diff --git a/builtin/providers/aws/import_aws_cloudwatch_log_destination_policy_test.go b/builtin/providers/aws/import_aws_cloudwatch_log_destination_policy_test.go
new file mode 100644
index 000000000..f7c4a7f35
--- /dev/null
+++ b/builtin/providers/aws/import_aws_cloudwatch_log_destination_policy_test.go
@@ -0,0 +1,31 @@
+package aws
+
+import (
+ "testing"
+
+ "github.com/hashicorp/terraform/helper/acctest"
+ "github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccAWSCloudwatchLogDestinationPolicy_importBasic(t *testing.T) {
+ resourceName := "aws_cloudwatch_log_destination_policy.test"
+
+ rstring := acctest.RandString(5)
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSCloudwatchLogDestinationPolicyDestroy,
+ Steps: []resource.TestStep{
+ resource.TestStep{
+ Config: testAccAWSCloudwatchLogDestinationPolicyConfig(rstring),
+ },
+
+ resource.TestStep{
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
diff --git a/builtin/providers/aws/import_aws_cloudwatch_log_destination_test.go b/builtin/providers/aws/import_aws_cloudwatch_log_destination_test.go
new file mode 100644
index 000000000..b0c1d2535
--- /dev/null
+++ b/builtin/providers/aws/import_aws_cloudwatch_log_destination_test.go
@@ -0,0 +1,31 @@
+package aws
+
+import (
+ "testing"
+
+ "github.com/hashicorp/terraform/helper/acctest"
+ "github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccAWSCloudwatchLogDestination_importBasic(t *testing.T) {
+ resourceName := "aws_cloudwatch_log_destination.test"
+
+ rstring := acctest.RandString(5)
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSCloudwatchLogDestinationDestroy,
+ Steps: []resource.TestStep{
+ resource.TestStep{
+ Config: testAccAWSCloudwatchLogDestinationConfig(rstring),
+ },
+
+ resource.TestStep{
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
diff --git a/builtin/providers/aws/provider.go b/builtin/providers/aws/provider.go
index dca9a0c0e..8cd8cc432 100644
--- a/builtin/providers/aws/provider.go
+++ b/builtin/providers/aws/provider.go
@@ -232,6 +232,8 @@ func Provider() terraform.ResourceProvider {
"aws_cloudtrail": resourceAwsCloudTrail(),
"aws_cloudwatch_event_rule": resourceAwsCloudWatchEventRule(),
"aws_cloudwatch_event_target": resourceAwsCloudWatchEventTarget(),
+ "aws_cloudwatch_log_destination": resourceAwsCloudWatchLogDestination(),
+ "aws_cloudwatch_log_destination_policy": resourceAwsCloudWatchLogDestinationPolicy(),
"aws_cloudwatch_log_group": resourceAwsCloudWatchLogGroup(),
"aws_cloudwatch_log_metric_filter": resourceAwsCloudWatchLogMetricFilter(),
"aws_cloudwatch_log_stream": resourceAwsCloudWatchLogStream(),
diff --git a/builtin/providers/aws/resource_aws_cloudwatch_log_destination.go b/builtin/providers/aws/resource_aws_cloudwatch_log_destination.go
new file mode 100644
index 000000000..172630648
--- /dev/null
+++ b/builtin/providers/aws/resource_aws_cloudwatch_log_destination.go
@@ -0,0 +1,150 @@
+package aws
+
+import (
+ "fmt"
+ "strings"
+ "time"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/aws/awserr"
+ "github.com/aws/aws-sdk-go/service/cloudwatchlogs"
+ "github.com/hashicorp/terraform/helper/resource"
+ "github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsCloudWatchLogDestination() *schema.Resource {
+ return &schema.Resource{
+ Create: resourceAwsCloudWatchLogDestinationPut,
+ Update: resourceAwsCloudWatchLogDestinationPut,
+ Read: resourceAwsCloudWatchLogDestinationRead,
+ Delete: resourceAwsCloudWatchLogDestinationDelete,
+
+ Importer: &schema.ResourceImporter{
+ State: func(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+ d.Set("name", d.Id())
+ return []*schema.ResourceData{d}, nil
+ },
+ },
+
+ Schema: map[string]*schema.Schema{
+ "name": &schema.Schema{
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ },
+
+ "role_arn": &schema.Schema{
