From 52a5579aa52c88bb289a7a9677c35385763c8fff Mon Sep 17 00:00:00 2001 From: sakurai-ryo <58683719+sakurai-ryo@users.noreply.github.com> Date: Tue, 19 Dec 2023 10:21:23 +0900 Subject: [PATCH] feat(ecs): log retention for FireLensLogDriver (#28354) This PR resolves the missing `logs:PutRetentionPolicy` permission issue when using `FireLensLogDriver` with CloudWatch Logs. ### Description When using `FireLensLogDriver` to send logs to CloudWatch Logs, we can specify the retention period for newly created Log Groups by specifying `log_retention_days` in the `FireLensLogDriverProps.options`. https://docs.fluentbit.io/manual/pipeline/outputs/cloudwatch#configuration-parameters https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FireLensLogDriverProps.html#options If you have not added a FluentBit container, CDK will automatically add it to the task definition, and the IAM permissions required for this are added to the task role. https://github.com/aws/aws-cdk/blob/db22b85c9b2a853aa2f830c182a340f0bcf95d1a/packages/aws-cdk-lib/aws-ecs/lib/base/task-definition.ts#L816 https://github.com/aws/aws-cdk/blob/db22b85c9b2a853aa2f830c182a340f0bcf95d1a/packages/aws-cdk-lib/aws-ecs/lib/firelens-log-router.ts#L170 While `FireLensLogDriver` allows specifying `log_retention_days` for Log Groups, FluentBit cannot set the retention period due to the absence of the `logs:PutRetentionPolicy` policy. Consequently, it results in an `AccessDeniedException`. To address this, the PR adds the necessary `logs:PutRetentionPolicy` permission to the task role when `log_retention_days` is set in `FireLensLogDriverProps.options`, ensuring FluentBit has the required permissions to set the retention period for Log Groups. Relates to #28258 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-ecs-integ.assets.json | 6 +- .../aws-ecs-integ.template.json | 112 ++++++++--------- .../cdk.out | 2 +- .../integ.json | 2 +- .../manifest.json | 10 +- .../tree.json | 114 +++++++++--------- .../test/fargate/integ.firelens-cloudwatch.ts | 1 + packages/aws-cdk-lib/aws-ecs/README.md | 25 ++++ .../aws-ecs/lib/firelens-log-router.ts | 18 ++- .../aws-ecs/test/firelens-log-driver.test.ts | 62 ++++++++++ 10 files changed, 227 insertions(+), 125 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/aws-ecs-integ.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/aws-ecs-integ.assets.json index 1ad4b057dd1f2..17788827dc9ca 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/aws-ecs-integ.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/aws-ecs-integ.assets.json @@ -1,7 +1,7 @@ { - "version": "31.0.0", + "version": "35.0.0", "files": { - "10bff152279ef3672b42fc5e451dfc88969fb7b89b060b3718d3b227e503c086": { + "0d5d7ac4381dd405aeae3bc20779469489f9db0134d9e9b264b04d8cb99e70e5": { "source": { "path": "aws-ecs-integ.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "10bff152279ef3672b42fc5e451dfc88969fb7b89b060b3718d3b227e503c086.json", + "objectKey": "0d5d7ac4381dd405aeae3bc20779469489f9db0134d9e9b264b04d8cb99e70e5.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/aws-ecs-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/aws-ecs-integ.template.json index e9d910679f078..db3603559b258 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/aws-ecs-integ.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/aws-ecs-integ.template.json @@ -18,9 +18,6 @@ "VpcPublicSubnet1Subnet5C2D37C4": { "Type": "AWS::EC2::Subnet", "Properties": { - "VpcId": { - "Ref": "Vpc8378EB38" - }, "AvailabilityZone": { "Fn::Select": [ 0, @@ -44,21 +41,24 @@ "Key": "Name", "Value": "aws-ecs-integ/Vpc/PublicSubnet1" } - ] + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } } }, "VpcPublicSubnet1RouteTable6C95E38E": { "Type": "AWS::EC2::RouteTable", "Properties": { - "VpcId": { - "Ref": "Vpc8378EB38" - }, "Tags": [ { "Key": "Name", "Value": "aws-ecs-integ/Vpc/PublicSubnet1" } - ] + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } } }, "VpcPublicSubnet1RouteTableAssociation97140677": { @@ -75,12 +75,12 @@ "VpcPublicSubnet1DefaultRoute3DA9E72A": { "Type": "AWS::EC2::Route", "Properties": { - "RouteTableId": { - "Ref": "VpcPublicSubnet1RouteTable6C95E38E" - }, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "VpcIGWD7BA715C" + }, + "RouteTableId": { + "Ref": "VpcPublicSubnet1RouteTable6C95E38E" } }, "DependsOn": [ @@ -102,15 +102,15 @@ "VpcPublicSubnet1NATGateway4D7517AA": { "Type": "AWS::EC2::NatGateway", "Properties": { - "SubnetId": { - "Ref": "VpcPublicSubnet1Subnet5C2D37C4" - }, "AllocationId": { "Fn::GetAtt": [ "VpcPublicSubnet1EIPD7E02669", "AllocationId" ] }, + "SubnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + }, "Tags": [ { "Key": "Name", @@ -126,9 +126,6 @@ "VpcPublicSubnet2Subnet691E08A3": { "Type": "AWS::EC2::Subnet", "Properties": { - "VpcId": { - "Ref": "Vpc8378EB38" - }, "AvailabilityZone": { "Fn::Select": [ 1, @@ -152,21 +149,24 @@ "Key": "Name", "Value": "aws-ecs-integ/Vpc/PublicSubnet2" } - ] + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } } }, "VpcPublicSubnet2RouteTable94F7E489": { "Type": "AWS::EC2::RouteTable", "Properties": { - "VpcId": { - "Ref": "Vpc8378EB38" - }, "Tags": [ { "Key": "Name", "Value": "aws-ecs-integ/Vpc/PublicSubnet2" } - ] + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } } }, "VpcPublicSubnet2RouteTableAssociationDD5762D8": { @@ -183,12 +183,12 @@ "VpcPublicSubnet2DefaultRoute97F91067": { "Type": "AWS::EC2::Route", "Properties": { - "RouteTableId": { - "Ref": "VpcPublicSubnet2RouteTable94F7E489" - }, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "VpcIGWD7BA715C" + }, + "RouteTableId": { + "Ref": "VpcPublicSubnet2RouteTable94F7E489" } }, "DependsOn": [ @@ -210,15 +210,15 @@ "VpcPublicSubnet2NATGateway9182C01D": { "Type": "AWS::EC2::NatGateway", "Properties": { - "SubnetId": { - "Ref": "VpcPublicSubnet2Subnet691E08A3" - }, "AllocationId": { "Fn::GetAtt": [ "VpcPublicSubnet2EIP3C605A87", "AllocationId" ] }, + "SubnetId": { + "Ref": "VpcPublicSubnet2Subnet691E08A3" + }, "Tags": [ { "Key": "Name", @@ -234,9 +234,6 @@ "VpcPrivateSubnet1Subnet536B997A": { "Type": "AWS::EC2::Subnet", "Properties": { - "VpcId": { - "Ref": "Vpc8378EB38" - }, "AvailabilityZone": { "Fn::Select": [ 0, @@ -260,21 +257,24 @@ "Key": "Name", "Value": "aws-ecs-integ/Vpc/PrivateSubnet1" } - ] + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } } }, "VpcPrivateSubnet1RouteTableB2C5B500": { "Type": "AWS::EC2::RouteTable", "Properties": { - "VpcId": { - "Ref": "Vpc8378EB38" - }, "Tags": [ { "Key": "Name", "Value": "aws-ecs-integ/Vpc/PrivateSubnet1" } - ] + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } } }, "VpcPrivateSubnet1RouteTableAssociation70C59FA6": { @@ -291,21 +291,18 @@ "VpcPrivateSubnet1DefaultRouteBE02A9ED": { "Type": "AWS::EC2::Route", "Properties": { - "RouteTableId": { - "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" - }, "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": { "Ref": "VpcPublicSubnet1NATGateway4D7517AA" + }, + "RouteTableId": { + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" } } }, "VpcPrivateSubnet2Subnet3788AAA1": { "Type": "AWS::EC2::Subnet", "Properties": { - "VpcId": { - "Ref": "Vpc8378EB38" - }, "AvailabilityZone": { "Fn::Select": [ 1, @@ -329,21 +326,24 @@ "Key": "Name", "Value": "aws-ecs-integ/Vpc/PrivateSubnet2" } - ] + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } } }, "VpcPrivateSubnet2RouteTableA678073B": { "Type": "AWS::EC2::RouteTable", "Properties": { - "VpcId": { - "Ref": "Vpc8378EB38" - }, "Tags": [ { "Key": "Name", "Value": "aws-ecs-integ/Vpc/PrivateSubnet2" } - ] + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } } }, "VpcPrivateSubnet2RouteTableAssociationA89CAD56": { @@ -360,12 +360,12 @@ "VpcPrivateSubnet2DefaultRoute060D2087": { "Type": "AWS::EC2::Route", "Properties": { - "RouteTableId": { - "Ref": "VpcPrivateSubnet2RouteTableA678073B" - }, "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": { "Ref": "VpcPublicSubnet2NATGateway9182C01D" + }, + "RouteTableId": { + "Ref": "VpcPrivateSubnet2RouteTableA678073B" } } }, @@ -383,11 +383,11 @@ "VpcVPCGWBF912B6E": { "Type": "AWS::EC2::VPCGatewayAttachment", "Properties": { - "VpcId": { - "Ref": "Vpc8378EB38" - }, "InternetGatewayId": { "Ref": "VpcIGWD7BA715C" + }, + "VpcId": { + "Ref": "Vpc8378EB38" } } }, @@ -421,7 +421,8 @@ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams", - "logs:PutLogEvents" + "logs:PutLogEvents", + "logs:PutRetentionPolicy" ], "Effect": "Allow", "Resource": "*" @@ -453,7 +454,8 @@ }, "log_group_name": "ecs-integ-test", "auto_create_group": "true", - "log_stream_prefix": "nginx" + "log_stream_prefix": "nginx", + "log_retention_days": "1" } }, "Name": "nginx", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/cdk.out index 7925065efbcc4..c5cb2e5de6344 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"31.0.0"} \ No newline at end of file +{"version":"35.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/integ.json index e0e344838d8aa..a14c794d5031f 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "35.0.0", "testCases": { "integ.firelens-cloudwatch": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/manifest.json index 72dcddccd1a77..12f16f76f8729 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "31.0.0", + "version": "35.0.0", "artifacts": { "aws-ecs-integ.assets": { "type": "cdk:asset-manifest", @@ -14,10 +14,11 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "aws-ecs-integ.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/10bff152279ef3672b42fc5e451dfc88969fb7b89b060b3718d3b227e503c086.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/0d5d7ac4381dd405aeae3bc20779469489f9db0134d9e9b264b04d8cb99e70e5.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -192,7 +193,10 @@ "/aws-ecs-integ/TaskDef/Resource": [ { "type": "aws:cdk:logicalId", - "data": "TaskDef54694570" + "data": "TaskDef54694570", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_REPLACE" + ] } ], "/aws-ecs-integ/TaskDef/ExecutionRole/Resource": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/tree.json index d355b8a18673b..de83da7184391 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.js.snapshot/tree.json @@ -45,9 +45,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "Vpc8378EB38" - }, "availabilityZone": { "Fn::Select": [ 0, @@ -71,7 +68,10 @@ "key": "Name", "value": "aws-ecs-integ/Vpc/PublicSubnet1" } - ] + ], + "vpcId": { + "Ref": "Vpc8378EB38" + } } }, "constructInfo": { @@ -93,15 +93,15 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "Vpc8378EB38" - }, "tags": [ { "key": "Name", "value": "aws-ecs-integ/Vpc/PublicSubnet1" } - ] + ], + "vpcId": { + "Ref": "Vpc8378EB38" + } } }, "constructInfo": { @@ -134,12 +134,12 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Route", "aws:cdk:cloudformation:props": { - "routeTableId": { - "Ref": "VpcPublicSubnet1RouteTable6C95E38E" - }, "destinationCidrBlock": "0.0.0.0/0", "gatewayId": { "Ref": "VpcIGWD7BA715C" + }, + "routeTableId": { + "Ref": "VpcPublicSubnet1RouteTable6C95E38E" } } }, @@ -174,15 +174,15 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::NatGateway", "aws:cdk:cloudformation:props": { - "subnetId": { - "Ref": "VpcPublicSubnet1Subnet5C2D37C4" - }, "allocationId": { "Fn::GetAtt": [ "VpcPublicSubnet1EIPD7E02669", "AllocationId" ] }, + "subnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + }, "tags": [ { "key": "Name", @@ -212,9 +212,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "Vpc8378EB38" - }, "availabilityZone": { "Fn::Select": [ 1, @@ -238,7 +235,10 @@ "key": "Name", "value": "aws-ecs-integ/Vpc/PublicSubnet2" } - ] + ], + "vpcId": { + "Ref": "Vpc8378EB38" + } } }, "constructInfo": { @@ -260,15 +260,15 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "Vpc8378EB38" - }, "tags": [ { "key": "Name", "value": "aws-ecs-integ/Vpc/PublicSubnet2" } - ] + ], + "vpcId": { + "Ref": "Vpc8378EB38" + } } }, "constructInfo": { @@ -301,12 +301,12 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Route", "aws:cdk:cloudformation:props": { - "routeTableId": { - "Ref": "VpcPublicSubnet2RouteTable94F7E489" - }, "destinationCidrBlock": "0.0.0.0/0", "gatewayId": { "Ref": "VpcIGWD7BA715C" + }, + "routeTableId": { + "Ref": "VpcPublicSubnet2RouteTable94F7E489" } } }, @@ -341,15 +341,15 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::NatGateway", "aws:cdk:cloudformation:props": { - "subnetId": { - "Ref": "VpcPublicSubnet2Subnet691E08A3" - }, "allocationId": { "Fn::GetAtt": [ "VpcPublicSubnet2EIP3C605A87", "AllocationId" ] }, + "subnetId": { + "Ref": "VpcPublicSubnet2Subnet691E08A3" + }, "tags": [ { "key": "Name", @@ -379,9 +379,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "Vpc8378EB38" - }, "availabilityZone": { "Fn::Select": [ 0, @@ -405,7 +402,10 @@ "key": "Name", "value": "aws-ecs-integ/Vpc/PrivateSubnet1" } - ] + ], + "vpcId": { + "Ref": "Vpc8378EB38" + } } }, "constructInfo": { @@ -427,15 +427,15 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "Vpc8378EB38" - }, "tags": [ { "key": "Name", "value": "aws-ecs-integ/Vpc/PrivateSubnet1" } - ] + ], + "vpcId": { + "Ref": "Vpc8378EB38" + } } }, "constructInfo": { @@ -468,12 +468,12 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Route", "aws:cdk:cloudformation:props": { - "routeTableId": { - "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" - }, "destinationCidrBlock": "0.0.0.0/0", "natGatewayId": { "Ref": "VpcPublicSubnet1NATGateway4D7517AA" + }, + "routeTableId": { + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" } } }, @@ -498,9 +498,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "Vpc8378EB38" - }, "availabilityZone": { "Fn::Select": [ 1, @@ -524,7 +521,10 @@ "key": "Name", "value": "aws-ecs-integ/Vpc/PrivateSubnet2" } - ] + ], + "vpcId": { + "Ref": "Vpc8378EB38" + } } }, "constructInfo": { @@ -546,15 +546,15 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "Vpc8378EB38" - }, "tags": [ { "key": "Name", "value": "aws-ecs-integ/Vpc/PrivateSubnet2" } - ] + ], + "vpcId": { + "Ref": "Vpc8378EB38" + } } }, "constructInfo": { @@ -587,12 +587,12 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Route", "aws:cdk:cloudformation:props": { - "routeTableId": { - "Ref": "VpcPrivateSubnet2RouteTableA678073B" - }, "destinationCidrBlock": "0.0.0.0/0", "natGatewayId": { "Ref": "VpcPublicSubnet2NATGateway9182C01D" + }, + "routeTableId": { + "Ref": "VpcPrivateSubnet2RouteTableA678073B" } } }, @@ -632,11 +632,11 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::VPCGatewayAttachment", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "Vpc8378EB38" - }, "internetGatewayId": { "Ref": "VpcIGWD7BA715C" + }, + "vpcId": { + "Ref": "Vpc8378EB38" } } }, @@ -731,7 +731,8 @@ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams", - "logs:PutLogEvents" + "logs:PutLogEvents", + "logs:PutRetentionPolicy" ], "Effect": "Allow", "Resource": "*" @@ -790,7 +791,8 @@ }, "log_group_name": "ecs-integ-test", "auto_create_group": "true", - "log_stream_prefix": "nginx" + "log_stream_prefix": "nginx", + "log_retention_days": "1" } } }, @@ -1137,7 +1139,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.3.0" } } }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.ts index 6bf323fba3edb..347b66f152b28 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.firelens-cloudwatch.ts @@ -22,6 +22,7 @@ const container = taskDefinition.addContainer('nginx', { log_group_name: 'ecs-integ-test', auto_create_group: 'true', log_stream_prefix: 'nginx', + log_retention_days: '1', }, }), }); diff --git a/packages/aws-cdk-lib/aws-ecs/README.md b/packages/aws-cdk-lib/aws-ecs/README.md index 9d79e4797c1ab..399ee801cd348 100644 --- a/packages/aws-cdk-lib/aws-ecs/README.md +++ b/packages/aws-cdk-lib/aws-ecs/README.md @@ -1132,6 +1132,31 @@ taskDefinition.addContainer('TheContainer', { }); ``` +When forwarding logs to CloudWatch Logs using Fluent Bit, you can set the retention period