通过Terraform发送Docker日志到AWS CloudWatch
我的目标是通过terraform将Docker容器日志发送到CloudWatch。 这是我用于IAM的ECSangular色:
{ "Version": "2008-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Principal": { "Service": ["ecs.amazonaws.com", "ec2.amazonaws.com"] }, "Effect": "Allow" } ] } 这里是ECS服务angular色策略:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticloadbalancing:Describe*", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "ec2:Describe*", "ec2:AuthorizeSecurityGroupIngress", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": [ "*" ] } ] }
在我的docker集装箱的任务定义,除了其他事情我有这个为cloudwatch日志logging:
"logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "awslog-mylogs", "awslogs-region": "eu-west-1", "awslogs-stream-prefix": "awslogs-mylogs-stream" } }
(我有通过AWS控制台预先创build的awslog-mylogs日志组)。
问题是,如果我旋转AWS实例(通过Terraform应用程序)没有上述容器的日志loggingconfiguration,一切工作正常,我的容器启动和运行(除了当然,日志不会被发送到Cloudwatch)。 只要我有这个日志configuration信息,EC2实例快速启动,但容器无法正常启动。 在进入EC2实例之后,我发现docker容器被释放了。
任何想法这里怎么了? 就configuration通过terraform发送日志到Cloudwatch而言,我可能会丢失什么?
您可以请检查您是否设置了所有权限,并在ECS服务angular色策略中包含Cloudwatch ?
policy = <<EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "cloudwatch:PutMetricData", "ec2:DescribeTags", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutSubscriptionFilter", "logs:PutLogEvents" ], "Resource": [ "arn:aws:logs:*:*:*" ] } ] } EOF