Guest User

Untitled

a guest
Oct 14th, 2019
117
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Resources:
  2.   LogstashBucket:
  3.     Type: AWS::S3::Bucket
  4.     Properties:
  5.       BucketName: !Ref S3BucketName
  6.       BucketEncryption:
  7.         ServerSideEncryptionConfiguration:
  8.           -
  9.             ServerSideEncryptionByDefault:
  10.               SSEAlgorithm: AES256
  11.       PublicAccessBlockConfiguration:
  12.         BlockPublicAcls: true
  13.         BlockPublicPolicy: true
  14.         IgnorePublicAcls: true
  15.         RestrictPublicBuckets: true
  16.       AccessControl: Private
  17.   LogstashBucketPolicyPut:
  18.     Type: AWS::S3::BucketPolicy
  19.     Properties:
  20.       Bucket: !Ref LogstashBucket
  21.       PolicyDocument:
  22.         Statement:
  23.        -
  24.           Effect: "Allow"
  25.           # Only allow container services to put files to this bucket, despite the bucket being private.
  26.           Principal:
  27.             Service:
  28.               - "ecs-tasks.amazonaws.com"
  29.           Action: "s3:PutObject"
  30.           Resource:
  31.             Fn::Join:
  32.             - ""
  33.             -   - "arn:aws:s3:::"
  34.                 - !Ref LogstashBucket
  35.                 - "/*"  
  36.           #Condition: ArnEquals: !GetAtt LogstashTaskDef.Arn  
  37.   LogstashPolicyPutToS3:
  38.     Type: AWS::IAM::ManagedPolicy
  39.     Properties:
  40.       ManagedPolicyName: "LogstashPolicyPutToS3"
  41.       PolicyDocument:
  42.         Version: "2012-10-17"
  43.         Statement:
  44.         -
  45.           Effect: "Allow"
  46.           Action: "s3:PutObject"
  47.           Resource: !GetAtt LogstashBucket.Arn    
  48.   LogstashRolePutToS3:
  49.     Type: AWS::IAM::Role
  50.     Properties:
  51.       AssumeRolePolicyDocument:
  52.         Version: "2012-10-17"
  53.         Statement:
  54.          -
  55.             Effect: "Allow"
  56.             Principal:
  57.               Service:
  58.                 - "ecs-tasks.amazonaws.com"
  59.             Action: "sts:AssumeRole"
  60.       ManagedPolicyArns:
  61.         - !Ref LogstashPolicyPutToS3
  62.       RoleName: "LogstashRolePutToS3"
  63. LogstashTaskDef:
  64.     Type: AWS::ECS::TaskDefinition
  65.     Properties:
  66.       NetworkMode: awsvpc
  67.       RequiresCompatibilities:
  68.         - FARGATE
  69.       Cpu: !Ref ContainerCPU
  70.       Memory: !Ref ContainerMemory  
  71.       ExecutionRoleArn: !Ref RoleECSExecution                                      
  72.       TaskRoleArn: !Ref LogstashRolePutToS3
  73.       ContainerDefinitions:
  74.         -
  75.           Name: !Ref LogstashContainerName
  76.           Image: !Ref ImageUrl
  77.           PortMappings:
  78.            -
  79.               ContainerPort: !Ref SyslogInputPort
  80.               HostPort: !Ref SyslogInputPort
  81.           LogConfiguration:
  82.             LogDriver: awslogs
  83.             Options:
  84.               awslogs-region: !Ref AWS::Region
  85.               awslogs-group: !Ref LogGroup
  86.               awslogs-stream-prefix: ecs
  87.           Environment:
  88.             - Name: S3_BUCKET_BUCKETNAME
  89.               Value: !Ref S3BucketName
  90.             - Name: S3_BUCKET_CANNED_ACL
  91.               Value: !Ref S3BucketCannedACL
  92.             - Name: SYSLOG_INPUT_PORT
  93.               Value: !Ref SyslogInputPort
  94.             - Name: S3_BUCKET_REGION
  95.               Value: !Ref S3BucketRegion
RAW Paste Data