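Resources:
  # Destination bucket for the Logstash S3 output: private, SSE-S3 encrypted
  # at rest, and all public-access paths blocked at the bucket level.
  LogstashBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref S3BucketName
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      AccessControl: Private

  # Only allow the Logstash task to put files into this bucket, despite the
  # bucket being private. The task calls S3 with the credentials of its task
  # role (LogstashRolePutToS3), so that role is the principal to name here;
  # the ecs-tasks.amazonaws.com service principal never performs the PutObject
  # itself, so granting it would not match the task's requests.
  LogstashBucketPolicyPut:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref LogstashBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !GetAtt LogstashRolePutToS3.Arn
            Action: s3:PutObject
            # s3:PutObject is an object-level action, so the resource is the
            # object ARN pattern (bucket ARN + "/*"), not the bucket ARN.
            Resource: !Sub "${LogstashBucket.Arn}/*"

  # Identity policy attached to the task role: write-only access to objects
  # in the Logstash bucket.
  LogstashPolicyPutToS3:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      # NOTE(review): a fixed ManagedPolicyName (and RoleName below) means the
      # stack can be deployed only once per account; drop the names if several
      # copies of this stack are expected.
      ManagedPolicyName: LogstashPolicyPutToS3
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: s3:PutObject
            # Must be the object ARN pattern; the bare bucket ARN
            # (!GetAtt LogstashBucket.Arn) never matches s3:PutObject and every
            # upload from the task would fail with AccessDenied.
            Resource: !Sub "${LogstashBucket.Arn}/*"

  # Task role assumed by the ECS task; carries only the PutObject policy above.
  LogstashRolePutToS3:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Ref LogstashPolicyPutToS3
      RoleName: LogstashRolePutToS3

  # Fargate task running the Logstash container. ExecutionRoleArn is the role
  # ECS uses to pull the image and ship logs; TaskRoleArn is what the
  # application code inside the container uses (S3 writes).
  LogstashTaskDef:
    Type: AWS::ECS::TaskDefinition
    Properties:
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      Cpu: !Ref ContainerCPU
      Memory: !Ref ContainerMemory
      ExecutionRoleArn: !Ref RoleECSExecution
      TaskRoleArn: !Ref LogstashRolePutToS3
      ContainerDefinitions:
        - Name: !Ref LogstashContainerName
          Image: !Ref ImageUrl
          PortMappings:
            # In awsvpc mode HostPort must equal ContainerPort (or be omitted).
            - ContainerPort: !Ref SyslogInputPort
              HostPort: !Ref SyslogInputPort
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-region: !Ref AWS::Region
              awslogs-group: !Ref LogGroup
              awslogs-stream-prefix: ecs
          # Environment consumed by the container image's Logstash pipeline
          # configuration — assumed; confirm against the image. Note that
          # S3_BUCKET_CANNED_ACL cannot grant public access: the bucket's
          # PublicAccessBlockConfiguration rejects public ACLs.
          Environment:
            - Name: S3_BUCKET_BUCKETNAME
              Value: !Ref S3BucketName
            - Name: S3_BUCKET_CANNED_ACL
              Value: !Ref S3BucketCannedACL
            - Name: SYSLOG_INPUT_PORT
              Value: !Ref SyslogInputPort
            - Name: S3_BUCKET_REGION
              Value: !Ref S3BucketRegion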