Amazon web services CloudFront实时日志从Kinesis数据流到Kinesis Firehose再到S3 bucket
我能够通过控制台创建CloudFront实时日志,现在我想通过Terraform进行设置 我目前有一个CloudFront发行版,它指向S3存储桶Amazon web services CloudFront实时日志从Kinesis数据流到Kinesis Firehose再到S3 bucket,amazon-web-services,terraform,terraform-provider-aws,Amazon Web Services,Terraform,Terraform Provider Aws,我能够通过控制台创建CloudFront实时日志,现在我想通过Terraform进行设置 我目前有一个CloudFront发行版,它指向S3存储桶 resource "aws_cloudfront_distribution" "www_distribution" { default_cache_behavior { realtime_log_config_arn = aws_cloudfront_realtime_log_config.anal
resource "aws_cloudfront_distribution" "www_distribution" {
default_cache_behavior {
realtime_log_config_arn = aws_cloudfront_realtime_log_config.analytics.arn
...
}
...
}
我创建了实时日志配置
resource "aws_cloudfront_realtime_log_config" "analytics" {
name = "analytics"
sampling_rate = 100
fields = [
...
]
endpoint {
stream_type = "Kinesis"
kinesis_stream_config {
role_arn = aws_iam_role.analytics.arn
stream_arn = aws_kinesis_stream.analytics.arn
}
}
depends_on = [aws_iam_role_policy.analytics]
}
然后由动觉数据流管理
resource "aws_kinesis_stream" "analytics" {
name = "blog-cloudfront-analytics"
shard_count = 1
retention_period = 48
shard_level_metrics = [
"IncomingBytes",
"OutgoingBytes",
]
}
我想让它被动情消防水带流消耗掉
resource "aws_kinesis_firehose_delivery_stream" "extended_s3_stream" {
name = "example-cloudfront-analytics"
destination = "extended_s3"
kinesis_source_configuration {
kinesis_stream_arn = aws_kinesis_stream.analytics.arn
role_arn = aws_iam_role.kinesis_firehose.arn
}
extended_s3_configuration {
cloudwatch_logging_options {
log_group_name = "/aws/lambda/example_cloudfront_analytics"
log_stream_name = "example_stream"
enabled = true
}
role_arn = aws_iam_role.firehose_role.arn
bucket_arn = aws_s3_bucket.bucket.arn
}
}
resource "aws_s3_bucket" "bucket" {
bucket = "example-cloudfront-analytics"
acl = "private"
}
我已经应用了此配置,但Kinesis数据流控制台中的“监视器”选项卡显示没有向流发送任何内容。我该如何设置
更新
以下是用于前面提到的不同服务的IAM角色
这是一个用于动力消防软管
数据“aws\u iam\u政策\u文件”“动静\u消防软管”{
声明{
effect=“允许”
行动=[
“运动:”,
“消防喉:”
]
资源=[
aws_kinisis_stream.analytics.arn,
aws\u动静\u消防软管\u输送\u流。扩展\u s3\u流。arn
]
sid=“动觉”
}
}
资源“aws\u iam\u角色”“动力消防软管”{
name=“cloudfront\u运动\u角色”
假设您的aws\u cloudfront\u realtime\u log\u config.analytics
使用角色aws\u iam\u role.analytics.arn
。但是,它的原则是kinisis.amazonaws.com
。它应该是cloudfront.amazonaws.com
,如图所示:
资源“aws\u iam\u角色”“分析”{
name=“cloudfront实时日志”
假设\u role\u policy=可能是权限问题,但您尚未显示您正在使用的任何IAM角色和策略。只添加了IAM角色
data "aws_iam_policy_document" "kinesis_firehose" {
statement {
effect="Allow"
actions = [
"kinesis:*",
"firehose:*"
]
resources = [
aws_kinesis_stream.analytics.arn,
aws_kinesis_firehose_delivery_stream.extended_s3_stream.arn
]
sid = "kinesisId"
}
}
resource "aws_iam_role" "kinesis_firehose" {
name = "cloudfront_kinesis_role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "firehose.amazonaws.com"
},
"Effect": "Allow"
}
]
}
EOF
}
resource "aws_iam_role_policy" "kinesis_firehose_stream" {
policy = data.aws_iam_policy_document.kinesis_firehose.json
role = aws_iam_role.kinesis_firehose.id
}
resource "aws_iam_role" "analytics" {
name = "cloudfront-realtime-log"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "kinesis.amazonaws.com"
},
"Effect": "Allow"
}
]
}
EOF
}
resource "aws_iam_role_policy" "analytics" {
name = "cloudfront-realtime-log"
role = aws_iam_role.analytics.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kinesis:DescribeStreamSummary",
"kinesis:DescribeStream",
"kinesis:PutRecord",
"kinesis:PutRecords"
],
"Resource": "${aws_kinesis_stream.analytics.arn}"
}
]
}
EOF
}
resource "aws_iam_role" "firehose_role" {
name = "firehose_cloudfront"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "firehose.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
data "aws_iam_policy_document" "kinesis_firehose_s3" {
statement {
effect="Allow"
actions = [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutObject",
]
resources = [
aws_s3_bucket.bucket.arn,
"${aws_s3_bucket.bucket.arn}/*",
]
sid = "kinesisId"
}
}
resource "aws_iam_role_policy" "kinesis_firehose_stream_s3" {
policy = data.aws_iam_policy_document.kinesis_firehose_s3.json
role = aws_iam_role.firehose_role.id
}
resource "aws_iam_role" "analytics" {
name = "cloudfront-realtime-log"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "cloudfront.amazonaws.com"
},
"Effect": "Allow"
}
]
}
EOF
}