dougmoscrop / serverless-plugin-log-subscription


Example Role ARN? #22

Closed Sparticuz closed 3 years ago

Sparticuz commented 3 years ago

Following the steps here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html#FirehoseExample, steps 9, 10, and 11, I ended up with the following.

  # This allows CloudWatch Logs to push data to Kinesis Firehose, will need !GetAtt CloudwatchLogsToFirehoseRole.Arn later
  CloudwatchLogsToFirehoseRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: !Join
                  - "."
                  - - "logs"
                    - !Ref "AWS::Region"
                    - "amazonaws.com"
            Action: "sts:AssumeRole"

  # This is the policy to attach the role
  PermissionsPolicyForCWL:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: Permissions-Policy-For-CWL
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - "firehose:*"
            Resource:
              - !Join
                - ":"
                - - !GetAtt KinesisFirehoseDeliveryStream.Arn
                  - "*"
      Roles:
        - !Ref CloudwatchLogsToFirehoseRole

I'm not able to get it to forward the messages from CWL to Kinesis firehose though. Am I missing something?

Sparticuz commented 3 years ago

It looks like I had the wrong resource in the permissions policy for CWL. The following is working for me.

  # This allows CloudWatch Logs to push data to Kinesis Firehose, will need !GetAtt CloudwatchLogsToFirehoseRole.Arn later
  CloudwatchLogsToFirehoseRole:
    Type: 'AWS::IAM::Role'
    Properties:
      Description: 'This is the role to attach your Log Group subscriptions to.'
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - !Join
                  - .
                  - - logs
                    - !Ref 'AWS::Region'
                    - amazonaws.com
            Action: 'sts:AssumeRole'
  # This is the policy to attach the role
  PermissionsPolicyForCWL:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: PermissionsPolicyForCWL
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - 'firehose:*'
            Resource:
              - !GetAtt KinesisFirehoseDeliveryStream.Arn
      Roles:
        - !Ref CloudwatchLogsToFirehoseRole
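
A tightened version of the working template above, added here as an example and not taken from the thread or the plugin: it keeps the same logical names (CloudwatchLogsToFirehoseRole, KinesisFirehoseDeliveryStream, assumed to sit under the `resources:` block of a serverless.yml as in the snippets) but replaces `firehose:*` with the two record-put actions the subscription delivery uses, and adds an `aws:SourceArn` condition to the trust policy so that only CloudWatch Logs resources in this account and region can assume the role.

```yaml
  CloudwatchLogsToFirehoseRole:
    Type: 'AWS::IAM::Role'
    Properties:
      Description: 'Role assumed by CloudWatch Logs to deliver subscription data to Firehose.'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - !Join
                  - .
                  - - logs
                    - !Ref 'AWS::Region'
                    - amazonaws.com
            Action: 'sts:AssumeRole'
            # Confused-deputy guard: only log groups in this account and region
            # may use this role, even though the service principal is shared by all customers.
            Condition:
              StringLike:
                'aws:SourceArn': !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*'
  PermissionsPolicyForCWL:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: PermissionsPolicyForCWL
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            # Only the delivery actions, instead of firehose:* (which would also
            # allow describing, updating or deleting the stream).
            Action:
              - 'firehose:PutRecord'
              - 'firehose:PutRecordBatch'
            # Exactly the delivery stream ARN, not "<arn>:*" as in the first attempt.
            Resource:
              - !GetAtt KinesisFirehoseDeliveryStream.Arn
      Roles:
        - !Ref CloudwatchLogsToFirehoseRole
```

The role ARN to pass to the subscription filter is still `!GetAtt CloudwatchLogsToFirehoseRole.Arn`, exactly as in the thread.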

dougmoscrop commented 3 years ago

You're not the only person to get bit by this, perhaps another plugin, like serverless-plugin-logs-destination or something would be a nice way to package up some of these concerns. In general these things are deployed in separate accounts and therefore separate stacks/service, hence separate plugins would be the way I'd go about it.