hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_cloudwatch_event_target - cloudwatch log target, role_arn should be required #20519

Open fraserc182 opened 3 years ago

fraserc182 commented 3 years ago

Terraform CLI and Terraform AWS Provider Version

Terraform - v1.0.1
AWS Provider - 3.50.0

Affected Resource(s)

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

# Log group the rule delivers into. The original report referenced this
# resource without defining it; this definition is assumed so the
# configuration applies on its own.
resource "aws_cloudwatch_log_group" "securityhub_findings_log_group" {
  name = "/aws/events/securityhub-findings"
}

# Rule that matches every Security Hub finding imported into the account.
resource "aws_cloudwatch_event_rule" "securityhub_eventbridge_rule" {
  name        = "SecurityHub-Findings-Rule"
  description = "Captures all securityhub findings"

  event_pattern = <<EOF
{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"]
}
EOF
}

# Target the log group directly. No role_arn is set and no CloudWatch Logs
# resource policy exists, which reproduces the FailedInvocation described below.
resource "aws_cloudwatch_event_target" "securityhub_cloudwatch_target" {
  rule      = aws_cloudwatch_event_rule.securityhub_eventbridge_rule.name
  target_id = "SecurityHubToCloudwatch"
  arn       = aws_cloudwatch_log_group.securityhub_findings_log_group.arn
}

Expected Behavior

Create eventbridge rule and have the ability to deliver to the cloudwatch log group specified.

Actual Behavior

Eventbridge rule is created but each invocation receives "FailedInvocation" error message. Reading the documentation (https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-use-resource-based.html#eb-cloudwatchlogs-permissions) it specifically states the following:

CloudWatch Logs must include a resource-based policy that enables EventBridge to write to CloudWatch Logs. If you use the AWS Management Console to add CloudWatch Logs as the target of a rule, the resource-based policy is created automatically. If you use the AWS CLI to add the target, and the policy doesn't already exist, you must create it.

But the resource states the role_arn is optional and allows you to create the target without specifying a role that has the ability to do the above.

Steps to Reproduce

Create an eventbridge rule and target that specifies a cloudwatch log group as the target. Do not specify a role_arn.

Important Factoids

no

References

gdavison commented 1 year ago

Hi @fraserc182. The resource-based policy that the AWS documentation refers to is configured using an aws_cloudwatch_log_resource_policy resource, not using the role_arn parameter on the aws_cloudwatch_event_target.

See the CloudWatch Logs example in the aws_cloudwatch_event_target documentation at https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target#cloudwatch-log-group-usage
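The configuration below is an added example illustrating the fix described in the reply above; it is not code from the issue, the provider repository or the registry documentation. It reuses the rule, target and log group names from the original report, and the policy name, log group name, and the aws:SourceArn condition are assumptions. The resource policy grants the EventBridge and log-delivery service principals only the two actions needed to write to this one log group, and the condition restricts PutLogEvents to invocations originating from this specific rule, so a rule in another account or elsewhere in this account cannot reuse the grant.

```hcl
resource "aws_cloudwatch_log_group" "securityhub_findings_log_group" {
  name = "/aws/events/securityhub-findings" # assumed name
}

resource "aws_cloudwatch_event_rule" "securityhub_eventbridge_rule" {
  name        = "SecurityHub-Findings-Rule"
  description = "Captures all securityhub findings"

  event_pattern = <<EOF
{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"]
}
EOF
}

# Resource-based policy on CloudWatch Logs. This is what allows EventBridge to
# write into the log group; it replaces the missing piece from the report,
# not the target's role_arn.
data "aws_iam_policy_document" "securityhub_log_policy" {
  # Creating the log stream needs the group-level ARN with a trailing ":*".
  statement {
    effect    = "Allow"
    actions   = ["logs:CreateLogStream"]
    resources = ["${aws_cloudwatch_log_group.securityhub_findings_log_group.arn}:*"]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com", "delivery.logs.amazonaws.com"]
    }
  }

  # Writing events targets the log streams under the group (":*:*").
  # The SourceArn condition limits the grant to this rule only (assumed hardening).
  statement {
    effect    = "Allow"
    actions   = ["logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.securityhub_findings_log_group.arn}:*:*"]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com", "delivery.logs.amazonaws.com"]
    }

    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_cloudwatch_event_rule.securityhub_eventbridge_rule.arn]
    }
  }
}

resource "aws_cloudwatch_log_resource_policy" "securityhub_log_policy" {
  policy_name     = "securityhub-findings-log-publishing-policy" # assumed name
  policy_document = data.aws_iam_policy_document.securityhub_log_policy.json
}

# The target itself is unchanged from the report: still no role_arn.
resource "aws_cloudwatch_event_target" "securityhub_cloudwatch_target" {
  rule      = aws_cloudwatch_event_rule.securityhub_eventbridge_rule.name
  target_id = "SecurityHubToCloudwatch"
  arn       = aws_cloudwatch_log_group.securityhub_findings_log_group.arn
}
```

After terraform apply, a quick check is to watch the rule's FailedInvocations metric in CloudWatch (namespace AWS/Events) drop to zero while log streams named after the rule appear under the log group; if invocations still fail, the first thing to compare is the ARN suffix pattern in each statement against the log group ARN, since a policy scoped to the bare group ARN without the ":*" suffix does not cover the streams.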