Create AWS Cloudwatch log group and give explicit access to it #40
Conversation
Now that I think about it we could probably do away with the
…reating the log group
iam.tf
Outdated
"logs:CreateLogStream", | ||
"logs:PutLogEvents", | ||
] | ||
|
||
resources = ["arn:aws:logs:*:*:*"] | ||
resources = ["${aws_cloudwatch_log_group.lambda.arn}"] |
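Review bot: the `"${aws_cloudwatch_log_group.lambda.arn}"` wrapper on the new `resources` line is the 0.11-style interpolation form; on the Terraform v0.12.7 shown later in this thread a lone reference should be written `resources = [aws_cloudwatch_log_group.lambda.arn]`, which also avoids the interpolation-only deprecation warning. It is also worth confirming what that attribute resolves to before merging: `logs:CreateLogStream` and `logs:PutLogEvents` are evaluated against log-stream ARNs (`...:log-group:<name>:log-stream:<stream>`), so a bare `...:log-group:<name>` ARN without a trailing wildcard would not match them.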
I think these permissions need a slight update, based on the docs the ARN format for log streams would be: arn:aws:logs:region:account-id:log-group:log_group_name:log-stream:log-stream-name
resources = ["${aws_cloudwatch_log_group.lambda.arn}"] | |
resources = ["${aws_cloudwatch_log_group.lambda.arn}:log-stream:*"] |
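Review bot: the `:log-stream:*` suffix in this suggestion is appended to an attribute that, per the resource attributes quoted in the next comment, already ends in `:*` (`...:log-group:/aws/lambda/notify_slack:*`), so the effective resource becomes `...:*:log-stream:*`. That still matches the function's streams, but the suffix is redundant with the provider's exported value; either use the bare attribute or note in a comment that the explicit suffix is kept deliberately in case a future provider version drops the trailing wildcard.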
I investigated this a bit and found that when referencing the arn of aws_cloudwatch_log_group, Terraform injects a wildcard already:
$ terraform version
Terraform v0.12.7
+ provider.aws v2.31.0
resource "aws_cloudwatch_log_group" "lambda" {
arn = "arn:aws:logs:us-west-2:0000000000:log-group:/aws/lambda/notify_slack:*"
id = "/aws/lambda/notify_slack"
name = "/aws/lambda/notify_slack"
retention_in_days = 30
tags = {}
}
It still works (the lambda can still log to new log streams) even when appending :log-stream:*. Not sure which syntax would be better to use...
Thanks, @lalanza808 and @mwarkentin for this PR! I've just released v2.3.0 with this feature. Please let me know if something is not working as expected.
Nice, thanks for the finishing touches and pushing it through. Will upgrade my project now!
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Description
The resources deployed by this module mimic the experience when creating Lambda functions in the console. The function gets created with an IAM role attached which allows it to put logs and create groups/streams anywhere, even places it's not supposed to. When the function creates the log group with its built-in permissions, this happens outside of Terraform. When you destroy the module, a log group will remain and become stale because it's never tracked by Terraform's state in this way.
This PR adds a Cloudwatch Logs group and adds an explicit dependency on the function so that it will only be created when the log group is made (to prevent a race condition). It also adjusts the policy of the function to explicitly allow only log events on the Terraform managed log group.
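The arrangement the description lays out, as an added example written here and not the module's own code: the console-style policy beside the scoped one, the Terraform-managed log group, and the explicit dependency on it. The role `aws_iam_role.lambda`, the handler, runtime and filename are assumed placeholders; the log group name and provider version are the ones quoted in this thread.

```hcl
# Added example (not the module's own code). Assumed: an IAM role
# "aws_iam_role.lambda" exists; handler, runtime and filename are placeholders.

# Before: the console-style role may create groups and write logs anywhere,
# so the function creates its own log group outside Terraform state.
data "aws_iam_policy_document" "logs_anywhere" {
  statement {
    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:*:*:*"]
  }
}

# After: Terraform owns the group, so it is tracked in state and removed on destroy.
resource "aws_cloudwatch_log_group" "lambda" {
  name              = "/aws/lambda/notify_slack"
  retention_in_days = 30
}

# Scoped policy: logs:CreateLogGroup is dropped (the group already exists) and
# the stream/event actions are limited to this group. With the provider version
# in this thread (v2.31.0) the exported ARN already ends in ":*", which is what
# makes it match the group's log-stream ARNs
# (arn:aws:logs:region:account-id:log-group:NAME:log-stream:STREAM);
# verify the exported value for the provider version you run.
data "aws_iam_policy_document" "logs_scoped" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = [aws_cloudwatch_log_group.lambda.arn]
  }
}

resource "aws_iam_role_policy" "lambda_logs" {
  name   = "notify-slack-logs"
  role   = aws_iam_role.lambda.id
  policy = data.aws_iam_policy_document.logs_scoped.json
}

resource "aws_lambda_function" "notify_slack" {
  function_name = "notify_slack"
  role          = aws_iam_role.lambda.arn
  handler       = "notify_slack.lambda_handler" # assumed
  runtime       = "python3.7"                   # assumed
  filename      = "notify_slack.zip"            # assumed

  # The group must exist before the function does; otherwise an early
  # invocation would have Lambda create an untracked group on its own.
  depends_on = [aws_cloudwatch_log_group.lambda]
}
```

The `logs_anywhere` document is kept only for contrast and is not attached to the role; `terraform plan` should show the policy's resource narrowing from `arn:aws:logs:*:*:*` to the single group ARN.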