Dow do I setup a cloudwatch subscription for log delivery to a lambda?

4,170 views

Skip to first unread message

shorn....@gmail.com

unread,

Jul 15, 2016, 3:22:42 AM7/15/16

to Terraform

I need to ship my cloudwatch logs to a log analysis service.

I'm following along with the below articles[1][2] and I actually got it working by hand (that is, clicking around in the AWS console creating the lambda etc.)

Now I'm trying to automate all this with Terraform (roles/policies, security groups, cloudwatch log group, lambda, and triggering the lambda from the log group).

But I'm stuck at the part where I tell AWS to trigger the lambda from the cloudwatch logs.

I can link the two TF resources together by hand by doing the following (in the Lambda web console UI):

- go into the lambda function's "Triggers" section

- click "Add Trigger"

- select "cloudwatch logs" from the list of trigger types

- select the log group I want to trigger the lambda

- enter a filter name

- leave the filter pattern empty (implying trigger on all log streams)

- make sure "enable trigger" is selected

- click the submit button

Once that's done, the lambda shows up on the cloudwatch logs console in the subscriptions column (show up as "Lambda (cloudwatch-sumologic-lambda)").

I can't figure out how I do this with TF though.

I've got the lambda and cloudwatch log groups created and they work fine.

I tried to create the subscription the following TF resource:

resource "aws_cloudwatch_log_subscription_filter" "cloudwatch-sumologic-lambda-subscription" {

name = "cloudwatch-sumologic-lambda-subscription"

role_arn = "${aws_iam_role.jordi-waf-cloudwatch-lambda-role.arn}"

log_group_name = "${aws_cloudwatch_log_group.jordi-waf-int-app-loggroup.name}"

filter_pattern = "logtype test"

destination_arn = "${aws_lambda_function.cloudwatch-sumologic-lambda.arn}"

}

But it fails with: "* aws_cloudwatch_log_subscription_filter.cloudwatch-sumologic-lambda-subscription: InvalidParameterException: destinationArn for vendor lambda cannot be used with roleArn"

Can someone give me a pointer on what I'm doing wrong please?

[1]: https://github.com/SumoLogic/sumologic-aws-lambda/tree/master/cloudwatchlogs

[2]: https://jambr.co.uk/2016/05/17/aws-lambda-logs-into-sumologic/

shorn....@gmail.com

unread,

Jul 18, 2016, 1:02:50 AM7/18/16

to Terraform

I had the subscription_filter resource misconfigured (should not have a "role_arn" argument in this situation).

If it's useful to anyone, the full cloudwatch/lambda Terraform configuration is available on StackOverflow: