Changes to Tableau Cloud Activity Log Due to Hyperforce Migration

Action Required Before the Maintenance Start Date

Review the changes listed below to prevent interruptions in your Tableau Activity Log data replication to your AWS S3 bucket after the Hyperforce migration. These changes are required to be completed before the scheduled Maintenance Start Date in the table below to prevent interruptions in your Activity Log data replication to your S3 bucket:

• Changes to AWS S3 Policies
  Customers will need to update the policy on their S3 buckets to allow the new Hyperforce Identity and Access Management (IAM) Role permission to write Activity Log data to their buckets. The previous policy allowing access for the older role should be left in place until after the maintenance to ensure service continuity. The new IAM roles are now region-specific; see table below for more details. See an example at the end of this document.
  
  

  • If you are using a VPC to restrict access to your S3 bucket, please ensure you’ve also updated the S3 policy to ensure that requests from the IAM Roles below are not denied. See an example at the end of this document.
    

• Changes to AWS KMS Policies
  Customers with S3 replication enabled and who are encrypting items in the target S3 bucket will also need to update the policy on the KMS key used to allow the new Hyperforce IAM Role permission to continue receiving Activity Log data in their buckets. As with the S3 policy, the old role should not be removed until after the maintenance. 

Action Required After the Maintenance Window

These actions should be taken after the migration window completes to ensure full functionality and adjust to the new folder structure and event properties.

• Re-Enable Activity Log
  After the maintenance, Activity Log will be disabled in the Settings page for your site. Ensure that you have re-enabled it as documented here. You will need to provide your AWS S3 bucket details again.

• Verify Event File Delivery
  After you have re-enabled Activity Log in Site Settings, perform several actions (e.g. login, access a dashboard, publish, logout) on your Tableau Cloud site and verify that your S3 bucket is receiving new event files in the appropriate folders. Wait 15 minutes to ensure the events have sufficient time to propagate.

Other Important Changes To Be Aware Of

You should carefully review the changes listed below that will occur after the Tableau Cloud Activity log data to Hyperforce migration to ensure that any integrations or use cases you have for this data continue to function.

• Data Gap During Maintenance - Between the time that the maintenance window begins and when you re-enable Activity Log after the maintenance window, you should expect auditing gaps in event logs written to your S3 bucket. If needed, these logs can be restored by downloading them using the new REST API endpoints, and copying them to your S3 bucket.

• Changes to Folder Structure
  The organization/structure of files in the site-level events S3 bucket is changing. Below is a comparison of the old and new structure that customers will see replicated to their S3 buckets. Depending on the systems ingesting this data, some re-mapping work may be required in advance to ensure continuity.

• New Event Property - A new eventProcessedTime property will be present in all newly-written Activity Log events. This represents the approximate timestamp of when the event record was made available externally. You may wish to update systems ingesting this data to account for this new property.

When is this change being implemented?

The table below provides the Hyperforce migration schedule for the Tableau Cloud Activity log data per pod and region, along with the new IAM Roles that should be used for each region. Be sure to bookmark this knowledge article and check it regularly for the latest information, including any unexpected schedule changes.