1 回答
- 最新
- 投票最多
- 评论最多
1
Hi Issac,
It seems like the issue is with the permissions related to the Cloudwatch Logs (Subscription Filter) from your source account.
Before that, please make sure you have followed the steps mentioned in this documentation, and correctly configured Source and Destination Accounts: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions-Firehose.html
Regarding the permission issue, please check if you have attached the IAM Role to the Subscription Filter, which is required when destination policy has an "Organizational condition".
Try referring to the below sample code, and use it in your Terraform code:
# CloudWatch Log IAM Role and policy (For Subscription Filter)
resource "aws_iam_role" "cwl_role" {
name = "logfilter-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "logs.amazonaws.com"
}
}
]
})
}
resource "aws_iam_policy" "cwl_policy" {
name = "logfilter-policy"
policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Action = "logs:PutLogEvents",
Resource = [
"arn:aws:logs:${var.region}:${var.account_id}:log-group:*"
]
}
]
})
}
resource "aws_iam_role_policy_attachment" "cwl_policy_attachment" {
policy_arn = aws_iam_policy.cwl_policy.arn
role = aws_iam_role.cwl_role.name
}
resource "aws_cloudwatch_log_subscription_filter" "cwl_firehose_subsfilter" {
name = "logfilter"
... ... ...
role_arn = aws_iam_role.cwl_role.arn # Use the role in the subscription filter
}
Please let me know if this solves the issue.
Thanks,
Atul
已回答 8 个月前
相关内容
AWS 官方已更新 2 年前- AWS 官方已更新 1 年前
- AWS 官方已更新 1 年前
Thanks for your response. It worked like a charm! I couldn't find any document mentioning this as a required configuration for Subscription Filter. But anyways, thank you so much!