我有两个帐户prod和prod-support。在prod-support帐户中,我创建了一个跨帐户角色,并附加了一个策略来授予对prod帐户的访问权限,如下所示。我已经在prod-support帐户中创建了kinesis流,并且处于活动状态。
现在我正在尝试在prod帐户中创建一个cloudwatch订阅,以便从cloudwatch日志(prod)重定向日志 - > kinesis(prod-support)帐户。
provider "aws" {
region = "${var.aws_region}"
assume_role {
role_arn = "arn:aws:iam::111111111:role/deployment_role"
}
}
resource "aws_iam_role_policy" "tf_CWL_to_kinesis_policy" {
name = "tf_CWL_to_kinesis_policy"
role = "${aws_iam_role.tf_CWL_to_kinesis_role.id}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::22222222:role/CrossAccountRole"
},
{
"Effect": "Allow",
"Action": [
"kinesis:DescribeStream",
"kinesis:PutRecord",
"kinesis:PutRecords",
"kinesis:GetShardIterator",
"kinesis:GetRecords"
],
"Resource": "arn:aws:kinesis:${var.aws_region}:22222222:stream/tf_CWL_to_kinesis_stream"
}
]
}EOF
}
resource "aws_iam_role" "tf_CWL_to_kinesis_role" {
name = "tf_CWL_to_kinesis_role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"AWS":"111111111"
},
"Effect": "Allow"
}
]
}EOF
}
resource "aws_cloudwatch_log_subscription_filter" "tf_CWL_to_kinesis_subscrp_filter" {
name = "tf_CWL_to_kinesis_subscrp_filter",
role_arn = "${aws_iam_role.tf_CWL_to_kinesis_role.arn}"
log_group_name = "/aws/lambda/egad-diagnostics-result-sender-lambda"
filter_pattern = ""
destination_arn = "arn:aws:kinesis:${var.aws_region}:2222222222:stream/tf_CWL_to_kinesis_stream"
depends_on = ["aws_iam_role.tf_CWL_to_kinesis_role"]
}
这里需要注意的事情。
上面的脚本试图在prod-support帐户中访问kinesis流,但它无法访问它。
任何想法