通过 CloudFormation 创建 AWS::Logs::SubscriptionFilter 时,vendor 为 firehose 的 destinationArn 不能与 roleArn 一起使用

destinationArn for vendor firehose cannot be used with roleArn when creating AWS::Logs::SubscriptionFilter via CloudFormation

我的 CloudFormation 模板无法创建 AWS::Logs::SubscriptionFilter 资源:

{
  "Resources": {
    "Bucket83908E77": {
      "Type": "AWS::S3::Bucket",
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete"
    },
    "MyFirehoseServiceRoleFD019CCC": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "firehose.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        }
      }
    },
    "MyFirehoseS3DestinationRoleDE043A9B": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "firehose.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        }
      }
    },
    "MyFirehoseS3DestinationRoleDefaultPolicyF2D4C970": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:List*",
                "s3:DeleteObject*",
                "s3:PutObject",
                "s3:Abort*"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "Bucket83908E77",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "Bucket83908E77",
                          "Arn"
                        ]
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "MyFirehoseLogGroupE92127AD",
                  "Arn"
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "MyFirehoseS3DestinationRoleDefaultPolicyF2D4C970",
        "Roles": [
          {
            "Ref": "MyFirehoseS3DestinationRoleDE043A9B"
          }
        ]
      }
    },
    "MyFirehoseLogGroupE92127AD": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": {
        "RetentionInDays": 731
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain"
    },
    "MyFirehoseLogGroupS3Destination06C9B080": {
      "Type": "AWS::Logs::LogStream",
      "Properties": {
        "LogGroupName": {
          "Ref": "MyFirehoseLogGroupE92127AD"
        }
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain"
    },
    "MyFirehoseFCA2F9D3": {
      "Type": "AWS::KinesisFirehose::DeliveryStream",
      "Properties": {
        "DeliveryStreamType": "DirectPut",
        "ExtendedS3DestinationConfiguration": {
          "BucketARN": {
            "Fn::GetAtt": [
              "Bucket83908E77",
              "Arn"
            ]
          },
          "CloudWatchLoggingOptions": {
            "Enabled": true,
            "LogGroupName": {
              "Ref": "MyFirehoseLogGroupE92127AD"
            },
            "LogStreamName": {
              "Ref": "MyFirehoseLogGroupS3Destination06C9B080"
            }
          },
          "RoleARN": {
            "Fn::GetAtt": [
              "MyFirehoseS3DestinationRoleDE043A9B",
              "Arn"
            ]
          }
        }
      },
      "DependsOn": [
        "MyFirehoseS3DestinationRoleDefaultPolicyF2D4C970"
      ]
    },
    "MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehose30DECEBA": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": {
                  "Fn::Join": [
                    "",
                    [
                      "logs.",
                      {
                        "Ref": "AWS::Region"
                      },
                      ".amazonaws.com"
                    ]
                  ]
                }
              }
            }
          ],
          "Version": "2012-10-17"
        }
      }
    },
    "MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehoseDefaultPolicyF5730531": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "firehose:PutRecord",
                "firehose:PutRecordBatch"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [
                  "MyFirehoseFCA2F9D3",
                  "Arn"
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehoseDefaultPolicyF5730531",
        "Roles": [
          {
            "Ref": "MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehose30DECEBA"
          }
        ]
      }
    },
    "LogGroupF5B46931": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": {
        "RetentionInDays": 731
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete"
    },
    "Subscription391C9821": {
      "Type": "AWS::Logs::SubscriptionFilter",
      "Properties": {
        "DestinationArn": {
          "Fn::GetAtt": [
            "MyFirehoseFCA2F9D3",
            "Arn"
          ]
        },
        "FilterPattern": "",
        "LogGroupName": {
          "Ref": "LogGroupF5B46931"
        },
        "RoleArn": {
          "Fn::GetAtt": [
            "MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehose30DECEBA",
            "Arn"
          ]
        }
      }
    }
  }
}

神秘的错误信息:

Subscription (Subscription391C9821) destinationArn for vendor firehose cannot be used with roleArn (Service: AWSLogs; Status Code: 400; Error Code: InvalidParameterException; Request ID: 0e598426-5fcb-4fde-b9d3-11b14c129eb6; Proxy: null)

堆栈名称是 cdk-logs-destination-firehose-to-s3

显然,CloudWatch Logs 存在一个缺陷:只要目标 ARN 中包含字符串 destination,创建订阅过滤器的请求就会被拒绝。(推测原因:模板中的 DeliveryStream 没有指定 DeliveryStreamName,CloudFormation 会根据堆栈名称生成其物理名称,于是 Firehose 的 ARN 中也带上了 destination 子字符串。)

解决方法是从堆栈名称中删除 destination 子字符串。