ALIYUN::ACTIONTRAIL::Trail类型用于创建跟踪，将审计数据保存到指定的OSS Bucket中。

语法

{
  "Type": "ALIYUN::ACTIONTRAIL::Trail",
  "Properties": {
    "Name": String,
    "OssBucketName": String,
    "RoleName": String,
    "OssKeyPrefix": String,
    "EventRW": String,
    "SlsProjectArn": String,
    "SlsWriteRoleArn": String
  }
}            

属性

属性名称 类型 必须 允许更新 描述 约束
Name String 创建的跟踪名称。 同一个账户内跟踪名称不可重复。
OssBucketName String 跟踪写入的OSS Bucket。 创建跟踪时必须保证该Bucket已经存在。
RoleName String 允许操作审计扮演的RAM角色名称。 请为该RAM角色授予相应的策略，详情请参见下文示例。
OssKeyPrefix String 写入的OSS Bucket文件名的前缀。 取值可为空。
EventRW String 投递事件的读写类型。 取值:
  • Read:读类型。
  • Write(默认值):写类型。
  • All:读类型和写类型。
SlsProjectArn String 跟踪投递目标的日志服务项目在阿里云唯一的资源名称(Aliyun Resource Name,ARN)。 需要在该SLS Project中创建一个名称为actiontrail_加跟踪名称(即actiontrail_<跟踪名称>)的Logstore。
SlsWriteRoleArn String 操作审计向目标日志服务项目投递日志时,扮演的角色在阿里云唯一的资源名称(Aliyun Resource Name,ARN)。

返回值

Fn::GetAtt

Name:创建的跟踪名称。

示例

JSON格式

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "RoleName": {
      "Type": "String",
      "MinLength": 1,
      "MaxLength": 64
    },
    "EventRW": {
      "Type": "String",
      "AllowedValues": [
        "Write",
        "Read",
        "All"
      ]
    },
    "SlsProjectName": {
      "Type": "String"
    },
    "OssKeyPrefix": {
      "Type": "String",
      "Default": ""
    },
    "OssBucketName": {
      "Type": "String"
    },
    "TrailName": {
      "Type": "String"
    }
  },
  "Resources": {
    "Role": {
      "Type": "ALIYUN::RAM::Role",
      "Properties": {
        "RoleName": {
          "Ref": "RoleName"
        },
        "Policies": [
          {
            "PolicyName": {
              "Fn::Sub": "ActionTrailPolicy-${ALIYUN::StackId}"
            },
            "PolicyDocument": {
              "Version": "1",
              "Statement": [
                {
                  "Action": [
                    "oss:GetBucketLocation",
                    "oss:ListObjects",
                    "oss:PutObject"
                  ],
                  "Resource": [
                    "*"
                  ],
                  "Effect": "Allow"
                },
                {
                  "Action": [
                    "log:PostLogStoreLogs",
                    "log:CreateLogstore",
                    "Log:GetLogstore"
                  ],
                  "Resource": [
                    "*"
                  ],
                  "Effect": "Allow"
                },
                {
                  "Action": [
                    "mns:PublishMessage"
                  ],
                  "Resource": [
                    "*"
                  ],
                  "Effect": "Allow"
                }
              ]
            }
          }
        ],
        "AssumeRolePolicyDocument": {
          "Version": "1",
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "actiontrail.aliyuncs.com"
                ]
              }
            }
          ]
        }
      }
    },
    "Bucket": {
      "Type": "ALIYUN::OSS::Bucket",
      "Properties": {
        "AccessControl": "private",
        "BucketName": {
          "Ref": "OssBucketName"
        },
        "DeletionForce": true
      }
    },
    "SlsProject": {
      "Type": "ALIYUN::SLS::Project",
      "Properties": {
        "Name": {
          "Ref": "SlsProjectName"
        }
      }
    },
    "SlsLogStore": {
      "Type": "ALIYUN::SLS::Logstore",
      "DependsOn": "SlsProject",
      "Properties": {
        "LogstoreName": {
          "Fn::Sub": "actiontrail_${TrailName}"
        },
        "PreserveStorage": true,
        "ProjectName": {
          "Fn::GetAtt": [
            "SlsProject",
            "Name"
          ]
        },
        "AppendMeta": true,
        "MaxSplitShard": 64,
        "AutoSplit": true,
        "EnableTracking": false,
        "ShardCount": 2
      }
    },
    "Trail": {
      "DependsOn": [
        "Role",
        "Bucket",
        "SlsLogStore"
      ],
      "Type": "ALIYUN::ACTIONTRAIL::Trail",
      "Properties": {
        "SlsProjectArn": {
          "Fn::Sub": "acs:log:${ALIYUN::Region}::project/${SlsProjectName}"
        },
        "RoleName": {
          "Fn::GetAtt": [
            "Role",
            "RoleName"
          ]
        },
        "EventRW": {
          "Ref": "EventRW"
        },
        "OssKeyPrefix": {
          "Ref": "OssKeyPrefix"
        },
        "OssBucketName": {
          "Fn::GetAtt": [
            "Bucket",
            "Name"
          ]
        },
        "SlsWriteRoleArn": {
          "Fn::Sub": "acs:ram::${ALIYUN::TenantId}:role/${Role.RoleName}"
        },
        "Name": {
          "Ref": "TrailName"
        }
      }
    },
    "TrailLogging": {
      "Type": "ALIYUN::ACTIONTRAIL::TrailLogging",
      "Properties": {
        "Name": {
          "Fn::GetAtt": [
            "Trail",
            "Name"
          ]
        },
        "Enable": {
          "Ref": "Enable"
        }
      }
    }
  },
  "Outputs": {
    "Name": {
      "Value": {
        "Fn::GetAtt": [
          "Trail",
          "Name"
        ]
      }
    }
  }
}

YAML格式

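ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  RoleName:
    Type: String
    MinLength: 1
    MaxLength: 64
  EventRW:
    Type: String
    AllowedValues:
      - Write
      - Read
      - All
  SlsProjectName:
    Type: String
  OssKeyPrefix:
    Type: String
    Default: ''
  OssBucketName:
    Type: String
  TrailName:
    Type: String
  # Referenced by TrailLogging below; without this declaration the
  # template fails validation with an unresolved Ref.
  Enable:
    Type: Boolean
    Default: true
    AllowedValues:
      - true
      - false
Resources:
  # RAM role that the ActionTrail service assumes to deliver audit data.
  Role:
    Type: 'ALIYUN::RAM::Role'
    Properties:
      RoleName:
        Ref: RoleName
      Policies:
        - PolicyName:
            'Fn::Sub': 'ActionTrailPolicy-${ALIYUN::StackId}'
          PolicyDocument:
            Version: '1'
            Statement:
              # Scoped to the delivery bucket only: the bucket-level ARN
              # covers GetBucketLocation/ListObjects, the object-level ARN
              # covers PutObject.
              - Action:
                  - 'oss:GetBucketLocation'
                  - 'oss:ListObjects'
                  - 'oss:PutObject'
                Resource:
                  - 'Fn::Sub': 'acs:oss:*:*:${OssBucketName}'
                  - 'Fn::Sub': 'acs:oss:*:*:${OssBucketName}/*'
                Effect: Allow
              # Scoped to the logstores of the delivery project.
              - Action:
                  - 'log:PostLogStoreLogs'
                  - 'log:CreateLogstore'
                  - 'Log:GetLogstore'
                Resource:
                  - 'Fn::Sub': 'acs:log:*:*:project/${SlsProjectName}/logstore/*'
                Effect: Allow
              # No MNS resource is declared in this template to scope to,
              # so this statement stays unscoped.
              - Action:
                  - 'mns:PublishMessage'
                Resource:
                  - '*'
                Effect: Allow
      AssumeRolePolicyDocument:
        Version: '1'
        Statement:
          # Trust policy: only the ActionTrail service principal may assume
          # this role.
          - Action: 'sts:AssumeRole'
            Effect: Allow
            Principal:
              Service:
                - actiontrail.aliyuncs.com
  # Delivery bucket for the audit data.
  Bucket:
    Type: 'ALIYUN::OSS::Bucket'
    Properties:
      AccessControl: private
      BucketName:
        Ref: OssBucketName
      # Deleting the stack removes the bucket together with every delivered
      # audit log; set to false if the audit data must outlive the stack.
      DeletionForce: true
  SlsProject:
    Type: 'ALIYUN::SLS::Project'
    Properties:
      Name:
        Ref: SlsProjectName
  # Logstore name must be actiontrail_ followed by the trail name.
  SlsLogStore:
    Type: 'ALIYUN::SLS::Logstore'
    DependsOn: SlsProject
    Properties:
      LogstoreName:
        'Fn::Sub': 'actiontrail_${TrailName}'
      PreserveStorage: true
      ProjectName:
        'Fn::GetAtt':
          - SlsProject
          - Name
      AppendMeta: true
      MaxSplitShard: 64
      AutoSplit: true
      EnableTracking: false
      ShardCount: 2
  Trail:
    DependsOn:
      - Role
      - Bucket
      - SlsLogStore
    Type: 'ALIYUN::ACTIONTRAIL::Trail'
    Properties:
      SlsProjectArn:
        'Fn::Sub': 'acs:log:${ALIYUN::Region}::project/${SlsProjectName}'
      RoleName:
        'Fn::GetAtt':
          - Role
          - RoleName
      EventRW:
        Ref: EventRW
      OssKeyPrefix:
        Ref: OssKeyPrefix
      OssBucketName:
        'Fn::GetAtt':
          - Bucket
          - Name
      SlsWriteRoleArn:
        'Fn::Sub': 'acs:ram::${ALIYUN::TenantId}:role/${Role.RoleName}'
      Name:
        Ref: TrailName
  # Turns logging for the trail on or off via the Enable parameter.
  TrailLogging:
    Type: 'ALIYUN::ACTIONTRAIL::TrailLogging'
    Properties:
      Name:
        'Fn::GetAtt':
          - Trail
          - Name
      Enable:
        Ref: Enable
Outputs:
  Name:
    Value:
      'Fn::GetAtt':
        - Trail
        - Name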