hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

When creating resource "aws_cloudwatch_log_subscription_filter", expected permissions required should not include "logs:DescribeLogGroups". #12124

Open ghost opened 4 years ago

ghost commented 4 years ago

This issue was originally opened by @haleoanodon as hashicorp/terraform#24182. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

0.12.21

Terraform Configuration Files

resource "aws_cloudwatch_log_subscription_filter" "log_subscription_filter" {
  name            = "..."
  log_group_name  = "/aws/lambda/debuggingexample"
  filter_pattern  = "\"Task timed out\""
  destination_arn = "..."
}

Debug Output

Crash Output

Expected Behavior

Expected that adding a subscription filter would require the specific log group to add it to.

Actual Behavior

In addition to requiring the specific log group to add it to, Terraform requires listing all the log groups.

Steps to Reproduce

terraform init
terraform plan
terraform apply

Additional Context

References

justinretzolk commented 3 years ago

Hey @haleoanodon 👋 Thank you for taking the time to file this issue! Given that there have been a number of AWS provider releases since you initially filed it, can you confirm whether or not you're still experiencing this behavior?

ljluestc commented 1 month ago

resource "aws_cloudwatch_log_subscription_filter" "log_subscription_filter" {
  name            = "my_log_subscription_filter"
  log_group_name  = "/aws/lambda/debuggingexample"
  filter_pattern  = "\"Task timed out\""
  destination_arn = "arn:aws:lambda:us-west-2:123456789012:function:myLambdaFunction"  # Replace with your destination ARN

  # Add any optional parameters here
  # role_arn = "arn:aws:iam::123456789012:role/myRole"  # Uncomment if you need to specify a role
}
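
The permission split described in the issue body, written out as an IAM policy. This is an added example, not part of any comment in this thread and not the provider's documented permission set. The policy and statement names are hypothetical, the region and account ID are the placeholders used in the comment above, and whether a given provider version needs the second statement is only what the issue reports.

```hcl
# Added example. Names are hypothetical; the region and account ID are placeholders.
data "aws_iam_policy_document" "subscription_filter_deployer" {
  # Create, read and delete subscription filters on the single log group
  # named in the issue, and on nothing else.
  statement {
    sid    = "ManageFilterOnOneLogGroup"
    effect = "Allow"
    actions = [
      "logs:PutSubscriptionFilter",
      "logs:DescribeSubscriptionFilters",
      "logs:DeleteSubscriptionFilter",
    ]
    resources = [
      "arn:aws:logs:us-west-2:123456789012:log-group:/aws/lambda/debuggingexample",
      "arn:aws:logs:us-west-2:123456789012:log-group:/aws/lambda/debuggingexample:*",
    ]
  }

  # The account-wide listing permission the issue reports Terraform asking for.
  # Keeping it in its own statement makes it easy to review, and easy to drop
  # if the provider version in use turns out not to call it.
  statement {
    sid       = "ListLogGroupsAsReported"
    effect    = "Allow"
    actions   = ["logs:DescribeLogGroups"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "subscription_filter_deployer" {
  name   = "subscription-filter-deployer" # hypothetical name
  policy = data.aws_iam_policy_document.subscription_filter_deployer.json
}
```

With the two grants separated, an access review can see that the only permission reaching beyond `/aws/lambda/debuggingexample` is the read-only listing call.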