通过 CloudFormation 创建 AWS::Logs::SubscriptionFilter 时,供应商 firehose 的 destinationArn 不能与 roleArn 一起使用
destinationArn for vendor firehose cannot be used with roleArn when creating AWS::Logs::SubscriptionFilter via CloudFormation
我的 CloudFormation 模板无法创建 AWS::Logs::SubscriptionFilter 资源:
{
"Resources": {
"Bucket83908E77": {
"Type": "AWS::S3::Bucket",
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"MyFirehoseServiceRoleFD019CCC": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "firehose.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
}
},
"MyFirehoseS3DestinationRoleDE043A9B": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "firehose.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
}
},
"MyFirehoseS3DestinationRoleDefaultPolicyF2D4C970": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*",
"s3:PutObject",
"s3:Abort*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Bucket83908E77",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"Bucket83908E77",
"Arn"
]
},
"/*"
]
]
}
]
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MyFirehoseLogGroupE92127AD",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "MyFirehoseS3DestinationRoleDefaultPolicyF2D4C970",
"Roles": [
{
"Ref": "MyFirehoseS3DestinationRoleDE043A9B"
}
]
}
},
"MyFirehoseLogGroupE92127AD": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"RetentionInDays": 731
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain"
},
"MyFirehoseLogGroupS3Destination06C9B080": {
"Type": "AWS::Logs::LogStream",
"Properties": {
"LogGroupName": {
"Ref": "MyFirehoseLogGroupE92127AD"
}
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain"
},
"MyFirehoseFCA2F9D3": {
"Type": "AWS::KinesisFirehose::DeliveryStream",
"Properties": {
"DeliveryStreamType": "DirectPut",
"ExtendedS3DestinationConfiguration": {
"BucketARN": {
"Fn::GetAtt": [
"Bucket83908E77",
"Arn"
]
},
"CloudWatchLoggingOptions": {
"Enabled": true,
"LogGroupName": {
"Ref": "MyFirehoseLogGroupE92127AD"
},
"LogStreamName": {
"Ref": "MyFirehoseLogGroupS3Destination06C9B080"
}
},
"RoleARN": {
"Fn::GetAtt": [
"MyFirehoseS3DestinationRoleDE043A9B",
"Arn"
]
}
}
},
"DependsOn": [
"MyFirehoseS3DestinationRoleDefaultPolicyF2D4C970"
]
},
"MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehose30DECEBA": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": {
"Fn::Join": [
"",
[
"logs.",
{
"Ref": "AWS::Region"
},
".amazonaws.com"
]
]
}
}
}
],
"Version": "2012-10-17"
}
}
},
"MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehoseDefaultPolicyF5730531": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"firehose:PutRecord",
"firehose:PutRecordBatch"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MyFirehoseFCA2F9D3",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehoseDefaultPolicyF5730531",
"Roles": [
{
"Ref": "MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehose30DECEBA"
}
]
}
},
"LogGroupF5B46931": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"RetentionInDays": 731
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"Subscription391C9821": {
"Type": "AWS::Logs::SubscriptionFilter",
"Properties": {
"DestinationArn": {
"Fn::GetAtt": [
"MyFirehoseFCA2F9D3",
"Arn"
]
},
"FilterPattern": "",
"LogGroupName": {
"Ref": "LogGroupF5B46931"
},
"RoleArn": {
"Fn::GetAtt": [
"MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehose30DECEBA",
"Arn"
]
}
}
}
}
}
神秘的错误信息:
Subscription (Subscription391C9821) destinationArn for vendor firehose cannot be used with roleArn (Service: AWSLogs; Status Code: 400; Error Code: InvalidParameterException; Request ID: 0e598426-5fcb-4fde-b9d3-11b14c129eb6; Proxy: null)
