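# CloudFormation template, rendered through a Go text template, that forwards
# CloudWatch Logs groups to Apex Logs through a Kinesis Data Firehose HTTP
# endpoint destination.
# The version is quoted so generic YAML parsers keep it a string, not a date.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  Endpoint:
    Type: String
    Description: The Apex Logs CloudWatch Logs integration URL.
    # The API token below is sent to this URL as the Firehose access key, so
    # only HTTPS endpoints are accepted at stack-validation time.
    AllowedPattern: "https://.+"
    ConstraintDescription: must be an https:// URL.
  AuthToken:
    Type: String
    Description: The Apex Logs API token with write access.
    AllowedPattern: ".+"
    # Mask the token in console, CLI and API output for this stack. NoEcho
    # only hides the parameter value; a dynamic reference to Secrets Manager
    # or SSM Parameter Store keeps it out of stack inputs altogether.
    NoEcho: true
  ProjectID:
    Type: String
    Description: The Apex Logs destination project ID.
    AllowedPattern: ".+"
  BufferInterval:
    Type: Number
    Description: The buffer flush interval in seconds.
    Default: 60
  BufferSize:
    Type: Number
    Description: The buffer max size in megabytes.
    Default: 1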
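Resources:
  # Bucket referenced by the Firehose S3Configuration below; objects written
  # there contain log data and expire after 7 days.
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      LifecycleConfiguration:
        Rules:
          - ExpirationInDays: 7
            Status: Enabled

  # Role CloudWatch Logs assumes to push subscribed events into Firehose.
  LogsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: !Sub "logs.${AWS::Region}.amazonaws.com"
            Action: 'sts:AssumeRole'
            # Confused-deputy guard: only log resources of this account and
            # region may cause the Logs service to assume the role.
            Condition:
              StringLike:
                'aws:SourceArn': !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*"

  # Least privilege: the subscription only needs to put records on the one
  # delivery stream created here, not every Firehose action on every stream
  # in the account and region.
  LogsPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: logs_policy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ''
            Effect: Allow
            Action:
              - 'firehose:PutRecord'
              - 'firehose:PutRecordBatch'
            Resource:
              - !GetAtt DeliveryStream.Arn
      Roles:
        - !Ref LogsRole

  # Role Firehose assumes to write to the bucket above.
  DeliveryRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: firehose.amazonaws.com
            Action: 'sts:AssumeRole'

  DeliveryPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: firehose_delivery_policy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - 's3:AbortMultipartUpload'
              - 's3:GetBucketLocation'
              - 's3:GetObject'
              - 's3:ListBucket'
              - 's3:ListBucketMultipartUploads'
              - 's3:PutObject'
            Resource:
              # Bucket-level actions use the bucket ARN; object-level actions
              # use "/*". A bare "*" suffix would also match any other bucket
              # whose name merely starts with this bucket's name.
              - !Sub 'arn:aws:s3:::${S3Bucket}'
              - !Sub 'arn:aws:s3:::${S3Bucket}/*'
      Roles:
        - !Ref DeliveryRole

  DeliveryStream:
    Type: AWS::KinesisFirehose::DeliveryStream
    # Create the stream only after its role can actually reach the bucket.
    DependsOn: DeliveryPolicy
    Properties:
      DeliveryStreamType: DirectPut
      HttpEndpointDestinationConfiguration:
        EndpointConfiguration:
          Name: "ApexLogs"
          # API token presented to the endpoint on every delivery request.
          AccessKey: !Ref AuthToken
          Url: !Ref Endpoint
        S3Configuration:
          BucketARN: !GetAtt S3Bucket.Arn
          RoleARN: !GetAtt DeliveryRole.Arn
        RetryOptions:
          DurationInSeconds: 300
        RequestConfiguration:
          ContentEncoding: NONE
          # Attributes attached to every request sent to the endpoint.
          CommonAttributes:
            - AttributeName: project_id
              AttributeValue: !Ref ProjectID
            - AttributeName: aws_region
              AttributeValue: !Ref AWS::Region
        BufferingHints:
          IntervalInSeconds: !Ref BufferInterval
          SizeInMBs: !Ref BufferSize
        RoleARN: !GetAtt DeliveryRole.Arn

  # One subscription filter is rendered per entry in the template's Groups
  # list. The group name is emitted with printf "%q" so it lands in the YAML
  # as a quoted, escaped string.
  {{range $index, $group := .Groups}}
  LogsSubscription{{$index}}:
    Type: AWS::Logs::SubscriptionFilter
    Properties:
      LogGroupName: {{printf "%q" $group}}
      # An empty pattern forwards every event in the log group.
      FilterPattern: ""
      DestinationArn: !GetAtt DeliveryStream.Arn
      RoleArn: !GetAtt LogsRole.Arn
    # The filter needs both the stream and the policy that lets LogsRole
    # write to it; without the policy dependency creation can race.
    DependsOn:
      - DeliveryStream
      - LogsPolicy
  {{end}}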