
我使用下面的 IAM 角色與 Lambda 函數，將 CloudWatch Logs 推送到 Elasticsearch（ES）。由於 Lambda 函數調用（invocation）錯誤，日誌沒有被推送到 ES，而我找不出明顯的原因。以下是用來將 CloudWatch Logs 推送到 Elasticsearch 的 IAM 角色與策略：

# Execution role assumed by the log-shipping Lambda function.
# This block only defines the trust relationship (who may assume the role);
# the permissions the role carries are attached separately in
# aws_iam_role_policy.cloudwatch_logs_lambda.
resource "aws_iam_role" "iam_for_lambda" {
  name = "iam_for_lambda_test"

  # Trust policy: only the Lambda service principal may call sts:AssumeRole.
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}

# Log-shipping Lambda function. The deployment package (function.zip) must
# export `handler` from index.js; the function code itself is not part of this
# configuration, so the ES endpoint it posts to has to be checked in the code.
resource "aws_lambda_function" "demo_lambda" {
  function_name = "demo_lambda_test"
  role          = "${aws_iam_role.iam_for_lambda.arn}"
  handler       = "index.handler"

  # NOTE(review): the nodejs4.3 runtime is deprecated (Node.js 4.x is
  # end-of-life and receives no security fixes); move to a supported Node.js
  # runtime once the function code has been verified against it.
  runtime = "nodejs4.3"

  # No timeout/memory_size is set, so Lambda defaults apply (3 s / 128 MB at
  # the time of writing) -- presumably enough for small batches; if
  # invocations fail with timeouts, raise `timeout` here.
  filename = "function.zip"

  # Hash of the zip so a changed package triggers a redeploy.
  source_code_hash = "${base64sha256(file("function.zip"))}"
}

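# Single-node Elasticsearch domain that receives the shipped log events.
# NOTE(review): no encryption at rest / node-to-node encryption is configured;
# neither was available for this version and instance class when this was
# written -- confirm against current provider options if the domain is kept.
resource "aws_elasticsearch_domain" "es" {
  domain_name           = "cloudwatch-lambda-es"
  elasticsearch_version = "5.1"

  cluster_config {
    instance_type  = "t2.small.elasticsearch"
    instance_count = 1
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }

  # Required for _bulk requests that name the target index per document.
  advanced_options {
    "rest.action.multi.allow_explicit_index" = "true"
  }

  # Domain (resource-based) access policy, two statements:
  #  1. Interactive/Kibana access from one allow-listed address. Note that
  #     "es:*" for an anonymous principal is full administrative access to the
  #     domain -- replace the placeholder address with a real one and narrow
  #     the action list if that client only needs to read.
  #  2. The Lambda execution role. Its SigV4-signed requests originate from
  #     AWS-owned addresses, not from the allow-listed IP, so the role has to
  #     be granted explicitly; otherwise the IP condition alone would reject
  #     them regardless of what the role's own IAM policy allows.
  # As in the original policy no "Resource" is given (the domain ARN cannot be
  # referenced from inside its own definition); the statements are therefore
  # taken to apply to this domain as a whole -- confirm with the API.
  access_policies = <<CONFIG
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListedClientIp",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "es:*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": ["00.00.00.01/32"] }
      }
    },
    {
      "Sid": "LambdaLogShipper",
      "Effect": "Allow",
      "Principal": { "AWS": "${aws_iam_role.iam_for_lambda.arn}" },
      "Action": "es:ESHttpPost"
    }
  ]
}
CONFIG

  snapshot_options {
    automated_snapshot_start_hour = 23
  }

  tags {
    Domain = "TestDomain"
  }
}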


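# Permissions carried by the Lambda execution role.
# Least privilege: ES writes are scoped to this one domain (the original
# granted es:ESHttpPost on arn:aws:es:*:*:*, i.e. any domain in any account
# whose domain policy would accept the role), and the role is given the
# CloudWatch Logs permissions it needs to write its own invocation logs.
# Without those, a failing invocation leaves nothing in
# /aws/lambda/<function>, which is exactly what makes an "invocation error"
# hard to diagnose.
resource "aws_iam_role_policy" "cloudwatch_logs_lambda" {
  role = "${aws_iam_role.iam_for_lambda.name}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteStreamingLogsIndex",
      "Effect": "Allow",
      "Action": ["es:*"],
      "Resource": ["${aws_elasticsearch_domain.es.arn}/streaming-logs/*"]
    },
    {
      "Sid": "BulkPostToThisDomainOnly",
      "Effect": "Allow",
      "Action": "es:ESHttpPost",
      "Resource": "${aws_elasticsearch_domain.es.arn}/*"
    },
    {
      "Sid": "WriteOwnCloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/${aws_lambda_function.demo_lambda.function_name}:*"
    }
  ]
}
EOF
}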

# Allows the CloudWatch Logs service (us-east-1) to invoke the function.
# source_account and source_arn pin the grant to a single log group in a
# single account, which prevents a confused-deputy invocation triggered by
# another account's log group. Replace the xxxxxxxxx placeholders with the
# real account ID: the ID inside source_arn must equal source_account, and
# the log group name must match the subscription filter's log_group_name
# (example.log). The principal is region-specific, so it must be the region
# of that log group.
resource "aws_lambda_permission" "test-app-allow-cloudwatch" {
  statement_id   = "test-app-allow-cloudwatch"
  action         = "lambda:InvokeFunction"
  principal      = "logs.us-east-1.amazonaws.com"
  function_name  = "${aws_lambda_function.demo_lambda.arn}"
  source_account = "xxxxxxxxxxx"
  source_arn     = "arn:aws:logs:us-east-1:xxxxxxxxx:log-group:example.log:*"
}

# Streams events from the example.log log group to the function.
# An empty filter_pattern forwards every event; depends_on makes sure the
# invoke permission exists before CloudWatch Logs validates the destination,
# since the filter is rejected if the service cannot call the function.
resource "aws_cloudwatch_log_subscription_filter" "test_lambdafunction_logfilter" {
  depends_on      = ["aws_lambda_permission.test-app-allow-cloudwatch"]
  name            = "cloudwatch_lambdafunction_es_logfilter"
  log_group_name  = "example.log"
  destination_arn = "${aws_lambda_function.demo_lambda.arn}"
  filter_pattern  = ""
}

回答


問題出在 Lambda 函數程式碼中：ES 的端點（endpoint）配置錯誤。IAM 權限本身沒有問題。（要診斷這類調用錯誤，請先確保 Lambda 執行角色具備寫入自身 CloudWatch Logs 的權限，再查看 /aws/lambda/&lt;函數名&gt; 日誌群組中的錯誤訊息。）