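# CloudFormation template for lambda-promtail: a container-image Lambda function that is
# subscribed to a CloudWatch Log Group and forwards the events to a Loki push endpoint.
# The folded-scalar body below must be indented under `Description:` for the file to parse.
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  lambda-promtail:
  propagate Cloudwatch Logs to Loki/Promtail via Loki Write API.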
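# Stack inputs. Every value except the numeric ones is passed to the function as an
# environment variable (see Resources.LambdaPromtailFunction.Properties.Environment).
Parameters:
  # Loki push endpoint. The default is plain http://; when Username/Password or BearerToken
  # are set, use an https:// address so credentials and log content are not sent in clear text.
  WriteAddress:
    Description: 'Address to write to in the form of: http<s>://<location><:port>/loki/api/v1/push'
    Type: String
    Default: 'http://localhost:8080/loki/api/v1/push'
  ReservedConcurrency:
    Description: The maximum of concurrent executions you want to reserve for the function.
    Type: Number
    Default: 2
  MaximumEventAgeInSeconds:
    Description: The maximum age of a request that Lambda sends to a function for processing.
    Type: Number
    Default: 21600
  Username:
    Description: The basic auth username, necessary if writing directly to Grafana Cloud Loki.
    Type: String
    Default: ""
  # NoEcho masks the value in CloudFormation console/API output only. The value is still
  # copied into the function's PASSWORD environment variable, where any principal allowed
  # to read the function configuration (e.g. lambda:GetFunctionConfiguration) can see it.
  # NOTE(review): consider keeping the secret in Secrets Manager / SSM Parameter Store and
  # restricting who may read this function's configuration.
  Password:
    Description: The basic auth password, necessary if writing directly to Grafana Cloud Loki.
    Type: String
    Default: ""
    NoEcho: true
  # Same caveat as Password: masked in CloudFormation, stored in the BEARER_TOKEN env var.
  BearerToken:
    Description: The bearer token, necessary if target endpoint requires it.
    Type: String
    Default: ""
    NoEcho: true
  # The default is empty, so a URI must be supplied at deploy time.
  # NOTE(review): referencing the image by digest (repo@sha256:<digest>) rather than by a
  # mutable tag pins exactly which code runs with this role.
  LambdaPromtailImage:
    Description: The ECR image URI to pull and use for lambda-promtail.
    Type: String
    Default: ""
  KeepStream:
    Description: Determines whether to keep the CloudWatch Log Stream value as a Loki label when writing logs from lambda-promtail.
    Type: String
    Default: "false"
  ExtraLabels:
    Description: Comma separated list of extra labels, in the format 'name1,value1,name2,value2,...,nameN,valueN' to add to entries forwarded by lambda-promtail.
    Type: String
    Default: ""
  OmitExtraLabelsPrefix:
    Description: Whether or not to omit the prefix `__extra_` from extra labels defined in `ExtraLabels`.
    Type: String
    Default: "false"
  TenantID:
    Description: Tenant ID to be added when writing logs from lambda-promtail.
    Type: String
    Default: ""
  # NOTE(review): the parameter name and the SKIP_TLS_VERIFY variable suggest that "true"
  # DISABLES certificate verification, which the Description does not make explicit —
  # confirm against the function code. Keep "false" for any endpoint that receives
  # credentials or production logs.
  SkipTlsVerify:
    Description: Determines whether to verify the TLS certificate
    Type: String
    Default: "false"
  # Placeholder default; set this to the log group that should be forwarded.
  LogGroupName:
    Description: Name of the CloudWatch Log Group to subscribe from.
    Type: String
    Default: "/aws/lambda/some-lamda-log-group"
  IAMRoleName:
    Description: Name of the LambdaPromtailRole IAM Role.
    Type: String
    Default: "iam_for_lambda"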
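Resources:
  # Execution role assumed by the Lambda service for LambdaPromtailFunction.
  LambdaPromtailRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Description: "Lambda Promtail Role"
      Policies:
        - PolicyName: logs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): this statement applies to every log group in every region and
              # account (arn:aws:logs:*:*:*) and includes logs:PutSubscriptionFilter.
              # In this template the subscription filter is created by CloudFormation, not
              # by the function, so that action and the wildcard resource look broader than
              # the function needs — confirm against the function code before narrowing.
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - logs:PutSubscriptionFilter
                Resource: arn:aws:logs:*:*:*
      RoleName: !Ref IAMRoleName
  # The forwarder itself, deployed from a container image.
  LambdaPromtailFunction:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        ImageUri: !Ref LambdaPromtailImage
      MemorySize: 128
      PackageType: Image
      Timeout: 60
      Role: !GetAtt LambdaPromtailRole.Arn
      ReservedConcurrentExecutions: !Ref ReservedConcurrency
      # # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-vpcconfig.html
      # VpcConfig:
      Environment: # More info about Env Vars: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#environment-object
        Variables:
          WRITE_ADDRESS: !Ref WriteAddress
          USERNAME: !Ref Username
          # PASSWORD and BEARER_TOKEN are stored as function environment variables; the
          # NoEcho flag on the parameters does not hide them from readers of the function
          # configuration.
          PASSWORD: !Ref Password
          BEARER_TOKEN: !Ref BearerToken
          KEEP_STREAM: !Ref KeepStream
          EXTRA_LABELS: !Ref ExtraLabels
          OMIT_EXTRA_LABELS_PREFIX: !Ref OmitExtraLabelsPrefix
          TENANT_ID: !Ref TenantID
          SKIP_TLS_VERIFY: !Ref SkipTlsVerify
  LambdaPromtailVersion:
    Type: AWS::Lambda::Version
    Properties:
      FunctionName: !Ref LambdaPromtailFunction
  # Resource-based policy letting CloudWatch Logs in this region invoke the function.
  LambdaPromtailPermissions:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt LambdaPromtailFunction.Arn
      Principal: !Sub 'logs.${AWS::Region}.amazonaws.com'
      # Limit the service principal to acting on behalf of this account. Without a
      # SourceAccount/SourceArn condition the grant is to the CloudWatch Logs service as a
      # whole. Add SourceArn as well to pin the grant to specific log groups.
      SourceAccount: !Ref "AWS::AccountId"
  LambdaPromtailEventInvokeConfig:
    Type: AWS::Lambda::EventInvokeConfig
    Properties:
      FunctionName: !Ref LambdaPromtailFunction
      MaximumRetryAttempts: 2
      MaximumEventAgeInSeconds: !Ref MaximumEventAgeInSeconds
      Qualifier: !GetAtt LambdaPromtailVersion.Version
  # Copy this block and modify as required to create Subscription Filters for
  # additional CloudWatch Log Groups.
  # The empty FilterPattern matches every event, so the full content of the log group is
  # sent to WriteAddress.
  MainLambdaPromtailSubscriptionFilter:
    Type: AWS::Logs::SubscriptionFilter
    DependsOn: LambdaPromtailPermissions
    Properties:
      DestinationArn: !GetAtt LambdaPromtailFunction.Arn
      FilterPattern: ""
      LogGroupName: !Ref LogGroupName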
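# Stack outputs. Only the function ARN is exported; no parameter values (including the
# NoEcho ones) are echoed here.
Outputs:
  LambdaPromtailFunction:
    Description: "Lambda Promtail Function ARN"
    Value: !GetAtt LambdaPromtailFunction.Arn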