log_group_arn
ARN of the CloudWatch Log Group. Use this for IAM policies, subscription filters, and cross-account access.
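The ARN of the CloudWatch Log Group. Use this for IAM policies, subscription filters, and cross-account access. The example value below ends in `:*`, so confirm whether the output already carries that suffix before appending another wildcard in an IAM `Resource`.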
Example Value
arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/my-function:*
Common Use Cases
IAM Policy Resource
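# IAM policy that lets a workload write to the module's log group.
# It grants only the two write actions (create a log stream, put log events)
# and scopes them to this one log group rather than to all of CloudWatch Logs.
resource "aws_iam_policy" "log_writer" {
  policy = jsonencode({
    # State the policy language version explicitly; when it is omitted IAM
    # evaluates the document under the legacy 2008-10-17 version.
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ]
      # Log streams are addressed as "<log-group-arn>:*". The example value on
      # this page already ends in ":*", so trimsuffix() strips it first and the
      # result has exactly one wildcard suffix whether or not the module output
      # includes it.
      Resource = "${trimsuffix(module.app_logs.log_group_arn, ":*")}:*"
    }]
  })
}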
Lambda Log Subscription
# Forwards events from the module's log group to a Lambda function.
# NOTE(review): CloudWatch Logs can only deliver to the function if it has been
# granted permission to invoke it (an aws_lambda_permission for the Logs service
# principal). That resource is not shown in this snippet; confirm it exists.
resource "aws_cloudwatch_log_subscription_filter" "lambda" {
  name            = "lambda-processor"
  destination_arn = aws_lambda_function.processor.arn
  log_group_name  = module.app_logs.log_group_name

  # An empty pattern matches every log event, so the processor receives the full
  # stream, including any sensitive data the application logs.
  filter_pattern = ""
}
Cross-Account Access
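# Access policy on a CloudWatch Logs destination that allows another AWS account
# to create subscription filters which deliver to it.
resource "aws_cloudwatch_log_destination_policy" "cross_account" {
  destination_name = aws_cloudwatch_log_destination.main.name
  access_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      # OTHER_ACCOUNT is a placeholder for the sending account's 12-digit ID.
      # Naming the account root trusts that whole account: any principal there
      # whose own IAM policy allows logs:PutSubscriptionFilter can subscribe.
      Principal = { AWS = "arn:aws:iam::OTHER_ACCOUNT:root" }
      Action    = "logs:PutSubscriptionFilter"
      # A destination policy protects the destination itself, so the resource is
      # the destination's ARN, not the ARN of a log group.
      Resource = aws_cloudwatch_log_destination.main.arn
    }]
  })
}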
Usage
# Instantiate the log group module. The version is pinned to an exact release,
# so a registry update cannot change the module code without a reviewed bump.
module "cloudwatch_logs" {
  source  = "registry.patterneddesigns.ca/essentials/cloudwatch-logs/aws"
  version = "1.0.0"

  # ... inputs
}

# Re-export the module's log group ARN so callers of this configuration
# (IAM policies, subscription filters, other stacks) can reference it.
output "log_group_arn" {
  value = module.cloudwatch_logs.log_group_arn
}