ALIYUN::ACTIONTRAIL::Trail

ALIYUN::ACTIONTRAIL::Trail类型用于创建跟踪,将事件投递到日志服务SLS或对象存储OSS。

语法

{
  "Type": "ALIYUN::ACTIONTRAIL::Trail",
  "Properties": {
    "Name": String,
    "OssBucketName": String,
    "RoleName": String,
    "OssKeyPrefix": String,
    "EventRW": String,
    "SlsProjectArn": String,
    "SlsWriteRoleArn": String
  }
}            

属性

属性名称

类型

必须

允许更新

描述

约束

Name

String

跟踪名称。

长度为6~36个字符,必须以英文字母开头,可包含英文字母、数字、短划线(-)和下划线(_)。

说明

同一个阿里云账号内跟踪名称不可重复。

EventRW

String

投递事件的读写类型。

取值:

  • Read:读类型。

  • Write(默认值):写类型。

  • All:读类型和写类型。

OssBucketName

String

跟踪投递的OSS存储空间名称。

长度为3~63个字符,必须以小写英文字母或者数字开头,可包含小写英文字母、数字和短划线(-)。

说明
  • 请确保您已经创建对象存储OSS的存储空间。具体操作,请参见创建存储空间

  • OssBucketName和SlsProjectArn需至少指定其中一个参数。

OssKeyPrefix

String

跟踪投递的OSS存储空间文件名的前缀。

长度为6~32个字符,必须以英文字母开头,可包含英文字母、数字、短划线(-)、正斜线(/)和下划线(_)。

RoleName

String

操作审计服务关联角色名称。

默认值:AliyunServiceRoleForActionTrail。

SlsProjectArn

String

跟踪投递的日志服务项目的ARN。

请确保您已经创建SLS的Project和LogStore。其中LogStore需要以actiontrail_<跟踪名称>命名。

具体操作,请参见创建Project创建Logstore

说明

OssBucketName和SlsProjectArn需至少指定其中一个参数。

SlsWriteRoleArn

String

操作审计向日志服务项目投递操作事件时,扮演的角色ARN。

返回值

Fn::GetAtt

Name:跟踪名称。

示例

YAML格式

ROSTemplateFormatVersion: '2015-09-01'
Parameters: {}
Resources:
  Role:
    Type: ALIYUN::RAM::Role
    Properties:
      RoleName: TestRole
      Policies:
        - PolicyName:
            Fn::Sub: ActionTrailPolicy-${ALIYUN::StackId}
          PolicyDocument:
            Version: '1'
            Statement:
              - Action:
                  - oss:GetBucketLocation
                  - oss:ListObjects
                  - oss:PutObject
                Resource:
                  - '*'
                Effect: Allow
              - Action:
                  - log:PostLogStoreLogs
                  - log:CreateLogstore
                  - Log:GetLogstore
                Resource:
                  - '*'
                Effect: Allow
              - Action:
                  - mns:PublishMessage
                Resource:
                  - '*'
                Effect: Allow
      AssumeRolePolicyDocument:
        Version: '1'
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - actiontrail.aliyuncs.com
  Bucket:
    Type: ALIYUN::OSS::Bucket
    Properties:
      AccessControl: private
      BucketName: MyTestBucket
      DeletionForce: true
  SlsProject:
    Type: ALIYUN::SLS::Project
    Properties:
      Name: DemoSls
  SlsLogStore:
    Type: ALIYUN::SLS::Logstore
    DependsOn: SlsProject
    Properties:
      LogstoreName: ActiontrailTestTrail
      PreserveStorage: true
      ProjectName:
        Fn::GetAtt:
          - SlsProject
          - Name
      AppendMeta: true
      MaxSplitShard: 64
      AutoSplit: true
      EnableTracking: false
      ShardCount: 2
  Trail:
    DependsOn:
      - Role
      - Bucket
      - SlsLogStore
    Type: ALIYUN::ACTIONTRAIL::Trail
    Properties:
      SlsProjectArn:
        Fn::Sub: acs:log:${ALIYUN::Region}::project/DemoSls
      RoleName:
        Fn::GetAtt:
          - Role
          - RoleName
      EventRW: All
      OssKeyPrefix: TestFile
      OssBucketName:
        Fn::GetAtt:
          - Bucket
          - Name
      SlsWriteRoleArn:
        Fn::Sub: acs:ram::${ALIYUN::TenantId}:role/${Role.RoleName}
      Name: TestTrail
  TrailLogging:
    Type: ALIYUN::ACTIONTRAIL::TrailLogging
    Properties:
      Name:
        Fn::GetAtt:
          - Trail
          - Name
      Enable: true
Outputs:
  Name:
    Value:
      Fn::GetAtt:
        - Trail
        - Name

