
How to define Resource Policy for CloudWatch Logs with CloudFormation?

When I configure DNS Query Logging with Route53, I can create a resource policy for Route53 to log to my log group. I can confirm this policy with the CLI command aws logs describe-resource-policies and see something like:

{
  "resourcePolicies": [
    {
        "policyName": "test-logging-policy", 
        "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"route53.amazonaws.com\"},\"Action\":[\"logs:CreateLogStream\",\"logs:PutLogEvents\"],\"Resource\":\"arn:aws:logs:us-east-1:xxxxxx:log-group:test-route53*\"}]}", 
        "lastUpdatedTime": 1520865407511
    }
  ]
}

The CLI also has a put-resource-policy command to create one of these. I also see that Terraform has a resource aws_cloudwatch_log_resource_policy which does the same.

So the question: how do I do this with CloudFormation?

You can't use the CloudWatch console to create or edit a resource policy. You must use the CloudWatch API, one of the AWS SDKs, or the AWS CLI.

There is no CloudFormation support for creating a resource policy right now, but you can create a custom Lambda resource to do this.

https://gist.github.com/sudharsans/cf9c52d7c78a81818a4a47872982bd76

CloudFormation Custom resource:

  AddResourcePolicy:
    Type: Custom::AddResourcePolicy
    Version: '1.0'
    Properties:
      ServiceToken: arn:aws:lambda:us-east-1:872673965194:function:test-lambda-deploy-Lambda-15R963QKCI80A
      CloudWatchLogsLogGroupArn: !GetAtt LogGroup.Arn
      PolicyName: "testpolicy"

lambda:

import json
import cfnresponse
import boto3

client = boto3.client('logs')

def PutPolicy(arn, policyname):
    # Same policy shape as the one shown in the question: Route 53 may only
    # create streams and put events in the given log group.
    document = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "route53.amazonaws.com"},
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": arn}]}
    client.put_resource_policy(policyName=policyname,
                               policyDocument=json.dumps(document))

def DeletePolicy(policyname):
    client.delete_resource_policy(policyName=policyname)

def handler(event, context):
    # Properties come from the Custom::AddResourcePolicy resource above.
    props = event['ResourceProperties']
    PolicyName = props['PolicyName']
    CloudWatchLogsLogGroupArn = props['CloudWatchLogsLogGroupArn']
    responseData = {}
    try:
        if event['RequestType'] == "Delete":
            DeletePolicy(PolicyName)
        if event['RequestType'] == "Create":
            PutPolicy(CloudWatchLogsLogGroupArn, PolicyName)
        responseData['Data'] = "SUCCESS"
        status = cfnresponse.SUCCESS
    except Exception as e:
        responseData['Data'] = str(e)
        status = cfnresponse.FAILED
    # Always signal CloudFormation, otherwise the stack hangs until timeout.
    cfnresponse.send(event, context, status, responseData)

4 years later, this still doesn't seem to work through CloudFormation, although there is apparently support for this included now.
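As an added example, not taken from the question or the answers: the same Route 53 policy expressed natively with the AWS::Logs::ResourcePolicy resource type that CloudFormation now provides, so no custom Lambda resource is needed. The log group and policy names are constructed, and the Condition block is a hardening the page's policy lacks: it limits the principal to hosted zones in your own account, so another account's Route 53 configuration cannot write into your log group.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  # Route 53 DNS query logging requires the log group to live in us-east-1.
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/route53/example-zone   # constructed name
      RetentionInDays: 30

  Route53QueryLogPolicy:
    Type: AWS::Logs::ResourcePolicy
    Properties:
      PolicyName: route53-query-logging          # constructed name
      # PolicyDocument is a JSON string; !Sub fills in the account and log group ARN.
      # LogGroup.Arn already ends in ":*", which covers the streams Route 53 creates.
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [{
            "Sid": "Route53LogsToCloudWatchLogs",
            "Effect": "Allow",
            "Principal": {"Service": "route53.amazonaws.com"},
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "${LogGroup.Arn}",
            "Condition": {
              "StringEquals": {"aws:SourceAccount": "${AWS::AccountId}"},
              "ArnLike": {"aws:SourceArn": "arn:aws:route53:::hostedzone/*"}
            }
          }]
        }
```

After deployment, aws logs describe-resource-policies shows the policy exactly as in the question's output, and the Condition keys are what to check if a log group ever receives streams from an unexpected source.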
