@D-system
Created August 16, 2024 02:48
Configure AWS to forward a CloudWatch log group's logs to AppSignal with CloudFormation
---
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Configures a CloudWatch Logs subscription filter and a Kinesis Data Firehose
  delivery stream that send the logs of an existing CloudWatch log group to AppSignal.
  It must be deployed in the same region and the same account as the CloudWatch log group.
  Implements all the steps from the AppSignal documentation at once:
  https://docs.appsignal.com/logging/platforms/cloudwatch.html
Parameters:
  AppSignalLicenseKey:
    Type: String
    Description: 39-character hexadecimal string
    NoEcho: true
    MinLength: 39
    MaxLength: 39
  CloudWatchLogGroupName:
    Type: String
    Description: >-
      Name (not the ARN) of the CloudWatch log group to send to AppSignal.
      Log group list: https://console.aws.amazon.com/cloudwatch/home#logsV2:log-groups
    MinLength: 1
Resources:
  # Backup bucket: Firehose writes records here that it could not deliver to the
  # HTTP endpoint (default S3BackupMode is FailedDataOnly). Public access is
  # blocked and objects are encrypted at rest.
  S3FirehoseEventsBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Bucket names must be lowercase and at most 63 characters, so the stack
      # name used here must be lowercase and short enough to fit with the account id.
      BucketName: !Join
        - "-"
        - - "appsignal-firehose"
          - !Ref AWS::StackName
          - !Ref AWS::AccountId
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
  # Role assumed by the Firehose service. The sts:ExternalId condition restricts
  # it to delivery streams of this account (confused-deputy protection).
  FirehoseRole:
    Type: AWS::IAM::Role
    Properties:
      Description: >-
        Role to allow the Firehose delivery stream to put events into the S3 backup bucket
      RoleName: !Join
        - "-"
        - - "appsignal-firehose"
          - !Ref AWS::StackName
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - firehose.amazonaws.com
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref AWS::AccountId
      Policies:
        - PolicyName: !Join
            - "-"
            - - "appsignal-firehose"
              - !Ref AWS::StackName
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - "s3:AbortMultipartUpload"
                  - "s3:GetBucketLocation"
                  - "s3:GetObject"
                  - "s3:ListBucket"
                  - "s3:ListBucketMultipartUploads"
                  - "s3:PutObject"
                Resource:
                  - !GetAtt S3FirehoseEventsBucket.Arn
                  - !Join ["", [!GetAtt S3FirehoseEventsBucket.Arn, "/*"]]
              - Effect: Allow
                Action:
                  # CloudWatch Logs actions use the "logs" service prefix
                  - "logs:PutLogEvents"
                Resource:
                  - !Join
                    - ""
                    - - "arn:aws:logs:"
                      - !Ref AWS::Region
                      - ":"
                      - !Ref AWS::AccountId
                      - ":log-group:"
                      - !Ref CloudWatchLogGroupName
                      - ":*"
  # Delivery stream: buffers records and POSTs them gzip-compressed to the
  # AppSignal HTTP endpoint, authenticated with the license key.
  FirehoseDeliveryStream:
    Type: AWS::KinesisFirehose::DeliveryStream
    Properties:
      DeliveryStreamName: !Join
        - "-"
        - - "appsignal-firehose"
          - !Ref AWS::StackName
      DeliveryStreamType: DirectPut
      HttpEndpointDestinationConfiguration:
        RequestConfiguration:
          ContentEncoding: GZIP
        EndpointConfiguration:
          Name: AppSignal
          Url: "https://appsignal-endpoint.net/logs/aws-kinesis"
          AccessKey: !Ref AppSignalLicenseKey
        BufferingHints:
          IntervalInSeconds: 60
          SizeInMBs: 1
        RetryOptions:
          DurationInSeconds: 60
        S3Configuration:
          CompressionFormat: GZIP
          BucketARN: !GetAtt S3FirehoseEventsBucket.Arn
          RoleARN: !GetAtt FirehoseRole.Arn
        RoleARN: !GetAtt FirehoseRole.Arn
  # Role assumed by the CloudWatch Logs service to write into the delivery stream.
  LogsStreamRole:
    Type: AWS::IAM::Role
    Properties:
      Description: Role to allow the CloudWatch Logs subscription filter to put records into the Firehose delivery stream
      RoleName: !Join
        - "-"
        - - "appsignal-cloudwatch"
          - !Ref AWS::StackName
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - !Sub "logs.${AWS::Region}.amazonaws.com"
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: !Join
            - "-"
            - - "appsignal-firehose"
              - !Ref AWS::StackName
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                # Least privilege: a subscription filter only needs to write records,
                # so the full "firehose:*" is not required.
                Action:
                  - "firehose:PutRecord"
                  - "firehose:PutRecordBatch"
                Resource:
                  - !GetAtt FirehoseDeliveryStream.Arn
  # Subscription filter with an empty pattern: every event of the log group is forwarded.
  SubscriptionFilter:
    Type: AWS::Logs::SubscriptionFilter
    Properties:
      LogGroupName: !Ref CloudWatchLogGroupName
      FilterName: "AppSignal"
      FilterPattern: ""
      DestinationArn: !GetAtt FirehoseDeliveryStream.Arn
      RoleArn: !GetAtt LogsStreamRole.Arn
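Deploying and verifying the template, as an added example that is not part of the gist: a bash wrapper around the AWS CLI. It assumes the template is saved as `appsignal-cloudwatch.yaml` (hypothetical file name) and that the CLI is configured for the log group's account and region; `CAPABILITY_NAMED_IAM` is needed because the template sets `RoleName`, and the stack name is derived so that the generated S3 bucket name stays valid.

```bash
#!/usr/bin/env bash
# Added example, not part of the gist: deploy the template above and verify the
# CloudWatch -> Firehose -> AppSignal wiring with the AWS CLI (assumed to be
# configured for the log group's own account and region).
set -euo pipefail
TEMPLATE="${TEMPLATE:-appsignal-cloudwatch.yaml}"   # assumed file name for the template

# Mirrors the template's AppSignalLicenseKey constraint: exactly 39 hex characters.
valid_license_key() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{39}$'
}

# Derive a stack name from the log group name. The template names the bucket
# appsignal-firehose-<StackName>-<AccountId>, and S3 bucket names must be lowercase
# and at most 63 characters, so the stack name is lowercased and capped at 31
# (19 + 31 + 1 + 12 = 63). Stack names also forbid the "/" in names like /aws/lambda/foo.
stack_name_for() {
  local name
  name="$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9' '-' | sed -e 's/^-*//' -e 's/-*$//')"
  name="appsignal-${name}"
  [ "${#name}" -le 31 ] || { echo "stack name too long for the S3 bucket name: $name" >&2; return 1; }
  printf '%s' "$name"
}

# Confirm the delivery stream is ACTIVE and the subscription filter targets it.
verify_stack() {
  local stack="$1" log_group="$2" out status stream_arn filter_dest
  out="$(aws firehose describe-delivery-stream --delivery-stream-name "appsignal-firehose-$stack" \
    --query 'DeliveryStreamDescription.[DeliveryStreamStatus,DeliveryStreamARN]' --output text)"
  read -r status stream_arn <<<"$out"
  filter_dest="$(aws logs describe-subscription-filters --log-group-name "$log_group" \
    --filter-name-prefix AppSignal --query 'subscriptionFilters[0].destinationArn' --output text)"
  [ "$status" = ACTIVE ] && [ "$filter_dest" = "$stream_arn" ]
}

deploy_stack() {
  local log_group="$1" license_key="$2" stack
  valid_license_key "$license_key" || { echo "license key must be 39 hex characters" >&2; return 1; }
  stack="$(stack_name_for "$log_group")"
  # CAPABILITY_NAMED_IAM is required because the template sets RoleName on its IAM roles.
  aws cloudformation deploy --template-file "$TEMPLATE" --stack-name "$stack" \
    --capabilities CAPABILITY_NAMED_IAM \
    --parameter-overrides "CloudWatchLogGroupName=$log_group" "AppSignalLicenseKey=$license_key"
  verify_stack "$stack" "$log_group"
}

# Usage: deploy.sh <log-group-name> <appsignal-license-key>
if [ "$#" -eq 2 ]; then deploy_stack "$1" "$2"; fi
```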