This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Description
The current code creates a policy to add to the eb role for writing to cw logs when set as a target; however, it is not permitted to add the role to the target. When you try to do so, you get an error like:
```
│ Error: updating EventBridge Target (aws.partner/test/*******4817/test-events-rule-terraform-20240616162738560600000006): operation error EventBridge: PutTargets, https response error StatusCode: 400, RequestID: cc3fb893-1af2-4046-8bb6-c30aefa9a778, api error ValidationException: RoleArn is not supported for target arn:aws:logs:us-east-1:975050178816:log-group:/aws/events/test-partner-eb.
│
│   with module.eventbridge["aws.partner/test.com/********4817/partner-test"].aws_cloudwatch_event_target.this["log-all-events"],
│   on .terraform/modules/eventbridge/main.tf line 101, in resource "aws_cloudwatch_event_target" "this":
│  101: resource "aws_cloudwatch_event_target" "this" {
```
According to this document, https://docs.amazonaws.cn/en_us/eventbridge/latest/userguide/eb-use-resource-based.html#cloudwatchlogs-permissions, it is necessary to create a resource-based policy to allow EB to write to CW logs.
Here is the page describing the Terraform resource that is needed: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_resource_policy
Versions
3.0.0
1.5.7
Reproduction Code [Required]
Nothing special done here. Set a cw log as the target. The module creates a policy to write to the cw log and attaches it to the role, but this does not allow eventbridge to write to the cw log group as it is missing a resource policy.
Steps to reproduce the behavior:
no
yes
I created a target for a rule that wrote events to a cw logs group. Nothing got written to the log group.
Expected behavior
When setting a cw log group as the target, logs should appear in the log group.
Actual behavior
Logs do not appear in the log group.
no logs appear in the log group
Terminal Output Screenshot(s)
Additional context
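The resource-based policy the issue asks for, written as standalone Terraform outside the module. This is an added example, not code from the issue or from the module; the resource labels, the policy name and the two variables are assumptions, and the log group name is the one shown in the error output.

```hcl
# Added example; resource labels, policy name and variables are hypothetical.
variable "rule_name" { type = string }      # existing EventBridge rule
variable "event_bus_name" { type = string } # bus that the rule is attached to

resource "aws_cloudwatch_log_group" "events" {
  name              = "/aws/events/test-partner-eb" # log group named in the error above
  retention_in_days = 30
}

# EventBridge is authorised through a CloudWatch Logs resource policy,
# not through an IAM role attached to the target.
data "aws_iam_policy_document" "eventbridge_to_logs" {
  statement {
    sid     = "TrustEventsToStoreLogEvent"
    effect  = "Allow"
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com", "delivery.logs.amazonaws.com"]
    }

    # Least privilege: only the streams of this one log group,
    # rather than a wildcard over every /aws/events/* group.
    resources = ["${aws_cloudwatch_log_group.events.arn}:*"]
  }
}

resource "aws_cloudwatch_log_resource_policy" "eventbridge" {
  policy_name     = "eventbridge-to-cloudwatch-logs"
  policy_document = data.aws_iam_policy_document.eventbridge_to_logs.json
}

resource "aws_cloudwatch_event_target" "log_all_events" {
  rule           = var.rule_name
  event_bus_name = var.event_bus_name
  target_id      = "log-all-events"
  arn            = aws_cloudwatch_log_group.events.arn
  # No role_arn here: PutTargets rejects it for log group targets,
  # which is the ValidationException shown in the issue.

  # Create the policy first so early events are not dropped.
  depends_on = [aws_cloudwatch_log_resource_policy.eventbridge]
}
```

CloudWatch Logs resource policies are account-wide per region and limited in number, so an account with many log group targets is better served by one shared policy listing each group than by one policy per target.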