terraform-provider-sumologic
when using sumologic_cloudwatch_source, fails with 'Invalid IAM role'
Hi Team. Thanks for the provider.
We are facing an issue while connecting the CloudWatch logs to Sumo Logic.
Our Terraform version: 0.11.13
```hcl
resource "sumologic_cloudwatch_source" "terraform_cloudwatch_source" {
  name          = "AWS Cloudwatch Logs"
  description   = "Collect cloudwatch logs"
  category      = "aws/lambda"
  content_type  = "AwsCloudWatch"
  scan_interval = 300000
  paused        = false
  collector_id  = "${sumologic_collector.collector.id}"

  # Sumo Logic assumes this role in our account to read from CloudWatch
  authentication {
    type     = "AWSRoleBasedAuthentication"
    role_arn = "${aws_iam_role.sumologic_iam_role.arn}"
  }

  path {
    type = "CloudWatchPath"
  }
}
```
IAM role we have tried:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "logs:GetLogEvents",
      "Resource": "arn:aws:logs:*:<account_id>:log-group:*:log-stream:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:ListTagsLogGroup",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:DescribeSubscriptionFilters",
        "logs:StartQuery",
        "logs:DescribeMetricFilters",
        "logs:FilterLogEvents",
        "logs:GetLogGroupFields"
      ],
      "Resource": "arn:aws:logs:*:<account_id>:log-group:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeQueries",
        "logs:DescribeExportTasks",
        "logs:GetLogRecord",
        "logs:GetQueryResults",
        "logs:StopQuery",
        "logs:TestMetricFilter",
        "logs:DescribeResourcePolicies",
        "logs:GetLogDelivery",
        "logs:DescribeDestinations",
        "logs:ListLogDeliveries"
      ],
      "Resource": "*"
    }
  ]
}
```
Error:
```json
{
  "status" : 400,
  "id" : "6PBGC-1R7HG-P2KTO",
  "code" : "collectors.validation.fields.invalid",
  "message" : "Invalid IAM role: 'errorMessage=null'."
}
```
Please try creating the AWS resources with the CloudFormation template provided in the documentation: https://help.sumologic.com/03Send-Data/Collect-from-Other-Data-Sources/Amazon-CloudWatch-Logs#download-the-cloudformation-template
I am also experiencing the same issue as above, and creating the resource via the CloudFormation template is NOT an option for us. Is there any update on this issue? It should be noted that I have attempted the recommendation above of creating the IAM role via CloudFormation. After the role was created, I hardcoded the role_arn and still received the same error.
We have nearly identical code to the original poster above, and are experiencing the same error.
```hcl
resource "sumologic_cloudwatch_source" "metrics_source" {
  name          = format(var.resource_name_pattern, "kinesis_metrics_source")
  content_type  = "AwsCloudWatch"
  category      = format(var.resource_name_pattern, "lambda-metrics")
  collector_id  = sumologic_collector.collector.id
  scan_interval = 300000
  paused        = false

  # Cross-account role that Sumo Logic assumes to read CloudWatch metrics
  authentication {
    type     = "AWSRoleBasedAuthentication"
    role_arn = aws_iam_role.sumologic_cloudwatch_metrics_role.arn
  }

  path {
    type = "CloudWatchPath"
    tag_filters {
      type      = "TagFilters"
      namespace = "AWS/Lambda"
      tags      = []
    }
  }
}

# Inline permission policy attached to the role
resource "aws_iam_role_policy" "sumologic_cloudwatch_metrics_role_policy" {
  name   = format(var.resource_name_pattern, "sumologic-cloudwatch-metrics-role-policy")
  role   = aws_iam_role.sumologic_cloudwatch_metrics_role.id
  policy = data.aws_iam_policy_document.sumologic_cloudwatch_metrics_access_policy.json
}

resource "aws_iam_role" "sumologic_cloudwatch_metrics_role" {
  name               = format(var.resource_name_pattern, "sumologic-cloudwatch-metrics-role")
  assume_role_policy = data.aws_iam_policy_document.sumologic_cloudwatch_metrics_assumed_policy.json
  tags               = var.tags
}

# Permissions the role grants once assumed
data "aws_iam_policy_document" "sumologic_cloudwatch_metrics_access_policy" {
  policy_id = format(var.resource_name_pattern, "sumologic-cloudwatch-metrics-policy-id")
  statement {
    actions = [
      "cloudwatch:ListMetrics",
      "cloudwatch:GetMetricStatistics",
      "tag:GetResources"
    ]
    resources = ["*"]
  }
}

# Trust policy: only Sumo Logic's account may assume the role, and only with our external ID
data "aws_iam_policy_document" "sumologic_cloudwatch_metrics_assumed_policy" {
  policy_id = format(var.resource_name_pattern, "sumologic-cloudwatch-metrics-assumed-policy-id")
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::926226587429:root"]
    }
    condition {
      test     = "StringEquals"
      values   = [var.sumologic_external_id]
      variable = "sts:ExternalId"
    }
  }
}
```
And when applying the changes we get the error:
```
Error: {
  "status" : 400,
  "id" : "A1GYE-8FW98-QPPR9",
  "code" : "collectors.validation.fields.invalid",
  "message" : "Invalid IAM role: 'errorMessage=null'."
}

  on ../../modules/sumo_logic/collectors.tf line 5, in resource "sumologic_cloudwatch_source" "metrics_source":
   5: resource "sumologic_cloudwatch_source" "metrics_source" {
```
Any and all help would be much appreciated!
See the warning after Step 9: https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Amazon-Web-Services/Grant-Access-to-an-AWS-Product#IAM_Role
Also, please look at the AWS Eventual consistency page for the best practices: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
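One way to apply the eventual-consistency guidance linked above in Terraform, as an added example that is not code from this thread or from the provider: in the second report the source only depends on the role (through role_arn), not on the inline policy, so Terraform may call the Sumo Logic API before the permission policy is attached and visible. The example assumes the second reporter's resource names (aws_iam_role.sumologic_cloudwatch_metrics_role, aws_iam_role_policy.sumologic_cloudwatch_metrics_role_policy, sumologic_collector.collector), Terraform 0.12+ syntax and the hashicorp/time provider; the 30s delay is an assumed value.

```hcl
# Added example, not from the thread. Assumes the hashicorp/time provider
# is declared in required_providers.

# Wait for IAM to propagate the freshly created role and its inline policy
# before Sumo Logic attempts to assume the role during source validation.
resource "time_sleep" "wait_for_iam_propagation" {
  # The policy attachment is the last IAM change the source relies on.
  depends_on      = [aws_iam_role_policy.sumologic_cloudwatch_metrics_role_policy]
  create_duration = "30s" # assumed value; tune for your account
}

resource "sumologic_cloudwatch_source" "metrics_source" {
  name          = "kinesis_metrics_source"
  content_type  = "AwsCloudWatch"
  category      = "lambda-metrics"
  collector_id  = sumologic_collector.collector.id
  scan_interval = 300000
  paused        = false

  # role_arn alone only orders this resource after the role itself;
  # this dependency also orders it after the policy and the delay.
  depends_on = [time_sleep.wait_for_iam_propagation]

  authentication {
    type     = "AWSRoleBasedAuthentication"
    role_arn = aws_iam_role.sumologic_cloudwatch_metrics_role.arn
  }

  path {
    type = "CloudWatchPath"
    tag_filters {
      type      = "TagFilters"
      namespace = "AWS/Lambda"
      tags      = []
    }
  }
}
```

If the error persists with this ordering, the role already exists and is reachable, and the cause is in the trust or permission policy rather than propagation.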
Hi @vsinghal13, in the case above (after the failure occurs the first time), the IAM role already exists in AWS. From my understanding, eventual consistency should have no effect here.
As mentioned, I also tried hardcoding the ARN of a previously existing IAM role, and still got the same error.