ERROR aws_cloudwatch_log_subscription_filter to AWS Lambda with Terraform

Question

I'm trying to subscribe a CloudWatchLogs log group to AWS Lambda with Terraform but it's giving me an error.

My code is:

resource "aws_cloudwatch_log_subscription_filter" "test_lambdafunction_logfilter" {
  name            = "test_lambdafunction_logfilter"
  role_arn        = "arn:aws:iam::XXXXXXXXXXXX:role/dx-dev-rol-datadog-log-forwarder-function"
  log_group_name  = "dx-dev-lg-destination-content-full"
  filter_pattern  = "logtype test"
  destination_arn = "arn:aws:iam::XXXXXXXXXXXX:lambda/dx-dev-lmbd-datadog-log-forwarder-function-01"
  distribution    = "Random"
}

Error: Error creating Cloudwatch log subscription filter:
InvalidParameterException: PutSubscriptionFilter operation cannot work with destinationArn for vendor iam
status code: 400, request id: 19836154-97e4-48f0-89b5-692f44ab1764

The distribution parameter is only meant to be used when sending logs to a Kinesis stream. — ydaetskcoR

Vikyol Vikyol · Accepted Answer · 2019-10-16T14:43:29

The Terraform docs states that role_arn and distribution parameters should only be used with Kinesis stream destination. The error message simply states this fact that you cannot use IAM role parameter when the destination is Lambda.

role_arn - (Optional) If you use Lambda as a destination, you should skip this argument and use aws_lambda_permission resource for granting access from CloudWatch logs to the destination Lambda function.

distribution - (Optional) This property is only applicable when the destination is an Amazon Kinesis stream.

ERROR aws_cloudwatch_log_subscription_filter to AWS Lambda with Terraform

2 Answers