通過Terraform發送Docker日誌到AWS CloudWatch

Question

我的目標是通過terraform將Docker容器日誌發送到CloudWatch。 這是我使用IAM的ECS作用：

{ 
    "Version": "2008-10-17", 
    "Statement": [ 
    { 
     "Action": "sts:AssumeRole", 
     "Principal": { 
     "Service": ["ecs.amazonaws.com", "ec2.amazonaws.com"] 
     }, 
     "Effect": "Allow" 
    } 
    ] 
} 

這裏是ECS服務作用的政策：

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Effect": "Allow", 
     "Action": [ 
     "elasticloadbalancing:Describe*", 
     "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", 
     "elasticloadbalancing:RegisterInstancesWithLoadBalancer", 
     "ec2:Describe*", 
     "ec2:AuthorizeSecurityGroupIngress", 
     "logs:CreateLogStream", 
     "logs:PutLogEvents" 
     ], 
     "Resource": [ 
     "*" 
     ] 
    } 
    ] 
} 

在對搬運工人容器我的任務定義，以及其他的事情，我有這個用於記錄的CloudWatch：

"logConfiguration": { 
    "logDriver": "awslogs", 
    "options": { 
     "awslogs-group": "awslog-mylogs", 
     "awslogs-region": "eu-west-1", 
     "awslogs-stream-prefix": "awslogs-mylogs-stream" 
    } 
    } 

（我有awslog-mylogs日誌組經由AWS控制檯預先創建）。

問題是如果我啓動AWS實例（通過Terraform應用）沒有上述容器的日誌記錄配置，一切工作正常，我的容器已啓動並正在運行（當然，日誌不會發送到Cloudwatch ）。只要我有這個日誌配置信息，EC2實例就會啓動，但容器無法正常啓動。在進入EC2實例之後，我發現碼頭集裝箱已經卸載。

任何想法是怎麼回事錯在這裏？就配置通過地形發送日誌到Cloudwatch而言，我可能會丟失什麼？

Answer 1

請問您是否可以設置所有權限並在ECS服務角色策略中包含Cloudwatch？

policy = <<EOF 
{ 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Effect": "Allow", 
     "Action": [ 
     "cloudwatch:GetMetricStatistics", 
     "cloudwatch:ListMetrics", 
     "cloudwatch:PutMetricData", 
     "ec2:DescribeTags", 
     "logs:CreateLogGroup", 
     "logs:CreateLogStream", 
     "logs:DescribeLogStreams", 
     "logs:PutSubscriptionFilter", 
     "logs:PutLogEvents" 
     ], 
     "Resource": [ 
     "arn:aws:logs:*:*:*" 
     ] 
    } 
    ] 
} 
EOF