Fixes ECS Agent stats for Empire

conf/empire/empire.yaml

@@ -39,15 +39,15 @@ mappings:
     us-east-1:
       NAT: ami-c02b04a8
       ubuntu1404: ami-c135f3aa
-      empire: ami-1963c872
+      empire: ami-8fbaf1ea # https://circleci.com/gh/remind101/empire_ami/43
     us-west-1:
       NAT: ami-67a54423
       ubuntu1404: ami-bf3dccfb
-      empire: ami-25d02e61
+      empire: ami-6b57962f # https://circleci.com/gh/remind101/empire_ami/43
     us-west-2:
       NAT: ami-2dae821d
       ubuntu1404: ami-f15b5dc1
-      empire: ami-85ede7b5
+      empire: ami-4628ce75 # https://circleci.com/gh/remind101/empire_ami/43
 
 # Many stacks need these settings, or a subset of them, from the VPC -
 # this makes it easy to pass them around. Stacker will drop unused Parameters
@@ -134,6 +134,7 @@ stacks:
       MaxSize: ${empire_minion_max_instance_count}
       SshKeyName: ${ssh_key_name}
       ImageName: empire
+      DisableStreamingLogs: ${empire_disable_streaming_logs}
   - name: empireController
     class_path: stacker.blueprints.empire.empire_controller.EmpireController
     parameters:
@@ -160,3 +161,4 @@ stacks:
       EmpireGithubClientSecret: ${empire_controller_github_client_secret}
       EmpireGithubOrganization: ${empire_controller_github_organization}
       EmpireTokenSecret: ${empire_controller_token_secret}
+      DisableStreamingLogs: ${empire_disable_streaming_logs}

conf/empire/example.env

@@ -40,6 +40,9 @@ empiredb_instance_type: db.m3.large
 empiredb_user:
 empiredb_password:
 
+# Change to anything non-blank to disable streaming logs (enabled by default)
+empire_disable_streaming_logs: "''"
+
 empire_minion_min_instance_count: 3
 empire_minion_max_instance_count: 10
 empire_minion_instance_type: c4.xlarge

stacker/blueprints/empire/empire_controller.py

@@ -127,6 +127,12 @@ class EmpireController(EmpireBase):
         "DockerRegistryEmail": {
             "type": "String",
             "description": "Email for authentication with docker registry."},
+        "DisableStreamingLogs": {
+            "type": "String",
+            "description": "Disables streaming logging if set to anything."
+                           "Note: Without this Empire creates a kinesis "
+                           "stream per app that you deploy in Empire.",
+            "default": ""},
     }
 
     def create_conditions(self):
@@ -136,6 +142,9 @@ def create_conditions(self):
         self.template.add_condition(
             "UseDNS",
             Not(Equals(Ref("ExternalDomain"), "")))
+        self.template.add_condition(
+            "EnableStreamingLogs",
+            Equals(Ref("DisableStreamingLogs"), ""))
 
     def create_security_groups(self):
         t = self.template
@@ -286,6 +295,8 @@ def generate_seed_contents(self):
             "DOCKER_USER=", Ref("DockerRegistryUser"), "\n",
             "DOCKER_PASS=", Ref("DockerRegistryPassword"), "\n",
             "DOCKER_EMAIL=", Ref("DockerRegistryEmail"), "\n",
+            "ENABLE_STREAMING_LOGS=", If("EnableStreamingLogs",
+                                         "true", "false"), "\n"
             ]
         return seed
 

stacker/blueprints/empire/empire_minion.py

@@ -1,8 +1,9 @@
 import logging
+import copy
 
 logger = logging.getLogger(__name__)
 
-from troposphere import Ref, Output, GetAtt, Tags, FindInMap
+from troposphere import Ref, Output, GetAtt, Tags, FindInMap, If, Equals
 from troposphere import ec2, autoscaling, ecs
 from troposphere.autoscaling import Tag as ASTag
 from troposphere.iam import Role, InstanceProfile, Policy
@@ -11,7 +12,7 @@
 
 from .empire_base import EmpireBase
 
-from .policies import ecs_agent_policy
+from .policies import ecs_agent_policy, logstream_policy
 
 CLUSTER_SG_NAME = "EmpireMinionSecurityGroup"
 
