
LocalStack

渡邉 芳幸

Installation

On macOS it can be installed with Homebrew:

brew install localstack/tap/localstack-cli

Also install awslocal and tflocal, the wrapper tools for running the AWS CLI and Terraform against a LocalStack environment:

pip install awscli-local
pip install terraform-local

The official installation guides for each tool:

https://docs.localstack.cloud/aws/getting-started/installation/

https://docs.localstack.cloud/aws/integrations/aws-native-tools/aws-cli/#localstack-aws-cli-awslocal

https://docs.localstack.cloud/aws/integrations/infrastructure-as-code/terraform/#tflocal-wrapper-script


CloudWatch Logs log group creation fails | What happens when the endpoint configuration is wrong

Symptom

  • With terraform apply, creating the CloudWatch Logs log group fails
  • With tflocal apply, it is created successfully

Terraform code

resource "aws_cloudwatch_log_group" "this" {
  name              = "/aws/lambda/${var.function_name}"
  retention_in_days = 14
}

Error message

$ terraform apply
(snip)
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.lambda.aws_cloudwatch_log_group.this will be created
  + resource "aws_cloudwatch_log_group" "this" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + log_group_class   = (known after apply)
      + name              = "/aws/lambda/demo-local-lambda"
      + name_prefix       = (known after apply)
      + region            = "ap-northeast-1"
      + retention_in_days = 14
      + skip_destroy      = false
      + tags_all          = (known after apply)
    }

(snip)
╷
│ Error: creating CloudWatch Logs Log Group (/aws/lambda/demo-local-lambda): operation error CloudWatch Logs: CreateLogGroup, https response error StatusCode: 400, RequestID: 3dab1ecf-f2a7-4759-971d-60b401f75043, api error UnrecognizedClientException: The security token included in the request is invalid.
│
│   with module.lambda.aws_cloudwatch_log_group.this,
│   on ../../modules/lambda/main.tf line 74, in resource "aws_cloudwatch_log_group" "this":
│   74: resource "aws_cloudwatch_log_group" "this" {
│

Provider and endpoint configuration at the time of the error

provider "aws" {
  access_key = "dummy"
  secret_key = "dummy"
  region     = "ap-northeast-1"

  s3_use_path_style           = true
  skip_credentials_validation = true
  skip_metadata_api_check     = true
  skip_requesting_account_id  = true

  endpoints {
    cloudwatch = "http://localhost:4566"
    iam        = "http://localhost:4566"
    lambda     = "http://localhost:4566"
    s3         = "http://localhost:4566"
  }
}

Cause

  • The endpoint key was wrong.

    • Going by the endpoint configuration guide linked here, I had assumed the CloudWatch Logs endpoint key was cloudwatch, but the correct key is logs. cloudwatch is the key for the CloudWatch metrics/alarms API; CloudWatch Logs is a separate service with its own key, and with no logs override the provider fell back to its default endpoint for that service (logs.ap-northeast-1.amazonaws.com). The CreateLogGroup request with the dummy credentials therefore went to real AWS, which rejected it with UnrecognizedClientException. LocalStack does not validate credentials, so that particular error is itself the tell that the request never reached LocalStack. LocalStack also lists the two services separately:

      $ localstack status services
      ┏━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┓
      ┃ Service                  ┃ Status      ┃
      ┡━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━┩
      │ acm                      │ ✔ available │
      │ apigateway               │ ✔ available │
      │ cloudformation           │ ✔ available │
      │ cloudwatch               │ ✔ available │
      │ config                   │ ✔ available │
      │ dynamodb                 │ ✔ available │
      │ dynamodbstreams          │ ✔ available │
      │ ec2                      │ ✔ available │
      │ es                       │ ✔ available │
      │ events                   │ ✔ available │
      │ firehose                 │ ✔ available │
      │ iam                      │ ✔ available │
      │ kinesis                  │ ✔ available │
      │ kms                      │ ✔ available │
      │ lambda                   │ ✔ available │
      │ logs                     │ ✔ available │
      │ opensearch               │ ✔ available │
      │ redshift                 │ ✔ available │
      │ resource-groups          │ ✔ available │
      │ resourcegroupstaggingapi │ ✔ available │
      │ route53                  │ ✔ available │
      │ route53resolver          │ ✔ available │
      │ s3                       │ ✔ available │
      │ s3control                │ ✔ available │
      │ scheduler                │ ✔ available │
      │ secretsmanager           │ ✔ available │
      │ ses                      │ ✔ available │
      │ sns                      │ ✔ available │
      │ sqs                      │ ✔ available │
      │ ssm                      │ ✔ available │
      │ stepfunctions            │ ✔ available │
      │ sts                      │ ✔ available │
      │ support                  │ ✔ available │
      │ swf                      │ ✔ available │
      │ transcribe               │ ✔ available │
      └──────────────────────────┴─────────────┘
      
  • tflocal did not hit the error because it writes a localstack_providers_override.tf that automatically overrides the provider's endpoints for every service, so no key can be missing.
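The failure above is a coverage gap: one service used by the module had no entry in endpoints {}, and Terraform silently used the real AWS endpoint for it. The following is an added example, not code from the original note or from LocalStack, of a pre-apply check that scans the .tf sources for resource types, maps each to the provider endpoint key it needs, and reports keys that are missing from the provider block or that point somewhere other than LocalStack. The prefix-to-key map is a hand-written, partial list (an assumption of this example, though the keys it contains are the real provider endpoint keys), the regex scan is deliberately simple rather than a full HCL parser, and the sample provider and module sources are constructed inline from the configuration shown on this page.

```python
"""Check that every AWS service a Terraform project uses has a LocalStack
endpoint override. Added example; not part of the original note."""
import re
from dataclasses import dataclass, field

# Resource-type prefix -> key inside the provider's endpoints { } block.
# Hand-written, partial map (assumption for this example). The three
# CloudWatch families deliberately map to three different keys.
RESOURCE_PREFIX_TO_ENDPOINT = {
    "aws_cloudwatch_log_": "logs",        # CloudWatch Logs
    "aws_cloudwatch_event_": "events",    # EventBridge / CloudWatch Events
    "aws_cloudwatch_": "cloudwatch",      # CloudWatch metrics, alarms, dashboards
    "aws_lambda_": "lambda",
    "aws_iam_": "iam",
    "aws_s3_": "s3",
    "aws_sqs_": "sqs",
    "aws_sns_": "sns",
    "aws_dynamodb_": "dynamodb",
}

RESOURCE_RE = re.compile(r'^\s*resource\s+"(aws_[a-z0-9_]+)"', re.MULTILINE)
ENDPOINTS_RE = re.compile(r"endpoints\s*\{([^}]*)\}", re.DOTALL)
ENDPOINT_KV_RE = re.compile(r'^\s*([a-z0-9_]+)\s*=\s*"([^"]+)"', re.MULTILINE)


@dataclass
class EndpointReport:
    missing: dict = field(default_factory=dict)    # endpoint key -> resource types needing it
    unmapped: list = field(default_factory=list)   # resource types this map does not know
    non_local: dict = field(default_factory=dict)  # endpoint key -> URL that is not LocalStack

    def ok(self):
        return not (self.missing or self.unmapped or self.non_local)


def endpoint_key_for(resource_type):
    """Longest matching prefix wins: aws_cloudwatch_log_group -> logs, not cloudwatch."""
    for prefix in sorted(RESOURCE_PREFIX_TO_ENDPOINT, key=len, reverse=True):
        if resource_type.startswith(prefix):
            return RESOURCE_PREFIX_TO_ENDPOINT[prefix]
    return None


def configured_endpoints(provider_src):
    """Return {key: url} from the first endpoints { } block in provider_src."""
    m = ENDPOINTS_RE.search(provider_src)
    return dict(ENDPOINT_KV_RE.findall(m.group(1))) if m else {}


def check_endpoints(provider_src, tf_sources, localstack_url="http://localhost:4566"):
    """Fail closed: unknown resource types are reported, not ignored."""
    configured = configured_endpoints(provider_src)
    report = EndpointReport()
    for key, url in configured.items():
        if url.rstrip("/") != localstack_url.rstrip("/"):
            report.non_local[key] = url
    for src in tf_sources:
        for rtype in RESOURCE_RE.findall(src):
            key = endpoint_key_for(rtype)
            if key is None:
                if rtype not in report.unmapped:
                    report.unmapped.append(rtype)
            elif key not in configured:
                types = report.missing.setdefault(key, [])
                if rtype not in types:
                    types.append(rtype)
    return report


# Constructed sample input: the provider block from this page (before the fix)
# and a cut-down Lambda module with the log group resource from this page.
BROKEN_PROVIDER = '''
provider "aws" {
  access_key = "dummy"
  secret_key = "dummy"
  region     = "ap-northeast-1"
  endpoints {
    cloudwatch = "http://localhost:4566"
    iam        = "http://localhost:4566"
    lambda     = "http://localhost:4566"
    s3         = "http://localhost:4566"
  }
}
'''
FIXED_PROVIDER = BROKEN_PROVIDER.replace(
    'cloudwatch = "http://localhost:4566"',
    'cloudwatch = "http://localhost:4566"\n    logs       = "http://localhost:4566"',
)
LAMBDA_MODULE = '''
resource "aws_iam_role" "lambda" {}
resource "aws_cloudwatch_log_group" "this" {
  name              = "/aws/lambda/demo-local-lambda"
  retention_in_days = 14
}
resource "aws_lambda_function" "this" {}
'''

if __name__ == "__main__":
    for label, provider in (("broken", BROKEN_PROVIDER), ("fixed", FIXED_PROVIDER)):
        r = check_endpoints(provider, [LAMBDA_MODULE])
        print(label, "ok" if r.ok() else f"missing={r.missing} unmapped={r.unmapped} non_local={r.non_local}")
```

Run it against the broken provider and it reports logs as missing for aws_cloudwatch_log_group; against the fixed provider it reports nothing. The non_local check catches the related mistake of an endpoint that is set but points at a real AWS hostname, and unmapped resource types are reported rather than skipped so the check cannot pass by omission.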

Fix

Changing the endpoint key from cloudwatch to logs resolved the error.

   endpoints {
-    cloudwatch = "http://localhost:4566"
+    logs       = "http://localhost:4566"
   }
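Review bot: the hunk removes the cloudwatch key rather than adding logs next to it, so any CloudWatch metrics or alarm resources (aws_cloudwatch_metric_alarm and friends) created through this provider would now be sent to the real AWS endpoint instead of LocalStack. Unless the project is certain never to use that API, keep both keys: `cloudwatch = "http://localhost:4566"` and `logs = "http://localhost:4566"`.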
$ terraform apply
(snip)
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.lambda.aws_cloudwatch_log_group.this will be created
  + resource "aws_cloudwatch_log_group" "this" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + log_group_class   = (known after apply)
      + name              = "/aws/lambda/demo-local-lambda"
      + name_prefix       = (known after apply)
      + region            = "ap-northeast-1"
      + retention_in_days = 14
      + skip_destroy      = false
      + tags_all          = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.lambda.aws_cloudwatch_log_group.this: Creating...
module.lambda.aws_cloudwatch_log_group.this: Creation complete after 0s [id=/aws/lambda/demo-local-lambda]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Summary

With tflocal there is no need to maintain the provider's endpoints {} block by hand, and no way to leave a service out of it, so when building a LocalStack environment with Terraform, tflocal looks like the easier option.