Terraform: configuring cloudwatch log subscription delivery to lambda?

Question

I need to ship my cloudwatch logs to a log analysis service.

I\'ve followed along with these articles here and here and got it working by hand, no worries.

Answer 1

Working with Terraform v0.12.29 and AWS provider v3.1.0 I encountered a strange issue which cost me a few hours of debugging.

In order to save others some valuable time I'll share it as a complementary to the accepted answer.

The value of the cloudwatch log group arn:

${aws_cloudwatch_log_group.test-app-loggroup.arn}

Isn't being interpolated correctly - there is a missing ":*" at the end of the output.

This leads to the error below:

Error creating {the-calling-service}: InvalidCloudWatchLogsLogGroupArnException: Check the log group ARN: {the-calling-service} can't validate it.

Adding a :* postfix solved the issue:

source_arn = "${aws_cloudwatch_log_group.test-app-loggroup.arn}:*" #<----Notice the :* postfix