+ Type: schema.TypeString,
+ Required: true,
+ },
+
+ "target_arn": &schema.Schema{
+ Type: schema.TypeString,
+ Required: true,
+ },
+
+ "arn": &schema.Schema{
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ },
+ }
+}
+
+func resourceAwsCloudWatchLogDestinationPut(d *schema.ResourceData, meta interface{}) error {
+ conn := meta.(*AWSClient).cloudwatchlogsconn
+
+ name := d.Get("name").(string)
+ role_arn := d.Get("role_arn").(string)
+ target_arn := d.Get("target_arn").(string)
+
+ params := &cloudwatchlogs.PutDestinationInput{
+ DestinationName: aws.String(name),
+ RoleArn: aws.String(role_arn),
+ TargetArn: aws.String(target_arn),
+ }
+
+ return resource.Retry(3*time.Minute, func() *resource.RetryError {
+ resp, err := conn.PutDestination(params)
+
+ if err == nil {
+ d.SetId(name)
+ d.Set("arn", *resp.Destination.Arn)
+ }
+
+ awsErr, ok := err.(awserr.Error)
+ if !ok {
+ return resource.RetryableError(err)
+ }
+
+ if awsErr.Code() == "InvalidParameterException" {
+ if strings.Contains(awsErr.Message(), "Could not deliver test message to specified") {
+ return resource.RetryableError(err)
+ }
+ return resource.NonRetryableError(err)
+ }
+
+ return resource.NonRetryableError(err)
+ })
+}
+
+func resourceAwsCloudWatchLogDestinationRead(d *schema.ResourceData, meta interface{}) error {
+ conn := meta.(*AWSClient).cloudwatchlogsconn
+ name := d.Get("name").(string)
+ destination, exists, err := lookupCloudWatchLogDestination(conn, name, nil)
+ if err != nil {
+ return err
+ }
+
+ if !exists {
+ d.SetId("")
+ return nil
+ }
+
+ d.SetId(name)
+ d.Set("arn", destination.Arn)
+ d.Set("role_arn", destination.RoleArn)
+ d.Set("target_arn", destination.TargetArn)
+
+ return nil
+}
+
+func resourceAwsCloudWatchLogDestinationDelete(d *schema.ResourceData, meta interface{}) error {
+ conn := meta.(*AWSClient).cloudwatchlogsconn
+
+ name := d.Get("name").(string)
+
+ params := &cloudwatchlogs.DeleteDestinationInput{
+ DestinationName: aws.String(name),
+ }
+ _, err := conn.DeleteDestination(params)
+ if err != nil {
+ return fmt.Errorf("Error deleting Destination with name %s", name)
+ }
+ d.SetId("")
+ return nil
+}
+
+func lookupCloudWatchLogDestination(conn *cloudwatchlogs.CloudWatchLogs,
+ name string, nextToken *string) (*cloudwatchlogs.Destination, bool, error) {
+ input := &cloudwatchlogs.DescribeDestinationsInput{
+ DestinationNamePrefix: aws.String(name),
+ NextToken: nextToken,
+ }
+ resp, err := conn.DescribeDestinations(input)
+ if err != nil {
+ return nil, true, err
+ }
+
+ for _, destination := range resp.Destinations {
+ if *destination.DestinationName == name {
+ return destination, true, nil
+ }
+ }
+
+ if resp.NextToken != nil {
+ return lookupCloudWatchLogDestination(conn, name, resp.NextToken)
+ }
+
+ return nil, false, nil
+}
diff --git a/builtin/providers/aws/resource_aws_cloudwatch_log_destination_policy.go b/builtin/providers/aws/resource_aws_cloudwatch_log_destination_policy.go
new file mode 100644
index 000000000..704dacf45
--- /dev/null
+++ b/builtin/providers/aws/resource_aws_cloudwatch_log_destination_policy.go
@@ -0,0 +1,88 @@
+package aws
+
+import (
+ "fmt"
+
+ "github.com/hashicorp/terraform/helper/schema"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/service/cloudwatchlogs"
+)
+
+func resourceAwsCloudWatchLogDestinationPolicy() *schema.Resource {
+ return &schema.Resource{
+ Create: resourceAwsCloudWatchLogDestinationPolicyPut,
+ Update: resourceAwsCloudWatchLogDestinationPolicyPut,
+ Read: resourceAwsCloudWatchLogDestinationPolicyRead,
+ Delete: resourceAwsCloudWatchLogDestinationPolicyDelete,
+
+ Importer: &schema.ResourceImporter{
+ State: func(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+ d.Set("destination_name", d.Id())
+ return []*schema.ResourceData{d}, nil
+ },
+ },
+
