目的:建立Cloudformation堆栈,需要一个日志组名作为参数,每当新的日志,这些日志日志组中露面,他们会发送到lambda函数进行处理,然后室壁运动流水,然后把这些日志文件所谓foobarbaz桶。
问题:lambda函数永远不会得到调用(拉姆达的CloudWatch的日志显示,它从来没有得到即使在新的数据写入日志组触发)。调用应该归功于自动发生到我成立了SubscriptionFilter资源。我没有看到任何错误。无论是发生似乎默默地失败。
注:在SubscriptionFilter的FilterPattern已被设置为空字符串。我有此意是从日志组发送的所有日志lambda函数。
这里是我的Cloudformation模板:
Parameters:
LogGroupName:
Type: String
Description: The name of the log group who's logs we want to send to send to Lambda->Kinesis->S3
AuditTrailPrefix:
Type: String
Description: Log files will be sent to the Logging account S3 bucket with this prefix in the bucket path
Resources:
AuditTrailFunctionPermissions:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: !Ref AuditTrailFunction
Principal: logs.amazonaws.com
SourceAccount: !Ref AWS::AccountId
AuditTrailFunction:
Type: AWS::Lambda::Function
Properties:
Handler: index.handler
Role: !GetAtt AuditTrailFunctionRole.Arn
Code:
ZipFile: >
// do some stuff with the data and PUT it to KinesisFirehose
// removed for brevity
Runtime: nodejs8.10
Timeout: 30
AuditTrailFunctionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyDocument:
Statement:
- Action:
- firehose:PutRecord
- firehose:PutRecordBatch
Effect: Allow
Resource: !Sub arn:aws:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${AuditTrailDeliveryStream}
Version: '2012-10-17'
PolicyName: root
AuditTrailSubscription:
Type: AWS::Logs::SubscriptionFilter
DependsOn: AuditTrailFunctionPermissions
Properties:
DestinationArn: !GetAtt AuditTrailFunction.Arn
FilterPattern: ''
LogGroupName: !Ref LogGroupName
AuditTrailDeliveryStream:
Type: AWS::KinesisFirehose::DeliveryStream
Properties:
DeliveryStreamType: DirectPut
S3DestinationConfiguration:
BucketARN: arn:aws:s3:::foobarbaz
BufferingHints:
IntervalInSeconds: 60
SizeInMBs: 50
CompressionFormat: GZIP
Prefix: !Ref AuditTrailPrefix
RoleARN: !GetAtt DeliveryRole.Arn
DeliveryRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
Effect: Allow
Principal:
Service: firehose.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: firehose_delivery_policy
PolicyDocument:
Statement:
Effect: Allow
Action:
- s3:AbortMultipartUpload
- s3:GetBucketLocation
- s3:GetObject
- s3:ListBucket
- s3:ListBucketMultipartUploads
- s3:PutObject
Resource:
- arn:aws:s3:::foobarbaz
- arn:aws:s3:::foobarbaz/${AuditTrailPrefix}*
我看不出什么错,但这里有一些技巧来解决: