How do I set up a cloudwatch subscription for log delivery to a lambda?


shorn....@gmail.com

Jul 15, 2016, 3:22:42 AM
to Terraform
I need to ship my cloudwatch logs to a log analysis service.
I'm following along with the below articles[1][2] and I actually got it working by hand (that is, clicking around in the AWS console creating the lambda etc.)

Now I'm trying to automate all this with Terraform (roles/policies, security groups, cloudwatch log group, lambda, and triggering the lambda from the log group).

But I'm stuck at the part where I tell AWS to trigger the lambda from the cloudwatch logs.

I can link the two TF resources together by hand by doing the following (in the Lambda web console UI):
- go into the lambda function's "Triggers" section
- click "Add Trigger"
- select "cloudwatch logs" from the list of trigger types
- select the log group I want to trigger the lambda
- enter a filter name
- leave the filter pattern empty (implying trigger on all log streams)
- make sure "enable trigger" is selected
- click the submit button

Once that's done, the lambda shows up on the cloudwatch logs console in the subscriptions column (shows up as "Lambda (cloudwatch-sumologic-lambda)").

I can't figure out how I do this with TF though.
I've got the lambda and cloudwatch log groups created and they work fine.

I tried to create the subscription with the following TF resource:
  resource "aws_cloudwatch_log_subscription_filter" "cloudwatch-sumologic-lambda-subscription" {
    name = "cloudwatch-sumologic-lambda-subscription"
    role_arn = "${aws_iam_role.jordi-waf-cloudwatch-lambda-role.arn}"
    filter_pattern = "logtype test"
    destination_arn = "${aws_lambda_function.cloudwatch-sumologic-lambda.arn}"
  }

But it fails with: "* aws_cloudwatch_log_subscription_filter.cloudwatch-sumologic-lambda-subscription: InvalidParameterException: destinationArn for vendor lambda cannot be used with roleArn"


Can someone give me a pointer on what I'm doing wrong please?


shorn....@gmail.com

Jul 18, 2016, 1:02:50 AM
to Terraform
I had the subscription_filter resource misconfigured (should not have a "role_arn" argument in this situation).

If it's useful to anyone, the full cloudwatch/lambda Terraform configuration is available on StackOverflow: 
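
Added example (not part of the original posts, and not the configuration the poster linked): one way to express the fix described above in Terraform 0.12+ syntax, dropping role_arn and granting CloudWatch Logs invoke rights through aws_lambda_permission instead. The log group app_logs and its name are hypothetical, the aws_lambda_function resource is assumed to exist as in the thread, and the ":*" suffix on source_arn assumes AWS provider 3.0 or later, where the log group arn attribute no longer ends in ":*".

```hcl
# Hypothetical log group; substitute the group already defined in your configuration.
resource "aws_cloudwatch_log_group" "app_logs" {
  name              = "/example/app" # constructed sample name
  retention_in_days = 30
}

# Resource-based permission on the function: lets CloudWatch Logs invoke it.
# This takes the place of role_arn on the subscription filter.
resource "aws_lambda_permission" "allow_cloudwatch_logs" {
  statement_id  = "AllowExecutionFromCloudWatchLogs"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.cloudwatch-sumologic-lambda.function_name
  principal     = "logs.amazonaws.com"

  # Least privilege: only this one log group may trigger the function.
  # Without source_arn, any log group able to target the function could invoke it.
  source_arn = "${aws_cloudwatch_log_group.app_logs.arn}:*"
}

resource "aws_cloudwatch_log_subscription_filter" "cloudwatch-sumologic-lambda-subscription" {
  name            = "cloudwatch-sumologic-lambda-subscription"
  log_group_name  = aws_cloudwatch_log_group.app_logs.name
  filter_pattern  = "" # empty pattern forwards every event, as in the console steps
  destination_arn = aws_lambda_function.cloudwatch-sumologic-lambda.arn

  # role_arn is omitted: per the error in the thread it cannot be combined
  # with a Lambda destination.

  # The permission must exist before the filter is created, otherwise
  # CloudWatch Logs cannot validate that it may invoke the function.
  depends_on = [aws_lambda_permission.allow_cloudwatch_logs]
}
```

Running `terraform plan` should show the permission and the filter as two separate resources, and the function's resource policy should list only the one log group ARN as an allowed source.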