JSON格式

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {},
  "Resources": {
    "Role": {
      "Type": "ALIYUN::RAM::Role",
      "Properties": {
        "RoleName": "TestRole",
        "Policies": [
          {
            "PolicyName": {
              "Fn::Sub": "ActionTrailPolicy-${ALIYUN::StackId}"
            },
            "PolicyDocument": {
              "Version": "1",
              "Statement": [
                {
                  "Action": [
                    "oss:GetBucketLocation",
                    "oss:ListObjects",
                    "oss:PutObject"
                  ],
                  "Resource": [
                    "*"
                  ],
                  "Effect": "Allow"
                },
                {
                  "Action": [
                    "log:PostLogStoreLogs",
                    "log:CreateLogstore",
                    "Log:GetLogstore"
                  ],
                  "Resource": [
                    "*"
                  ],
                  "Effect": "Allow"
                },
                {
                  "Action": [
                    "mns:PublishMessage"
                  ],
                  "Resource": [
                    "*"
                  ],
                  "Effect": "Allow"
                }
              ]
            }
          }
        ],
        "AssumeRolePolicyDocument": {
          "Version": "1",
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "actiontrail.aliyuncs.com"
                ]
              }
            }
          ]
        }
      }
    },
    "Bucket": {
      "Type": "ALIYUN::OSS::Bucket",
      "Properties": {
        "AccessControl": "private",
        "BucketName": "MyTestBucket",
        "DeletionForce": true
      }
    },
    "SlsProject": {
      "Type": "ALIYUN::SLS::Project",
      "Properties": {
        "Name": "DemoSls"
      }
    },
    "SlsLogStore": {
      "Type": "ALIYUN::SLS::Logstore",
      "DependsOn": "SlsProject",
      "Properties": {
        "LogstoreName": "ActiontrailTestTrail",
        "PreserveStorage": true,
        "ProjectName": {
          "Fn::GetAtt": [
            "SlsProject",
            "Name"
          ]
        },
        "AppendMeta": true,
        "MaxSplitShard": 64,
        "AutoSplit": true,
        "EnableTracking": false,
        "ShardCount": 2
      }
    },
    "Trail": {
      "DependsOn": [
        "Role",
        "Bucket",
        "SlsLogStore"
      ],
      "Type": "ALIYUN::ACTIONTRAIL::Trail",
      "Properties": {
        "SlsProjectArn": {
          "Fn::Sub": "acs:log:${ALIYUN::Region}::project/DemoSls"
        },
        "RoleName": {
          "Fn::GetAtt": [
            "Role",
            "RoleName"
          ]
        },
        "EventRW": "All",
        "OssKeyPrefix": "TestFile",
        "OssBucketName": {
          "Fn::GetAtt": [
            "Bucket",
            "Name"
          ]
        },
        "SlsWriteRoleArn": {
          "Fn::Sub": "acs:ram::${ALIYUN::TenantId}:role/${Role.RoleName}"
        },
        "Name": "TestTrail"
      }
    },
    "TrailLogging": {
      "Type": "ALIYUN::ACTIONTRAIL::TrailLogging",
      "Properties": {
        "Name": {
          "Fn::GetAtt": [
            "Trail",
            "Name"
          ]
        },
        "Enable": true
      }
    }
  },
  "Outputs": {
    "Name": {
      "Value": {
        "Fn::GetAtt": [
          "Trail",
          "Name"
        ]
      }
    }
  }
}