How to send docker using terraform to aws cloudwatch?

0 votes

I'm trying to send container logs to AWS CloudWatch using Terraform. Here's the ECS role I'm using for IAM:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": ["ecs.amazonaws.com", "ec2.amazonaws.com"]
      },
      "Effect": "Allow"
    }
  ]
}

the ECS service role policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:Describe*",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "ec2:Describe*",
        "ec2:AuthorizeSecurityGroupIngress",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

the task definition for docker container contains this for cloudwatch logging

  "logConfiguration": {
    "logDriver": "awslogs",
    "options": {
        "awslogs-group": "awslog-mylogs",
        "awslogs-region": "eu-west-1",
        "awslogs-stream-prefix": "awslogs-mylogs-stream"
    }
  }

(I have the awslog-mylogs log group pre-created via AWS console).

Now, when I run an AWS instance without the shown logging config for the container, everything runs (except logs being sent to CloudWatch). If I add the logging config, EC2 starts but the container does not start properly. It seems that the Docker container bails out. Anything that I can do to get the logs to CloudWatch?

Jun 7, 2018 in Docker by Atul
• 5,530 points
397 views

1 answer to this question.

0 votes

Check if you set all the permissions and also include CloudWatch and the ECS service role in the policy. To do that, just copy and paste your existing ECS service policy.

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricData",
        "ec2:DescribeTags",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:PutSubscriptionFilter",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    }
  ]
}
EOF
answered Jun 7, 2018 by DareDev
• 6,810 points
Need to install any agent for ECS-optimised AMI?
@vishwanath Challa

Yes, you need to have the ECS container agent installed.

Here is the documentation by Amazon; you can follow it to install:

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-install.html

No @Vishwanath Challa, you only need an agent when your container instance was not launched using an Amazon ECS-optimized AMI. So basically, when your instance isn't launched using the ECS-optimized AMI you need to install it manually; that's when you need to use the agent. To install an AMI manually using the agent, have a look at this.

Installing the Amazon ECS Container Agent

If your container instance was not launched using an Amazon ECS-optimized AMI, you can install the Amazon ECS container agent manually using one of the following procedures.

Note

The Amazon ECS container agent is included in the Amazon ECS-optimized AMIs and does not require installation.

@Viswanath Challa 

If your container instance was not launched using an Amazon ECS-optimized AMI, you can install the Amazon ECS container agent manually using one of the following procedures.

This isn't the scenario you stated. So if your instance is launched using an Amazon ECS-optimized AMI then you don't need an external agent, and if it is not, then according to the documentation you will need to install an external container agent.

Hope this helps!

And thank you for the correction, I should have asked about the prerequisites.

Yes @Vishwanath Challa, this is the exact documentation even I was talking about... Hope it has helped.
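
As an added example (not part of the original thread and not code from any poster): a Terraform sketch that manages the log group itself and grants the container instance role only the two actions the question's policy lists for logging, scoped to that one group instead of `"Resource": "*"`. It assumes the EC2 launch type, Terraform 0.12 or later and AWS provider 3.0 or later (where the log group `arn` has no trailing `:*`); the resource labels, role, policy and profile names and the retention period are hypothetical.

```hcl
# Added example. All resource labels and names below are hypothetical,
# except "awslog-mylogs", which is the group name used in the question.

# Manage the log group in Terraform instead of pre-creating it in the
# console, so no role ever needs logs:CreateLogGroup.
resource "aws_cloudwatch_log_group" "app" {
  name              = "awslog-mylogs" # must match "awslogs-group" in the task definition
  retention_in_days = 30              # assumed retention period
}

# Container instance role: only the EC2 service may assume it.
resource "aws_iam_role" "ecs_instance" {
  name = "ecs-instance-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

# Log-writing permissions for the awslogs driver, limited to streams
# inside the one log group above rather than every log resource.
resource "aws_iam_role_policy" "awslogs_write" {
  name = "awslogs-write"
  role = aws_iam_role.ecs_instance.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["logs:CreateLogStream", "logs:PutLogEvents"]
      Resource = "${aws_cloudwatch_log_group.app.arn}:*"
    }]
  })
}

# Instance profile that hands the role to the EC2 container instance.
# The ECS agent's own permissions (cluster registration, image pulls)
# are attached separately and are not shown here.
resource "aws_iam_instance_profile" "ecs_instance" {
  name = "ecs-instance-profile"
  role = aws_iam_role.ecs_instance.name
}
```

If a container still fails to start with this in place, compare the `awslogs-group` and `awslogs-region` values in the task definition against the log group Terraform created.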
