My goal is to send docker container logs to CloudWatch via terraform. This is the ECS role that I am using for IAM:
{
"Version": "2008-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": ["ecs.amazonaws.com", "ec2.amazonaws.com"]
},
"Effect": "Allow"
}
]
}
And here is the ECS service role policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:Describe*",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"ec2:Describe*",
"ec2:AuthorizeSecurityGroupIngress",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"*"
]
}
]
}
In my task definition for docker container, among other things I have this for cloudwatch logging:
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "awslog-mylogs",
"awslogs-region": "eu-west-1",
"awslogs-stream-prefix": "awslogs-mylogs-stream"
}
}
(I have the awslog-mylogs log group pre-created via AWS console).
The problem is if I spin up the AWS instance (via Terraform apply) without the above logging config for the container, everything works fine and my container is up and running (except of course, logs are not being sent to Cloudwatch). As soon as I have this logging config info in place, the EC2 instance spins up but the container does not start properly. After ssh-ing into the EC2 instance, I find that the docker container bailed out.
Any idea what's going wrong here? What might I be missing as far as configuring sending logs to Cloudwatch via terraform is concerned?
