aws_cloudwatch_log_metric_filter Resource

Use the aws_cloudwatch_log_metric_filter InSpec audit resource to search for and test properties of an individual AWS CloudWatch Log Metric Filter.

For additional information, including details on parameters and properties, see the AWS documentation on CloudWatch.

Installation

This resource is available in the Chef InSpec AWS resource pack.

See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.

Syntax

describe aws_cloudwatch_log_metric_filter(filter_name: 'my-filter', log_group_name: 'my-log-group') do
  it { should exist }
end
describe aws_cloudwatch_log_metric_filter(log_group_name: 'my-log-group', pattern: 'my-filter') do
  it { should exist }
end

Parameters

Note: While each parameter is optional, at least one must be provided. In practice, the more parameters you provide, the narrower the result that is returned.

filter_name (optional)

The name of the Log Metric Filter. Expected in a hash as filter_name: 'value'.

log_group_name (optional)

The log group of the filter. Expected in a hash as log_group_name: 'value'.

pattern (optional)

A pattern by which to narrow down the result-set, if you expect multiple results. Expected in a hash as pattern: 'value'.

Properties

filter_name
The name of the metric filter.
log_group_name
The name of the log group.
metric_name
The name of the metric.
metric_namespace
The namespace of the metric.
pattern
A symbolic description of how CloudWatch Logs should interpret the data in each log event. For example, a log event may contain timestamps, IP addresses, strings, and so on. You use the filter pattern to specify what to look for in the log event message.
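How the parameters narrow the result and how the properties relate to the underlying API data, modelled in plain Ruby over a constructed DescribeMetricFilters-style response. This is an added example, not code from InSpec or the resource pack; the helper names (to_properties, select_filters, filter_exists?), the exact-match comparison, and the sample data are assumptions.

```ruby
require 'json'

# Constructed sample shaped like a CloudWatch Logs DescribeMetricFilters
# response; every name and value in it is made up for illustration.
SAMPLE_RESPONSE = JSON.parse(<<~'JSON')
  {"metricFilters": [
    {"filterName": "error-watcher", "logGroupName": "app-log-group",
     "filterPattern": "ERROR",
     "metricTransformations": [{"metricName": "app_errors", "metricNamespace": "App/Logs"}]},
    {"filterName": "kaboom_lmf", "logGroupName": "app-log-group",
     "filterPattern": "KERBLEWIE",
     "metricTransformations": [{"metricName": "kabooms", "metricNamespace": "App/Logs"}]},
    {"filterName": "error-watcher", "logGroupName": "batch-log-group",
     "filterPattern": "\"ERROR\" - \"Exiting\"",
     "metricTransformations": [{"metricName": "batch_errors", "metricNamespace": "Batch/Logs"}]}
  ]}
JSON

# Flatten one API entry into the five properties this page lists.
# Assumption: only the first metric transformation is reported.
def to_properties(entry)
  transform = entry.fetch('metricTransformations', []).first || {}
  { filter_name: entry['filterName'], log_group_name: entry['logGroupName'],
    pattern: entry['filterPattern'], metric_name: transform['metricName'],
    metric_namespace: transform['metricNamespace'] }
end

# Keep the filters that match every supplied parameter. At least one of
# filter_name:, log_group_name:, pattern: is required, as the note says.
# Assumption: each parameter is compared by exact string equality.
def select_filters(response, **criteria)
  unknown = criteria.keys - %i[filter_name log_group_name pattern]
  raise ArgumentError, "unknown parameter(s): #{unknown.join(', ')}" unless unknown.empty?
  raise ArgumentError, 'provide at least one parameter' if criteria.empty?

  response.fetch('metricFilters', []).map { |entry| to_properties(entry) }
          .select { |props| criteria.all? { |key, want| props[key] == want } }
end

# Model of the `exist` matcher: passes when at least one filter matched.
def filter_exists?(response, **criteria)
  !select_filters(response, **criteria).empty?
end
```

In the sample, filter_name: 'error-watcher' alone matches filters in two log groups, which is why an audit control should also pin log_group_name before asserting on pattern or metric_name.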

Examples

Ensure a Filter exists.

describe aws_cloudwatch_log_metric_filter(filter_name: 'my-filter', log_group_name: 'my-log-group') do
  it { should exist }
end

Ensure a Filter exists for a specific pattern.

describe aws_cloudwatch_log_metric_filter(pattern: '"ERROR" - "Exiting"') do
  it { should exist }
end

Check the name of a Filter.

describe aws_cloudwatch_log_metric_filter(log_group_name: 'app-log-group', pattern: 'KERBLEWIE') do
  its('filter_name') { should eq 'kaboom_lmf' }
end

Check the Log Group name of a Filter.

describe aws_cloudwatch_log_metric_filter(filter_name: 'error-watcher') do
  its('log_group_name') { should eq 'app-log-group' }
end

Check a filter has the correct pattern.

describe aws_cloudwatch_log_metric_filter(filter_name: 'error-watcher', log_group_name: 'app-log-group') do
  its('pattern') { should cmp 'ERROR' }
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

exist

The control will pass if the describe returns at least one result.

Use should_not to test that the entity does not exist.

describe aws_cloudwatch_log_metric_filter(log_group_name: 'my-log-group') do
  it { should exist }
end
describe aws_cloudwatch_log_metric_filter(log_group_name: 'i-dont-exist') do
  it { should_not exist }
end

AWS Permissions

Your Principal will need the CloudWatchLogs:Client:DescribeMetricFiltersResponse action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon CloudWatch.