+ Schema: map[string]*schema.Schema{
+ "destination_name": &schema.Schema{
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ },
+
+ "access_policy": &schema.Schema{
+ Type: schema.TypeString,
+ Required: true,
+ },
+ },
+ }
+}
+
+func resourceAwsCloudWatchLogDestinationPolicyPut(d *schema.ResourceData, meta interface{}) error {
+ conn := meta.(*AWSClient).cloudwatchlogsconn
+
+ destination_name := d.Get("destination_name").(string)
+ access_policy := d.Get("access_policy").(string)
+
+ params := &cloudwatchlogs.PutDestinationPolicyInput{
+ DestinationName: aws.String(destination_name),
+ AccessPolicy: aws.String(access_policy),
+ }
+
+ _, err := conn.PutDestinationPolicy(params)
+
+ if err != nil {
+ return fmt.Errorf("Error creating DestinationPolicy with destination_name %s: %#v", destination_name, err)
+ }
+
+ d.SetId(destination_name)
+ return resourceAwsCloudWatchLogDestinationPolicyRead(d, meta)
+}
+
+func resourceAwsCloudWatchLogDestinationPolicyRead(d *schema.ResourceData, meta interface{}) error {
+ conn := meta.(*AWSClient).cloudwatchlogsconn
+ destination_name := d.Get("destination_name").(string)
+ destination, exists, err := lookupCloudWatchLogDestination(conn, destination_name, nil)
+ if err != nil {
+ return err
+ }
+
+ if !exists {
+ d.SetId("")
+ return nil
+ }
+
+ if destination.AccessPolicy != nil {
+ d.SetId(destination_name)
+ d.Set("access_policy", *destination.AccessPolicy)
+ } else {
+ d.SetId("")
+ }
+
+ return nil
+}
+
+func resourceAwsCloudWatchLogDestinationPolicyDelete(d *schema.ResourceData, meta interface{}) error {
+ d.SetId("")
+ return nil
+}
diff --git a/builtin/providers/aws/resource_aws_cloudwatch_log_destination_policy_test.go b/builtin/providers/aws/resource_aws_cloudwatch_log_destination_policy_test.go
new file mode 100644
index 000000000..c1ba60fc1
--- /dev/null
+++ b/builtin/providers/aws/resource_aws_cloudwatch_log_destination_policy_test.go
@@ -0,0 +1,164 @@
+package aws
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/aws/aws-sdk-go/service/cloudwatchlogs"
+ "github.com/hashicorp/terraform/helper/acctest"
+ "github.com/hashicorp/terraform/helper/resource"
+ "github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSCloudwatchLogDestinationPolicy_basic(t *testing.T) {
+ var destination cloudwatchlogs.Destination
+
+ rstring := acctest.RandString(5)
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSCloudwatchLogDestinationPolicyDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSCloudwatchLogDestinationPolicyConfig(rstring),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSCloudwatchLogDestinationPolicyExists("aws_cloudwatch_log_destination_policy.test", &destination),
+ ),
+ },
+ },
+ })
+}
+
+func testAccCheckAWSCloudwatchLogDestinationPolicyDestroy(s *terraform.State) error {
+ conn := testAccProvider.Meta().(*AWSClient).cloudwatchlogsconn
+
+ for _, rs := range s.RootModule().Resources {
+ if rs.Type != "aws_cloudwatch_log_destination_policy" {
+ continue
+ }
+ _, exists, err := lookupCloudWatchLogDestination(conn, rs.Primary.ID, nil)
+ if err != nil {
+ return nil
+ }
+
+ if exists {
+ return fmt.Errorf("Bad: Destination Policy still exists: %q", rs.Primary.ID)
+ }
+ }
+
+ return nil
+
+}
+
+func testAccCheckAWSCloudwatchLogDestinationPolicyExists(n string, d *cloudwatchlogs.Destination) resource.TestCheckFunc {
+ return func(s *terraform.State) error {
+ rs, ok := s.RootModule().Resources[n]
+ if !ok {
+ return fmt.Errorf("Not found: %s", n)
+ }
+
+ conn := testAccProvider.Meta().(*AWSClient).cloudwatchlogsconn
+ destination, exists, err := lookupCloudWatchLogDestination(conn, rs.Primary.ID, nil)
+ if err != nil {
+ return err
+ }
+ if !exists || destination.AccessPolicy == nil {
+ return fmt.Errorf("Bad: Destination Policy %q does not exist", rs.Primary.ID)
+ }
+