堆栈名称是 cdk-logs-destination-firehose-to-s3。显然 CloudWatch Logs 中存在一个错误:当目标 ARN 中包含字符串 destination 时,创建订阅会被拒绝。由于模板没有为交付流指定 DeliveryStreamName,CloudFormation 会以堆栈名称为前缀生成资源名称,因此目标 ARN 中也包含该子字符串。解决方法是从堆栈名称中删除 destination 子字符串。
我的 CloudFormation 模板无法创建 AWS::Logs::SubscriptionFilter 资源:
{
"Resources": {
"Bucket83908E77": {
"Type": "AWS::S3::Bucket",
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"MyFirehoseServiceRoleFD019CCC": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "firehose.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
}
},
"MyFirehoseS3DestinationRoleDE043A9B": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "firehose.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
}
},
"MyFirehoseS3DestinationRoleDefaultPolicyF2D4C970": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*",
"s3:PutObject",
"s3:Abort*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"Bucket83908E77",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"Bucket83908E77",
"Arn"
]
},
"/*"
]
]
}
]
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MyFirehoseLogGroupE92127AD",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "MyFirehoseS3DestinationRoleDefaultPolicyF2D4C970",
"Roles": [
{
"Ref": "MyFirehoseS3DestinationRoleDE043A9B"
}
]
}
},
"MyFirehoseLogGroupE92127AD": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"RetentionInDays": 731
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain"
},
"MyFirehoseLogGroupS3Destination06C9B080": {
"Type": "AWS::Logs::LogStream",
"Properties": {
"LogGroupName": {
"Ref": "MyFirehoseLogGroupE92127AD"
}
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain"
},
"MyFirehoseFCA2F9D3": {
"Type": "AWS::KinesisFirehose::DeliveryStream",
"Properties": {
"DeliveryStreamType": "DirectPut",
"ExtendedS3DestinationConfiguration": {
"BucketARN": {
"Fn::GetAtt": [
"Bucket83908E77",
"Arn"
]
},
"CloudWatchLoggingOptions": {
"Enabled": true,
"LogGroupName": {
"Ref": "MyFirehoseLogGroupE92127AD"
},
"LogStreamName": {
"Ref": "MyFirehoseLogGroupS3Destination06C9B080"
}
},
"RoleARN": {
"Fn::GetAtt": [
"MyFirehoseS3DestinationRoleDE043A9B",
"Arn"
]
}
}
},
"DependsOn": [
"MyFirehoseS3DestinationRoleDefaultPolicyF2D4C970"
]
},
"MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehose30DECEBA": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": {
"Fn::Join": [
"",
[
"logs.",
{
"Ref": "AWS::Region"
},
".amazonaws.com"
]
]
}
}
}
],
"Version": "2012-10-17"
}
}
},
"MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehoseDefaultPolicyF5730531": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"firehose:PutRecord",
"firehose:PutRecordBatch"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MyFirehoseFCA2F9D3",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehoseDefaultPolicyF5730531",
"Roles": [
{
"Ref": "MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehose30DECEBA"
}
]
}
},
"LogGroupF5B46931": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"RetentionInDays": 731
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"Subscription391C9821": {
"Type": "AWS::Logs::SubscriptionFilter",
"Properties": {
"DestinationArn": {
"Fn::GetAtt": [
"MyFirehoseFCA2F9D3",
"Arn"
]
},
"FilterPattern": "",
"LogGroupName": {
"Ref": "LogGroupF5B46931"
},
"RoleArn": {
"Fn::GetAtt": [
"MyFirehoseCloudWatchLogsCanPutRecordsIntoKinesisFirehose30DECEBA",
"Arn"
]
}
}
}
}
}
神秘的错误信息:
Subscription (Subscription391C9821) destinationArn for vendor firehose cannot be used with roleArn (Service: AWSLogs; Status Code: 400; Error Code: InvalidParameterException; Request ID: 0e598426-5fcb-4fde-b9d3-11b14c129eb6; Proxy: null)
堆栈名称是 cdk-logs-destination-firehose-to-s3。显然 CloudWatch Logs 中存在一个错误:当目标 ARN 中包含字符串 destination 时,创建订阅会被拒绝。由于模板没有为交付流指定 DeliveryStreamName,CloudFormation 会以堆栈名称为前缀生成资源名称,因此目标 ARN 中也包含该子字符串。解决方法是从堆栈名称中删除 destination 子字符串。