quickstart-amazon-eks-cluster-resource-provider
No logs being delivered to CloudWatch
Hi.
We can't have logs from the extension in CloudWatch. We already tried out different regions.
The issue may be linked to this: https://github.com/aws-quickstart/quickstart-kubernetes-resource-provider/issues/32
We have some log groups from some installation made in July, but for new deployments there are no logs at all in CloudWatch.
Our deployment:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Extensions
Resources:
  # AWSQS::EKS::Cluster
  AWSQSEKSClusterExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Join
        - '-'
        - - 'AWSQSExecutionIAMRole'
          - !Select [2, !Split [ '/', !Ref AWS::StackId ]]
      MaxSessionDuration: 8400
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - resources.cloudformation.amazonaws.com
                - cloudformation.amazonaws.com
                - lambda.amazonaws.com
            Action: sts:AssumeRole
      Path: '/'
      Policies:
        - PolicyName: !Join
            - '-'
            - - 'AWSQSExecutionIAMRole'
              - 'policy'
              - !Select [2, !Split [ '/', !Ref AWS::StackId ]]
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - sts:GetCallerIdentity
                  - eks:CreateCluster
                  - eks:DeleteCluster
                  - eks:DescribeCluster
                  - eks:ListTagsForResource
                  - eks:UpdateClusterVersion
                  - eks:UpdateClusterConfig
                  - eks:TagResource
                  - eks:UntagResource
                  - iam:PassRole
                  - sts:AssumeRole
                  - lambda:UpdateFunctionConfiguration
                  - lambda:DeleteFunction
                  - lambda:GetFunction
                  - lambda:InvokeFunction
                  - lambda:CreateFunction
                  - lambda:UpdateFunctionCode
                  - ec2:DescribeVpcs
                  - ec2:DescribeSubnets
                  - ec2:DescribeSecurityGroups
                  - kms:CreateGrant
                  - kms:DescribeKey
                Resource:
                  - '*'
      Tags:
        - Key: Name
          Value: !Join
            - '-'
            - - 'AWSQSExecutionIAMRole'
              - !Select [2, !Split [ '/', !Ref AWS::StackId ]]
  AWSQSEKSClusterLogDeliveryRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Join
        - '-'
        - - 'AWSQSLogDeliveryIAMRole'
          - !Select [2, !Split [ '/', !Ref AWS::StackId ]]
      MaxSessionDuration: 8400
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - resources.cloudformation.amazonaws.com
                - cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Path: '/'
      Policies:
        - PolicyName: !Join
            - '-'
            - - 'AWSQSLogDeliveryIAMRole'
              - 'policy'
              - !Select [2, !Split [ '/', !Ref AWS::StackId ]]
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogGroups
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                  - cloudwatch:ListMetrics
                  - cloudwatch:PutMetricData
                Resource:
                  - '*'
      Tags:
        - Key: Name
          Value: !Join
            - '-'
            - - 'AWSQSLogDeliveryIAMRole'
              - !Select [2, !Split [ '/', !Ref AWS::StackId ]]
  AWSQSEKSClusterActivation:
    Type: AWS::CloudFormation::TypeActivation
    Properties:
      AutoUpdate: true
      ExecutionRoleArn: !GetAtt AWSQSEKSClusterExecutionRole.Arn
      LoggingConfig:
        LogGroupName: !Join
          - '-'
          - - '/aws/cloudformation/registry/AWSQSEKSClusterLogGroup'
            - !Select [2, !Split [ '/', !Ref AWS::StackId ]]
        LogRoleArn: !GetAtt AWSQSEKSClusterLogDeliveryRole.Arn
      PublicTypeArn: !Sub arn:aws:cloudformation:${AWS::Region}::type/resource/408988dff9e863704bcc72e7e13f8d645cee8311/AWSQS-EKS-Cluster
```