
Sending docker logs to AWS CloudWatch via Terraform

My goal is to send docker container logs to CloudWatch via Terraform. This is the ECS role that I am using for IAM:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": ["ecs.amazonaws.com", "ec2.amazonaws.com"]
      },
      "Effect": "Allow"
    }
  ]
}

And here is the ECS service role policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:Describe*",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "ec2:Describe*",
        "ec2:AuthorizeSecurityGroupIngress",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

In my task definition for the docker container, among other things I have this for CloudWatch logging:

  "logConfiguration": {
    "logDriver": "awslogs",
    "options": {
        "awslogs-group": "awslog-mylogs",
        "awslogs-region": "eu-west-1",
        "awslogs-stream-prefix": "awslogs-mylogs-stream"
    }
  }

(I have the awslog-mylogs log group pre-created via the AWS console.)

The problem is that if I spin up the AWS instance (via Terraform apply) without the above logging config for the container, everything works fine and my container is up and running (except, of course, that logs are not being sent to CloudWatch). As soon as I have this logging config in place, the EC2 instance spins up but the container does not start properly. After ssh-ing into the EC2 instance, I find that the docker container bailed out.

Any idea what's going wrong here? What might I be missing as far as configuring sending logs to Cloudwatch via terraform is concerned?

Could you please check whether you have set all the permissions and included CloudWatch in the ECS service role policy as well?

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricData",
        "ec2:DescribeTags",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:PutSubscriptionFilter",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    }
  ]
}
EOF
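As an added check that is not part of the question or the answer: a small evaluator that tests whether an IAM policy document grants the actions the awslogs driver needs against the log group named in the question. The account id in the ARN is constructed, and the two policy documents are trimmed copies of the ones posted above.

```python
import fnmatch
import json

# Minimum actions the awslogs log driver needs on the log group; CreateLogGroup
# is only needed when awslogs-create-group is "true" (the question pre-creates it).
REQUIRED_LOG_ACTIONS = ("logs:CreateLogStream", "logs:PutLogEvents")
CREATE_GROUP_ACTION = "logs:CreateLogGroup"

def _as_list(value):
    # IAM allows a single string or a list for Action / Resource.
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource_arn):
    """True if an Allow statement matches action+resource (IAM-style * and ?
    wildcards, actions case-insensitive) and no Deny statement does."""
    allowed = denied = False
    for stmt in _as_list(policy["Statement"]):
        act_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                      for p in _as_list(stmt.get("Action", [])))
        res_hit = any(fnmatch.fnmatchcase(resource_arn, p)
                      for p in _as_list(stmt.get("Resource", [])))
        if act_hit and res_hit:
            allowed |= stmt["Effect"] == "Allow"
            denied |= stmt["Effect"] == "Deny"
    return allowed and not denied

def missing_awslogs_actions(policy, log_group_arn, create_group=False):
    """Return the awslogs-driver actions this policy does NOT grant."""
    needed = REQUIRED_LOG_ACTIONS + ((CREATE_GROUP_ACTION,) if create_group else ())
    return [a for a in needed if not allows(policy, a, log_group_arn)]

# Constructed sample ARN: region and group name from the question, account id made up.
LOG_GROUP_ARN = "arn:aws:logs:eu-west-1:123456789012:log-group:awslog-mylogs:*"

# The question's service-role policy, trimmed to its logs:* actions.
ASKER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": ["*"]}]}""")

# The policy from the answer, trimmed to its logs:* actions and resource scope.
ANSWER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams",
             "logs:PutLogEvents"], "Resource": ["arn:aws:logs:*:*:*"]}]}""")

if __name__ == "__main__":
    print("asker, pre-created group:", missing_awslogs_actions(ASKER_POLICY, LOG_GROUP_ARN))
    print("asker, create-group=true:", missing_awslogs_actions(ASKER_POLICY, LOG_GROUP_ARN, True))
    print("answer, create-group=true:", missing_awslogs_actions(ANSWER_POLICY, LOG_GROUP_ARN, True))
```

Run it against the policy of whichever role the Docker daemon actually uses: on the EC2 launch type the awslogs driver runs inside the container instance's Docker daemon, so the container instance's IAM role is the one that needs these actions, not the ECS service role shown in the question.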
