Why does AWS ECS FARGATE not generate log on cloud watch (terraform)?

Question

1. containerized app

test.py:

import logging
logging.info("wow!!")

Dockerfile:

FROM python:3.10-slim
RUN apt-get update && \
    apt-get -y install git && \
    rm -rf /var/lib/apt/lists/*
COPY test.py /tmp/test.py
CMD ["python", "/tmp/test.py"]

2. Push image on ecr

$ docker push XXXXXXX.dkr.ecr.us-east-1.amazonaws.com/chois-trader:trading-latest

3. terraform

ecs.tf:

resource "aws_kms_key" "chois_trader" {
  deletion_window_in_days = 7
}

resource "aws_cloudwatch_log_group" "chois_trader" {
  name = "chois_trader"
}

resource "aws_iam_role" "chois_trader_task_execution_role" {
  name = "chois-trader-task-execution-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole"
      ]
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "chois_trader_task_execution_role_policy_attachment" {
  role       = aws_iam_role.chois_trader_task_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

resource "aws_iam_role" "chois_trader_task_role" {
  name = "chois-trader-task-role"

  assume_role_policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "ecs-tasks.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_policy" "chois_trader_log_policy" {
  name        = "chois-trader-log-policy"
  description = "chois trader log IAM policy"
  policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "1",
        "Effect": "Allow",
        "Action": [
          "logs:CreateLogStream",
          "logs:CreateLogGroup",
          "logs:DescribeLogStreams",
          "logs:PutLogEvents"
        ],
        "Resource": "arn:aws:logs:ap-northeast-2:YYYYYYYYY:log-group:chois_trader:*"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "example_attachment" {
  role       = aws_iam_role.chois_trader_task_role.name
  policy_arn = aws_iam_policy.chois_trader_log_policy.arn
}

resource "aws_ecs_cluster" "chois_trader" {
  name = "chois_trader"

  configuration {
    execute_command_configuration {
      kms_key_id = aws_kms_key.chois_trader.arn
      logging    = "OVERRIDE"

      log_configuration {
        cloud_watch_encryption_enabled = true
        cloud_watch_log_group_name     = aws_cloudwatch_log_group.chois_trader.name
      }
    }
  }
}

# Create a task definition with a container image
resource "aws_ecs_task_definition" "chois_trader_task" {
  family = "chois-trader-task"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  execution_role_arn       = aws_iam_role.chois_trader_task_execution_role.arn
  task_role_arn = aws_iam_role.chois_trader_task_role.arn
  cpu    = 256
  memory = 512
  container_definitions = jsonencode([
    {
      name  = "chois-trader-task-container"
      image = "XXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/chois-trader:trading-latest"
      log_configuration = {
        log_driver = "awslogs"
        options = {
          "awslogs-group"         = "chois_trader"
          "awslogs-region"        = "ap-northeast-2"
          "awslogs-stream-prefix" = "ecs"
        }
      }
    }
  ])
  volume {
    name      = "service-storage"
  }
}

4. tf apply

$ terraform apply

5. Execute task (AWS console)

After a few seconds, it exits with status code 0!

But the log does not appear at all.

6. Reference

Anything I missed?

(I replaced sensitive information with XXXXXX, YYYYYY)


Answer 1

Score: 2

Below is our ECS task definition template, through which the logs are going through fine. I am guessing there may be an issue due to the usage of underscore_separated keys instead of camelCase.

"logConfiguration": {
  "logDriver": "awslogs",
  "options": {
    "awslogs-group": "${cw_log_group_name}",
    "awslogs-region": "${aws_region}",
    "awslogs-stream-prefix": "${app_name}-${environment}-log-stream"
  }
},
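
Following the answer's guess, here is an added check (not part of the original question or answer) that audits the rendered container_definitions JSON for snake_case keys and missing awslogs settings before a task is deployed. The function names and the sample input, rebuilt from the question's task definition, are constructed for illustration.

```python
import json

# Constructed sample: the question's container definition as jsonencode() renders it.
QUESTION_DEFS = json.dumps([{
    "name": "chois-trader-task-container",
    "image": "XXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/chois-trader:trading-latest",
    "log_configuration": {
        "log_driver": "awslogs",
        "options": {"awslogs-group": "chois_trader",
                    "awslogs-region": "ap-northeast-2",
                    "awslogs-stream-prefix": "ecs"},
    },
}])
# Options the awslogs driver needs on Fargate.
AWSLOGS_OPTIONS = ("awslogs-group", "awslogs-region", "awslogs-stream-prefix")

def to_camel(key):
    """log_configuration -> logConfiguration"""
    head, *rest = key.split("_")
    return head + "".join(part.capitalize() for part in rest)

def audit(rendered_json):
    """Return findings for containers whose log settings ECS would not see."""
    findings = []
    for container in json.loads(rendered_json):
        name = container.get("name", "<unnamed>")
        log_cfg = container.get("logConfiguration") or {}
        # ECS field names are camelCase, so an underscore marks a key it will not recognise.
        for key in list(container) + list(log_cfg):
            if "_" in key:
                findings.append(f"{name}: '{key}' should be '{to_camel(key)}'")
        if "logDriver" not in log_cfg:
            findings.append(f"{name}: no logDriver, container output is not shipped")
        elif log_cfg["logDriver"] == "awslogs":
            missing = [o for o in AWSLOGS_OPTIONS if o not in log_cfg.get("options", {})]
            if missing:
                findings.append(f"{name}: awslogs options missing: {', '.join(missing)}")
    return findings

def camelize(rendered_json):
    """Rewrite container-level and logConfiguration keys to camelCase."""
    fixed = [{to_camel(k): v for k, v in c.items()} for c in json.loads(rendered_json)]
    for c in fixed:
        if "logConfiguration" in c:
            c["logConfiguration"] = {to_camel(k): v for k, v in c["logConfiguration"].items()}
    return json.dumps(fixed)

if __name__ == "__main__":
    print(audit(QUESTION_DEFS), audit(camelize(QUESTION_DEFS)))
```

Run against the question's definition, the audit reports the misnamed log_configuration key and the resulting absence of a log driver; after camelize the same definition passes.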

Posted on June 6, 2023, 12:40:25