I have the following CloudFormation template to create a CloudWatch event, an SQS queue, and an SQS QueuePolicy to allow CloudWatch to forward logs to the SQS queue whenever S3 objects are updated.
However, after the template completed successfully, I don't see logs in the SQS queue unless I go (via the AWS console) to "CloudWatch" --> choose my event --> click until step 2 event detail "add permission to SQS queue" --> update event.
I think the missing part might be that I need a "RoleArn" in the event Target in order to grant permission. However, AWS::SQS::QueuePolicy does not return an ARN. How can I do this with CloudFormation?
Thanks!
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "LucyQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": "LucySQS"
      }
    },
    "LucyQueuePolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Id": "arn:aws:sqs:ca-central-1:805182230944:LucySQS/SQSDefaultPolicy",
          "Statement": [
            {
              "Sid": "Sid1513273009724",
              "Effect": "Allow",
              "Principal": "*",
              "Action": "SQS:SendMessage",
              "Resource": {
                "Fn::GetAtt": [
                  "LucyQueue",
                  "Arn"
                ]
              },
              "Condition": {
                "ArnEquals": {
                  "aws:SourceArn": {
                    "Fn::GetAtt": [
                      "LucyEventRule",
                      "Arn"
                    ]
                  }
                }
              }
            }
          ]
        },
        "Queues": [
          {
            "Ref": "LucyQueue"
          }
        ]
      }
    },
    "LucyEventRule": {
      "Type": "AWS::Events::Rule",
      "Properties": {
        "Description": "LucyEventRule",
        "EventPattern": {
          "source": [
            "aws.s3"
          ],
          "detail-type": [
            "AWS API Call via CloudTrail"
          ],
          "detail": {
            "eventSource": [
              "s3.amazonaws.com"
            ],
            "eventName": [
              "PutObject",
              "UploadPart",
              "CreateMultipartUpload"
            ]
          }
        },
        "State": "ENABLED",
        "Targets": [
          {
            "Arn": {
              "Fn::GetAtt": [
                "LucyQueue",
                "Arn"
              ]
            },
            "Id": "lucy_event1",
            ***"RoleArn" : "Do I need this? If yes, how do I get the ARN?"***
          }
        ]
      }
    }
  }
}
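The grant an Events rule needs to deliver to an SQS queue lives in the queue's resource policy, not in a target RoleArn, and that policy statement must name the queue by ARN. Because `Ref` on an `AWS::SQS::Queue` returns the queue URL while `Fn::GetAtt [<queue>, Arn]` returns the ARN, a template that uses `Ref` in `Resource` grants nothing useful. The following is an added example (not part of the question, and not AWS tooling): a small static check, run against a constructed template that mirrors the question's shape, which flags a `Ref`-based `Resource`, a wildcard principal that is not scoped by an `aws:SourceArn` condition, a rule target whose queue has no matching grant, and an unnecessary `RoleArn` on an SQS target. The template values (logical ids, queue name, account id) are placeholders.

```python
"""Static check of an SQS queue policy that is meant to let an Events rule SendMessage.
Added example; the template below is constructed, not the asker's deployed stack."""
import copy
import json

SQS_QUEUE = "AWS::SQS::Queue"

# Constructed template: same structure as the question, with the Ref-in-Resource defect.
TEMPLATE = json.loads("""
{
  "Resources": {
    "LucyQueue": {"Type": "AWS::SQS::Queue", "Properties": {"QueueName": "LucySQS"}},
    "LucyQueuePolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "SQS:SendMessage",
            "Resource": {"Ref": "LucyQueue"},
            "Condition": {"ArnEquals": {"aws:SourceArn": {"Fn::GetAtt": ["LucyEventRule", "Arn"]}}}
          }]
        },
        "Queues": [{"Ref": "LucyQueue"}]
      }
    },
    "LucyEventRule": {
      "Type": "AWS::Events::Rule",
      "Properties": {
        "State": "ENABLED",
        "Targets": [{"Arn": {"Fn::GetAtt": ["LucyQueue", "Arn"]}, "Id": "lucy_event1"}]
      }
    }
  }
}
""")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _queue_ref(value, resources, attr):
    """Logical id of the SQS queue `value` points at, via Ref (attr='Ref', i.e. the
    queue URL) or Fn::GetAtt ...Arn (attr='Arn'); None if it is not an SQS queue."""
    if not isinstance(value, dict):
        return None
    if attr == "Ref" and "Ref" in value:
        name = value["Ref"]
    elif attr == "Arn" and value.get("Fn::GetAtt", [None, None])[1] == "Arn":
        name = value["Fn::GetAtt"][0]
    else:
        return None
    return name if resources.get(name, {}).get("Type") == SQS_QUEUE else None


def check_template(template):
    """Return a list of findings; an empty list means every SQS rule target is granted."""
    findings = []
    resources = template["Resources"]
    granted = {}  # queue logical id -> set of rule logical ids allowed to SendMessage

    for name, res in resources.items():
        if res.get("Type") != "AWS::SQS::QueuePolicy":
            continue
        statements = _as_list(res["Properties"]["PolicyDocument"].get("Statement", []))
        for i, stmt in enumerate(statements):
            where = f"{name}/Statement[{i}]"
            actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
            if stmt.get("Effect") != "Allow" or not actions & {"sqs:sendmessage", "sqs:*", "*"}:
                continue
            principal = stmt.get("Principal")
            wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
            cond = stmt.get("Condition", {})
            source_arns = [v["aws:SourceArn"] for v in cond.values()
                           if isinstance(v, dict) and "aws:SourceArn" in v]
            if wildcard and not source_arns:
                findings.append(f"{where}: Principal '*' with no aws:SourceArn condition lets any caller send to the queue")
            for r in _as_list(stmt.get("Resource", [])):
                if _queue_ref(r, resources, "Ref"):
                    findings.append(f"{where}: Resource uses Ref (the queue URL); use Fn::GetAtt [{r['Ref']}, Arn]")
                    continue
                q = _queue_ref(r, resources, "Arn")
                if q:
                    for sa in source_arns:
                        if isinstance(sa, dict) and "Fn::GetAtt" in sa:
                            granted.setdefault(q, set()).add(sa["Fn::GetAtt"][0])

    for name, res in resources.items():
        if res.get("Type") != "AWS::Events::Rule":
            continue
        for t in res["Properties"].get("Targets", []):
            q = _queue_ref(t.get("Arn"), resources, "Arn")
            if not q:
                continue
            if "RoleArn" in t:
                findings.append(f"{name}/Targets/{t.get('Id')}: RoleArn is not used for SQS targets; the grant belongs in the queue policy")
            if name not in granted.get(q, set()):
                findings.append(f"{name}/Targets/{t.get('Id')}: no queue policy statement lets rule {name} SendMessage to {q}")
    return findings


def fix_queue_resource_refs(template):
    """Return a copy in which Resource: {Ref: <queue>} becomes Fn::GetAtt [<queue>, Arn]."""
    fixed = copy.deepcopy(template)
    resources = fixed["Resources"]
    for res in resources.values():
        if res.get("Type") != "AWS::SQS::QueuePolicy":
            continue
        for stmt in _as_list(res["Properties"]["PolicyDocument"].get("Statement", [])):
            stmt["Resource"] = [{"Fn::GetAtt": [r["Ref"], "Arn"]} if _queue_ref(r, resources, "Ref") else r
                                for r in _as_list(stmt.get("Resource", []))]
    return fixed


if __name__ == "__main__":
    for f in check_template(TEMPLATE):
        print("before:", f)
    print("after fix:", check_template(fix_queue_resource_refs(TEMPLATE)))
```

Running it on the constructed template reports the `Ref`-based `Resource` and, as a consequence, the ungranted rule target; after `fix_queue_resource_refs` the check comes back clean. The wildcard principal is accepted only because the `ArnEquals` condition pins `aws:SourceArn` to the rule's ARN, which is the same scoping the console's "add permission to SQS queue" step produces.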