for the newly created Log Group by specifying the `log_retention_days` parameter. +If a Fluent Bit container has not been added, CDK will automatically add it to the task definition, and the necessary IAM permissions will be added to the task role. +If you are adding the Fluent Bit container manually, ensure to add the `logs:PutRetentionPolicy` policy to the task role. + +```ts +const taskDefinition = new ecs.Ec2TaskDefinition(this, 'TaskDef'); +taskDefinition.addContainer('TheContainer', { + image: ecs.ContainerImage.fromRegistry('example-image'), + memoryLimitMiB: 256, + logging: ecs.LogDrivers.firelens({ + options: { + Name: 'cloudwatch', + region: 'us-west-2', + log_group_name: 'firelens-fluent-bit', + log_stream_prefix: 'from-fluent-bit', + auto_create_group: 'true', + log_retention_days: '1', + }, + }), +}); +``` + +> Visit [Fluent Bit CloudWatch Configuration Parameters](https://docs.fluentbit.io/manual/pipeline/outputs/cloudwatch#configuration-parameters) +for more details. + ### Generic Log Driver A generic log driver object exists to provide a lower level abstraction of the log driver configuration. diff --git a/packages/aws-cdk-lib/aws-ecs/lib/firelens-log-router.ts b/packages/aws-cdk-lib/aws-ecs/lib/firelens-log-router.ts index 373e6b877cfde..ccea834c0a23d 100644 --- a/packages/aws-cdk-lib/aws-ecs/lib/firelens-log-router.ts +++ b/packages/aws-cdk-lib/aws-ecs/lib/firelens-log-router.ts @@ -168,13 +168,19 @@ export function obtainDefaultFluentBitECRImage(task: TaskDefinition, logDriverCo const logName = logDriverConfig && logDriverConfig.logDriver === 'awsfirelens' && logDriverConfig.options && logDriverConfig.options.Name; if (logName === 'cloudwatch') { + const actions = [ + 'logs:CreateLogGroup', + 'logs:CreateLogStream', + 'logs:DescribeLogStreams', + 'logs:PutLogEvents', + ]; + + if (logDriverConfig && logDriverConfig.options && 'log_retention_days' in logDriverConfig.options) { + actions.push('logs:PutRetentionPolicy'); + } + task.addToTaskRolePolicy(new iam.PolicyStatement({ - actions: [ - 'logs:CreateLogGroup', - 'logs:CreateLogStream', - 'logs:DescribeLogStreams', - 'logs:PutLogEvents', - ], + actions, resources: ['*'], })); } else if (logName === 'firehose') { diff --git a/packages/aws-cdk-lib/aws-ecs/test/firelens-log-driver.test.ts b/packages/aws-cdk-lib/aws-ecs/test/firelens-log-driver.test.ts index 8b348bc37a083..57dda00535cdb 100644 --- a/packages/aws-cdk-lib/aws-ecs/test/firelens-log-driver.test.ts +++ b/packages/aws-cdk-lib/aws-ecs/test/firelens-log-driver.test.ts @@ -212,6 +212,68 @@ describe('firelens log driver', () => { }); }); + test('create a firelens log driver to route logs to CloudWatch Logs with log_retention_days option', () => { + // WHEN + td.addContainer('Container', { + image, + logging: ecs.LogDrivers.firelens({ + options: { + Name: 'cloudwatch', + region: 'us-west-2', + log_group_name: 'firelens-fluent-bit', + auto_create_group: 'true', + log_stream_prefix: 'from-fluent-bit', + log_retention_days: '1', + }, + }), + memoryLimitMiB: 128, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::ECS::TaskDefinition', { + ContainerDefinitions: [ + Match.objectLike({ + LogConfiguration: { + LogDriver: 'awsfirelens', + Options: { + Name: 'cloudwatch', + region: 'us-west-2', + log_group_name: 'firelens-fluent-bit', + auto_create_group: 'true', + log_stream_prefix: 'from-fluent-bit', + log_retention_days: '1', + }, + }, + }), + Match.objectLike({ + Essential: true, + FirelensConfiguration: { + Type: 'fluentbit', + }, + }), + ], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([ + { + Action: [ + 'logs:CreateLogGroup', + 'logs:CreateLogStream', + 'logs:DescribeLogStreams', + 'logs:PutLogEvents', + 'logs:PutRetentionPolicy', + ], + Effect: 'Allow', + Resource: '*', + }, + ]), + Version: '2012-10-17', + }, + }); + }); + test('create a firelens log driver to route logs to kinesis firehose Logs with Fluent Bit', () => { // WHEN td.addContainer('Container', {