1 Answer
- Newest
- Most votes
- Most comments
1
Hi Issac,
It seems like the issue is with the permissions related to the Cloudwatch Logs (Subscription Filter) from your source account.
Before that, please make sure you have followed the steps mentioned in this documentation, and correctly configured Source and Destination Accounts: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions-Firehose.html
Regarding the permission issue, please check if you have attached the IAM Role to the Subscription Filter, which is required when destination policy has an "Organizational condition".
Try referring to the below sample code, and use it in your Terraform code:
# CloudWatch Log IAM Role and policy (For Subscription Filter)
resource "aws_iam_role" "cwl_role" {
name = "logfilter-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "logs.amazonaws.com"
}
}
]
})
}
resource "aws_iam_policy" "cwl_policy" {
name = "logfilter-policy"
policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Action = "logs:PutLogEvents",
Resource = [
"arn:aws:logs:${var.region}:${var.account_id}:log-group:*"
]
}
]
})
}
resource "aws_iam_role_policy_attachment" "cwl_policy_attachment" {
policy_arn = aws_iam_policy.cwl_policy.arn
role = aws_iam_role.cwl_role.name
}
resource "aws_cloudwatch_log_subscription_filter" "cwl_firehose_subsfilter" {
name = "logfilter"
... ... ...
role_arn = aws_iam_role.cwl_role.arn # Use the role in the subscription filter
}
Please let me know if this solves the issue.
Thanks,
Atul
answered 7 months ago
Relevant content
- asked 2 years ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 months ago
Thanks for your response. It worked like a charm! I couldn't find any document mentioning this as a required configuration for Subscription Filter. But anyways, thank you so much!