When creating a new subscription filter for a CloudWatch log group, the AWS Console doesn't seem to offer a way to select a specific Lambda fn version. This is important for CI/CD where I might want to update the fn and test it without breaking current subscriptions.
Is there a way to lock the fn version for a subscription? If so then how do you achieve this?
EDIT 2020-10-19
You must also grant CloudWatch logs permission to invoke your lambda function!
aws lambda add-permission \
--function-name "foo" \
--qualifier "56" \
--statement-id "Allow-invoke-foo-or-whatever" \
--principal "logs.us-east-42.amazonaws.com" \
--action "lambda:InvokeFunction" \
--source-arn "arn:aws:logs:us-east-1:123456789012:log-group:/ecs/my-prod-server:*" \
--source-account "123456789012"
Original answer
Still not sure if possible via console but I've found a solution using aws-cli. You can add version number at the end of the destination arn. For example, to send logs to foo version 56, do:
aws logs put-subscription-filter \
--log-group-name "/ecs/my-prod-server" \
--filter-name "BestFilter_ever" \
--filter-pattern "{$.level=*}" \
--destination-arn "arn:aws:lambda:us-east-42:123456789012:function:foo:56"