我有以下与terraform一起使用的json文件,用于执行以下操作:
这个想法是要自动创建这些日志组/记录,这样我就不必每天进入CloudWatch并创建一个新的日志了。
main.tf:
provider "aws" {
access_key = "foo"
secret_key = "foo"
region = "us-east-1"
}
resource "aws_lambda_function" "greet_lambda" {
filename = "greet_lambda.py.zip"
function_name = "greet_lambda"
role = aws_iam_role.iam_for_lambda.arn
handler = "greet_lambda.lambda_handler"
depends_on = [aws_iam_role_policy_attachment.lambda_logs]
runtime = "python3.7"
environment {
variables = {greeting = "Hi"}
}
}
resource "aws_cloudwatch_log_group" "greet_lambda" {
name = "/aws/lambda/greet_lambda"
}
resource "aws_iam_role" "iam_for_lambda" {
name = "iam_for_lambda"
assume_role_policy = file("iam_for_lambda.json")
}
resource "aws_iam_policy" "lambda_logging" {
name = "lambda_logging"
path = "/"
description = "IAM policy for logging from a lambda"
policy = file("lambda_policy.json")
}
resource "aws_iam_role_policy_attachment" "lambda_logs" {
role = aws_iam_role.iam_for_lambda.name
policy_arn = aws_iam_policy.lambda_logging.arn
depends_on = [aws_iam_role.iam_for_lambda, aws_iam_policy.lambda_logging]
}
lambda_policy.json
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:us-east-1:003618259171:log-group:/aws/lambda/greet_lambda:*",
"Effect": "Allow"
}
]
}
iam_for_lambda:
{
"Version": "2012-10-17",
"Statement": [{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
问题:一切似乎都正确部署,但是当调用lambda函数时,不会在日志组内自动创建日志流。
答案 0 :(得分:0)
这是我最终制作的有效代码:
main.tf:
provider "aws" {
access_key = ""
secret_key = ""
region = ""
}
resource "aws_lambda_function" "greet_lambda" {
filename = "greet_lambda.py.zip"
function_name = "greet_lambda"
role = "${aws_iam_role.iam_for_lambda.arn}"
handler = "greet_lambda.lambda_handler"
depends_on = ["aws_iam_role_policy_attachment.lambda_logs", "aws_cloudwatch_log_group.example"]
source_code_hash = "${filebase64sha256("greet_lambda.py.zip")}"
runtime = "python3.7"
environment {
variables = {greeting = "Hi"}
}
}
resource "aws_iam_role" "iam_for_lambda" {
name = "iam_for_lambda"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_cloudwatch_log_group" "example" {
name = "/aws/lambda/greet_lambda"
retention_in_days = 14
}
resource "aws_iam_policy" "lambda_logging" {
name = "lambda_logging"
path = "/"
description = "IAM policy for logging from a lambda"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*",
"Effect": "Allow"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "lambda_logs" {
role = "${aws_iam_role.iam_for_lambda.name}"
policy_arn = "${aws_iam_policy.lambda_logging.arn}"
}