+ *d = *destination
+
+ return nil
+ }
+}
+
+func testAccAWSCloudwatchLogDestinationPolicyConfig(rstring string) string {
+ return fmt.Sprintf(`
+resource "aws_kinesis_stream" "test" {
+ name = "RootAccess_%s"
+ shard_count = 1
+}
+
+data "aws_region" "current" {
+ current = true
+}
+
+data "aws_iam_policy_document" "role" {
+ statement {
+ effect = "Allow"
+ principals = {
+ type = "Service"
+ identifiers = [
+ "logs.${data.aws_region.current.name}.amazonaws.com"
+ ]
+ }
+ actions = [
+ "sts:AssumeRole",
+ ]
+ }
+}
+
+resource "aws_iam_role" "test" {
+ name = "CWLtoKinesisRole_%s"
+ assume_role_policy = "${data.aws_iam_policy_document.role.json}"
+}
+
+data "aws_iam_policy_document" "policy" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "kinesis:PutRecord",
+ ]
+ resources = [
+ "${aws_kinesis_stream.test.arn}"
+ ]
+ }
+ statement {
+ effect = "Allow"
+ actions = [
+ "iam:PassRole"
+ ]
+ resources = [
+ "${aws_iam_role.test.arn}"
+ ]
+ }
+}
+
+resource "aws_iam_role_policy" "test" {
+ name = "Permissions-Policy-For-CWL_%s"
+ role = "${aws_iam_role.test.id}"
+ policy = "${data.aws_iam_policy_document.policy.json}"
+}
+
+resource "aws_cloudwatch_log_destination" "test" {
+ name = "testDestination_%s"
+ target_arn = "${aws_kinesis_stream.test.arn}"
+ role_arn = "${aws_iam_role.test.arn}"
+ depends_on = ["aws_iam_role_policy.test"]
+}
+
+data "aws_iam_policy_document" "access" {
+ statement {
+ effect = "Allow"
+ principals = {
+ type = "AWS"
+ identifiers = [
+ "000000000000"
+ ]
+ }
+ actions = [
+ "logs:PutSubscriptionFilter"
+ ]
+ resources = [
+ "${aws_cloudwatch_log_destination.test.arn}"
+ ]
+ }
+}
+
+resource "aws_cloudwatch_log_destination_policy" "test" {
+ destination_name = "${aws_cloudwatch_log_destination.test.name}"
+ access_policy = "${data.aws_iam_policy_document.access.json}"
+}
+`, rstring, rstring, rstring, rstring)
+}
diff --git a/builtin/providers/aws/resource_aws_cloudwatch_log_destination_test.go b/builtin/providers/aws/resource_aws_cloudwatch_log_destination_test.go
new file mode 100644
index 000000000..2996122fe
--- /dev/null
+++ b/builtin/providers/aws/resource_aws_cloudwatch_log_destination_test.go
@@ -0,0 +1,164 @@
+package aws
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/aws/aws-sdk-go/service/cloudwatchlogs"
+ "github.com/hashicorp/terraform/helper/acctest"
+ "github.com/hashicorp/terraform/helper/resource"
+ "github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSCloudwatchLogDestination_basic(t *testing.T) {
+ var destination cloudwatchlogs.Destination
+
+ rstring := acctest.RandString(5)
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSCloudwatchLogDestinationDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSCloudwatchLogDestinationConfig(rstring),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSCloudwatchLogDestinationExists("aws_cloudwatch_log_destination.test", &destination),
+ ),
+ },
+ },
+ })
+}
+
+func testAccCheckAWSCloudwatchLogDestinationDestroy(s *terraform.State) error {
+ conn := testAccProvider.Meta().(*AWSClient).cloudwatchlogsconn
+
+ for _, rs := range s.RootModule().Resources {
+ if rs.Type != "aws_cloudwatch_log_destination" {
+ continue
+ }
+ _, exists, err := lookupCloudWatchLogDestination(conn, rs.Primary.ID, nil)
+ if err != nil {
+ return nil
+ }
+
+ if exists {
+ return fmt.Errorf("Bad: Destination still exists: %q", rs.Primary.ID)
+ }
+ }
+
+ return nil
+
+}
+
+func testAccCheckAWSCloudwatchLogDestinationExists(n string, d *cloudwatchlogs.Destination) resource.TestCheckFunc {
+ return func(s *terraform.State) error {
+ rs, ok := s.RootModule().Resources[n]
+ if !ok {
+ return fmt.Errorf("Not found: %s", n)
+ }
+
+ conn := testAccProvider.Meta().(*AWSClient).cloudwatchlogsconn
+ destination, exists, err := lookupCloudWatchLogDestination(conn, rs.Primary.ID, nil)
