From 22a92db47656d9a9dcbb03396779b9f87af20136 Mon Sep 17 00:00:00 2001
From: Matthias Naber
Date: Tue, 5 Mar 2024 15:39:56 +0100
Subject: [PATCH] feat(logging): using init-fluent-bit images

Migrate to _Init Process_ of AWS for Fluent-Bit Image. We now use the official image and bootstrap it with centralized configs that support our use case (json and envoy logs). Context: https://github.com/aws/aws-for-fluent-bit/tree/develop/use_cases/init-process-for-fluent-bit
---
 fluentbit.tf | 59 ++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 50 insertions(+), 9 deletions(-)

diff --git a/fluentbit.tf b/fluentbit.tf
index bb8da89..3462663 100644
--- a/fluentbit.tf
+++ b/fluentbit.tf
@@ -2,7 +2,7 @@ locals {
 // optional FluentBit container for log aggregation
 fluentbit_container_defaults = {
 name = var.firelens.container_name
- image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/ecr-public/aws-observability/aws-for-fluent-bit:2.32.0"
+ image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/ecr-public/aws-observability/aws-for-fluent-bit:init-2.32.0.20240122"
 essential = true
 mountPoints = []
 portMappings = []
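Review bot: The new `image` value on the `+ image` line is still a mutable tag; `init-2.32.0.20240122` is more specific than the old `2.32.0`, but whoever can push to that tag upstream (or into the pull-through path the `ecr-public/` prefix implies) changes what the log-forwarding sidecar runs at the next task start without any Terraform diff. Pinning by digest makes the deploy reproducible and turns an unexpected image swap into a visible plan change, e.g. `...aws-for-fluent-bit:init-2.32.0.20240122@sha256:<DIGEST-OF-VERIFIED-IMAGE>` (placeholder — take the digest from the image actually reviewed). A short comment on that line saying how and where the tag is bumped would also help, since the `locals` block that contains it continues outside the hunk.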
@@ -11,15 +11,28 @@ locals {
 volumesFrom = []
 environment = [
- // Valid values are: debug, info and error
- { name = " FLB_LOG_LEVEL", value = "error" }
+ // Valid values are: debug, info and error, default if missing: info
+ { name = "FLB_LOG_LEVEL", value = "error" },
+ {
+ "name" : "aws_fluent_bit_init_s3_1",
+ "value" : "arn:aws:s3:::config-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}/ecs/fluent-bit/service-custom.conf"
+ },
+ {
+ "name" : "aws_fluent_bit_init_s3_2",
+ "value" : "arn:aws:s3:::config-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}/ecs/fluent-bit/filters-custom.conf"
+ },
+ {
+ "name" : "aws_fluent_bit_init_s3_3",
+ "value" : "arn:aws:s3:::config-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}/ecs/fluent-bit/parsers-custom.conf"
+ },
 ],
+ # https://github.com/aws-samples/amazon-ecs-firelens-examples/tree/mainline/examples/fluent-bit/health-check
 healthCheck = {
 retries = 3
 command = [
 "CMD-SHELL",
- "curl -s http://localhost:2020/api/v1/uptime | grep uptime_hr | grep -q running"
+ "curl --fail localhost:2020/api/v1/uptime"
 ]
 timeout = 2
 interval = 5
@@ -29,12 +42,9 @@ locals {
 firelensConfiguration = {
 type = "fluentbit"
- options = {
- enable-ecs-log-metadata : "true",
- config-file-type : "file",
- config-file-value : "/fluent-bit/config/envoy-json.conf"
- }
+ options = { enable-ecs-log-metadata : "true" }
 }
+
 logConfiguration = var.cloudwatch_logs.enabled ? {
 logDriver = "awslogs"
 options = {
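Review bot: The three added `aws_fluent_bit_init_s3_*` values each re-spell the config bucket ARN `arn:aws:s3:::config-<account>-<region>`, and the same string is spelled out a fourth and fifth time in the IAM policy document added in the last hunk; if one copy drifts, the init process either points at a file the task role cannot read or at a file that does not exist, and the sidecar fails at start rather than at plan time. A single local such as `fluent_bit_config_bucket_arn = "arn:aws:s3:::config-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}"`, referenced from both the environment entries and the policy resources, keeps the grant and its consumer in step. Style: the new entries use the JSON-like `"name" : ...` form while the `FLB_LOG_LEVEL` entry directly above them uses HCL `name = ...`; one form for all four entries reads better. The enclosing `locals` block starts and ends outside the hunk.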
@@ -58,3 +68,34 @@ module "fluentbit_container_definition" {
 var.firelens.container_definition
 ]
 }
+
+data "aws_iam_policy_document" "fluent_bit_config_access" {
+ count = var.firelens.enabled && var.task_role_arn == "" ? 1 : 0
+
+ statement {
+ actions = [
+ "s3:GetObject",
+ "s3:GetBucketLocation"
+ ]
+
+ resources = [
+ "arn:aws:s3:::config-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}/ecs/fluent-bit/*",
+ "arn:aws:s3:::config-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}",
+ ]
+ }
+}
+
+resource "aws_iam_policy" "fluent_bit_config_access" {
+ count = var.firelens.enabled && var.task_role_arn == "" ? 1 : 0
+
+ name = "fluent-bit-config-access-${var.service_name}-${data.aws_region.current.name}"
+ path = "/ecs/task-role/"
+ policy = data.aws_iam_policy_document.fluent_bit_config_access[count.index].json
+}
+
+resource "aws_iam_role_policy_attachment" "fluent_bit_config_access" {
+ count = var.firelens.enabled && var.task_role_arn == "" ? 1 : 0
+
+ role = aws_iam_role.ecs_task_role[count.index].name
+ policy_arn = aws_iam_policy.fluent_bit_config_access[count.index].arn
+}
\ No newline at end of file
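Review bot: All three new resources are gated on `var.task_role_arn == ""`, so when a caller supplies its own task role nothing grants that role `s3:GetObject` on the `ecs/fluent-bit/*` prefix and the init process cannot load its configuration at container start; the module should say so, either in the `task_role_arn` variable description or in a comment above the data source such as `# Created only for the module-managed task role; a caller-supplied task_role_arn must itself allow s3:GetObject on ecs/fluent-bit/* in the config bucket.` The same count expression is repeated three times and must also stay aligned with `aws_iam_role.ecs_task_role[count.index]`; a local like `create_fluent_bit_config_access = var.firelens.enabled && var.task_role_arn == ""` makes that coupling explicit. Since whatever sits in that prefix becomes the running Fluent Bit pipeline, write access to the bucket deserves the same scrutiny as this read grant — that is outside this file, but a one-line comment naming the trust placed in the prefix would help the next reader. The policy `name` embeds `var.service_name`, which may push long service names past the IAM policy-name length limit; hedged, as the variable's constraints are not visible here.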