fix(aws-ecs): set permissions for 'awslogs' log driver

Make sure that tasks using the 'awslogs' Log Driver have the correct IAM permissions to actually write logs. Add grant() methods to IAM LogGroups to make this nicer to write. Fixes #1279.
aws · Dec 5, 2018 · 456aa84 · 456aa84
1 parent f06de18
commit 456aa84
Show file tree

Hide file tree

Showing 10 changed files with 791 additions and 2 deletions.
diff --git a/packages/@aws-cdk/aws-ecs/lib/container-definition.ts b/packages/@aws-cdk/aws-ecs/lib/container-definition.ts
@@ -229,6 +229,7 @@ export class ContainerDefinition extends cdk.Construct {
     this.memoryLimitSpecified = props.memoryLimitMiB !== undefined || props.memoryReservationMiB !== undefined;
 
     props.image.bind(this);
+    if (props.logging) { props.logging.bind(this); }
   }
 
   /**

diff --git a/packages/@aws-cdk/aws-ecs/lib/log-drivers/aws-log-driver.ts b/packages/@aws-cdk/aws-ecs/lib/log-drivers/aws-log-driver.ts
@@ -1,5 +1,6 @@
 import logs = require('@aws-cdk/aws-logs');
 import cdk = require('@aws-cdk/cdk');
+import { ContainerDefinition } from '../container-definition';
 import { cloudformation } from '../ecs.generated';
 import { LogDriver } from "./log-driver";
 
@@ -61,6 +62,13 @@ export class AwsLogDriver extends LogDriver {
     });
   }
 
+  /**
+   * Called when the log driver is configured on a container
+   */
+  public bind(containerDefinition: ContainerDefinition): void {
+    this.logGroup.grantWrite(containerDefinition.taskDefinition.obtainExecutionRole());
+  }
+
   /**
    * Return the log driver CloudFormation JSON
    */

diff --git a/packages/@aws-cdk/aws-ecs/lib/log-drivers/log-driver.ts b/packages/@aws-cdk/aws-ecs/lib/log-drivers/log-driver.ts
@@ -1,4 +1,5 @@
 import cdk = require('@aws-cdk/cdk');
+import { ContainerDefinition } from '../container-definition';
 import { cloudformation } from '../ecs.generated';
 
 /**
@@ -9,4 +10,9 @@ export abstract class LogDriver extends cdk.Construct {
    * Return the log driver CloudFormation JSON
    */
   public abstract renderLogDriver(): cloudformation.TaskDefinitionResource.LogConfigurationProperty;
+
+  /**
+   * Called when the log driver is configured on a container
+   */
+  public abstract bind(containerDefinition: ContainerDefinition): void;
 }
diff --git a/packages/@aws-cdk/aws-ecs/test/fargate/integ.asset-image.expected.json b/packages/@aws-cdk/aws-ecs/test/fargate/integ.asset-image.expected.json
@@ -759,6 +759,19 @@
               ],
               "Effect": "Allow",
               "Resource": "*"
+            },
+            {
+              "Action": [
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+              ],
+              "Effect": "Allow",
+              "Resource": {
+                "Fn::GetAtt": [
+                  "FargateServiceLoggingLogGroup9B16742A",
+                  "Arn"
+                ]
+              }
             }
           ],
           "Version": "2012-10-17"