+ if err != nil {
+ return err
+ }
+ if !exists {
+ return fmt.Errorf("Bad: Destination %q does not exist", rs.Primary.ID)
+ }
+
+ *d = *destination
+
+ return nil
+ }
+}
+
+func testAccAWSCloudwatchLogDestinationConfig(rstring string) string {
+ return fmt.Sprintf(`
+resource "aws_kinesis_stream" "test" {
+ name = "RootAccess_%s"
+ shard_count = 1
+}
+
+data "aws_region" "current" {
+ current = true
+}
+
+data "aws_iam_policy_document" "role" {
+ statement {
+ effect = "Allow"
+ principals = {
+ type = "Service"
+ identifiers = [
+ "logs.${data.aws_region.current.name}.amazonaws.com"
+ ]
+ }
+ actions = [
+ "sts:AssumeRole",
+ ]
+ }
+}
+
+resource "aws_iam_role" "test" {
+ name = "CWLtoKinesisRole_%s"
+ assume_role_policy = "${data.aws_iam_policy_document.role.json}"
+}
+
+data "aws_iam_policy_document" "policy" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "kinesis:PutRecord",
+ ]
+ resources = [
+ "${aws_kinesis_stream.test.arn}"
+ ]
+ }
+ statement {
+ effect = "Allow"
+ actions = [
+ "iam:PassRole"
+ ]
+ resources = [
+ "${aws_iam_role.test.arn}"
+ ]
+ }
+}
+
+resource "aws_iam_role_policy" "test" {
+ name = "Permissions-Policy-For-CWL_%s"
+ role = "${aws_iam_role.test.id}"
+ policy = "${data.aws_iam_policy_document.policy.json}"
+}
+
+resource "aws_cloudwatch_log_destination" "test" {
+ name = "testDestination_%s"
+ target_arn = "${aws_kinesis_stream.test.arn}"
+ role_arn = "${aws_iam_role.test.arn}"
+ depends_on = ["aws_iam_role_policy.test"]
+}
+
+data "aws_iam_policy_document" "access" {
+ statement {
+ effect = "Allow"
+ principals = {
+ type = "AWS"
+ identifiers = [
+ "000000000000"
+ ]
+ }
+ actions = [
+ "logs:PutSubscriptionFilter"
+ ]
+ resources = [
+ "${aws_cloudwatch_log_destination.test.arn}"
+ ]
+ }
+}
+
+resource "aws_cloudwatch_log_destination_policy" "test" {
+ destination_name = "${aws_cloudwatch_log_destination.test.name}"
+ access_policy = "${data.aws_iam_policy_document.access.json}"
+}
+`, rstring, rstring, rstring, rstring)
+}
diff --git a/builtin/providers/aws/resource_aws_cloudwatch_log_subscription_filter.go b/builtin/providers/aws/resource_aws_cloudwatch_log_subscription_filter.go
index 479a78dba..4d17859d5 100644
--- a/builtin/providers/aws/resource_aws_cloudwatch_log_subscription_filter.go
+++ b/builtin/providers/aws/resource_aws_cloudwatch_log_subscription_filter.go
@@ -4,6 +4,7 @@ import (
"bytes"
"fmt"
"log"
+ "strings"
"time"
"github.com/aws/aws-sdk-go/aws"
@@ -56,7 +57,7 @@ func resourceAwsCloudwatchLogSubscriptionFilterCreate(d *schema.ResourceData, me
params := getAwsCloudWatchLogsSubscriptionFilterInput(d)
log.Printf("[DEBUG] Creating SubscriptionFilter %#v", params)
- return resource.Retry(30*time.Second, func() *resource.RetryError {
+ return resource.Retry(3*time.Minute, func() *resource.RetryError {
_, err := conn.PutSubscriptionFilter(¶ms)
if err == nil {
@@ -71,6 +72,9 @@ func resourceAwsCloudwatchLogSubscriptionFilterCreate(d *schema.ResourceData, me
if awsErr.Code() == "InvalidParameterException" {
log.Printf("[DEBUG] Caught message: %q, code: %q: Retrying", awsErr.Message(), awsErr.Code())
+ if strings.Contains(awsErr.Message(), "Could not deliver test message to specified") {
+ return resource.RetryableError(err)
+ }
resource.NonRetryableError(err)
}
diff --git a/website/source/docs/providers/aws/r/cloudwatch_log_destination.html.markdown b/website/source/docs/providers/aws/r/cloudwatch_log_destination.html.markdown
new file mode 100644
index 000000000..d1b1e9238
--- /dev/null
+++ b/website/source/docs/providers/aws/r/cloudwatch_log_destination.html.markdown
@@ -0,0 +1,43 @@
+---
+layout: "aws"
+page_title: "AWS: aws_cloudwatch_log_destination"
+sidebar_current: "docs-aws-resource-cloudwatch-log-destination"
+description: |-
+ Provides a CloudWatch Logs destination.
