Terraform-provider-aws: Issue in creating the aws_cloudwatch_log_subscription_filter for lambda function

Created on 13 Aug 2020 · 2 Comments · Source: hashicorp/terraform-provider-aws

Description

I'm upgrading from v12 to v13 and having this issue when running apply:

Error: Error creating Cloudwatch log subscription filter: InvalidParameterException: Could not execute the lambda function. Make sure you have given CloudWatch Logs permission to execute your function.

New or Affected Resource(s)

  • aws_cloudwatch_log_subscription_filter
  • aws_lambda_permission

Potential Terraform Configuration

data "aws_lambda_function" "logdna" {
  function_name = "logdna_${var.environment}_cloudwatch"
}

resource "aws_cloudwatch_log_group" "default" {
  name              = "/ecs/${var.service_id}"
  retention_in_days = 14
}

resource "aws_cloudwatch_log_subscription_filter" "default" {
  count           = var.stream_logs == true ? 1 : 0
  name            = "${var.service_id}_logfilter"
  log_group_name  = aws_cloudwatch_log_group.default.name
  filter_pattern  = ""
  destination_arn = data.aws_lambda_function.logdna.arn

  # create the invoke permission before the filter that needs it
  depends_on = [aws_lambda_permission.default]
}

resource "aws_lambda_permission" "default" {
  statement_id  = "AllowExecutionFrom-service"
  action        = "lambda:InvokeFunction"
  function_name = "logdna_${var.environment}_cloudwatch"
  principal     = "logs.ca-central-1.amazonaws.com"
  # scoped to the log group's ARN as returned by the provider
  source_arn    = aws_cloudwatch_log_group.default.arn
}
Labels: enhancement, needs-triage, service/cloudwatch, service/cloudwatchlogs, service/lambda

All 2 comments

We experience the same issue, although it seems like it's related to the aws provider version.

Creating an aws_cloudwatch_log_subscription_filter using terraform ~> 0.13 and the hashicorp/aws provider ~> 2.1 is successful, but fails with the mentioned error message when upgrading to ~> 3.1.

Interestingly, it's possible to create a log_subscription_filter with version ~> 3.1 by changing the source_arn of the aws_lambda_permission to "${aws_cloudwatch_log_group.default.arn}:*".
But this workaround then fails in version ~> 2.1 of the aws provider with the same error message.

We use this workaround to support 2.x and 3.x aws providers:

resource "aws_lambda_permission" "cloudwatch_logs" {
  count = var.logfilter_destination_arn != "" ? 1 : 0

  action        = "lambda:InvokeFunction"
  function_name = var.logfilter_destination_arn
  principal     = "logs.${data.aws_region.current.name}.amazonaws.com"
  // workaround for https://github.com/terraform-providers/terraform-provider-aws/issues/14630
  // in aws provider 3.x 'aws_cloudwatch_log_group.lambda.arn' interpolates to something like 'arn:aws:logs:eu-west-1:000000000000:log-group:/aws/lambda/my-group'
  // but we need 'arn:aws:logs:eu-west-1:000000000000:log-group:/aws/lambda/my-group:*'
  source_arn = length(regexall(":\\*$", aws_cloudwatch_log_group.lambda.arn)) == 1 ? aws_cloudwatch_log_group.lambda.arn : "${aws_cloudwatch_log_group.lambda.arn}:*"
}

resource "aws_cloudwatch_log_subscription_filter" "cloudwatch_logs_to_es" {
  count      = var.logfilter_destination_arn != "" ? 1 : 0
  depends_on = [aws_lambda_permission.cloudwatch_logs]

  name            = "elasticsearch-stream-filter"
  log_group_name  = aws_cloudwatch_log_group.lambda.name
  filter_pattern  = ""
  destination_arn = var.logfilter_destination_arn
  distribution    = "ByLogStream"
}
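The failure in the issue and the ":*" workaround in the comment above both come down to one thing: whether the AWS:SourceArn condition that aws_lambda_permission writes into the function's resource-based policy matches the ARN CloudWatch Logs presents when it invokes the function. The Python below is an added example, not code from this thread or from the provider. It models IAM's ArnLike matching, applies the same normalisation the HCL workaround does with regexall, and evaluates a constructed resource policy for a given log group under the 2.x-style ARN, the 3.x-style ARN from the issue's config, and the workaround. Assumptions: that CloudWatch Logs presents the log-group ARN with the ":*" suffix as the source ARN (the thread shows only that form works with provider 3.x ARNs); the account ID, function name and log-group names are constructed placeholders. To check a real function, pass the JSON printed by "aws lambda get-policy --function-name <name>" to policy_from_get_policy.

```python
"""
Added example: does the Lambda resource policy that aws_lambda_permission writes
let CloudWatch Logs invoke the function for a given log group?  Reproduces the
provider 2.x vs 3.x source_arn difference from the issue.  Not code from the
thread or the provider; sample ARNs and the account ID are constructed.
"""
import json
import re
from fnmatch import fnmatchcase


def arn_like(pattern: str, value: str) -> bool:
    """Approximation of IAM's ArnLike condition operator: both ARNs are split
    into their six fields (arn, partition, service, region, account, resource)
    and each pattern field is glob-matched against the corresponding value field.
    Assumption: close enough to the documented wildcard semantics for the
    log-group ARNs compared here."""
    pat = pattern.split(":", 5)
    val = value.split(":", 5)
    if len(pat) != 6 or len(val) != 6:
        return False
    return all(fnmatchcase(v, p) for p, v in zip(pat, val))


def log_group_source_arn(log_group_arn: str) -> str:
    """The normalisation the HCL workaround performs with regexall: append ':*'
    unless the ARN already carries it (provider 2.x ARNs do, 3.x ARNs do not)."""
    if re.search(r":\*$", log_group_arn):
        return log_group_arn
    return f"{log_group_arn}:*"


def lambda_permission_policy(function_arn, statement_id, principal, source_arn):
    """Policy document with the single statement aws_lambda_permission creates
    when given principal + source_arn (the shape of a Lambda AddPermission grant)."""
    return {
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            {
                "Sid": statement_id,
                "Effect": "Allow",
                "Principal": {"Service": principal},
                "Action": "lambda:InvokeFunction",
                "Resource": function_arn,
                "Condition": {"ArnLike": {"AWS:SourceArn": source_arn}},
            }
        ],
    }


def policy_from_get_policy(raw_output: str) -> dict:
    """Parse the JSON printed by 'aws lambda get-policy'; its 'Policy' member is
    itself a JSON-encoded string."""
    return json.loads(json.loads(raw_output)["Policy"])


def logs_can_invoke(policy, function_arn, region, log_group_arn):
    """Simulate the invoke CloudWatch Logs performs for a subscription filter.
    Assumption (from the thread, where only the ':*' form works): the service
    presents the log-group ARN with the ':*' suffix as AWS:SourceArn.  Returns
    True if some Allow statement for the logs service principal of that region
    covers the function and the presented source ARN."""
    caller = f"logs.{region}.amazonaws.com"
    presented = log_group_source_arn(log_group_arn)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Action") != "lambda:InvokeFunction":
            continue
        if stmt.get("Principal", {}).get("Service") != caller:
            continue
        if not arn_like(stmt.get("Resource", ""), function_arn):
            continue
        source = stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
        # Without a source_arn any log group in the account could invoke the
        # function; the issue's config scopes it, which is the least-privilege form.
        if source is None or arn_like(source, presented):
            return True
    return False


# Constructed sample values modelled on the issue (account ID is a placeholder).
REGION = "ca-central-1"
FUNCTION_ARN = f"arn:aws:lambda:{REGION}:000000000000:function:logdna_example_cloudwatch"
GROUP_ARN_3X = f"arn:aws:logs:{REGION}:000000000000:log-group:/ecs/my-service"
GROUP_ARN_2X = GROUP_ARN_3X + ":*"
OTHER_GROUP_ARN = f"arn:aws:logs:{REGION}:000000000000:log-group:/ecs/other-service"


def compare_provider_versions() -> dict:
    """Evaluate the issue's aws_lambda_permission under each source_arn form."""
    results = {}
    for label, source_arn in (
        ("3.x arn, as in the issue", GROUP_ARN_3X),
        ("2.x arn", GROUP_ARN_2X),
        ("3.x arn, workaround", log_group_source_arn(GROUP_ARN_3X)),
    ):
        policy = lambda_permission_policy(
            FUNCTION_ARN, "AllowExecutionFrom-service",
            f"logs.{REGION}.amazonaws.com", source_arn,
        )
        results[label] = {
            "own group": logs_can_invoke(policy, FUNCTION_ARN, REGION, GROUP_ARN_3X),
            "other group": logs_can_invoke(policy, FUNCTION_ARN, REGION, OTHER_GROUP_ARN),
            "other region": logs_can_invoke(policy, FUNCTION_ARN, "eu-west-1", GROUP_ARN_3X),
        }
    return results


if __name__ == "__main__":
    for label, outcome in compare_provider_versions().items():
        print(f"{label:28s} {outcome}")
```

Only the 2.x-style ARN and the normalised 3.x ARN grant the invoke for the filter's own log group; the un-suffixed 3.x ARN from the issue's config matches nothing, which is the InvalidParameterException the issue reports. In every case a different log group or a logs principal from another region is refused, so the ":*" suffix widens the condition only to the log streams of that one group, not to other groups.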