feat: Add support for automatic log shipping

(Applies to the Ec2App patterns.) A LogKinesisStreamName tag is added to the ASG and nested resources (including instances). These are read to enable automatic log shipping, initially of Cloud Init Logs. For more info see: * https://github.com/guardian/amigo/blob/46725214bac8d4ced5f3b2df27bc49ec6c37bd20/roles/cdk-base/README.md * guardian/amigo#706
guardian · Apr 13, 2022 · 366f3c7 · 366f3c7
1 parent 653ef05
commit 366f3c7
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 1 deletion.
diff --git a/src/constants/tag-keys.ts b/src/constants/tag-keys.ts
@@ -2,4 +2,5 @@ export const TagKeys = {
   TRACKING_TAG: "gu:cdk:version",
   REPOSITORY_NAME: "gu:repo",
   PATTERN_NAME: "gu:cdk:pattern-name",
+  LOG_KINESIS_STREAM_NAME: "LogKinesisStreamName",
 };
diff --git a/src/constructs/iam/roles/instance-role.ts b/src/constructs/iam/roles/instance-role.ts
@@ -12,7 +12,14 @@ import type { GuPolicy } from "../policies";
 import { GuRole } from "./roles";
 
 export interface GuInstanceRoleProps {
+  /**
+   * By default, instances are given permissions to write to Kinesis. Set to
+   * 'true' to prevent this. Note, disabling will prevent not just application
+   * logs being shipped but also anything else - for example, automatic log
+   * shipping of Cloud Init and other logs by the cdk-base role in your AMI.
+   */
   withoutLogShipping?: boolean;
+
   additionalPolicies?: GuPolicy[];
 }
 

diff --git a/src/patterns/ec2-app/base.ts b/src/patterns/ec2-app/base.ts
@@ -12,7 +12,7 @@ import { GuAutoScalingGroup, GuUserData } from "../../constructs/autoscaling";
 import type { Http5xxAlarmProps, NoMonitoring } from "../../constructs/cloudwatch";
 import { Gu5xxPercentageAlarm, GuUnhealthyInstancesAlarm } from "../../constructs/cloudwatch";
 import type { GuStack } from "../../constructs/core";
-import { AppIdentity, GuStringParameter } from "../../constructs/core";
+import { AppIdentity, GuLoggingStreamNameParameter, GuStringParameter } from "../../constructs/core";
 import { GuSecurityGroup, GuVpc, SubnetType } from "../../constructs/ec2";
 import type { GuInstanceRoleProps } from "../../constructs/iam";
 import { GuGetPrivateConfigPolicy, GuInstanceRole } from "../../constructs/iam";
@@ -348,6 +348,13 @@ export class GuEc2App {
     // TODO: Do we need to tag all resources with this value? What would the use-cases be?
     Tags.of(autoScalingGroup).add(TagKeys.PATTERN_NAME, this.constructor.name, { applyToLaunchedInstances: true });
 
+    // This allows automatic shipping of instance Cloud Init logs when using the
+    // `cdk-base` Amigo role on your AMI.
+    Tags.of(autoScalingGroup).add(
+      TagKeys.LOG_KINESIS_STREAM_NAME,
+      GuLoggingStreamNameParameter.getInstance(scope).valueAsString
+    );
+
     const loadBalancer = new GuApplicationLoadBalancer(scope, "LoadBalancer", {
       app,
       vpc,