

CloudFront realtime logs from Kinesis data stream to Kinesis Firehose to S3 bucket

I was able to create the CloudFront realtime logs through the console, and now I'd like to set it up through Terraform.

I currently have a CloudFront distribution that points back to an S3 bucket.

resource "aws_cloudfront_distribution" "www_distribution" {
  default_cache_behavior {
    realtime_log_config_arn = aws_cloudfront_realtime_log_config.analytics.arn
    ...
  }
  ...
}

I created the realtime log configuration.

resource "aws_cloudfront_realtime_log_config" "analytics" {
  name          = "analytics"
  sampling_rate = 100
  fields        = [
    ...
  ]

  endpoint {
    stream_type = "Kinesis"

    kinesis_stream_config {
      role_arn   = aws_iam_role.analytics.arn
      stream_arn = aws_kinesis_stream.analytics.arn
    }
  }

  depends_on = [aws_iam_role_policy.analytics]
}

That is then managed by a Kinesis data stream.

resource "aws_kinesis_stream" "analytics" {
  name             = "blog-cloudfront-analytics"
  shard_count      = 1
  retention_period = 48

  shard_level_metrics = [
    "IncomingBytes",
    "OutgoingBytes",
  ]
}

I'd like for this to be consumed by a Kinesis Firehose stream.

resource "aws_kinesis_firehose_delivery_stream" "extended_s3_stream" {
  name        = "example-cloudfront-analytics"
  destination = "extended_s3"

  kinesis_source_configuration {
    kinesis_stream_arn = aws_kinesis_stream.analytics.arn
    role_arn           = aws_iam_role.kinesis_firehose.arn
  }

  extended_s3_configuration {
    cloudwatch_logging_options {
      log_group_name  = "/aws/lambda/example_cloudfront_analytics"
      log_stream_name = "example_stream"
      enabled         = true
    }
    role_arn   = aws_iam_role.firehose_role.arn
    bucket_arn = aws_s3_bucket.bucket.arn
  }
}

resource "aws_s3_bucket" "bucket" {
  bucket = "example-cloudfront-analytics"
  acl    = "private"
}

I've applied this configuration, but the 'Monitoring' tab in the Kinesis data stream console shows that nothing is being sent to the stream. How do I set this up?

Update更新

Here are the IAM roles used for the different services mentioned before.


This is the one used for the Kinesis Firehose.

data "aws_iam_policy_document" "kinesis_firehose" {
  statement {
    effect  = "Allow"
    actions = [
      "kinesis:*",
      "firehose:*"
    ]
    resources = [
      aws_kinesis_stream.analytics.arn,
      aws_kinesis_firehose_delivery_stream.extended_s3_stream.arn
    ]
    sid = "kinesisId"
  }
}

resource "aws_iam_role" "kinesis_firehose" {
  name               = "cloudfront_kinesis_role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "firehose.amazonaws.com"
      },
      "Effect": "Allow"
    }
  ]
}
EOF
}
resource "aws_iam_role_policy" "kinesis_firehose_stream" {
  policy = data.aws_iam_policy_document.kinesis_firehose.json
  role   = aws_iam_role.kinesis_firehose.id
}

This is the one used inside the realtime log.

resource "aws_iam_role" "analytics" {
  name = "cloudfront-realtime-log"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "kinesis.amazonaws.com"
      },
      "Effect": "Allow"
    }
  ]
}
EOF
}
resource "aws_iam_role_policy" "analytics" {
  name = "cloudfront-realtime-log"
  role = aws_iam_role.analytics.id

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Effect": "Allow",
        "Action": [
          "kinesis:DescribeStreamSummary",
          "kinesis:DescribeStream",
          "kinesis:PutRecord",
          "kinesis:PutRecords"
        ],
        "Resource": "${aws_kinesis_stream.analytics.arn}"
    }
  ]
}
EOF
}

This is the one used for the S3 bucket.

resource "aws_iam_role" "firehose_role" {
  name = "firehose_cloudfront"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "firehose.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
data "aws_iam_policy_document" "kinesis_firehose_s3" {
  statement {
    effect  = "Allow"
    actions = [
      "s3:AbortMultipartUpload",
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:ListBucket",
      "s3:ListBucketMultipartUploads",
      "s3:PutObject",
    ]
    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*",
    ]
    sid = "kinesisId"
  }
}
resource "aws_iam_role_policy" "kinesis_firehose_stream_s3" {
  policy = data.aws_iam_policy_document.kinesis_firehose_s3.json
  role   = aws_iam_role.firehose_role.id
}

Your aws_cloudfront_realtime_log_config.analytics uses role aws_iam_role.analytics.arn. However, its principal is kinesis.amazonaws.com. It should be cloudfront.amazonaws.com, as shown in the TF docs:

resource "aws_iam_role" "analytics" {
  name = "cloudfront-realtime-log"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Effect": "Allow"
    }
  ]
}
EOF
}

There could be other issues, which haven't been yet identified.
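The following is an added example, not code from the question or the answer above. It shows the IAM side of the CloudFront → Kinesis → Firehose → S3 pipeline from the question written with the corrected service principal the answer points out, and with the permission policies narrowed to the actions each service actually makes (instead of `kinesis:*` and `firehose:*`). The `aws_kinesis_stream.analytics` and `aws_s3_bucket.bucket` references assume the resources posted in the question; the resource and data-source names (`aws_iam_role.firehose`, `data.aws_iam_policy_document.*`), the policy name strings, and the choice of a single Firehose role for both the Kinesis source and the S3 destination are this example's own assumptions.

```hcl
data "aws_caller_identity" "current" {}

# Role CloudFront assumes to write real-time log records into the stream.
# The trusted service must be cloudfront.amazonaws.com, not kinesis.amazonaws.com.
data "aws_iam_policy_document" "cloudfront_realtime_log_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "cloudfront_realtime_log" {
  statement {
    sid = "WriteToRealtimeLogStream"
    actions = [
      "kinesis:DescribeStreamSummary",
      "kinesis:DescribeStream",
      "kinesis:PutRecord",
      "kinesis:PutRecords",
    ]
    resources = [aws_kinesis_stream.analytics.arn]
  }
}

resource "aws_iam_role" "analytics" {
  name               = "cloudfront-realtime-log"
  assume_role_policy = data.aws_iam_policy_document.cloudfront_realtime_log_trust.json
}

resource "aws_iam_role_policy" "analytics" {
  name   = "cloudfront-realtime-log"
  role   = aws_iam_role.analytics.id
  policy = data.aws_iam_policy_document.cloudfront_realtime_log.json
}

# Role Firehose assumes to read the stream and write to S3. Pinning
# sts:ExternalId to this account ID is the AWS-recommended guard against
# the confused-deputy problem for Firehose service roles.
data "aws_iam_policy_document" "firehose_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["firehose.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

data "aws_iam_policy_document" "firehose" {
  # Only the read-side Kinesis calls a Firehose consumer makes, instead of kinesis:*.
  statement {
    sid = "ReadSourceStream"
    actions = [
      "kinesis:DescribeStream",
      "kinesis:GetShardIterator",
      "kinesis:GetRecords",
      "kinesis:ListShards",
    ]
    resources = [aws_kinesis_stream.analytics.arn]
  }
  statement {
    sid = "WriteToBucket"
    actions = [
      "s3:AbortMultipartUpload",
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:ListBucket",
      "s3:ListBucketMultipartUploads",
      "s3:PutObject",
    ]
    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*",
    ]
  }
}

resource "aws_iam_role" "firehose" {
  name               = "firehose-cloudfront-analytics"
  assume_role_policy = data.aws_iam_policy_document.firehose_trust.json
}

resource "aws_iam_role_policy" "firehose" {
  name   = "firehose-cloudfront-analytics"
  role   = aws_iam_role.firehose.id
  policy = data.aws_iam_policy_document.firehose.json
}
```

With this in place, the delivery stream's `kinesis_source_configuration.role_arn` and `extended_s3_configuration.role_arn` can both point at `aws_iam_role.firehose.arn`, and the delivery stream should carry `depends_on = [aws_iam_role_policy.firehose]` (the same pattern the question already uses for the realtime log config), because Firehose checks that the role can read the source stream when the delivery stream is created, not only at delivery time. If `cloudwatch_logging_options` stays enabled, the Firehose role also needs `logs:PutLogEvents` on that log group, otherwise delivery errors are silently dropped. Note that a wrong trust principal does not produce a Terraform error: `apply` succeeds, the realtime log config exists, and the only symptom is exactly what the question describes, an `IncomingRecords` metric on the stream that stays at zero.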

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you republish, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

Guangdong ICP Registration No. 18138465  © 2020-2024 STACKOOM.COM