我正在使用下面的 IAM 角色，通过 Lambda 函数将 CloudWatch 日志推送到 ES。由于 Lambda 函数调用出错，日志没有被推送到 ES。我似乎找不到明显的原因。
# Execution role assumed by the Lambda function. This trust policy only says
# who may assume the role (the Lambda service); what the role is allowed to do
# is granted separately by aws_iam_role_policy.cloudwatch_logs_lambda.
resource "aws_iam_role" "iam_for_lambda" {
  name = "iam_for_lambda_test"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}
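# Lambda function that receives CloudWatch Logs events and forwards them to
# the Elasticsearch domain. The accepted answer traces the invocation errors
# to a wrong ES endpoint inside the function, so the endpoint is now handed
# to the code through an environment variable resolved from the domain
# resource instead of being typed by hand (the handler has to read it, e.g.
# process.env.ES_ENDPOINT, for this to take effect).
resource "aws_lambda_function" "demo_lambda" {
  function_name = "demo_lambda_test"
  handler       = "index.handler"

  # nodejs4.3 is an old runtime; confirm it is still offered in the target
  # account before relying on it.
  runtime = "nodejs4.3"

  filename = "function.zip"

  # Forces a re-deploy whenever the packaged code changes.
  source_code_hash = "${base64sha256(file("function.zip"))}"

  role = "${aws_iam_role.iam_for_lambda.arn}"

  environment {
    variables = {
      # ES_ENDPOINT is a constructed name; use whatever the handler reads.
      # The value is the domain-specific endpoint of the ES domain, so the
      # function and the domain cannot drift apart.
      ES_ENDPOINT = "${aws_elasticsearch_domain.es.endpoint}"
    }
  }
}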
# Single-node Elasticsearch domain that stores the forwarded log events.
resource "aws_elasticsearch_domain" "es" {
  domain_name           = "cloudwatch-lambda-es"
  elasticsearch_version = "5.1"

  # One small node and no dedicated masters: a test-sized cluster.
  cluster_config {
    instance_count = 1
    instance_type  = "t2.small.elasticsearch"
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }

  # Lets bulk requests name the target index inside the request body.
  advanced_options {
    "rest.action.multi.allow_explicit_index" = "true"
  }

  # Resource-based domain policy. "Principal": "*" means a request coming
  # from the listed source address needs no signature at all and may run any
  # es:* action, deletes included; 00.00.00.01/32 is clearly a placeholder
  # for the real client address. The Lambda role is not named here, so its
  # access rests on its own identity policy (same-account caller), which this
  # policy neither allows nor denies -- confirm that is the intent.
  access_policies = <<CONFIG
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "es:*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ["00.00.00.01/32"]
        }
      }
    }
  ]
}
CONFIG

  snapshot_options {
    automated_snapshot_start_hour = 23
  }

  tags {
    Domain = "TestDomain"
  }
}
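# Permissions attached to the Lambda execution role.
#
# Statement 1: full access to the streaming-logs index of this domain.
# Statement 2: HTTP POST (bulk indexing) anywhere on this domain. The
#   original granted es:ESHttpPost on every domain in every account
#   (arn:aws:es:*:*:*), far wider than a function that talks to one domain
#   needs; it is now scoped to the domain created above.
# Statement 3: lets the function write its own execution logs. Without these
#   the invocation errors the function hits leave no trace in CloudWatch
#   Logs, which is the first place to look when debugging them.
resource "aws_iam_role_policy" "cloudwatch_logs_lambda" {
  role = "${aws_iam_role.iam_for_lambda.name}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["es:*"],
      "Resource": ["${aws_elasticsearch_domain.es.arn}/streaming-logs/*"]
    },
    {
      "Effect": "Allow",
      "Action": "es:ESHttpPost",
      "Resource": "${aws_elasticsearch_domain.es.arn}/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    }
  ]
}
EOF
}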
# Allows the CloudWatch Logs service in us-east-1 to invoke the function, but
# only on behalf of the named account and log group: source_account and
# source_arn stop a log group in another account from triggering it. The x's
# are placeholders and must both expand to the same account id.
resource "aws_lambda_permission" "test-app-allow-cloudwatch" {
  statement_id   = "test-app-allow-cloudwatch"
  action         = "lambda:InvokeFunction"
  principal      = "logs.us-east-1.amazonaws.com"
  function_name  = "${aws_lambda_function.demo_lambda.arn}"
  source_account = "xxxxxxxxxxx"
  source_arn     = "arn:aws:logs:us-east-1:xxxxxxxxx:log-group:example.log:*"
}
# Subscribes the example.log group to the function. An empty filter_pattern
# forwards every event. depends_on makes sure the invoke permission exists
# before the subscription is created; otherwise the subscription can be
# rejected because Logs is not yet allowed to call the function.
resource "aws_cloudwatch_log_subscription_filter" "test_lambdafunction_logfilter" {
  name            = "cloudwatch_lambdafunction_es_logfilter"
  log_group_name  = "example.log"
  destination_arn = "${aws_lambda_function.demo_lambda.arn}"
  filter_pattern  = ""

  depends_on = ["aws_lambda_permission.test-app-allow-cloudwatch"]
}
最佳答案
问题出在 Lambda 函数本身：其中配置的 ES 端点有误。权限本身都没有问题。
关于 elasticsearch - 用于将 CloudWatch 日志推送到 Elasticsearch 的 IAM 角色和策略，我们在 Stack Overflow 上找到一个类似的问题：https://stackoverflow.com/questions/44275174/