terraform-aws-eventbridge
CloudWatch target needs resource-based permission
Is your request related to a problem? Please describe.
When EventBridge has a CloudWatch target, it does not work at all without the following resource-based policy for the CloudWatch Group:
- https://aws.amazon.com/premiumsupport/knowledge-center/cloudwatch-log-group-eventbridge/
- https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-use-resource-based.html#eb-cloudwatchlogs-permissions
```json
{
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Principal": {
        "Service": ["events.amazonaws.com", "delivery.logs.amazonaws.com"]
      },
      "Resource": "arn:aws:logs:region:account:log-group:/aws/events/*:*",
      "Sid": "TrustEventsToStoreLogEvent"
    }
  ],
  "Version": "2012-10-17"
}
```
The policy above is automatically created when adding an EventBridge target via the AWS Management Console. Should we add creation of this policy to the terraform-aws-eventbridge module?
Describe the solution you'd like.
Add creation of the needed policy by using the `aws_cloudwatch_log_resource_policy` resource in the module.
Describe alternatives you've considered.
Managing separately outside of module
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
This issue was automatically closed because of stale in 10 days
I would like this feature. Took me a while to trace this down... Based on the module interface, I expected the CloudWatch log target to work.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.