I need to ship my cloudwatch logs to a log analysis service.
I'm following along with the articles below[1][2] and I actually got it working by hand (that is, clicking around in the AWS console, creating the lambda, etc.).
Now I'm trying to automate all this with Terraform (roles/policies, security groups, cloudwatch log group, lambda, and triggering the lambda from the log group).
But I'm stuck at the part where I tell AWS to trigger the lambda from the cloudwatch logs.
I can link the two TF resources together by hand by doing the following (in the Lambda web console UI):
- go into the lambda function's "Triggers" section
- click "Add Trigger"
- select "cloudwatch logs" from the list of trigger types
- select the log group I want to trigger the lambda
- enter a filter name
- leave the filter pattern empty (implying trigger on all log streams)
- make sure "enable trigger" is selected
- click the submit button
Once that's done, the lambda shows up on the cloudwatch logs console in the subscriptions column (it shows up as "Lambda (cloudwatch-sumologic-lambda)").
I can't figure out how I do this with TF though.
I've got the lambda and cloudwatch log groups created and they work fine.
I tried to create the subscription with the following TF resource:

```hcl
resource "aws_cloudwatch_log_subscription_filter" "cloudwatch-sumologic-lambda-subscription" {
  name            = "cloudwatch-sumologic-lambda-subscription"
  role_arn        = "${aws_iam_role.jordi-waf-cloudwatch-lambda-role.arn}"
  filter_pattern  = "logtype test"
  destination_arn = "${aws_lambda_function.cloudwatch-sumologic-lambda.arn}"
}
```
But it fails with:

```
* aws_cloudwatch_log_subscription_filter.cloudwatch-sumologic-lambda-subscription: InvalidParameterException: destinationArn for vendor lambda cannot be used with roleArn
```
Can someone give me a pointer on what I'm doing wrong please?
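Added example, not part of the question above: the `role_arn` argument of `aws_cloudwatch_log_subscription_filter` is only meaningful for Kinesis and Firehose destinations, where CloudWatch Logs assumes an IAM role to write to the stream. For a Lambda destination the service instead invokes the function directly, so the grant has to live on the function itself as a resource-based policy (`aws_lambda_permission`), and `role_arn` must be omitted. The configuration below shows both pieces in Terraform 0.12+ syntax. It reuses the `aws_lambda_function.cloudwatch-sumologic-lambda` name from the question; the log group name `example-waf-logs`, the resource names `waf` and `allow_cloudwatch_logs`, and the use of the `aws` partition are assumptions for the example.

```hcl
# Added example (not the asker's or the provider's own code). Assumed names:
# log group "example-waf-logs", resources "waf" and "allow_cloudwatch_logs".

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

resource "aws_cloudwatch_log_group" "waf" {
  name              = "example-waf-logs" # assumed log group name
  retention_in_days = 30
}

# Resource-based policy on the function: lets the regional CloudWatch Logs
# service principal invoke it. source_arn/source_account pin the grant to this
# one log group in this account, so no other group or account can trigger it.
resource "aws_lambda_permission" "allow_cloudwatch_logs" {
  statement_id   = "AllowExecutionFromCloudWatchLogs"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.cloudwatch-sumologic-lambda.function_name
  principal      = "logs.${data.aws_region.current.name}.amazonaws.com"
  # Built explicitly (with the trailing ":*" CloudWatch Logs presents as its
  # SourceArn) so it does not depend on which provider version strips it.
  source_arn     = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${aws_cloudwatch_log_group.waf.name}:*"
  source_account = data.aws_caller_identity.current.account_id
}

resource "aws_cloudwatch_log_subscription_filter" "cloudwatch-sumologic-lambda-subscription" {
  name            = "cloudwatch-sumologic-lambda-subscription"
  log_group_name  = aws_cloudwatch_log_group.waf.name
  filter_pattern  = "" # empty pattern = deliver every event in the group
  destination_arn = aws_lambda_function.cloudwatch-sumologic-lambda.arn
  # No role_arn here: a Lambda destination is authorised by the permission
  # above, and supplying role_arn is what triggers the InvalidParameterException.

  # The permission must exist before the filter is created, otherwise the
  # API rejects the subscription because it cannot invoke the function yet.
  depends_on = [aws_lambda_permission.allow_cloudwatch_logs]
}
```

After `terraform apply`, the subscription appears in the log group's "Subscriptions" column exactly as the console-created one did. If the permission is created without `source_arn` and `source_account`, any log group in any account in that region could subscribe to and invoke the function, which is why both are set here even though the API accepts the grant without them.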