
通过 CloudFormation 创建 AWS::Logs::SubscriptionFilter 时,供应商 Firehose 的 destinationArn 不能与 roleArn 一起使用

如何解决通过 CloudFormation 创建 AWS::Logs::SubscriptionFilter 时,供应商 Firehose 的 destinationArn 不能与 roleArn 一起使用

我的 CloudFormation 模板,其中的 AWS::Logs::SubscriptionFilter 资源无法创建(下面贴出的模板在多处被截断,例如部分 IAM 角色缺少 Properties,仅供说明问题):

{
  "Resources": {
    "Bucket83908E77": {
      "Type": "AWS::S3::Bucket","UpdateReplacePolicy": "Delete","DeletionPolicy": "Delete"
    },"MyFirehoseServiceRoleFD019CCC": {
      "Type": "AWS::IAM::Role","Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole","Effect": "Allow","Principal": {
                "Service": "firehose.amazonaws.com"
              }
            }
          ],"Version": "2012-10-17"
        }
      }
    },"MyFirehoseS3DestinationRoleDE043A9B": {
      "Type": "AWS::IAM::Role","MyFirehoseS3DestinationRoleDefaultPolicyF2D4C970": {
      "Type": "AWS::IAM::Policy","Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:Getobject*","s3:GetBucket*","s3:List*","s3:DeleteObject*","s3:PutObject","s3:Abort*"
              ],"Resource": [
                {
                  "Fn::GetAtt": [
                    "Bucket83908E77","Arn"
                  ]
                },{
                  "Fn::Join": [
                    "",[
                      {
                        "Fn::GetAtt": [
                          "Bucket83908E77","Arn"
                        ]
                      },"/*"
                    ]
                  ]
                }
              ]
            },{
              "Action": [
                "logs:CreateLogStream","logs:PutLogEvents"
              ],"Resource": {
                "Fn::GetAtt": [
                  "MyFirehoseLogGroupE92127AD","Arn"
                ]
              }
            }
          ],"Version": "2012-10-17"
        },"PolicyName": "MyFirehoseS3DestinationRoleDefaultPolicyF2D4C970","Roles": [
          {
            "Ref": "MyFirehoseS3DestinationRoleDE043A9B"
          }
        ]
      }
    },"MyFirehoseLogGroupE92127AD": {
      "Type": "AWS::Logs::LogGroup","Properties": {
        "RetentionInDays": 731
      },"UpdateReplacePolicy": "Retain","DeletionPolicy": "Retain"
    },"MyFirehoseLogGroups3Destination06C9B080": {
      "Type": "AWS::Logs::LogStream","Properties": {
        "LogGroupName": {
          "Ref": "MyFirehoseLogGroupE92127AD"
        }
      },"MyFirehoseFCA2F9D3": {
      "Type": "AWS::KinesisFirehose::DeliveryStream","Properties": {
        "DeliveryStreamType": "DirectPut","ExtendedS3DestinationConfiguration": {
          "BucketARN": {
            "Fn::GetAtt": [
              "Bucket83908E77","Arn"
            ]
          },"CloudWatchLoggingOptions": {
            "Enabled": true,"LogGroupName": {
              "Ref": "MyFirehoseLogGroupE92127AD"
            },"LogStreamName": {
              "Ref": "MyFirehoseLogGroups3Destination06C9B080"
            }
          },"RoleARN": {
            "Fn::GetAtt": [
              "MyFirehoseS3DestinationRoleDE043A9B","Arn"
            ]
          }
        }
      },"DependsOn": [
        "MyFirehoseS3DestinationRoleDefaultPolicyF2D4C970"
      ]
    },"MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehose30DECEBA": {
      "Type": "AWS::IAM::Role","Principal": {
                "Service": {
                  "Fn::Join": [
                    "",[
                      "logs.",{
                        "Ref": "AWS::Region"
                      },".amazonaws.com"
                    ]
                  ]
                }
              }
            }
          ],"MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehoseDefaultPolicyF5730531": {
      "Type": "AWS::IAM::Policy","Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "firehose:PutRecord","firehose:PutRecordBatch"
              ],"Resource": {
                "Fn::GetAtt": [
                  "MyFirehoseFCA2F9D3","PolicyName": "MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehoseDefaultPolicyF5730531","Roles": [
          {
            "Ref": "MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehose30DECEBA"
          }
        ]
      }
    },"LogGroupF5B46931": {
      "Type": "AWS::Logs::LogGroup","Subscription391C9821": {
      "Type": "AWS::Logs::SubscriptionFilter","Properties": {
        "DestinationArn": {
          "Fn::GetAtt": [
            "MyFirehoseFCA2F9D3","Arn"
          ]
        },"FilterPattern": "","LogGroupName": {
          "Ref": "LogGroupF5B46931"
        },"RoleArn": {
          "Fn::GetAtt": [
            "MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehose30DECEBA","Arn"
          ]
        }
      }
    }
  }
}

令人费解的错误信息:

Subscription (Subscription391C9821) destinationArn for vendor firehose cannot be used with roleArn (Service: AWSLogs; Status Code: 400; Error Code: InvalidParameterException; Request ID: 0e598426-5fcb-4fde-b9d3-11b14c129eb6; Proxy: null)

堆栈名称cdk-logs-destination-firehose-to-s3

解决方法

显然,CloudWatch Logs 存在一个缺陷:当订阅过滤器的目标 ARN 中包含字符串 destination 时,创建订阅的请求会被拒绝,并返回上述与 roleArn 无关的误导性错误。

解决方法是从堆栈名称中删除 destination 子字符串(看起来堆栈名称会被带入 Firehose 交付流的名称及其 ARN,因此去掉该子字符串后目标 ARN 就不再包含 destination)。
