aws_cloudwatch_log_metric_filter Resource
Use the aws_cloudwatch_log_metric_filter
InSpec audit resource to search for and test properties of individual AWS Cloudwatch Log Metric Filters.
For additional information, including details on parameters and properties, see the AWS documentation on CloudWatch.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
describe aws_cloudwatch_log_metric_filter(filter_name: 'my-filter', log_group_name: 'my-log-group') do
it { should exist }
end
describe aws_cloudwatch_log_metric_filter(log_group_name: 'my-log-group', pattern: 'my-filter') do
it { should exist }
end
Parameters
Note: While all parameters are optional, at least one must be provided. In practice, the more parameters you provide the narrower a result you will return.
filter_name
(optional)-
The name of the Log Metric Filter. Expected in a hash as
filter_name: 'value'
. log_group_name
(optional)-
The log group of the filter. Expected in a hash as
log_group_name: 'value'
. pattern
(optional)-
A pattern by which to narrow down the result-set, if you expect multiple results. Expected in a hash as
pattern: 'value'
.
Properties
filter_name
- The name of the metric filter.
log_group_name
- The name of the log group.
metric_name
- The name of the metric.
metric_namespace
- The namespace of the metric.
pattern
- A symbolic description of how CloudWatch Logs should interpret the data in each log event. For example, a log event may contain timestamps, IP addresses, strings, and so on. You use the filter pattern to specify what to look for in the log event message.
Examples
Ensure a Filter exists.
describe aws_cloudwatch_log_metric_filter(filter_name: 'my-filter', log_group_name: 'my-log-group') do
it { should exist }
end
Ensure a Filter exists for a specific pattern.
describe aws_cloudwatch_log_metric_filter(pattern: '"ERROR" - "Exiting"') do
it { should exist }
end
Check the name of a Filter.
describe aws_cloudwatch_log_metric_filter(log_group_name: 'app-log-group', pattern: 'KERBLEWIE') do
its('filter_name') { should eq 'kaboom_lmf' }
end
Check the Log Group name of a Filter.
describe aws_cloudwatch_log_metric_filter(filter_name: 'error-watcher') do
its('log_group_name') { should eq 'app-log-group' }
end
Check a filter has the correct pattern.
describe aws_cloudwatch_log_metric_filter(filter_name: 'error-watcher', log_group_name: 'app-log-group') do
its('pattern') { should cmp 'ERROR' }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
exist
The control will pass if the describe returns at least one result.
Use should_not
to test the entity should not exist.
describe aws_cloudwatch_log_metric_filter(log_group_name: 'my-log-group') do
it { should exist }
end
describe aws_cloudwatch_log_metric_filter(log_group_name: 'i-dont-exist') do
it { should_not exist }
end
AWS Permissions
Your Principal will need the CloudWatchLogs:Client:DescribeMetricFiltersResponse
action with Effect
set to Allow
.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon CloudWatch.
Was this page helpful?