Terraform:将cloudwatch日志订阅交付配置为lambda？

Question

我需要将我的cloudwatch日志发送到日志分析服务.

我已经在这里和这里跟着这些文章,并且手动工作,不用担心.

现在,我正在尝试使用Terraform(角色/策略,安全组,cloudwatch日志组,lambda以及从日志组触发lambda)自动执行所有这些操作.

但我无法弄清楚如何使用TF来配置AWS以从cloudwatch日志中触发lambda.

我可以通过执行以下操作手动将两个TF资源链接在一起(在Lambda Web控制台UI中):

• 进入lambda函数的"触发器"部分
• 点击"添加触发器"
• 从触发器类型列表中选择"cloudwatch logs"
• 选择我想要触发lambda的日志组
• 输入过滤器名称
• 将过滤器模式保留为空(意味着触发所有日志流)
• 确保选中"启用触发器"
• 单击"提交"按钮

完成后,lambda将显示在订阅列中的cloudwatch日志控制台上 - 显示为"Lambda(cloudwatch-sumologic-lambda)".

我尝试使用以下TF资源创建订阅:

resource "aws_cloudwatch_log_subscription_filter" "cloudwatch-sumologic-lambda-subscription" {
  name            = "cloudwatch-sumologic-lambda-subscription"
  role_arn        = "${aws_iam_role.jordi-waf-cloudwatch-lambda-role.arn}"
  log_group_name  = "${aws_cloudwatch_log_group.jordi-waf-int-app-loggroup.name}"
  filter_pattern  = "logtype test"
  destination_arn = "${aws_lambda_function.cloudwatch-sumologic-lambda.arn}"
}

但它失败了:

aws_cloudwatch_log_subscription_filter.cloudwatch-sumologic-lambda-subscription:InvalidParameterException:供应商lambda的destinationArn不能与roleArn一起使用

我找到了关于为预定事件设置类似事情的答案,但这似乎与我上面描述的控制台操作没有相同(控制台UI方法不会创建我能看到的事件/规则) ).

有人能给我一个关于我做错的指针吗？

Answer 1

我aws_cloudwatch_log_subscription_filter错误地定义了资源 - role_arn在这种情况下你不应该提供参数.

您还需要添加aws_lambda_permission资源(depends_on在过滤器上定义关系或TF可能以错误的顺序执行).

请注意,AWS lambda控制台UI会无形地为您添加lambda权限,因此请注意,aws_cloudwatch_log_subscription_filter如果您之前在控制台UI中执行了相同的操作,那么它将在没有权限资源的情况下工作.

必要的TF配置如下所示(最后两个资源是配置实际cloudwatch->lambda触发器的相关资源):

// intended for application logs (access logs, modsec, etc.)
resource "aws_cloudwatch_log_group" "test-app-loggroup" {
  name              = "test-app"
  retention_in_days = 90
}

resource "aws_security_group" "cloudwatch-sumologic-lambda-sg" {
  name = "cloudwatch-sumologic-lambda-sg"

  tags {
    Name = "cloudwatch-sumologic-lambda-sg"
  }

  description = "Security group for lambda to move logs from CWL to SumoLogic"
  vpc_id      = "${aws_vpc.dev-vpc.id}"
}

resource "aws_security_group_rule" "https-egress-cloudwatch-sumologic-to-internet" {
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  security_group_id = "${aws_security_group.cloudwatch-sumologic-lambda-sg.id}"
  cidr_blocks       = ["0.0.0.0/0"]
}

resource "aws_iam_role" "test-cloudwatch-lambda-role" {
  name = "test-cloudwatch-lambda-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "test-cloudwatch-lambda-policy" {
  name = "test-cloudwatch-lambda-policy"
  role = "${aws_iam_role.test-cloudwatch-lambda-role.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CopiedFromTemplateAWSLambdaVPCAccessExecutionRole1",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CopiedFromTemplateAWSLambdaVPCAccessExecutionRole2",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "arn:aws:ec2:ap-southeast-2:${var.dev_vpc_account_id}:network-interface/*"
    },

    {
      "Sid": "CopiedFromTemplateAWSLambdaBasicExecutionRole1",
      "Effect": "Allow",
      "Action": "logs:CreateLogGroup",
      "Resource": "arn:aws:logs:ap-southeast-2:${var.dev_vpc_account_id}:*"
    },
    {
      "Sid": "CopiedFromTemplateAWSLambdaBasicExecutionRole2",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
    "arn:aws:logs:ap-southeast-2:${var.dev_vpc_account_id}:log-group:/aws/lambda/*"
      ]
    },

    {
      "Sid": "CopiedFromTemplateAWSLambdaAMIExecutionRole",
      "Effect": "Allow",
      "Action": [
         "ec2:DescribeImages"
      ],
      "Resource": "*"
    }


  ]
}
EOF
}

resource "aws_lambda_function" "cloudwatch-sumologic-lambda" {
  function_name    = "cloudwatch-sumologic-lambda"
  filename         = "${var.lambda_dir}/cloudwatchSumologicLambda.zip"
  source_code_hash = "${base64sha256(file("${var.lambda_dir}/cloudwatchSumologicLambda.zip"))}"
  handler          = "cloudwatchSumologic.handler"

  role        = "${aws_iam_role.test-cloudwatch-lambda-role.arn}"
  memory_size = "128"
  runtime     = "nodejs4.3"

  // set low because I'm concerned about cost-blowout in the case of mis-configuration
  timeout = "15"

  vpc_config = {
    subnet_ids         = ["${aws_subnet.dev-private-subnet.id}"]
    security_group_ids = ["${aws_security_group.cloudwatch-sumologic-lambda-sg.id}"]
  }
}

resource "aws_lambda_permission" "test-app-allow-cloudwatch" {
  statement_id  = "test-app-allow-cloudwatch"
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.cloudwatch-sumologic-lambda.arn}"
  principal     = "logs.ap-southeast-2.amazonaws.com"
  source_arn    = "${aws_cloudwatch_log_group.test-app-loggroup.arn}"
}

resource "aws_cloudwatch_log_subscription_filter" "test-app-cloudwatch-sumologic-lambda-subscription" {
  depends_on      = ["aws_lambda_permission.test-app-allow-cloudwatch"]
  name            = "cloudwatch-sumologic-lambda-subscription"
  log_group_name  = "${aws_cloudwatch_log_group.test-app-loggroup.name}"
  filter_pattern  = ""
  destination_arn = "${aws_lambda_function.cloudwatch-sumologic-lambda.arn}"
}

Answer 2

在与 Terraformv0.12.29和 AWS 提供商合作时，v3.1.0我遇到了一个奇怪的问题，我花了几个小时进行调试。

为了节省其他人一些宝贵的时间，我将分享它作为对已接受答案的补充。

cloudwatch 日志组 arn 的值：

${aws_cloudwatch_log_group.test-app-loggroup.arn}

未正确插入 -:*输出末尾缺少“ ”。

这导致以下错误：

创建 {the-calling-service} 时出错：InvalidCloudWatchLogsLogGroupArnException：检查日志组 ARN：{the-calling-service} 无法验证。

添加:*后缀解决了问题：

source_arn = "${aws_cloudwatch_log_group.test-app-loggroup.arn}:*" #<----Notice the :* postfix