AWS::Events::Rule targetting Cloudwatch logs #351
Comments
The resource policy is part of CloudWatch Logs, so this request is essentially the same as #249. As a workaround, I think you should be able to create an IAM role with permission to deliver to CloudWatch Logs, and give that role to the target.
The problem is that even if I create such a role and give it as "RoleArn" it won't get used. The only way to make it work is with a resource policy on CloudWatch. Tried with:
And the Lambda wouldn't fire either without the permission:
When you set that up, can you verify with
It doesn't look like it is set on the target:
I used the following template snippet:
Ah, if you put it on the role it should show up in CFNRule:

```yaml
Type: AWS::Events::Rule
Properties:
  EventPattern:
    source:
      - "aws.states"
  Targets:
    - Id: 'CloudwatchLogsTarget'
      RoleArn: !GetAtt CFNTargetRole.Arn
      Arn: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${CFNLogGroup}"
    - Id: 'LambdaTarget'
      Arn: !GetAtt EventsFunction.Arn
```
You cannot put it there. I tried; CloudFormation complains that RoleArn is not supported for CloudWatch (nor for Lambda). However, it is required if targeting an event bus in another account. So this is why it's pretty confusing when it is possible to provide it both in Properties and on individual targets.
Wow, that's kind of a mess.
I am having the same issue. Any workaround available? Thank you very much for any advice.
Same issue here. Does anyone have an AWS CLI script as a workaround?
Same here. Would really prefer having the support for it in CloudFormation.
Not sure if this is exactly the same issue, but I have played around with this for a bit and the whole thing only seems to work when the LogGroupName starts with /aws/events/. This definition just works in my tests:

```yaml
RuleSecurityScans:
  Type: AWS::Events::Rule
  Properties:
    Description: ""
    EventPattern:
      {
        "detail-type": [
          "ECR Image Scan"
        ],
        "source": [
          "aws.ecr"
        ]
      }
    State: ENABLED
    RoleArn: !GetAtt RoleCWLogsDelivery.Arn
    Targets:
      -
        Arn: !GetAtt LogGroupScanFindings.Arn
        Id: LogGroup
RoleCWLogsDelivery:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal:
            Service: events.amazonaws.com
          Action: 'sts:AssumeRole'
    Policies:
      - PolicyName: "AllowLogging"
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: "Allow"
              Action:
                - 'logs:*'
              Resource: "*"
LogGroupScanFindings:
  Type: AWS::Logs::LogGroup
  Properties:
    LogGroupName: /aws/events/SamImageScanFindings
    RetentionInDays: 30
```
To add a bit of context to @shotty1's comment, you can't even use the CloudWatch Events console to send events to a "custom" log group. I have several log groups in my account and the only one the console will allow me to configure is the "TESTING" one (/aws/events/TESTING). My CFN template tried to configure it to put events to the "/lh/securityhub/events" log group; that's where the "hub/events" snippet comes from in the text box. tl;dr I think this might be a CloudWatch Event Rules problem and not really a CFN problem.
I created an L2 CDK construct for using CW as a target for EventBridge. I used a custom resource as a workaround so my Log Group would accept logs sent from EventBridge. This can be translated to CF:
Do we need an IAM role if we are using /aws/events as the prefix?
@josjaf No, we don't need any IAM role. I just changed my log group name from
Hi folks - a quick update as CloudWatch Logs now supports setting a log group resource policy via CloudFormation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-resourcepolicy.html This CloudFormation template shows an example of setting up an EventBridge event bus, a rule, and a CloudWatch Logs target, with a resource policy that accepts events from the created EventBridge rule. There is no need to provide an IAM role on the rule.
Hi @nickste, I'm not able to get that policy document to work with the condition on SourceArn. I noticed that if I add a target in the AWS console, a policy document named "TrustEventsToStoreLogEvents" gets created with a resource that ends with ":log-group:/aws/events/:" and no condition on a specific rule. So if I have that in my account, policy documents like in your example appear to work but they stop as soon as I delete that implicitly created policy.
I had the same issue as @jdiamond. I tried hardcoding the resources, adding a wildcard, using Condition StringLike with aws:PrincipalArn and could not get it to work. The example on the AWS documentation doesn't include a SourceArn, so I will assume it just doesn't work currently https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-use-resource-based.html. The following policy worked:
I created a rule and provided a log group as the target, without creating a log group resource policy, and it worked. The event rule was able to write to the log group just fine. Is a log group's resource policy automatically created if one is not provided?
@piersf If you ever used the console to create a log group target, it created a resource policy for you.
@jdiamond I'm sorry, I forgot to mention that I created the above using CloudFormation.
@piersf Yeah, but I'm guessing maybe you created one in the console in the past. The first time I tried to use CloudFormation, it appeared to work because I had the resource policy created by the console, but it didn't work in an account without that policy. You can check your account to see if you already have a policy that allows your rule to work.
Just create a log group with the name "/aws/events/groupname" and it will work fine, and also set policy logs:*
It turns out that the UI will create a resource-based (or more like service-based, IMO) policy that contains a wildcard in the resource name in a region. Using

```json
{
  "policyName": "TrustEventsToStoreLogEvents",
  "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"TrustEventsToStoreLogEvent\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"delivery.logs.amazonaws.com\",\"events.amazonaws.com\"]},\"Action\":[\"logs:CreateLogStream\",\"logs:PutLogEvents\"],\"Resource\":\"arn:aws:logs:ap-southeast-1:<YOUR_ACCOUNT>:log-group:/aws/events/*:*\"}]}",
  "lastUpdatedTime": 1642662488316
}
```

Watch out the log group name,
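Several comments above ("check your account to see if you already have a policy that allows your rule to work", the /aws/events/ prefix observations, and the SourceArn-conditioned variant) come down to one question: does a given CloudWatch Logs resource policy actually cover the log group the rule writes to? The following is an added example, not code from the issue thread or from AWS: a small offline evaluator that applies IAM's wildcard and condition matching to a resource policy, plus helpers that build the console-style TrustEventsToStoreLogEvents document quoted above and the AWS::Logs::ResourcePolicy resource shape (its PolicyDocument is a JSON string). The region, account id, log group names and rule ARN are constructed sample values. Note that the evaluator only models IAM's matching semantics; two commenters report that the aws:SourceArn-conditioned form did not work for them in practice, and this code cannot tell you what the service enforces.

```python
"""Added example (not from the issue thread): offline evaluator for CloudWatch
Logs resource policies. Region, account, log group and rule ARNs are constructed."""
import fnmatch
import json


def _as_list(value):
    """Principal.Service, Action and Resource may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wild_match(pattern, text):
    """IAM-style matching: '*' matches any run of characters, '?' one character.
    fnmatch would also interpret '[...]', so neutralise it first."""
    return fnmatch.fnmatchcase(text, pattern.replace("[", "[[]"))


def _condition_holds(condition, source_arn):
    """Evaluate the one condition key the thread discusses (aws:SourceArn with
    ArnLike / ArnEquals). Any other key or operator fails closed in this toy."""
    for operator, entries in condition.items():
        for key, expected in entries.items():
            if key.lower() != "aws:sourcearn" or source_arn is None:
                return False
            patterns = _as_list(expected)
            if operator == "ArnEquals":
                ok = source_arn in patterns
            elif operator == "ArnLike":
                ok = any(_wild_match(p, source_arn) for p in patterns)
            else:
                return False
            if not ok:
                return False
    return True


def is_allowed(policy, service, action, resource_arn, source_arn=None):
    """True if some Allow statement lets `service` call `action` on `resource_arn`.
    Action names are case-insensitive in IAM; ARNs are compared case-sensitively."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal != "*":
            services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
            if service not in services:
                continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(_wild_match(a, action.lower()) for a in actions):
            continue
        if not any(_wild_match(r, resource_arn) for r in _as_list(stmt.get("Resource"))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), source_arn):
            continue
        return True
    return False


def console_style_policy(region, account_id):
    """The document the console installs when a log group target is added
    (content as quoted in the thread): every group under /aws/events/ in one region."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TrustEventsToStoreLogEvent",
            "Effect": "Allow",
            "Principal": {"Service": ["delivery.logs.amazonaws.com", "events.amazonaws.com"]},
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:/aws/events/*:*",
        }],
    }


def scoped_policy(region, account_id, log_group_name, rule_arn):
    """A tighter variant limited to one log group and one rule via aws:SourceArn.
    Delivery writes log streams inside the group, so the resource ends in ':*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "EventBridgeToOneLogGroup",
            "Effect": "Allow",
            "Principal": {"Service": ["events.amazonaws.com", "delivery.logs.amazonaws.com"]},
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}:*",
            "Condition": {"ArnLike": {"aws:SourceArn": rule_arn}},
        }],
    }


def cloudformation_resource(policy_name, policy):
    """Shape of an AWS::Logs::ResourcePolicy resource: PolicyDocument is a JSON *string*."""
    return {
        "Type": "AWS::Logs::ResourcePolicy",
        "Properties": {"PolicyName": policy_name, "PolicyDocument": json.dumps(policy)},
    }


if __name__ == "__main__":
    region, account = "ap-southeast-1", "123456789012"  # constructed sample values
    console = console_style_policy(region, account)
    for group in ("/aws/events/ScanFindings", "/lh/securityhub/events"):
        stream = f"arn:aws:logs:{region}:{account}:log-group:{group}:log-stream:s1"
        print(group, "->", is_allowed(console, "events.amazonaws.com", "logs:PutLogEvents", stream))
```

Run as a script it shows the prefix effect directly: the console policy allows delivery into /aws/events/ScanFindings and refuses /lh/securityhub/events, which is exactly the behaviour reported above for "custom" log group names. To check a real account, feed the policyDocument string returned by the CLI (as in the output quoted above) through json.loads and pass it to is_allowed with the log group's ARN.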
1. Delivering events to CloudWatch Logs with CloudFormation
Interesting discovery with CloudFormation and EventBridge. As a very simple way of reproducing the problem, here is a template snippet. Consider the following:
This is a very straightforward way to say that you would like to route all events from Step Functions to both CloudWatch Logs and to a custom Lambda function. Note the "AWS::Lambda::Permission" that is needed in order to invoke the Lambda function. In other words, the target needs to have a resource policy that allows the EventBridge service to deliver the events.
This works partially. Lambda will get triggered, but nothing is delivered to CloudWatch Logs. If you create this via the UI it works because the console does some magic behind the scenes. The magic in this case is the resource-based policy for CloudWatch.
This is also stated in the documentation: https://docs.aws.amazon.com/eventbridge/latest/userguide/resource-based-policies-eventbridge.html
"If you use the AWS Management Console to add CloudWatch Logs as the target of a rule, this policy is created automatically. If you use the AWS CLI to add the target, you must create this policy if it doesn't exist."
There is no way to add resource-based policies for CloudWatch via CloudFormation; you are forced to create a custom resource if you want to do it. For Lambda it works because you can create AWS::Lambda::Permission via CloudFormation. A CloudWatch resource policy you cannot. The only way of creating those is via the CLI, the API or the Console's 'behind the scenes' magic.
So the question is whether there is upcoming support for doing this natively. If you are trying to automate this, it's either a custom resource for CloudFormation, which introduces additional complexity since you have to create your custom resource in a different stack, or the other option is to use the CLI, but then your pipeline/automation process is littered with CLI here, CloudFormation there - not a very hygienic solution.