[Enhancement]: There is no connection methods between `aws_cloudwatch_log_resource_policy` and `aws_cloudwatch_log_group`

[shieldnet]

Description

Problem

I have problem to adjust aws_cloudwatch_log_resource_policy to aws_cloudwatch_log_group to enable CloudWatch Logs with AWS Opensearch Service.

As you can see screenshot that I uploaded upper, we can enable Slow Search Logs and 3 other kinds of logs to monitoring AOS clusters.

However, there is no resources or methods for connecting CloudWatch Access Policy to specific CloudWatch Log Group.

Workaround, but not solution with terraform

• I found aws logs put-resouce-policy command from AWS CLI document

Conclusion

• I want to connect between aws_cloudwatch_log_resource_policy to aws_cloudwatch_log_group.
• But, I think harshicorp/aws does not support to make this kind of connection yet.

Affected Resource(s) and/or Data Source(s)

• aws_cloudwatch_log_resource_policy
• aws_cloudwatch_log_group

Potential Terraform Configuration

resource "aws_elasticsearch_domain" "service-log" {
  provider = aws.apne2
  ..
  log_publishing_options {
    enabled = true
    log_type = "ES_APPLICATION_LOGS"
    cloudwatch_log_group_arn = aws_cloudwatch_log_group.my_log_group.arn
    log_resource_policy = aws_cloudwatch_log_resource_policy.example.arn << # like this.
  }
}

resource "aws_cloudwatch_log_resource_policy" "example" {
  provider = aws.apne2

  policy_name = "example_policy"
  policy_document = {..}

}

References

https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/put-resource-policy.html

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[justinretzolk]

Hey @shieldnet 👋 Thank you for taking the time to raise this! The aws_cloudwatch_log_resource_policy resource uses the PutResourcePolicy function that you linked to, so I believe that it is the resource that you're looking for. The "connection" between that resource and the aws_cloudwatch_log_group resource is set up via the policy that you specify in the aws_cloudwatch_log_resource_policy.policy_document argument.

An example very similar to that example you provided in the "Potential Terraform Configurations" section of this issue may be found on the aws_elasticsearch_domain resource documentation.

[justinretzolk]

Since we haven't heard back, I'm going to close this issue. If you're still having trouble, please feel free to open a new issue, referencing this one for context as needed.

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.