
I'm following this guide on setting up a lambda function to subscribe to log events. In step 5 you need to "Grant CloudWatch Logs the permission to execute your function" like this:

aws lambda add-permission \
    --function-name "helloworld" \
    --statement-id "helloworld" \
    --principal "logs.region.amazonaws.com" \
    --action "lambda:InvokeFunction" \
    --source-arn "arn:aws:logs:region:123456789123:log-group:TestLambda:*" \
    --source-account "123456789012"

This works fine.

Now, according to the docs, the --source-arn argument to aws lambda add-permission is optional. But if I don't provide it, when I visit the config page for the lambda function in the AWS website, the subscription doesn't show up as registered (see first screenshot below). The subscription is actually registered and can trigger the Lambda. I can confirm that if I delete the permission and re-add it with a --source-arn, the subscription shows up as registered (second screenshot).

I guess it's a minor thing, but why should the --source-arn arg to add-permission have anything to do with why / why not the subscription shows up in the UI? Especially since, whether or not you provide --source-arn, the permission is still sufficient for the execution of the lambda.

(Note: having got this far through writing this Q, it just seems like a bug. But I'm going to leave it up so I can refer to it in a bug report, pending any answer.)


[first screenshot]


[second screenshot]

spinkus
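The two variants of the add-permission call in the question differ only in the Condition block of the function's resource policy. As an added example (not part of the original post), this Python check reads output shaped like `aws lambda get-policy` and reports, per statement, how far each service-principal grant is scoped; the sample policy, Sids and ARNs are constructed placeholders.

```python
import json

def _stmt(sid, condition=None):
    """Build one constructed policy statement (placeholder Sid and ARNs)."""
    st = {"Sid": sid, "Effect": "Allow",
          "Principal": {"Service": "logs.region.amazonaws.com"},
          "Action": "lambda:InvokeFunction",
          "Resource": "arn:aws:lambda:region:123456789012:function:helloworld"}
    if condition:
        st["Condition"] = condition
    return st

# Condition written when --source-account is passed
ACCOUNT = {"StringEquals": {"AWS:SourceAccount": "123456789012"}}
# Condition written when --source-arn is passed
ARN = {"ArnLike": {"AWS:SourceArn":
       "arn:aws:logs:region:123456789012:log-group:TestLambda:*"}}

# Constructed sample: get-policy returns the policy as a JSON string
# nested inside the JSON response.
SAMPLE_GET_POLICY = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [_stmt("arn-and-account", {**ACCOUNT, **ARN}),
                  _stmt("account-only", ACCOUNT),
                  _stmt("no-condition")]})})

def condition_keys(statement):
    """Condition keys across all operators, lower-cased (keys are case-insensitive)."""
    conditions = statement.get("Condition", {})
    return {key.lower() for operands in conditions.values() for key in operands}

def audit(get_policy_json):
    """Map each service-principal Allow statement's Sid to its scoping level."""
    policy = json.loads(json.loads(get_policy_json)["Policy"])
    statements = policy["Statement"]
    if isinstance(statements, dict):   # a single statement may not be wrapped in a list
        statements = [statements]
    findings = {}
    for st in statements:
        principal = st.get("Principal")
        if st.get("Effect") != "Allow" or not isinstance(principal, dict) \
                or "Service" not in principal:
            continue
        keys = condition_keys(st)
        if "aws:sourcearn" in keys:
            findings[st.get("Sid", "?")] = "source ARN"
        elif "aws:sourceaccount" in keys:
            findings[st.get("Sid", "?")] = "source account only"
        else:
            findings[st.get("Sid", "?")] = "no source condition"
    return findings
```

A grant reported as "no source condition" lets the service principal invoke the function on behalf of any caller, so it is the one to tighten first.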

0 Answers