Amazon Web Services CloudFront real-time logs from Kinesis Data Stream to Kinesis Firehose to S3 bucket


I was able to create CloudFront real-time logs through the console; now I want to set them up with Terraform.

I currently have a CloudFront distribution that points to an S3 bucket:

resource "aws_cloudfront_distribution" "www_distribution" {
  default_cache_behavior {
    realtime_log_config_arn = aws_cloudfront_realtime_log_config.analytics.arn
    ...
  }
  ...
}
I created the real-time log config:

resource "aws_cloudfront_realtime_log_config" "analytics" {
  name          = "analytics"
  sampling_rate = 100
  fields        = [
    ...
  ]

  endpoint {
    stream_type = "Kinesis"

    kinesis_stream_config {
      role_arn   = aws_iam_role.analytics.arn
      stream_arn = aws_kinesis_stream.analytics.arn
    }
  }

  depends_on = [aws_iam_role_policy.analytics]
}
which is then handled by a Kinesis data stream:

resource "aws_kinesis_stream" "analytics" {
  name             = "blog-cloudfront-analytics"
  shard_count      = 1
  retention_period = 48

  shard_level_metrics = [
    "IncomingBytes",
    "OutgoingBytes",
  ]
}
I want it to be consumed by a Kinesis Firehose delivery stream:

resource "aws_kinesis_firehose_delivery_stream" "extended_s3_stream" {
  name        = "example-cloudfront-analytics"
  destination = "extended_s3"

  kinesis_source_configuration {
    kinesis_stream_arn = aws_kinesis_stream.analytics.arn
    role_arn = aws_iam_role.kinesis_firehose.arn
  }

  extended_s3_configuration {
     cloudwatch_logging_options {
      log_group_name = "/aws/lambda/example_cloudfront_analytics"
      log_stream_name = "example_stream"
      enabled = true
    }
    role_arn   = aws_iam_role.firehose_role.arn
    bucket_arn = aws_s3_bucket.bucket.arn
  }
}
resource "aws_s3_bucket" "bucket" {
  bucket = "example-cloudfront-analytics"
  acl    = "private"
}
I have applied this configuration, but the Monitoring tab in the Kinesis Data Streams console shows that nothing is being sent to the stream. How do I set this up?

Update: below are the IAM roles used for the different services mentioned above.

This one is for Kinesis Firehose:

data "aws_iam_policy_document" "kinesis_firehose" {
  statement {
    effect  = "Allow"
    actions = [
      "kinesis:*",
      "firehose:*"
    ]
    resources = [
      aws_kinesis_stream.analytics.arn,
      aws_kinesis_firehose_delivery_stream.extended_s3_stream.arn
    ]
    sid = "kinesisId"
  }
}
resource "aws_iam_role" "kinesis_firehose" {
  name               = "cloudfront_kinesis_role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "firehose.amazonaws.com"
      },
      "Effect": "Allow"
    }
  ]
}
EOF
}
resource "aws_iam_role_policy" "kinesis_firehose_stream" {
  policy = data.aws_iam_policy_document.kinesis_firehose.json
  role   = aws_iam_role.kinesis_firehose.id
}
resource "aws_iam_role" "analytics" {
  name = "cloudfront-realtime-log"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "kinesis.amazonaws.com"
      },
      "Effect": "Allow"
    }
  ]
}
EOF
}
resource "aws_iam_role_policy" "analytics" {
  name = "cloudfront-realtime-log"
  role = aws_iam_role.analytics.id

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Effect": "Allow",
        "Action": [
          "kinesis:DescribeStreamSummary",
          "kinesis:DescribeStream",
          "kinesis:PutRecord",
          "kinesis:PutRecords"
        ],
        "Resource": "${aws_kinesis_stream.analytics.arn}"
    }
  ]
}
EOF
}
resource "aws_iam_role" "firehose_role" {
  name = "firehose_cloudfront"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "firehose.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
data "aws_iam_policy_document" "kinesis_firehose_s3" {
  statement {
    effect  = "Allow"
    actions = [
      "s3:AbortMultipartUpload",
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:ListBucket",
      "s3:ListBucketMultipartUploads",
      "s3:PutObject",
    ]
    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*",
    ]
    sid = "kinesisId"
  }
}
resource "aws_iam_role_policy" "kinesis_firehose_stream_s3" {
  policy = data.aws_iam_policy_document.kinesis_firehose_s3.json
  role   = aws_iam_role.firehose_role.id
}

Comment: Probably a permissions issue, but you haven't shown any of the IAM roles and policies you are using.

Comment: I only added the IAM roles.

Answer:

Your aws_cloudfront_realtime_log_config.analytics uses the role aws_iam_role.analytics.arn. However, its principal is kinesis.amazonaws.com. It should be cloudfront.amazonaws.com, as shown below:

resource "aws_iam_role" "analytics" {
  name = "cloudfront-realtime-log"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Effect": "Allow"
    }
  ]
}
EOF
}
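As an added example (not code from the question or the answer above), here is the same set of roles written with aws_iam_policy_document data sources instead of heredoc JSON, so each trust relationship is explicit, and with the Firehose role scoped to the actions it needs rather than kinesis:* and firehose:*. Resource names follow the question; the Firehose read-side action list is an assumption based on AWS's documented minimum permissions for a Firehose delivery stream that reads from a Kinesis stream, and the two Firehose roles from the question are consolidated into one.

```hcl
# Added example, not the question's or the answer's own code. Resource names match
# the question; the action lists are assumptions based on AWS's documented minimum
# permissions for each service.

# Role that CloudFront assumes to write real-time log records into the stream.
# The trusted service must be cloudfront.amazonaws.com: with kinesis.amazonaws.com
# as the principal, CloudFront's AssumeRole call is denied and nothing reaches the
# stream, which is the symptom described in the question.
data "aws_iam_policy_document" "cloudfront_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "analytics" {
  name               = "cloudfront-realtime-log"
  assume_role_policy = data.aws_iam_policy_document.cloudfront_assume.json
}

# Only the stream write actions, and only on the analytics stream.
data "aws_iam_policy_document" "analytics" {
  statement {
    actions = [
      "kinesis:DescribeStreamSummary",
      "kinesis:DescribeStream",
      "kinesis:PutRecord",
      "kinesis:PutRecords",
    ]
    resources = [aws_kinesis_stream.analytics.arn]
  }
}

resource "aws_iam_role_policy" "analytics" {
  name   = "cloudfront-realtime-log"
  role   = aws_iam_role.analytics.id
  policy = data.aws_iam_policy_document.analytics.json
}

# Single role that Firehose assumes: read the stream, write the bucket.
data "aws_iam_policy_document" "firehose_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["firehose.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "firehose_role" {
  name               = "firehose_cloudfront"
  assume_role_policy = data.aws_iam_policy_document.firehose_assume.json
}

data "aws_iam_policy_document" "firehose" {
  # Read side: what Firehose needs to consume a Kinesis stream as its source
  # (assumed minimum set, per AWS documentation).
  statement {
    sid = "ReadStream"
    actions = [
      "kinesis:DescribeStream",
      "kinesis:GetShardIterator",
      "kinesis:GetRecords",
      "kinesis:ListShards",
    ]
    resources = [aws_kinesis_stream.analytics.arn]
  }

  # Write side: the S3 actions for the extended_s3 destination, on this bucket only.
  statement {
    sid = "WriteBucket"
    actions = [
      "s3:AbortMultipartUpload",
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:ListBucket",
      "s3:ListBucketMultipartUploads",
      "s3:PutObject",
    ]
    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*",
    ]
  }
}

resource "aws_iam_role_policy" "firehose" {
  role   = aws_iam_role.firehose_role.id
  policy = data.aws_iam_policy_document.firehose.json
}
```

With this layout, both kinesis_source_configuration.role_arn and extended_s3_configuration.role_arn in the delivery stream point at aws_iam_role.firehose_role.arn, and the depends_on on aws_iam_role_policy.analytics in the real-time log config still resolves. If records still do not appear after the trust policy is corrected, the first thing to check is the CloudTrail record for the AssumeRole call by cloudfront.amazonaws.com, since a denied assumption is silent from CloudFront's side.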