From b2400b18651d7bbf213a3ff2fabb475f1a7038cf Mon Sep 17 00:00:00 2001
From: pgasca <87044997+pgasca@users.noreply.github.com>
Date: Thu, 18 May 2023 11:11:16 -0500
Subject: [PATCH] Add permission to configure retention in CW LogGroups This is based on the following SIM from an external customer. Please test before merging: https://sim.amazon.com/issues/AWSDocsSchedule-27532 Page URL https://docs.aws.amazon.com/eks/latest/userguide/fargate-logging.html Issue type: Incomplete information Name: [none provided] Email: l**a@dock.tech Trying to do: Enable Retention in logGroup over the EKS Fargate LogRouter Make Better: The IAM Policy recommended in this documentation, not has permission to configure retention in CW LogGroups. https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json This policy needs add the follow permissions: "logs:PutRetentionPolicy" "logs:DeleteRetentionPolicy"
---
 examples/fargate/cloudwatchlogs/permissions.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/examples/fargate/cloudwatchlogs/permissions.json b/examples/fargate/cloudwatchlogs/permissions.json
index 9a7bd56..b287076 100644
--- a/examples/fargate/cloudwatchlogs/permissions.json
+++ b/examples/fargate/cloudwatchlogs/permissions.json
@@ -6,7 +6,9 @@
 "logs:CreateLogStream",
 "logs:CreateLogGroup",
 "logs:DescribeLogStreams",
- "logs:PutLogEvents"
+ "logs:PutLogEvents",
+ "logs:PutRetentionPolicy",
+ "logs:DeleteRetentionPolicy"
 ],
 "Resource": "*"
 }]
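Review bot: The two added actions, `logs:PutRetentionPolicy` and `logs:DeleteRetentionPolicy`, sit in the same statement as the unchanged `"Resource": "*"`, so the role that carries this policy can change or remove retention on every log group in the account, not only the one the Fargate log router writes to. Retention settings control how long audit and security logs survive, so this is a wider grant than the write-only actions that were there before. I would move the two retention actions into a second statement scoped to the router's own log group, e.g. `"Resource": "arn:aws:logs:<region>:<account-id>:log-group:<log-group-name>:*"` (placeholders to be filled in per deployment). The commit message asks for both actions, but setting a retention period should only need `logs:PutRetentionPolicy`; unless the log router is confirmed to call `DeleteRetentionPolicy`, I would drop it. The statement's opening (`Effect`, `Action`) lies above the hunk, so this is based on the visible lines only.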