Terraform - 创建 Cloudwatch 日志订阅过滤器时出错：InvalidParameterException

Question

我目前遇到以下错误 -

错误：创建 Cloudwatch 日志订阅过滤器时出错：InvalidParameterException：无法执行 lambda 函数。确保您已授予 CloudWatch Logs 执行您的函数的权限。

data "aws_iam_role" "example" {
    name = "notification_lambda_role"
}

module "lambda_function_existing_package_s3" {
        source = "terraform-aws-modules/lambda/aws"

        function_name = "rr-snowplow-lambda-function-test"
        description   = "My awesome lambda function"
        handler       = "lambda_function.lambda_handler"
        runtime       = "python3.8"

        create_role = false
        lambda_role = data.aws_iam_role.example.arn

        create_package      = false
        s3_existing_package = {
                bucket = aws_s3_bucket.snowplow_error_log_lambda_source_bucket.id
                key    = aws_s3_bucket_object.snowplow_error_log_processor_zip.id
        }
}

resource "aws_cloudwatch_log_group" "test-app-loggroup" {
  name              = "test-app"
  retention_in_days = 90
}


resource "aws_lambda_permission" "allow_cloudwatch" {
  action        = "lambda:InvokeFunction"
  function_name = module.lambda_function_existing_package_s3.lambda_function_name
  principal     = "events.amazonaws.com"
  source_arn    = format("%s:*",aws_cloudwatch_log_group.test-app-loggroup.arn)
}

resource "aws_cloudwatch_log_subscription_filter" "test_lambdafunction_logfilter" {
  name            = "test_lambdafunction_logfilter"
  log_group_name  = "/rr/snowplow/e2-dev"
  filter_pattern  = "ERROR"
  destination_arn = module.lambda_function_existing_package_s3.lambda_function_arn
  depends_on = [ aws_lambda_permission.allow_cloudwatch ]

地形版本：0.13.7

当我使用管理控制台创建订阅过滤器时一切正常，但是当我尝试通过 terraform 执行此操作时它不起作用。这里有什么问题？

Answer 1

events.amazonaws.com 用于 CloudWatch 事件，而不是日志。对于日志，您需要 logs.region.amazonaws.com。有关所需权限的详细信息，请查看subscription docs。

另外，您授予test-app 的权限，但您订阅的是/rr/snowplow/e2-dev。