fix(aws-ecs): set permissions for 'awslogs' log driver (aws#1291)

Make sure that tasks using the 'awslogs' Log Driver have the correct IAM permissions to actually write logs. Add grant() methods to IAM LogGroups to make this nicer to write. Fixes aws#1279.
Dicondur · Dec 6, 2018 · f5bc59b · f5bc59b
1 parent 0919bf4
commit f5bc59b
Show file tree

Hide file tree

Showing 10 changed files with 791 additions and 2 deletions.
diff --git a/packages/@aws-cdk/aws-ecs/lib/container-definition.ts b/packages/@aws-cdk/aws-ecs/lib/container-definition.ts
@@ -229,6 +229,7 @@ export class ContainerDefinition extends cdk.Construct {
     this.memoryLimitSpecified = props.memoryLimitMiB !== undefined || props.memoryReservationMiB !== undefined;
 
     props.image.bind(this);
+    if (props.logging) { props.logging.bind(this); }
   }
 
   /**

diff --git a/packages/@aws-cdk/aws-ecs/lib/log-drivers/aws-log-driver.ts b/packages/@aws-cdk/aws-ecs/lib/log-drivers/aws-log-driver.ts
@@ -1,5 +1,6 @@
 import logs = require('@aws-cdk/aws-logs');
 import cdk = require('@aws-cdk/cdk');
+import { ContainerDefinition } from '../container-definition';
 import { cloudformation } from '../ecs.generated';
 import { LogDriver } from "./log-driver";
 
@@ -61,6 +62,13 @@ export class AwsLogDriver extends LogDriver {
     });
   }
 
+  /**
+   * Called when the log driver is configured on a container
+   */
+  public bind(containerDefinition: ContainerDefinition): void {
+    this.logGroup.grantWrite(containerDefinition.taskDefinition.obtainExecutionRole());
+  }
+
   /**
    * Return the log driver CloudFormation JSON
    */

diff --git a/packages/@aws-cdk/aws-ecs/lib/log-drivers/log-driver.ts b/packages/@aws-cdk/aws-ecs/lib/log-drivers/log-driver.ts
@@ -1,4 +1,5 @@
 import cdk = require('@aws-cdk/cdk');
+import { ContainerDefinition } from '../container-definition';
 import { cloudformation } from '../ecs.generated';
 
 /**
@@ -9,4 +10,9 @@ export abstract class LogDriver extends cdk.Construct {
    * Return the log driver CloudFormation JSON
    */
   public abstract renderLogDriver(): cloudformation.TaskDefinitionResource.LogConfigurationProperty;
+
+  /**
+   * Called when the log driver is configured on a container
+   */
+  public abstract bind(containerDefinition: ContainerDefinition): void;
 }
diff --git a/packages/@aws-cdk/aws-ecs/test/fargate/integ.asset-image.expected.json b/packages/@aws-cdk/aws-ecs/test/fargate/integ.asset-image.expected.json
@@ -759,6 +759,19 @@
               ],
               "Effect": "Allow",
               "Resource": "*"
+            },
+            {
+              "Action": [
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+              ],
+              "Effect": "Allow",
+              "Resource": {
+                "Fn::GetAtt": [
+                  "FargateServiceLoggingLogGroup9B16742A",
+                  "Arn"
+                ]
+              }
             }
           ],
           "Version": "2012-10-17"
-Original file line number
+Diff line change
@@ Expand Up / @@ -229,6 +229,7 @@ export class ContainerDefinition extends cdk.Construct { @@
         this.memoryLimitSpecified = props.memoryLimitMiB !== undefined || props.memoryReservationMiB !== undefined;
         props.image.bind(this);
+        if (props.logging) { props.logging.bind(this); }
       }
       /**
@@ Expand Down @@