
我正在使用以下 IAM 角色,通过 Lambda 函数将 CloudWatch 日志推送到 ES。由于 Lambda 函数调用出错,日志没有推送到 ES。我似乎找不出明显的原因。

# Execution role the Lambda function runs as. Only the trust policy lives
# here; the permissions the role carries are attached separately in
# aws_iam_role_policy.cloudwatch_logs_lambda.
resource "aws_iam_role" "iam_for_lambda" {
  name = "iam_for_lambda_test"

  # Trust policy: only the Lambda service may assume this role. No other
  # account, service or user is granted sts:AssumeRole.
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}

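# Lambda function that receives CloudWatch Logs events and forwards them to
# the Elasticsearch domain. Deployed from function.zip in the working
# directory; source_code_hash makes Terraform redeploy when the zip changes.
resource "aws_lambda_function" "demo_lambda" {
  function_name    = "demo_lambda_test"
  handler          = "index.handler"

  # nodejs4.3 is a deprecated, end-of-life runtime that no longer receives
  # security patches. Moving to a supported Node.js runtime needs the handler
  # code in function.zip checked first, so the value is left as-is here.
  runtime          = "nodejs4.3"

  filename         = "function.zip"
  source_code_hash = "${base64sha256(file("function.zip"))}"
  role             = "${aws_iam_role.iam_for_lambda.arn}"

  # Hand the domain endpoint to the code instead of hard-coding it inside
  # function.zip: a wrong endpoint baked into the bundle shows up as an
  # invocation error that no policy change can explain. ES_ENDPOINT is a
  # variable name chosen here (not on the original page); the handler must
  # read process.env.ES_ENDPOINT for it to take effect.
  environment {
    variables = {
      ES_ENDPOINT = "${aws_elasticsearch_domain.es.endpoint}"
    }
  }
}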

# Elasticsearch domain the log events are written into.
resource "aws_elasticsearch_domain" "es" {
  domain_name           = "cloudwatch-lambda-es"
  elasticsearch_version = "5.1"

  # A single small node on 10 GiB of EBS: fine for a test domain, not for
  # anything that has to survive the loss of a node.
  cluster_config {
    instance_count = 1
    instance_type  = "t2.small.elasticsearch"
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }

  advanced_options {
    "rest.action.multi.allow_explicit_index" = "true"
  }

  # Domain access policy. Principal "*" combined with the IP condition means
  # every caller from 00.00.00.01/32 (a placeholder, replace it) gets full
  # es:* on the domain without authenticating; no one else is allowed by
  # this policy. Unless the Lambda function egresses from that address, its
  # access comes from the IAM role policy alone, which only counts when the
  # handler signs its requests (SigV4) — NOTE(review): confirm it does.
  access_policies = <<ACCESS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "es:*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": ["00.00.00.01/32"] }
      }
    }
  ]
}
ACCESS

  snapshot_options {
    automated_snapshot_start_hour = 23
  }

  tags {
    Domain = "TestDomain"
  }
}


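# Permissions carried by the Lambda execution role.
#
# Changes from the earlier version of this policy:
#  - the ESHttpPost statement used "arn:aws:es:*:*:*", i.e. every domain in
#    every account; the log shipper only ever talks to this one domain, so it
#    is now scoped to "${aws_elasticsearch_domain.es.arn}/*";
#  - the role had no logs:* permissions at all, so the function could not
#    write its own invocation log, which is exactly where the error that
#    stops the push would be visible.
resource "aws_iam_role_policy" "cloudwatch_logs_lambda" {
  role = "${aws_iam_role.iam_for_lambda.name}"

  # IndexWrite keeps the original index-scoped grant. BulkPost covers paths
  # outside streaming-logs/ on the same domain (presumably the bulk endpoint
  # at the domain root, which the index-scoped statement does not match).
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IndexWrite",
      "Effect": "Allow",
      "Action": ["es:*"],
      "Resource": ["${aws_elasticsearch_domain.es.arn}/streaming-logs/*"]
    },
    {
      "Sid": "BulkPost",
      "Effect": "Allow",
      "Action": "es:ESHttpPost",
      "Resource": "${aws_elasticsearch_domain.es.arn}/*"
    },
    {
      "Sid": "OwnInvocationLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    }
  ]
}
POLICY
}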

# Resource policy on the function: lets the CloudWatch Logs service in
# us-east-1 invoke it, but only on behalf of the example.log log group in
# the given account. source_account and source_arn are what pin the caller;
# both hold placeholders and must carry the same 12-digit account id.
resource "aws_lambda_permission" "test-app-allow-cloudwatch" {
  statement_id   = "test-app-allow-cloudwatch"
  action         = "lambda:InvokeFunction"
  principal      = "logs.us-east-1.amazonaws.com"
  source_account = "xxxxxxxxxxx"
  source_arn     = "arn:aws:logs:us-east-1:xxxxxxxxx:log-group:example.log:*"
  function_name  = "${aws_lambda_function.demo_lambda.function_name}"
}

# Wires the example.log log group to the function. An empty filter_pattern
# forwards every event. depends_on orders the invoke permission before the
# filter so the subscription is not created against a function the Logs
# service is not yet allowed to call.
resource "aws_cloudwatch_log_subscription_filter" "test_lambdafunction_logfilter" {
  name            = "cloudwatch_lambdafunction_es_logfilter"
  log_group_name  = "example.log"
  filter_pattern  = ""
  destination_arn = "${aws_lambda_function.demo_lambda.arn}"
  depends_on      = ["aws_lambda_permission.test-app-allow-cloudwatch"]
}



问题在于 Lambda 函数中配置的 ES 端点有误,权限方面一切正常。

于 2017-06-02T04:25:17.540 回答