通过Terraform将docker日志发送到AWS CloudWatch
[英]Sending docker logs to AWS CloudWatch via Terraform
问题描述
My goal is to send docker container logs to CloudWatch via terraform. 
我的目标是通过terraform将docker容器日志发送到CloudWatch。 This is the ECS role that I am using for IAM: 这是我用于IAM的ECS角色:
{
"Version": "2008-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": ["ecs.amazonaws.com", "ec2.amazonaws.com"]
},
"Effect": "Allow"
}
]
}
And here is the ECS service role policy: 这是ECS服务角色政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:Describe*",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"ec2:Describe*",
"ec2:AuthorizeSecurityGroupIngress",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"*"
]
}
]
}
In my task definition for docker container, among other things I have this for cloudwatch logging: 在我的docker容器的任务定义中,我还有其他用于cloudwatch日志记录的东西:
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "awslog-mylogs",
"awslogs-region": "eu-west-1",
"awslogs-stream-prefix": "awslogs-mylogs-stream"
}
}
(I have the awslog-mylogs log group pre-created via AWS console). (我通过AWS控制台预先创建了awslog-mylogs日志组)。
The problem is if I spin up the AWS instance (via Terraform apply) without the above logging config for the container, everything works fine and my container is up and running (except of course, logs are not being sent to Cloudwatch). 问题是如果我在没有容器的上述日志记录配置的情况下启动AWS实例(通过Terraform应用),一切正常并且我的容器已启动并运行(当然,日志不会发送到Cloudwatch)。 As soon as I have this logging config info in place, the EC2 instance spins up but the container does not start properly. 只要我有这个日志配置信息,EC2实例就会旋转,但容器无法正常启动。 After ssh-ing into the EC2 instance, I find that the docker container bailed out. 在进入EC2实例后,我发现docker容器被救了出来。
Any idea what's going wrong here? 知道这里出了什么问题吗? What might I be missing as far as configuring sending logs to Cloudwatch via terraform is concerned? 关于通过terraform配置向Cloudwatch发送日志的问题,我可能会遇到什么?
1 个解决方案
解决方案1
3 已采纳 2017-07-07 06:44:17
Could you please check if you set all permissions and include Cloudwatch as well in ECS service role policy? 您能否检查一下您是否设置了所有权限,并在ECS服务角色策略中包含Cloudwatch ?
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"cloudwatch:PutMetricData",
"ec2:DescribeTags",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:PutSubscriptionFilter",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:*"
]
}
]
}
EOF
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.