我正在使用下面的 IAM 角色，通过 Lambda 函数把 CloudWatch 日志推送到 ES。由于 Lambda 函数调用出错，日志没有被推送到 ES。我找不出明显的原因。

# IAM Role for Lambda function to be able to write to ES
resource "aws_iam_role" "iam_for_lambda" {
     # Execution role for the Lambda function. This block only defines who
     # may assume the role; the permissions it carries are attached
     # separately by aws_iam_role_policy.cloudwatch_logs_lambda.
     name = "iam_for_lambda_test"

     # Trust policy: only the Lambda service principal may call
     # sts:AssumeRole on this role. The JSON is a raw heredoc, so its
     # whitespace is part of the stored attribute value.
     assume_role_policy = <<EOF
{
     "Version": "2012-10-17",
     "Statement": [
       {
         "Action": "sts:AssumeRole",
         "Principal": {
           "Service": "lambda.amazonaws.com"
         },
         "Effect": "Allow",
         "Sid": ""
       }
     ]
}
EOF
}

# Lambda function
resource "aws_lambda_function" "demo_lambda" {
       # Function invoked by the CloudWatch Logs subscription filter below;
       # it forwards the received log events to the ES domain. The ES
       # endpoint it posts to lives inside function.zip, not in this
       # configuration (the accepted answer traces the failure to that
       # endpoint setting rather than to IAM).
       role             = "${aws_iam_role.iam_for_lambda.arn}"
       function_name    = "demo_lambda_test"
       filename         = "function.zip"
       # Hash of the bundle so Terraform redeploys when the zip changes.
       source_code_hash = "${base64sha256(file("function.zip"))}"
       handler          = "index.handler"
       # nodejs4.3 has since been retired by AWS; a new deployment needs a
       # currently supported Node.js runtime.
       runtime          = "nodejs4.3"
}

# Create an ES cluster
resource "aws_elasticsearch_domain" "es" {
     domain_name           = "cloudwatch-lambda-es"
     elasticsearch_version = "5.1"
     # Single t2.small data node: no redundancy, a test-sized domain.
     cluster_config {
       instance_type = "t2.small.elasticsearch"
       instance_count = 1
     }
     ebs_options {
       ebs_enabled = true
       volume_size = 10
     }

     # Lets bulk/multi requests name the target index in the request body.
     advanced_options {
       "rest.action.multi.allow_explicit_index" = "true"
     }

     # Domain (resource-based) access policy: anonymous es:* from the listed
     # source IP only, so unsigned requests from anywhere else are denied.
     # The Lambda role is not named here; it relies on the identity policy
     # in aws_iam_role_policy.cloudwatch_logs_lambda — the accepted answer
     # reports the permissions as working, but NOTE(review): confirm that
     # combination against your account before relying on it. The IP is a
     # placeholder in this listing.
     access_policies = <<CONFIG
{
       "Version": "2012-10-17",
       "Statement": [
           {
               "Action": "es:*",
               "Principal": "*",
               "Effect": "Allow",
               "Condition": {
                   "IpAddress": {"aws:SourceIp": ["00.00.00.01/32"]}
               }
           }
       ]
}
CONFIG

     snapshot_options {
       automated_snapshot_start_hour = 23
     }

     tags {
       Domain = "TestDomain"
     }
}


# Access policy for the IAM role for Lambda to permit writing to ES
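resource "aws_iam_role_policy" "cloudwatch_logs_lambda" {
     # Identity policy for the Lambda execution role. Both statements are
     # scoped to the ES domain created above, so the role cannot write to
     # any other domain. The second statement previously used
     # "arn:aws:es:*:*:*", which matched every domain in every account and
     # was far broader than the Lambda needs.
     role = "${aws_iam_role.iam_for_lambda.name}"

     # Statement 1: es:* on the streaming-logs index path. Only the HTTP-level
     # es:ESHttp* actions match an index-path ARN, so narrowing "es:*" to
     # "es:ESHttp*" would make that explicit without changing what is granted.
     # Statement 2: ESHttpPost on the domain, which is what the bulk write
     # from the function uses.
     policy = <<EOF
{
       "Version": "2012-10-17",
       "Statement": [
           {
               "Action": [ "es:*" ],
               "Effect": "Allow",
               "Resource": ["${aws_elasticsearch_domain.es.arn}/streaming-logs/*"]
           },
           {
               "Effect": "Allow",
               "Action": "es:ESHttpPost",
               "Resource": "${aws_elasticsearch_domain.es.arn}/*"
           }
        ]
}
EOF
}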

resource "aws_lambda_permission" "test-app-allow-cloudwatch" {
     # Resource policy on the function: the CloudWatch Logs service may
     # invoke it, but only for events coming from the named log group in
     # the named account. source_arn and source_account together prevent a
     # log group in another account from targeting this function.
     function_name  = "${aws_lambda_function.demo_lambda.arn}"
     statement_id   = "test-app-allow-cloudwatch"
     action         = "lambda:InvokeFunction"
     # Region-specific service principal; must match the log group's region.
     principal      = "logs.us-east-1.amazonaws.com"
     # Account id and ARN are redacted placeholders in this listing.
     source_arn     = "arn:aws:logs:us-east-1:xxxxxxxxx:log-group:example.log:*"
     source_account = "xxxxxxxxxxx"
}

resource "aws_cloudwatch_log_subscription_filter" "test_lambdafunction_logfilter" {
     # Streams every event of log group example.log (empty filter_pattern
     # matches everything) to the Lambda function. The invoke permission
     # has to exist before the filter is created, hence the explicit
     # depends_on. The log group itself is assumed to exist already — it is
     # not managed in this listing.
     name            = "cloudwatch_lambdafunction_es_logfilter"
     destination_arn = "${aws_lambda_function.demo_lambda.arn}"
     log_group_name  = "example.log"
     filter_pattern  = ""
     depends_on      = ["aws_lambda_permission.test-app-allow-cloudwatch"]
}

最佳答案

问题出在 Lambda 函数本身：其中配置的 ES 端点有误。权限设置没有问题。

关于 elasticsearch - IAM 将 CloudWatch 日志推送到 Elasticsearch 的角色和策略，我们在 Stack Overflow 上找到了一个类似的问题：https://stackoverflow.com/questions/44275174/
