[Enhancement]: Allow CloudWatch metric filters to access log group in different account (cross-account observability)

Description

Hi!

as described in this post I'd like to setup a monitoring account which basically collects data from different (source) accounts.

After setting up the sinks and enabling the monitoring account (using aws_oam_sink and aws_oam_link) I started creating the metric log filters and alarms:

resource "aws_cloudwatch_log_group" "cloudwatch_log_group" {
  # Deploy into management account
  provider          = aws.management-account
  name              = var.cloudWatchLogGroupName
  retention_in_days = var.cloudWatchLogRetentionDays
}

module "log_metric_filter" {
  for_each = { for alarm in var.alarms.alarms : alarm.AlarmName => alarm }
  source   = "terraform-aws-modules/cloudwatch/aws//modules/log-metric-filter"
  version  = "~> 3.0"

  # Deploy into security observability account
  providers = {
    aws = aws.observability-account
  }

  log_group_name = aws_cloudwatch_log_group.cloudwatch_log_group.name

  name = each.value.MetricName

  # Pattern is basically the filter
  pattern = each.value.FilterPattern

  metric_transformation_namespace = each.value.Namespace
  metric_transformation_name      = each.value.MetricName
}

As you can see the cloudwatch_log_group is created in the management account and the log metrics should be created in the observability account.

However, log_group_name (in the module log_metric_filter) doesn't support an ARN yet (only just a name). This means the log group has to be created in the same account (observability account) where the log metrics should be deployed to. But this is not the intended as I want to access the log group created in the management account.

Thanks for any hints for some workarounds.

Affected Resource(s) and/or Data Source(s)

terraform-aws-modules/cloudwatch/aws//modules/log-metric-filter

Potential Terraform Configuration

No response

hashicorp / terraform-provider-aws