Open fraserc182 opened 3 years ago
Hi @fraserc182. The resource-based policy that the AWS documentation refers to is configured using an `aws_cloudwatch_log_resource_policy` resource, not using the `role_arn` parameter on the `aws_cloudwatch_event_target`.

See the CloudWatch Logs example in the `aws_cloudwatch_event_target` documentation at https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target#cloudwatch-log-group-usage
### Terraform CLI and Terraform AWS Provider Version

- Terraform: v1.0.1
- AWS Provider: 3.50.0
### Expected Behavior

Create an EventBridge rule and have the ability to deliver to the specified CloudWatch log group.
### Actual Behavior

The EventBridge rule is created, but each invocation results in a "FailedInvocation" error. The documentation (https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-use-resource-based.html#eb-cloudwatchlogs-permissions) specifically states the following:

> CloudWatch Logs must include a resource-based policy that enables EventBridge to write to CloudWatch Logs. If you use the AWS Management Console to add CloudWatch Logs as the target of a rule, the resource-based policy is created automatically. If you use the AWS CLI to add the target, and the policy doesn't already exist, you must create it.

But the resource states that `role_arn` is optional and allows you to create the target without specifying a role that has the ability to do the above.
### Steps to Reproduce

Create an EventBridge rule and target that specifies a CloudWatch log group as the target. Do not specify a `role_arn`.
### Important Factoids

No.
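The configuration the maintainer's reply describes, as an added example that is not the reporter's or the provider's own code: a log group, an `aws_cloudwatch_log_resource_policy` that lets the `events.amazonaws.com` service principal write to that group, and an event target with no `role_arn`. All resource names, the log group path and the event pattern are assumptions.

```hcl
# Added example (not from the issue or the provider docs). Access for EventBridge
# is granted by a resource policy on the log group, not by a role_arn on the target.
resource "aws_cloudwatch_log_group" "eventbridge_target" {
  name = "/aws/events/example-rule" # assumed name
}

resource "aws_cloudwatch_event_rule" "example" {
  name        = "example-rule"
  description = "Assumed example: EC2 instance state-change events"
  event_pattern = jsonencode({
    source        = ["aws.ec2"]
    "detail-type" = ["EC2 Instance State-change Notification"]
  })
}

# Resource-based policy: allows the EventBridge service principal to create
# streams and put events, scoped to this log group and to this rule's ARN only.
data "aws_iam_policy_document" "eventbridge_logs" {
  statement {
    sid       = "AllowEventBridgeToWriteLogs"
    effect    = "Allow"
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.eventbridge_target.arn}:*"]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com", "delivery.logs.amazonaws.com"]
    }
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_cloudwatch_event_rule.example.arn]
    }
  }
}

resource "aws_cloudwatch_log_resource_policy" "eventbridge_logs" {
  policy_name     = "eventbridge-to-cloudwatch-logs" # assumed name
  policy_document = data.aws_iam_policy_document.eventbridge_logs.json
}

resource "aws_cloudwatch_event_target" "logs" {
  rule      = aws_cloudwatch_event_rule.example.name
  target_id = "SendToCloudWatchLogs"
  arn       = aws_cloudwatch_log_group.eventbridge_target.arn
  # No role_arn: delivery is authorised by the resource policy above.
  depends_on = [aws_cloudwatch_log_resource_policy.eventbridge_logs]
}
```

Without the `aws_cloudwatch_log_resource_policy`, the target is still created successfully, which is why the failure only shows up later as "FailedInvocation" on each rule trigger.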