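import * as pulumi from "@pulumi/pulumi";
// NOTE(review): this copy of the declarations had lost its generic type arguments
// (bare `pulumi.Input` / `pulumi.Output`, and the unparseable `pulumi.Input[]>`).
// They are restored below following the usual Pulumi codegen shapes; confirm the
// `| undefined` members and `pulumi.ID` against the published package.
/**
 * The logstreamConfiguration resource allows you to configure streaming configuration or network flow logs to a supported security information and event management (SIEM) system. See https://tailscale.com/kb/1255/log-streaming for more information.
 *
 * ## Credential inputs
 *
 * `token`, `s3SecretAccessKey` and `gcsCredentials` carry credential material. The string
 * literals in the examples below are placeholders; in a real program, read these values
 * from encrypted stack configuration (for example `new pulumi.Config().requireSecret("...")`)
 * so they are stored encrypted in the stack state and stay out of source control.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as tailscale from "@pulumi/tailscale";
 *
 * // Example configuration for a non-S3 logstreaming endpoint
 * const sampleLogstreamConfiguration = new tailscale.LogstreamConfiguration("sample_logstream_configuration", {
 *     logType: "configuration",
 *     destinationType: "panther",
 *     url: "https://example.com",
 *     token: "some-token", // placeholder: supply as a Pulumi secret
 * });
 * // Example configuration for an AWS S3 logstreaming endpoint
 * const sampleLogstreamConfigurationS3 = new tailscale.LogstreamConfiguration("sample_logstream_configuration_s3", {
 *     logType: "configuration",
 *     destinationType: "s3",
 *     s3Bucket: tailscaleLogs.id,
 *     s3Region: "us-west-2",
 *     s3AuthenticationType: "rolearn",
 *     s3RoleArn: tailscaleLogsWriter.arn,
 *     s3ExternalId: prod.externalId,
 * });
 * // Example configuration for an S3-compatible logstreaming endpoint
 * const sampleLogstreamConfigurationS3Compatible = new tailscale.LogstreamConfiguration("sample_logstream_configuration_s3_compatible", {
 *     logType: "configuration",
 *     destinationType: "s3",
 *     url: "https://s3.example.com",
 *     s3Bucket: "example-bucket",
 *     s3Region: "us-west-2",
 *     s3AuthenticationType: "accesskey",
 *     s3AccessKeyId: "some-access-key",
 *     s3SecretAccessKey: "some-secret-key", // placeholder: supply as a Pulumi secret
 * });
 * // Example configuration for a GCS logstreaming endpoint using workload identity
 * const sampleLogstreamConfigurationGcsWif = new tailscale.LogstreamConfiguration("sample_logstream_configuration_gcs_wif", {
 *     logType: "configuration",
 *     destinationType: "gcs",
 *     gcsBucket: "example-gcs-bucket",
 *     gcsCredentials: JSON.stringify({
 *         type: "external_account",
 *         audience: "//iam.googleapis.com/projects/12345678/locations/global/workloadIdentityPools/example-pool/providers/example-provider",
 *         subject_token_type: "urn:ietf:params:aws:token-type:aws4_request",
 *         service_account_impersonation_url: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/example@example.iam.gserviceaccount.com:generateAccessToken",
 *         token_url: "https://sts.googleapis.com/v1/token",
 *         credential_source: {
 *             environment_id: "aws1",
 *             region_url: "http://169.254.169.254/latest/meta-data/placement/availability-zone",
 *             url: "http://169.254.169.254/latest/meta-data/iam/security-credentials",
 *             regional_cred_verification_url: "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
 *             imdsv2_session_token_url: "http://169.254.169.254/latest/api/token",
 *         },
 *     }),
 * });
 * ```
 *
 * ## Import
 *
 * A logstream configuration can be imported with `pulumi import` using the logstream configuration id, e.g.,
 *
 * ```sh
 * $ pulumi import tailscale:index/logstreamConfiguration:LogstreamConfiguration sample_logstream_configuration 123456789
 * ```
 */
export declare class LogstreamConfiguration extends pulumi.CustomResource {
    /**
     * Get an existing LogstreamConfiguration resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: LogstreamConfigurationState, opts?: pulumi.CustomResourceOptions): LogstreamConfiguration;
    /**
     * Returns true if the given object is an instance of LogstreamConfiguration. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is LogstreamConfiguration;
    /**
     * The compression algorithm used for logs. Valid values are `none`, `zstd` or `gzip`. Defaults to `none`.
     */
    readonly compressionFormat: pulumi.Output<string | undefined>;
    /**
     * The type of SIEM platform to stream to. Valid values are `axiom`, `cribl`, `datadog`, `elastic`, `gcs`, `panther`, `splunk`, and `s3`.
     */
    readonly destinationType: pulumi.Output<string>;
    /**
     * The name of the GCS bucket
     */
    readonly gcsBucket: pulumi.Output<string | undefined>;
    /**
     * The encoded string of JSON that is used to authenticate for workload identity in GCS.
     * NOTE(review): whether the provider marks this output as a secret is not visible in this file; confirm before exporting it from a stack.
     */
    readonly gcsCredentials: pulumi.Output<string | undefined>;
    /**
     * The GCS key prefix for the bucket
     */
    readonly gcsKeyPrefix: pulumi.Output<string | undefined>;
    /**
     * The GCS scopes needed to be able to write in the bucket
     */
    readonly gcsScopes: pulumi.Output<string[] | undefined>;
    /**
     * The type of logs to stream. Valid values are `configuration` (configuration audit logs) and `network` (network flow logs).
     */
    readonly logType: pulumi.Output<string>;
    /**
     * The S3 access key ID. Required if destinationType is `s3` and s3AuthenticationType is `accesskey`.
     */
    readonly s3AccessKeyId: pulumi.Output<string | undefined>;
    /**
     * The type of authentication to use for S3. Required if destinationType is `s3`. Valid values are `accesskey` and `rolearn`. Tailscale recommends using `rolearn`.
     */
    readonly s3AuthenticationType: pulumi.Output<string | undefined>;
    /**
     * The S3 bucket name. Required if destinationType is `s3`.
     */
    readonly s3Bucket: pulumi.Output<string | undefined>;
    /**
     * The AWS External ID that Tailscale supplies when authenticating using role-based authentication. Required if destinationType is `s3` and s3AuthenticationType is `rolearn`. This can be obtained via the `tailscale_aws_external_id` resource.
     */
    readonly s3ExternalId: pulumi.Output<string | undefined>;
    /**
     * An optional S3 key prefix to prepend to the auto-generated S3 key name.
     */
    readonly s3KeyPrefix: pulumi.Output<string | undefined>;
    /**
     * The region in which the S3 bucket is located. Required if destinationType is `s3`.
     */
    readonly s3Region: pulumi.Output<string | undefined>;
    /**
     * ARN of the AWS IAM role that Tailscale should assume when using role-based authentication. Required if destinationType is `s3` and s3AuthenticationType is `rolearn`.
     */
    readonly s3RoleArn: pulumi.Output<string | undefined>;
    /**
     * The S3 secret access key. Required if destinationType is `s3` and s3AuthenticationType is `accesskey`.
     * NOTE(review): whether the provider marks this output as a secret is not visible in this file; confirm before exporting it from a stack.
     */
    readonly s3SecretAccessKey: pulumi.Output<string | undefined>;
    /**
     * The token/password with which log streams to this endpoint should be authenticated, required unless destinationType is `s3`.
     * NOTE(review): whether the provider marks this output as a secret is not visible in this file; confirm before exporting it from a stack.
     */
    readonly token: pulumi.Output<string | undefined>;
    /**
     * An optional number of minutes to wait in between uploading new logs. If the quantity of logs does not fit within a single upload, multiple uploads will be made.
     */
    readonly uploadPeriodMinutes: pulumi.Output<number | undefined>;
    /**
     * The URL to which log streams are being posted. If destinationType is `s3` and you want to use the official Amazon S3 endpoint, leave this empty.
     */
    readonly url: pulumi.Output<string | undefined>;
    /**
     * The username with which log streams to this endpoint are authenticated. Only required if destinationType is `elastic`, defaults to `user` if not set.
     */
    readonly user: pulumi.Output<string | undefined>;
    /**
     * Create a LogstreamConfiguration resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: LogstreamConfigurationArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering LogstreamConfiguration resources.
 */
export interface LogstreamConfigurationState {
    /**
     * The compression algorithm used for logs. Valid values are `none`, `zstd` or `gzip`. Defaults to `none`.
     */
    compressionFormat?: pulumi.Input<string>;
    /**
     * The type of SIEM platform to stream to. Valid values are `axiom`, `cribl`, `datadog`, `elastic`, `gcs`, `panther`, `splunk`, and `s3`.
     */
    destinationType?: pulumi.Input<string>;
    /**
     * The name of the GCS bucket
     */
    gcsBucket?: pulumi.Input<string>;
    /**
     * The encoded string of JSON that is used to authenticate for workload identity in GCS
     */
    gcsCredentials?: pulumi.Input<string>;
    /**
     * The GCS key prefix for the bucket
     */
    gcsKeyPrefix?: pulumi.Input<string>;
    /**
     * The GCS scopes needed to be able to write in the bucket
     */
    gcsScopes?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The type of logs to stream. Valid values are `configuration` (configuration audit logs) and `network` (network flow logs).
     */
    logType?: pulumi.Input<string>;
    /**
     * The S3 access key ID. Required if destinationType is `s3` and s3AuthenticationType is `accesskey`.
     */
    s3AccessKeyId?: pulumi.Input<string>;
    /**
     * The type of authentication to use for S3. Required if destinationType is `s3`. Valid values are `accesskey` and `rolearn`. Tailscale recommends using `rolearn`.
     */
    s3AuthenticationType?: pulumi.Input<string>;
    /**
     * The S3 bucket name. Required if destinationType is `s3`.
     */
    s3Bucket?: pulumi.Input<string>;
    /**
     * The AWS External ID that Tailscale supplies when authenticating using role-based authentication. Required if destinationType is `s3` and s3AuthenticationType is `rolearn`. This can be obtained via the `tailscale_aws_external_id` resource.
     */
    s3ExternalId?: pulumi.Input<string>;
    /**
     * An optional S3 key prefix to prepend to the auto-generated S3 key name.
     */
    s3KeyPrefix?: pulumi.Input<string>;
    /**
     * The region in which the S3 bucket is located. Required if destinationType is `s3`.
     */
    s3Region?: pulumi.Input<string>;
    /**
     * ARN of the AWS IAM role that Tailscale should assume when using role-based authentication. Required if destinationType is `s3` and s3AuthenticationType is `rolearn`.
     */
    s3RoleArn?: pulumi.Input<string>;
    /**
     * The S3 secret access key. Required if destinationType is `s3` and s3AuthenticationType is `accesskey`.
     */
    s3SecretAccessKey?: pulumi.Input<string>;
    /**
     * The token/password with which log streams to this endpoint should be authenticated, required unless destinationType is `s3`.
     */
    token?: pulumi.Input<string>;
    /**
     * An optional number of minutes to wait in between uploading new logs. If the quantity of logs does not fit within a single upload, multiple uploads will be made.
     */
    uploadPeriodMinutes?: pulumi.Input<number>;
    /**
     * The URL to which log streams are being posted. If destinationType is `s3` and you want to use the official Amazon S3 endpoint, leave this empty.
     */
    url?: pulumi.Input<string>;
    /**
     * The username with which log streams to this endpoint are authenticated. Only required if destinationType is `elastic`, defaults to `user` if not set.
     */
    user?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing a LogstreamConfiguration resource.
 */
export interface LogstreamConfigurationArgs {
    /**
     * The compression algorithm used for logs. Valid values are `none`, `zstd` or `gzip`. Defaults to `none`.
     */
    compressionFormat?: pulumi.Input<string>;
    /**
     * The type of SIEM platform to stream to. Valid values are `axiom`, `cribl`, `datadog`, `elastic`, `gcs`, `panther`, `splunk`, and `s3`.
     */
    destinationType: pulumi.Input<string>;
    /**
     * The name of the GCS bucket
     */
    gcsBucket?: pulumi.Input<string>;
    /**
     * The encoded string of JSON that is used to authenticate for workload identity in GCS.
     * Treat the whole document as credential configuration and pass it as a Pulumi secret.
     */
    gcsCredentials?: pulumi.Input<string>;
    /**
     * The GCS key prefix for the bucket
     */
    gcsKeyPrefix?: pulumi.Input<string>;
    /**
     * The GCS scopes needed to be able to write in the bucket
     */
    gcsScopes?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The type of logs to stream. Valid values are `configuration` (configuration audit logs) and `network` (network flow logs).
     */
    logType: pulumi.Input<string>;
    /**
     * The S3 access key ID. Required if destinationType is `s3` and s3AuthenticationType is `accesskey`.
     */
    s3AccessKeyId?: pulumi.Input<string>;
    /**
     * The type of authentication to use for S3. Required if destinationType is `s3`. Valid values are `accesskey` and `rolearn`. Tailscale recommends using `rolearn`.
     * With `rolearn` no long-lived AWS access key has to be stored in the stack configuration or state.
     */
    s3AuthenticationType?: pulumi.Input<string>;
    /**
     * The S3 bucket name. Required if destinationType is `s3`.
     */
    s3Bucket?: pulumi.Input<string>;
    /**
     * The AWS External ID that Tailscale supplies when authenticating using role-based authentication. Required if destinationType is `s3` and s3AuthenticationType is `rolearn`. This can be obtained via the `tailscale_aws_external_id` resource.
     * The trust policy of the role in `s3RoleArn` should require this value in an `sts:ExternalId` condition, so that only requests made on behalf of this tailnet can assume the role.
     */
    s3ExternalId?: pulumi.Input<string>;
    /**
     * An optional S3 key prefix to prepend to the auto-generated S3 key name.
     */
    s3KeyPrefix?: pulumi.Input<string>;
    /**
     * The region in which the S3 bucket is located. Required if destinationType is `s3`.
     */
    s3Region?: pulumi.Input<string>;
    /**
     * ARN of the AWS IAM role that Tailscale should assume when using role-based authentication. Required if destinationType is `s3` and s3AuthenticationType is `rolearn`.
     * Scope the role's permissions to writing into the log bucket (and key prefix, if one is set).
     */
    s3RoleArn?: pulumi.Input<string>;
    /**
     * The S3 secret access key. Required if destinationType is `s3` and s3AuthenticationType is `accesskey`.
     * Pass it as a Pulumi secret (for example from `pulumi.Config.requireSecret`), not as a string literal.
     */
    s3SecretAccessKey?: pulumi.Input<string>;
    /**
     * The token/password with which log streams to this endpoint should be authenticated, required unless destinationType is `s3`.
     * Pass it as a Pulumi secret (for example from `pulumi.Config.requireSecret`), not as a string literal.
     */
    token?: pulumi.Input<string>;
    /**
     * An optional number of minutes to wait in between uploading new logs. If the quantity of logs does not fit within a single upload, multiple uploads will be made.
     */
    uploadPeriodMinutes?: pulumi.Input<number>;
    /**
     * The URL to which log streams are being posted. If destinationType is `s3` and you want to use the official Amazon S3 endpoint, leave this empty.
     * Prefer an `https://` endpoint, since the token and the log contents are sent to this URL.
     */
    url?: pulumi.Input<string>;
    /**
     * The username with which log streams to this endpoint are authenticated. Only required if destinationType is `elastic`, defaults to `user` if not set.
     */
    user?: pulumi.Input<string>;
}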