feat(ecs): log retention for FireLensLogDriver (#28354)
This PR resolves the missing `logs:PutRetentionPolicy` permission issue when using `FireLensLogDriver` with CloudWatch Logs.

### Description

When using `FireLensLogDriver` to send logs to CloudWatch Logs, we can specify the retention period for newly created Log Groups by specifying `log_retention_days` in the `FireLensLogDriverProps.options`.

https://docs.fluentbit.io/manual/pipeline/outputs/cloudwatch#configuration-parameters
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FireLensLogDriverProps.html#options

If you have not added a FluentBit container, CDK will automatically add it to the task definition, and the IAM permissions required for this are added to the task role.

https://github.com/aws/aws-cdk/blob/db22b85c9b2a853aa2f830c182a340f0bcf95d1a/packages/aws-cdk-lib/aws-ecs/lib/base/task-definition.ts#L816
https://github.com/aws/aws-cdk/blob/db22b85c9b2a853aa2f830c182a340f0bcf95d1a/packages/aws-cdk-lib/aws-ecs/lib/firelens-log-router.ts#L170

While `FireLensLogDriver` allows specifying `log_retention_days` for Log Groups, FluentBit cannot set the retention period due to the absence of the `logs:PutRetentionPolicy` policy. Consequently, it results in an `AccessDeniedException`.

To address this, the PR adds the necessary `logs:PutRetentionPolicy` permission to the task role when `log_retention_days` is set in `FireLensLogDriverProps.options`, ensuring FluentBit has the required permissions to set the retention period for Log Groups.

Relates to #28258

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
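The rule this PR implements (a `log_retention_days` option on the Fluent Bit `cloudwatch` output implies `logs:PutRetentionPolicy` on the task role) can be checked outside CDK. Below is an added TypeScript example, not code from aws-cdk or from this PR: it derives the CloudWatch Logs actions the Fluent Bit `cloudwatch` output needs from a FireLens option map, builds the policy a task role would need, and audits an existing policy document for missing actions, which is how the `AccessDeniedException` described above shows up before it is hit at runtime. The baseline action list and the choice to grant `logs:CreateLogGroup` only when `auto_create_group` is on are assumptions taken from the Fluent Bit cloudwatch output documentation, not from the PR; the option map and the task-role policy are constructed samples.

```typescript
// Added example, not aws-cdk or Fluent Bit code. Derives the CloudWatch Logs
// IAM actions the Fluent Bit `cloudwatch` output needs from a FireLens option
// map, and audits a task-role policy document for the ones it lacks.

type FireLensOptions = Record<string, string>;

interface PolicyStatement {
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: string;
  Statement: PolicyStatement[];
}

// Actions the plugin needs regardless of options (assumption: list taken from
// the Fluent Bit cloudwatch output docs, not from the PR text).
const ALWAYS_NEEDED = ['logs:CreateLogStream', 'logs:DescribeLogStreams', 'logs:PutLogEvents'];

function requiredLogsActions(options: FireLensOptions): string[] {
  const actions = ALWAYS_NEEDED.slice();
  // Log groups are only created when auto_create_group is "true", so the
  // create permission is granted conditionally here (least privilege).
  if (options.auto_create_group === 'true') {
    actions.push('logs:CreateLogGroup');
  }
  // The PR's rule: a configured retention period implies PutRetentionPolicy.
  if (options.log_retention_days !== undefined) {
    actions.push('logs:PutRetentionPolicy');
  }
  return actions;
}

// The statement a task role needs for these options. Narrow `resource` to the
// log group ARN where you can; '*' is only the default here.
function policyForFireLens(options: FireLensOptions, resource: string = '*'): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: requiredLogsActions(options), Resource: [resource] }],
  };
}

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// IAM action patterns may contain '*' (e.g. "logs:Put*") and match case-insensitively.
function actionMatches(pattern: string, action: string): boolean {
  const parts = pattern.split('*').map(p => p.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$', 'i').test(action);
}

// Required actions that no Allow statement in `doc` covers.
function missingLogsActions(doc: PolicyDocument, options: FireLensOptions): string[] {
  let allowed: string[] = [];
  for (const s of doc.Statement) {
    if (s.Effect === 'Allow') {
      allowed = allowed.concat(asList(s.Action));
    }
  }
  return requiredLogsActions(options).filter(need => !allowed.some(pat => actionMatches(pat, need)));
}

// Constructed sample: FireLens options that request a 14-day retention ...
const SAMPLE_OPTIONS: FireLensOptions = {
  Name: 'cloudwatch',
  region: 'us-east-1',
  log_group_name: '/ecs/firelens-demo',
  log_stream_prefix: 'app-',
  auto_create_group: 'true',
  log_retention_days: '14',
};

// ... paired with a constructed task-role policy that carries only the
// baseline CloudWatch Logs grant, i.e. without logs:PutRetentionPolicy.
const SAMPLE_TASK_ROLE_POLICY: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['logs:CreateLogStream', 'logs:CreateLogGroup', 'logs:DescribeLogStreams', 'logs:PutLogEvents'],
    Resource: '*',
  }],
};

console.log('missing actions:', missingLogsActions(SAMPLE_TASK_ROLE_POLICY, SAMPLE_OPTIONS));
console.log('policy to attach:', JSON.stringify(policyForFireLens(SAMPLE_OPTIONS), null, 2));
```

On a CDK version without this fix, the missing action reported for the sample (`logs:PutRetentionPolicy`) is the one to add to the task role yourself; the audit deliberately honours wildcard patterns such as `logs:*` so an over-broad existing grant is not reported as missing, but that is also the signal to tighten it.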