[英]Write AWS Lambda Logs to CloudWatch Log Group with Terraform
我正在嘗試將 lambda function 的日志寫入由 terraform 創建的 CloudWatch 日志組。
這是 lambda 政策 json -
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1580216411252",
"Action": [
"logs:CreateLogStream",
"logs:CreateLogDelivery",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:*:*:*"
}
]
}
這是 lambda 承擔政策 json -
{
"Version": "2012-10-17",
"Statement": [{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}]
}
我已將其添加到 lambda.tf 文件中 -
resource "aws_cloudwatch_log_group" "example" {
name = "/test/logs/${var.lambda_function_name}"
}
雖然 CloudWatch 日志組 '/test/logs/${var.lambda_function_name}' 是通過 terraform 創建的,但我無法將 lambda function 的日志寫入該組。
如果我將 lambda 政策 json 更改為此 -
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "Stmt1580204738067",
"Action": "logs:*",
"Effect": "Allow",
"Resource": "*"
}]
}
然后它會自動將日志存儲在 /aws/lambda/ 目錄中。
我如何確保將 lambda 日志寫入我創建的 CloudWatch 日志組中,而不是寫入由 lambda 本身創建的 /aws/lambda/ 組中?
如果您希望 Terraform 管理 CloudWatch 日志組,您必須提前使用 Lambda 函數將用於其日志組的確切名稱創建日志組。 您根本無法更改名稱。 然后在您的 Terraform 中,您需要使日志組成為 Lambda 函數的依賴項,以確保 Terraform 有機會在 Lambda 自動創建日志組之前創建它。
僅將日志組作為依賴項添加到 lambda 是不夠的。 您還必須將 IAM 策略附加到 lambda 角色。
步驟如下:
resource "aws_iam_role" "iam_for_lambda" {
name = "iam_for_lambda"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
EOF
}
resource "aws_iam_policy" "function_logging_policy" {
name = "function-logging-policy"
policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
Action : [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
Effect : "Allow",
Resource : "arn:aws:logs:*:*:*"
}
]
})
}
resource "aws_iam_role_policy_attachment" "function_logging_policy_attachment" {
role = aws_iam_role.iam_for_lambda.id
policy_arn = aws_iam_policy.function_logging_policy.arn
}
resource "aws_cloudwatch_log_group" "lambda_log_group" {
name = "/aws/lambda/${var.lambda.function_name}"
retention_in_days = 7
lifecycle {
prevent_destroy = false
}
}
resource "aws_lambda_function" "lambda_function" {
filename = "../${var.lambda.function_filename}"
function_name = "${var.lambda.function_name}"
role = aws_iam_role.iam_for_lambda.arn
handler = "${var.lambda.handler}"
layers = [aws_lambda_layer_version.lambda_layer.arn]
depends_on = [aws_cloudwatch_log_group.lambda_log_group]
source_code_hash = filebase64sha256("../${var.lambda.function_filename}")
runtime = "python3.9"
}
IAM 策略創建和附件來自這篇文章,rest 來自我為我工作的個人項目。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.