-
Notifications
You must be signed in to change notification settings - Fork 9.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
provider/aws: cloudwatch_logs_subscription_filter resource #5996
Conversation
de0ea2a
to
0bfd781
Compare
Hi @joshmyers thanks so much for the PR, on trying to start reviewing this, I ran the tests and got the following:
Please can you have a look at these? Thanks Paul |
0bfd781
to
719c93e
Compare
@stack72 I've fixed up the tests and rebased
|
Hi @joshmyers this all looks good - there is 1 issue that we see in a few places right now
This is due to IAM eventual consistency issues. I will speak to some of HC team about that before I merge I will keep you informed Paul |
@stack72 I can't reproduce this locally but I guess it is intermittent. Would be great to get this merged as we are using our fork of TF and have fallen behind a few releases. |
@stack72 Good talk last night, was hoping to catch up with you after but it went on longer than expected. Is there any update on this? |
Hi @joshmyers Glad you enjoyed the talk. I haven't been able to reproduce this error again so this is good to merge Thanks for all the work here :) Paul |
Hello friends –
Unfortunately, I am not a IAM / Policy Guru, can anyone shed some light on what we're missing here in the config? resource "aws_cloudwatch_log_subscription_filter" "test_lambdafunction_logfilter" {
name = "test_lambdafunction_logfilter"
log_group_name = "example_lambda_name"
filter_pattern = "logtype test"
destination_arn = "${aws_lambda_function.test_lambdafunction.arn}"
}
resource "aws_lambda_function" "test_lambdafunction" {
filename = "test-fixtures/lambdatest.zip"
function_name = "example_lambda_name"
role = "${aws_iam_role.iam_for_lambda.arn}"
handler = "exports.handler"
}
resource "aws_cloudwatch_log_group" "logs" {
name = "example_lambda_name"
retention_in_days = 1
}
resource "aws_lambda_permission" "allow_cloudwatch_logs" {
statement_id = "AllowExecutionFromCloudWatchLogs"
action = "lambda:*"
function_name = "${aws_lambda_function.test_lambdafunction.arn}"
principal = "logs.eu-west-1.amazonaws.com"
}
resource "aws_iam_role" "iam_for_lambda" {
name = "test_lambdafuntion_iam_role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_role_policy" "test_lambdafunction_iam_policy" {
name = "test_lambdafunction_iam_policy"
role = "${aws_iam_role.iam_for_lambda.id}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1441111030000",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"*"
]
}
]
}
EOF
} |
@catsby I originally thought this would be YAIAMECI™ (yet another IAM eventual consistency issue), but probably not this time. I took the exact config you pasted above, just changed
All of our acceptance tests run in |
Oh no! Hard coded string :( my AWS creds have a default of region of eu-west so I didn't even notice that. Doh! |
@radeksimko BRILLIANT thank you :) |
Hi folks, just seen this.While writing tests I saw others which used a hardcoded string so I did the same. I thought it doesn't feel right but didn't get picked up. Apologies! |
@joshmyers no worries! (sorry for the very late reply) |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Instead of #4813