
ALIYUN::ACTIONTRAIL::Trail


The ALIYUN::ACTIONTRAIL::Trail type creates a trail that delivers ActionTrail events to Log Service (SLS) or to Object Storage Service (OSS).

Syntax

{
  "Type": "ALIYUN::ACTIONTRAIL::Trail",
  "Properties": {
    "Name": String,
    "OssBucketName": String,
    "RoleName": String,
    "OssKeyPrefix": String,
    "EventRW": String,
    "SlsProjectArn": String,
    "SlsWriteRoleArn": String
  }
}

Properties

Name
  Type: String
  Description: Name of the trail.
  Constraint: 6 to 36 characters. Must start with a letter and may contain letters, digits, hyphens (-), and underscores (_).
  Note: Trail names must be unique within one Alibaba Cloud account.

OssBucketName
  Type: String
  Description: Name of the OSS bucket to which the trail delivers events.
  Constraint: 3 to 63 characters. Must start with a lowercase letter or a digit and may contain lowercase letters, digits, and hyphens (-).
  Note:
    • Make sure that the OSS bucket already exists. For more information, see Create buckets.
    • At least one of OssBucketName and SlsProjectArn must be specified.

RoleName
  Type: String
  Description: Name of the service-linked role of ActionTrail.
  Constraint: Default value: AliyunServiceRoleForActionTrail.

OssKeyPrefix
  Type: String
  Description: Prefix of the object names under which the trail stores delivered events in the OSS bucket.
  Constraint: 6 to 32 characters. Must start with a letter and may contain letters, digits, hyphens (-), forward slashes (/), and underscores (_).

EventRW
  Type: String
  Description: Read/write type of the events that the trail delivers.
  Constraint: Valid values:
    • Read: read events.
    • Write (default): write events.
    • All: both read and write events.

SlsProjectArn
  Type: String
  Description: ARN of the Log Service project to which the trail delivers events.
  Constraint: Make sure that the SLS project and Logstore already exist. The Logstore must be named actiontrail_<trail name>. For more information, see Create a project and Create a Logstore.
  Note: At least one of OssBucketName and SlsProjectArn must be specified.

SlsWriteRoleArn
  Type: String
  Description: ARN of the role that ActionTrail assumes when it delivers events to the Log Service project.
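As an added example (not part of the original page and not Alibaba Cloud's own tooling), the following Python validator checks the Properties of every ALIYUN::ACTIONTRAIL::Trail resource in a parsed ROS template against the constraints stated above: the length and character rules for Name, OssBucketName and OssKeyPrefix, the rule that at least one of OssBucketName and SlsProjectArn is set, the valid EventRW values, and the actiontrail_<trail name> Logstore naming rule. It also reports the default EventRW of Write as a warning, because a trail left at the default records no read events. The SLS project ARN pattern is an assumption inferred from the page's example (acs:log:<region>::project/<name>), and the sample template at the bottom is constructed for this demonstration; property values produced by Fn::Sub, Fn::GetAtt or Ref are skipped because they cannot be resolved before deployment.

```python
import re

# Constraints are the ones stated in the property table on this page.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{5,35}$")      # 6-36 chars, letter first
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9-]{2,62}$")         # 3-63 chars, lowercase letter or digit first
PREFIX_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_/-]{5,31}$")    # 6-32 chars, letter first
EVENT_RW_VALUES = {"Read", "Write", "All"}
# Assumption: ARN shape inferred from the page's example, acs:log:<region>::project/<name>.
SLS_ARN_RE = re.compile(r"^acs:log:[^:]*:[^:]*:project/[^/]+$")

TRAIL_TYPE = "ALIYUN::ACTIONTRAIL::Trail"
LOGSTORE_TYPE = "ALIYUN::SLS::Logstore"


def _literal(value):
    """Return the value if it is a plain string. Intrinsic functions (Fn::Sub,
    Fn::GetAtt, Ref) arrive as dicts and cannot be checked statically, so they
    yield None and the corresponding check is skipped."""
    return value if isinstance(value, str) else None


def validate_trail(props, logstore_names=()):
    """Check one Trail's Properties dict against the constraints on this page.

    Returns a list of (severity, message) tuples: "error" for a constraint
    violation, "warning" for a setting that is valid but weakens audit coverage.
    logstore_names holds the LogstoreName values declared in the same template.
    """
    findings = []

    name = _literal(props.get("Name"))
    if name is not None and not NAME_RE.match(name):
        findings.append(("error", f"Name {name!r}: must be 6-36 chars, start with a letter, use [A-Za-z0-9_-]"))

    bucket = props.get("OssBucketName")
    arn = props.get("SlsProjectArn")
    if not bucket and not arn:
        findings.append(("error", "at least one of OssBucketName and SlsProjectArn must be specified"))

    bucket_lit = _literal(bucket)
    if bucket_lit is not None and not BUCKET_RE.match(bucket_lit):
        findings.append(("error", f"OssBucketName {bucket_lit!r}: must be 3-63 chars, lowercase, start with [a-z0-9]"))

    prefix = _literal(props.get("OssKeyPrefix"))
    if prefix is not None and not PREFIX_RE.match(prefix):
        findings.append(("error", f"OssKeyPrefix {prefix!r}: must be 6-32 chars, start with a letter, use [A-Za-z0-9_/-]"))

    arn_lit = _literal(arn)
    if arn_lit is not None and not SLS_ARN_RE.match(arn_lit):
        findings.append(("error", f"SlsProjectArn {arn_lit!r} does not match acs:log:<region>::project/<name>"))
    # The page requires a Logstore named actiontrail_<trail name> for SLS delivery.
    if arn and name is not None and logstore_names and f"actiontrail_{name}" not in logstore_names:
        findings.append(("warning", f"no Logstore named 'actiontrail_{name}' is declared in this template"))

    rw = props.get("EventRW", "Write")  # Write is the default stated on the page
    if rw not in EVENT_RW_VALUES:
        findings.append(("error", f"EventRW {rw!r}: must be Read, Write, or All"))
    elif rw != "All":
        findings.append(("warning", f"EventRW={rw}: only {rw.lower()} events are delivered; use All for full coverage"))

    return findings


def validate_template(template):
    """Validate every Trail resource in a parsed ROS template; returns {logical id: findings}."""
    resources = template.get("Resources", {})
    logstores = tuple(
        n for n in (_literal(r.get("Properties", {}).get("LogstoreName"))
                    for r in resources.values() if r.get("Type") == LOGSTORE_TYPE) if n
    )
    return {
        logical_id: validate_trail(res.get("Properties", {}), logstores)
        for logical_id, res in resources.items() if res.get("Type") == TRAIL_TYPE
    }


# Constructed sample template (not from the page): one compliant trail delivering
# to both OSS and SLS with a matching Logstore, and one that breaks several rules.
SAMPLE_TEMPLATE = {
    "Resources": {
        "AuditLogstore": {"Type": LOGSTORE_TYPE, "Properties": {"LogstoreName": "actiontrail_GoodTrail"}},
        "GoodTrail": {"Type": TRAIL_TYPE, "Properties": {
            "Name": "GoodTrail", "OssBucketName": "audit-bucket-01", "OssKeyPrefix": "trail/logs",
            "EventRW": "All", "SlsProjectArn": "acs:log:cn-hangzhou::project/audit"}},
        "BadTrail": {"Type": TRAIL_TYPE, "Properties": {
            "Name": "1bad", "OssBucketName": "MyTestBucket", "EventRW": "Write"}},
    }
}

if __name__ == "__main__":
    for trail_id, findings in validate_template(SAMPLE_TEMPLATE).items():
        print(trail_id, findings or "OK")
```

Run it over a template loaded with yaml.safe_load or json.load before deployment; an empty list for a trail means every literal property satisfied the constraints above, while intrinsic-function values still need to be checked after the stack resolves them.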

Return values

Fn::GetAtt

Name: name of the trail.

Examples

  • YAML format

    ROSTemplateFormatVersion: '2015-09-01'
    Parameters:
      Enable:
        Type: Boolean
        Default: true
        Description: Whether to enable logging for the trail (referenced by TrailLogging).
    Resources:
      Role:
        Type: ALIYUN::RAM::Role
        Properties:
          RoleName: TestRole
          Policies:
            - PolicyName:
                Fn::Sub: ActionTrailPolicy-${ALIYUN::StackId}
              PolicyDocument:
                Version: '1'
                Statement:
                  - Action:
                      - oss:GetBucketLocation
                      - oss:ListObjects
                      - oss:PutObject
                    Resource:
                      - '*'
                    Effect: Allow
                  - Action:
                      - log:PostLogStoreLogs
                      - log:CreateLogstore
                      - log:GetLogstore
                    Resource:
                      - '*'
                    Effect: Allow
                  - Action:
                      - mns:PublishMessage
                    Resource:
                      - '*'
                    Effect: Allow
          AssumeRolePolicyDocument:
            Version: '1'
            Statement:
              - Action: sts:AssumeRole
                Effect: Allow
                Principal:
                  Service:
                    - actiontrail.aliyuncs.com
      Bucket:
        Type: ALIYUN::OSS::Bucket
        Properties:
          AccessControl: private
          # OSS bucket names must be lowercase (see the OssBucketName constraint above)
          BucketName: mytestbucket
          DeletionForce: true
      SlsProject:
        Type: ALIYUN::SLS::Project
        Properties:
          Name: DemoSls
      SlsLogStore:
        Type: ALIYUN::SLS::Logstore
        DependsOn: SlsProject
        Properties:
          LogstoreName: ActiontrailTestTrail
          PreserveStorage: true
          ProjectName:
            Fn::GetAtt:
              - SlsProject
              - Name
          AppendMeta: true
          MaxSplitShard: 64
          AutoSplit: true
          EnableTracking: false
          ShardCount: 2
      Trail:
        DependsOn:
          - Role
          - Bucket
          - SlsLogStore
        Type: ALIYUN::ACTIONTRAIL::Trail
        Properties:
          SlsProjectArn:
            Fn::Sub: acs:log:${ALIYUN::Region}::project/DemoSls
          RoleName:
            Fn::GetAtt:
              - Role
              - RoleName
          EventRW: All
          OssKeyPrefix: TestFile
          OssBucketName:
            Fn::GetAtt:
              - Bucket
              - Name
          SlsWriteRoleArn:
            Fn::Sub: acs:ram::${ALIYUN::TenantId}:role/${Role.RoleName}
          Name: TestTrail
      TrailLogging:
        Type: ALIYUN::ACTIONTRAIL::TrailLogging
        Properties:
          Name:
            Fn::GetAtt:
              - Trail
              - Name
          Enable:
            Ref: Enable
    Outputs:
      Name:
        Value:
          Fn::GetAtt:
            - Trail
            - Name
  • JSON format

    {
      "ROSTemplateFormatVersion": "2015-09-01",
      "Parameters": {
        "Enable": {
          "Type": "Boolean",
          "Default": true,
          "Description": "Whether to enable logging for the trail (referenced by TrailLogging)."
        }
      },
      "Resources": {
        "Role": {
          "Type": "ALIYUN::RAM::Role",
          "Properties": {
            "RoleName": "TestRole",
            "Policies": [
              {
                "PolicyName": {
                  "Fn::Sub": "ActionTrailPolicy-${ALIYUN::StackId}"
                },
                "PolicyDocument": {
                  "Version": "1",
                  "Statement": [
                    {
                      "Action": [
                        "oss:GetBucketLocation",
                        "oss:ListObjects",
                        "oss:PutObject"
                      ],
                      "Resource": [
                        "*"
                      ],
                      "Effect": "Allow"
                    },
                    {
                      "Action": [
                        "log:PostLogStoreLogs",
                        "log:CreateLogstore",
                        "log:GetLogstore"
                      ],
                      "Resource": [
                        "*"
                      ],
                      "Effect": "Allow"
                    },
                    {
                      "Action": [
                        "mns:PublishMessage"
                      ],
                      "Resource": [
                        "*"
                      ],
                      "Effect": "Allow"
                    }
                  ]
                }
              }
            ],
            "AssumeRolePolicyDocument": {
              "Version": "1",
              "Statement": [
                {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                    "Service": [
                      "actiontrail.aliyuncs.com"
                    ]
                  }
                }
              ]
            }
          }
        },
        "Bucket": {
          "Type": "ALIYUN::OSS::Bucket",
          "Properties": {
            "AccessControl": "private",
            "BucketName": "mytestbucket",
            "DeletionForce": true
          }
        },
        "SlsProject": {
          "Type": "ALIYUN::SLS::Project",
          "Properties": {
            "Name": "DemoSls"
          }
        },
        "SlsLogStore": {
          "Type": "ALIYUN::SLS::Logstore",
          "DependsOn": "SlsProject",
          "Properties": {
            "LogstoreName": "ActiontrailTestTrail",
            "PreserveStorage": true,
            "ProjectName": {
              "Fn::GetAtt": [
                "SlsProject",
                "Name"
              ]
            },
            "AppendMeta": true,
            "MaxSplitShard": 64,
            "AutoSplit": true,
            "EnableTracking": false,
            "ShardCount": 2
          }
        },
        "Trail": {
          "DependsOn": [
            "Role",
            "Bucket",
            "SlsLogStore"
          ],
          "Type": "ALIYUN::ACTIONTRAIL::Trail",
          "Properties": {
            "SlsProjectArn": {
              "Fn::Sub": "acs:log:${ALIYUN::Region}::project/DemoSls"
            },
            "RoleName": {
              "Fn::GetAtt": [
                "Role",
                "RoleName"
              ]
            },
            "EventRW": "All",
            "OssKeyPrefix": "TestFile",
            "OssBucketName": {
              "Fn::GetAtt": [
                "Bucket",
                "Name"
              ]
            },
            "SlsWriteRoleArn": {
              "Fn::Sub": "acs:ram::${ALIYUN::TenantId}:role/${Role.RoleName}"
            },
            "Name": "TestTrail"
          }
        },
        "TrailLogging": {
          "Type": "ALIYUN::ACTIONTRAIL::TrailLogging",
          "Properties": {
            "Name": {
              "Fn::GetAtt": [
                "Trail",
                "Name"
              ]
            },
            "Enable": {
              "Ref": "Enable"
            }
          }
        }
      },
      "Outputs": {
        "Name": {
          "Value": {
            "Fn::GetAtt": [
              "Trail",
              "Name"
            ]
          }
        }
      }
    }

For more examples, see the combined example that creates a trail and enables or disables logging for it: JSON example, YAML example.
