Problem
During terraform plan, AWS Cloudwatch configuration experiences an AccessDeniedException.
Example of error message:
…
module.splunk_delivery.aws_iam_role.cloudwatch_xxx: Destroying… [id=xxx-xxx-xxxxxx]
module.splunk_delivery.aws_iam_role.cloudwatch_xxx: Destruction complete after 0s
aws_s3_bucket.s3_xxx_xxxxxx: Modifications complete after 5s [id=yyy-yyy-yyyyyyyy]
data.template_file.xxx_xxxxx_log_replication_policy: Refreshing state…
data.aws_iam_policy_document.xxx_xxxxxx: Refreshing state…

Error: Error creating Cloudwatch log subscription filter: AccessDeniedException: Cross-account role passing is not allowed.
status code: 400, request id: XXXXXXXXXXXXX
Cause
Additional resource configuration and verification of the AWS cross-account setup are needed.
Solution
- To support this configuration, configure the aws_cloudwatch_event_permission resource. This resource creates an EventBridge permission that allows cross-account events to be delivered to the default event bus of the current account.
- Reference the guide provided by AWS and verify that the expected cross-account functionality is in place.
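As an added example (not part of the original article and not Splunk's or AWS's own code), the following Terraform configuration shows the aws_cloudwatch_event_permission resource on the default event bus of the receiving account. The sending account ID, the organization ID and the statement identifiers are placeholders that must be replaced with your own values; event_bus_name is left unset so the permission applies to the account's default bus.

```hcl
# Added example: grant a single sending account permission to put events
# onto this account's default event bus.
resource "aws_cloudwatch_event_permission" "allow_sender_account" {
  # Placeholder: replace with the 12-digit ID of the account that sends events.
  principal    = "111111111111"
  statement_id = "AllowSenderAccountPutEvents"

  # "events:PutEvents" is the default action; stated explicitly for clarity.
  action = "events:PutEvents"

  # event_bus_name omitted: the permission is attached to the default event bus.
}

# Added example: alternatively, allow every account in one AWS Organization
# instead of enumerating accounts one by one. Prefer this narrower condition
# over an unconditioned principal = "*", which would open the bus to any account.
resource "aws_cloudwatch_event_permission" "allow_organization" {
  principal    = "*"
  statement_id = "AllowOrganizationPutEvents"

  condition {
    type  = "StringEquals"
    key   = "aws:PrincipalOrgID"
    value = "o-xxxxxxxxxx" # Placeholder: replace with your organization ID.
  }
}
```

After terraform apply, the resulting resource-based policy can be inspected from the receiving account with `aws events describe-event-bus --name default`; the Policy field should list the statement identifiers above. Keep the permission as narrow as the integration needs: grant the specific sending account, or scope a wildcard principal with the aws:PrincipalOrgID condition, rather than leaving the bus open to all accounts.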
