1回答
- 新しい順
- 投票が多い順
- コメントが多い順
1
Hi Issac,
It seems like the issue is with the permissions related to the Cloudwatch Logs (Subscription Filter) from your source account.
Before that, please make sure you have followed the steps mentioned in this documentation, and correctly configured Source and Destination Accounts: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions-Firehose.html
Regarding the permission issue, please check if you have attached the IAM Role to the Subscription Filter, which is required when destination policy has an "Organizational condition".
Try referring to the below sample code, and use it in your Terraform code:
# CloudWatch Log IAM Role and policy (For Subscription Filter)
resource "aws_iam_role" "cwl_role" {
name = "logfilter-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "logs.amazonaws.com"
}
}
]
})
}
resource "aws_iam_policy" "cwl_policy" {
name = "logfilter-policy"
policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Action = "logs:PutLogEvents",
Resource = [
"arn:aws:logs:${var.region}:${var.account_id}:log-group:*"
]
}
]
})
}
resource "aws_iam_role_policy_attachment" "cwl_policy_attachment" {
policy_arn = aws_iam_policy.cwl_policy.arn
role = aws_iam_role.cwl_role.name
}
resource "aws_cloudwatch_log_subscription_filter" "cwl_firehose_subsfilter" {
name = "logfilter"
... ... ...
role_arn = aws_iam_role.cwl_role.arn # Use the role in the subscription filter
}
Please let me know if this solves the issue.
Thanks,
Atul
回答済み 8ヶ月前
Thanks for your response. It worked like a charm! I couldn't find any document mentioning this as a required configuration for Subscription Filter. But anyways, thank you so much!