@@ -74,8 +75,21 @@ class EmpireMinion(EmpireBase):
         "DockerRegistryEmail": {
             "type": "String",
             "description": "Email for authentication with docker registry."},
+        "DisableStreamingLogs": {
+            "type": "String",
+            "description": "Disables streaming logging if set to anything."
+                           "Note: Without this Empire creates a kinesis "
+                           "stream per app that you deploy in Empire.",
+            "default": "",
+        },
     }
 
+    def create_conditions(self):
+        t = self.template
+        t.add_condition(
+            "EnableStreamingLogs",
+            Equals(Ref("DisableStreamingLogs"), ""))
+
     def create_security_groups(self):
         t = self.template
         t.add_resource(
@@ -144,22 +158,32 @@ def build_block_device(self):
 
         return [docker_volume, swap_volume]
 
+    def generate_iam_policies(self):
+        ns = self.context.namespace
+        base_policies = [
+            Policy(
+                PolicyName="%s-ecs-agent" % ns,
+                PolicyDocument=ecs_agent_policy()),
+        ]
+        with_logging = copy.deepcopy(base_policies)
+        with_logging.append(
+            Policy(
+                PolicyName="%s-kinesis-logging" % ns,
+                PolicyDocument=logstream_policy()
+            )
+        )
+        policies = If("EnableStreamingLogs", with_logging, base_policies)
+        return policies
+
     def create_iam_profile(self):
         t = self.template
-        ns = self.context.namespace
-        # Create the EmpireMinionRole - this has all the permissions
-        # that the ECS Agent needs.
         ec2_role_policy = get_default_assumerole_policy()
         t.add_resource(
             Role(
                 "EmpireMinionRole",
                 AssumeRolePolicyDocument=ec2_role_policy,
                 Path="/",
-                Policies=[
-                    Policy(
-                        PolicyName="%s-ecs-agent" % ns,
-                        PolicyDocument=ecs_agent_policy()),
-                ]))
+                Policies=self.generate_iam_policies()))
         t.add_resource(
             InstanceProfile(
                 "EmpireMinionProfile",
@@ -180,6 +204,8 @@ def generate_seed_contents(self):
             "DOCKER_USER=", Ref("DockerRegistryUser"), "\n",
             "DOCKER_PASS=", Ref("DockerRegistryPassword"), "\n",
             "DOCKER_EMAIL=", Ref("DockerRegistryEmail"), "\n",
+            "ENABLE_STREAMING_LOGS=", If("EnableStreamingLogs",
+                                         "true", "false"), "\n"
             ]
         return seed
 

stacker/blueprints/empire/policies.py

@@ -4,7 +4,7 @@
 
 from awacs.aws import Statement, Allow, Policy, Action
 
-from awacs import ecs, ec2, iam, route53
+from awacs import ecs, ec2, iam, route53, kinesis
 from awacs import elasticloadbalancing as elb
 
 
@@ -17,7 +17,7 @@ def ecs_agent_policy():
                 Action=[ecs.CreateCluster, ecs.RegisterContainerInstance,
                         ecs.DeregisterContainerInstance,
                         ecs.DiscoverPollEndpoint, ecs.ECSAction("Submit*"),
-                        ecs.Poll]
+                        ecs.Poll, ecs.ECSAction("StartTelemetrySession")]
             )
         ]
     )
@@ -78,7 +78,32 @@ def empire_policy():
                     route53.ListHostedZones, route53.GetHostedZone
                 ],
                 # TODO: Limit to specific zones
-                Resource=["*"])
+                Resource=["*"]),
+            Statement(
+                Effect=Allow,
+                Action=[
+                    kinesis.DescribeStream,
+                    Action(kinesis.prefix, "Get*"),
+                    Action(kinesis.prefix, "List*")
+                ],
+                Resource=["*"]),
+        ]
+    )
+    return p
+
+
+def logstream_policy():
+    """Policy needed for logspout -> kinesis log streaming."""
+    p = Policy(
+        Statement=[
+            Statement(
+                Effect=Allow,
+                Resource=["*"],
+                Action=[
+                    kinesis.CreateStream, kinesis.DescribeStream,
+                    Action(kinesis.prefix, "AddTagsToStream"),
+                    Action(kinesis.prefix, "PutRecords")
+                ])
         ]
     )
     return p