+---
+
+# aws\_cloudwatch\_log\_destination
+
+Provides a CloudWatch Logs destination resource.
+
+## Example Usage
+
+```
+resource "aws_cloudwatch_log_destination" "test_destination" {
+ name = "test_destination"
+ role_arn = "${aws_iam_role.iam_for_cloudwatch.arn}"
+ target_arn = "${aws_kinesis_stream.kinesis_for_cloudwatch.arn}"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required) A name for the log destination
+* `role_arn` - (Required) The ARN of an IAM role that grants Amazon CloudWatch Logs permissions to put data into the target
+* `target_arn` - (Required) The ARN of the target Amazon Kinesis stream or Amazon Lambda resource for the destination
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `arn` - The Amazon Resource Name (ARN) specifying the log destination.
+
+## Import
+
+CloudWatch Logs destinations can be imported using the `name`, e.g.
+
+```
+$ terraform import aws_cloudwatch_log_destination.test_destination test_destination
+```
diff --git a/website/source/docs/providers/aws/r/cloudwatch_log_destination_policy.html.markdown b/website/source/docs/providers/aws/r/cloudwatch_log_destination_policy.html.markdown
new file mode 100644
index 000000000..452e254dd
--- /dev/null
+++ b/website/source/docs/providers/aws/r/cloudwatch_log_destination_policy.html.markdown
@@ -0,0 +1,63 @@
+---
+layout: "aws"
+page_title: "AWS: aws_cloudwatch_log_destination_policy"
+sidebar_current: "docs-aws-resource-cloudwatch-log-destination-policy"
+description: |-
+ Provides a CloudWatch Logs destination policy.
+---
+
+# aws\_cloudwatch\_log\_destination\_policy
+
+Provides a CloudWatch Logs destination policy resource.
+
+## Example Usage
+
+```
+resource "aws_cloudwatch_log_destination" "test_destination" {
+ name = "test_destination"
+ role_arn = "${aws_iam_role.iam_for_cloudwatch.arn}"
+ target_arn = "${aws_kinesis_stream.kinesis_for_cloudwatch.arn}"
+}
+
+data "aws_iam_policy_document" "test_destination_policy" {
+ statement {
+ effect = "Allow"
+
+ principals = {
+ type = "AWS"
+
+ identifiers = [
+ "123456789012",
+ ]
+ }
+
+ actions = [
+ "logs:PutSubscriptionFilter",
+ ]
+
+ resources = [
+ "${aws_cloudwatch_log_destination.test_destination.arn}",
+ ]
+ }
+}
+
+resource "aws_cloudwatch_log_destination_policy" "test_destination_policy" {
+ destination_name = "${aws_cloudwatch_log_destination.test_destination.name}"
+ access_policy = "${data.aws_iam_policy_document.test_destination_policy.json}"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `destination_name` - (Required) A name for the subscription filter
+* `access_policy` - (Required) The policy document. This is a JSON formatted string.
+
+## Import
+
+CloudWatch Logs destination policies can be imported using the `destination_name`, e.g.
+
+```
+$ terraform import aws_cloudwatch_log_destination_policy.test_destination_policy test_destination
+```
diff --git a/website/source/layouts/aws.erb b/website/source/layouts/aws.erb
index faeb43b2d..00214771f 100644
--- a/website/source/layouts/aws.erb
+++ b/website/source/layouts/aws.erb
@@ -231,6 +231,14 @@
aws_cloudwatch_event_target
+ >
+ aws_cloudwatch_log_destination
+
+
+ >
+ aws_cloudwatch_log_destination_policy
+
+
>
aws_cloudwatch_log_group