tflint-ruleset-aws
ECS container definitions: Log driver awslogs option 'awslogs-create-group' should only be set to 'true' or omitted
This bit me today. In an ECS task definition's container definitions, when using the awslogs log driver, I tried specifying awslogs-create-group = "false"
to be explicit, but apparently that's not allowed and you get this error:
ClientException: Log driver awslogs option 'awslogs-create-group' should only be set to 'true', else omit option.
This ruleset should have a rule that flags any value other than "true" for this option.
GOOD:
# GOOD (form 1): the log group is managed by this configuration
# (aws_cloudwatch_log_group.this) and the awslogs-create-group option is
# omitted entirely, which ECS accepts.
resource "aws_ecs_task_definition" "this" {
  # snip
  container_definitions = jsonencode([
    {
      name      = "cloudwatch-agent"
      image     = "public.ecr.aws/cloudwatch-agent/cloudwatch-agent:latest"
      cpu       = 512
      memory    = 1024
      essential = true
      # snip
      logConfiguration = {
        logDriver = "awslogs"
        options = {
          # No awslogs-create-group key: the group is referenced by its
          # Terraform-managed name, so nothing has to be created at task start.
          "awslogs-group"         = aws_cloudwatch_log_group.this.name
          "awslogs-region"        = data.aws_region.current.name
          "awslogs-stream-prefix" = "cloudwatch-agent"
        }
      }
    }
  ])
}
# GOOD (form 2): awslogs-create-group is present with the only value ECS
# accepts for it, the string "true".
resource "aws_ecs_task_definition" "this" {
  # snip
  container_definitions = jsonencode([
    {
      name      = "cloudwatch-agent"
      image     = "public.ecr.aws/cloudwatch-agent/cloudwatch-agent:latest"
      cpu       = 512
      memory    = 1024
      essential = true
      # snip
      logConfiguration = {
        logDriver = "awslogs"
        options = {
          # "true" is the only explicit value allowed; any other value is
          # rejected at registration with the ClientException quoted above.
          # NOTE(review): the group below is already managed by
          # aws_cloudwatch_log_group.this, so create-group is redundant here;
          # it only matters when the group is named but not pre-created, and
          # it then requires the task execution role to be allowed to create
          # log groups (logs:CreateLogGroup) - confirm against the role policy.
          "awslogs-create-group"  = "true"
          "awslogs-group"         = aws_cloudwatch_log_group.this.name
          "awslogs-region"        = data.aws_region.current.name
          "awslogs-stream-prefix" = "cloudwatch-agent"
        }
      }
    }
  ])
}
BAD:
# BAD: awslogs-create-group is set to "false". ECS does not accept an
# explicit "false"; registration fails with:
#   ClientException: Log driver awslogs option 'awslogs-create-group'
#   should only be set to 'true', else omit option.
# This is the shape the proposed rule should flag.
resource "aws_ecs_task_definition" "this" {
  # snip
  container_definitions = jsonencode([
    {
      name      = "cloudwatch-agent"
      image     = "public.ecr.aws/cloudwatch-agent/cloudwatch-agent:latest"
      cpu       = 512
      memory    = 1024
      essential = true
      # snip
      logConfiguration = {
        logDriver = "awslogs"
        options = {
          # Offending line: change to "true" or delete the key. Note that
          # terraform plan/apply does not catch this - the error only surfaces
          # when the task definition is registered with ECS.
          "awslogs-create-group"  = "false"
          "awslogs-group"         = aws_cloudwatch_log_group.this.name
          "awslogs-region"        = data.aws_region.current.name
          "awslogs-stream-prefix" = "cloudwatch-agent"
        }
      }
    }
  ])
}