Terraform: configuring cloudwatch log subscription delivery to lambda?

-上瘾入骨i 2020-12-29 03:30

I need to ship my cloudwatch logs to a log analysis service.

I've followed along with these articles here and here and got it working by hand, no worries.

2 answers
  •  攒了一身酷
    2020-12-29 04:08

    I had the aws_cloudwatch_log_subscription_filter resource defined incorrectly - you should not provide the role_arn argument in this situation.

    You also need to add an aws_lambda_permission resource (with a depends_on relationship defined on the filter or TF may do it in the wrong order).

    Note that the AWS lambda console UI adds the lambda permission for you invisibly, so beware that the aws_cloudwatch_log_subscription_filter will work without the permission resource if you happen to have done the same action before in the console UI.

    The necessary TF config looks like this (the last two resources are the relevant ones for configuring the actual cloudwatch->lambda trigger):

    // intended for application logs (access logs, modsec, etc.)
    resource "aws_cloudwatch_log_group" "test-app-loggroup" {
      name              = "test-app"
      retention_in_days = 90
    }
    
    resource "aws_security_group" "cloudwatch-sumologic-lambda-sg" {
      name = "cloudwatch-sumologic-lambda-sg"
    
      tags {
        Name = "cloudwatch-sumologic-lambda-sg"
      }
    
      description = "Security group for lambda to move logs from CWL to SumoLogic"
      vpc_id      = "${aws_vpc.dev-vpc.id}"
    }
    
    resource "aws_security_group_rule" "https-egress-cloudwatch-sumologic-to-internet" {
      type              = "egress"
      from_port         = 443
      to_port           = 443
      protocol          = "tcp"
      security_group_id = "${aws_security_group.cloudwatch-sumologic-lambda-sg.id}"
      cidr_blocks       = ["0.0.0.0/0"]
    }
    
    resource "aws_iam_role" "test-cloudwatch-lambda-role" {
      name = "test-cloudwatch-lambda-role"
    
      assume_role_policy = <

    EDIT: Please note that the above TF code was written years ago, using version 0.11.x - it should still work but there may be better ways of doing things. Specifically, don't use an inline policy like this unless needed, use an aws_iam_policy_document instead - they're just way easier to maintain over time.
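
The CloudWatch Logs to Lambda trigger described in the answer above, written as an added example in Terraform 0.12+ syntax; it is not the answerer's original code. The variable `log_shipper_lambda_arn` and the names of the permission and filter resources are assumptions, and AWS provider 3.0 or later is assumed for the `:*` suffix on `source_arn`.

```hcl
# Added example (assumptions: Terraform 0.12+, AWS provider 3.0+).
# var.log_shipper_lambda_arn is a hypothetical input: the ARN of the Lambda
# function that forwards log events to the log analysis service.
variable "log_shipper_lambda_arn" {
  type = string
}

# Log group from the answer, repeated so this fragment stands alone.
resource "aws_cloudwatch_log_group" "test-app-loggroup" {
  name              = "test-app"
  retention_in_days = 90
}

# Resource-based policy on the function. It lets the CloudWatch Logs service
# invoke the function, and source_arn limits that to this one log group
# rather than every log group that could name the function as a destination.
resource "aws_lambda_permission" "test-app-allow-cloudwatch" {
  statement_id  = "test-app-allow-cloudwatch"
  action        = "lambda:InvokeFunction"
  function_name = var.log_shipper_lambda_arn
  principal     = "logs.amazonaws.com"

  # Provider 3.0+ returns the log group ARN without the trailing ":*",
  # so it is appended here to cover the group's log streams.
  source_arn = "${aws_cloudwatch_log_group.test-app-loggroup.arn}:*"
}

# Subscription filter with a Lambda destination: no role_arn argument.
# depends_on makes Terraform create the permission first; without it the
# filter can be created before CloudWatch Logs is allowed to invoke the
# function, and the apply fails.
resource "aws_cloudwatch_log_subscription_filter" "test-app-to-lambda" {
  depends_on = [aws_lambda_permission.test-app-allow-cloudwatch]

  name            = "test-app-to-lambda"
  log_group_name  = aws_cloudwatch_log_group.test-app-loggroup.name
  filter_pattern  = "" # empty pattern forwards every log event
  destination_arn = var.log_shipper_lambda_arn
}
```

Running `terraform plan` against a clean account (one where the console has never created the trigger) is the way to confirm the permission resource is actually doing the work.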
