
it { should exist }
end
describe aws_cloudwatch_log_group(log_group_name: 'my_log_group') do
it { should exist }
end
Parameters
log_group_name(required)This resource accepts a single parameter, the log group name which uniquely identifies the CloudWatch Log Group. This can be passed either as a string or as a
log_group_name: 'value'key-value entry in a hash.limit(optional)This resource accepts a single parameter, an integer representing the number of results allowed to return. If not passed, in, this defaults to
1, which will only return the first match to thelog_group_name. This can be passed as alimit: 'value'key-value entry in a hash.
Properties
retention_in_days- The number of days to retain the log events in the specified log group.
kms_key_id- The Amazon Resource Name (ARN) of the CMK to use when encrypting log data.
tags- The tags for the log group.
Examples
Test tags on the CloudWatch Log Group.
describe aws_cloudwatch_log_group('my_log_group') do
its('tags') { should include(:Environment => 'env-name',
:Name => 'my_log_group')}
end
AWS Permissions
Your Principal will need the CloudWatchLogs:Client:DescribeLogGroupsResponse and CloudWatchLogs:Client:ListTagsLogGroupResponse actions with Effect set to Allow.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon CloudWatch Logs.