Merge pull request #48001 from libander/RHDEVDOCS-3551

RHDEVDOCS-3551 - Cloudwatch Forwarding with STS

Author: JStickler

logging/cluster-logging-external.adoc

@@ -43,6 +43,140 @@ include::modules/cluster-logging-collector-log-forward-syslog.adoc[leveloffset=+
 
 include::modules/cluster-logging-collector-log-forward-cloudwatch.adoc[leveloffset=+1]
 
+=== Forwarding logs to Amazon CloudWatch from STS enabled clusters
+
+For clusters with AWS Security Token Service (STS) enabled, you can create an AWS service account manually or create a credentials request using the xref:../authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc[Cloud Credential Operator(CCO)] utility `ccoctl`.
+
+.Prerequisites
+
+* {logging-title-uc}: 5.5 and later
+
+[NOTE]
+====
+This feature is not supported by the vector collector.
+====
+
+.Creating an AWS credentials request
+. Create a `CredentialsRequest` Custom Resource YAML using the template below:
++
+.CloudWatch Credentials Request Template
+[source,yaml]
+----
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  name: <your_role_name>-credrequest
+  namespace: openshift-cloud-credential-operator
+spec:
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: AWSProviderSpec
+    statementEntries:
+      - action:
+          - logs:PutLogEvents
+          - logs:CreateLogGroup
+          - logs:PutRetentionPolicy
+          - logs:CreateLogStream
+          - logs:DescribeLogGroups
+          - logs:DescribeLogStreams
+        effect: Allow
+        resource: arn:aws:logs:*:*:*
+  secretRef:
+    name: <your_role_name>
+    namespace: openshift-logging
+  serviceAccountNames:
+    - logcollector
+----
++
+. Use the `ccoctl` command to to create a role for AWS using your `CredentialsRequest` CR. With the `CredentialsRequest` object, this `ccoctl` command creates an IAM role with a trust policy that is tied to the specified OIDC identity provider, and a permissions policy that grants permissions to perform operations on CloudWatch resources. This command also creates a YAML configuration file in ``/<path_to_ccoctl_output_dir>/manifests/openshift-logging-<your_role_name>-credentials.yaml`. This secret file contains the `role_arn` key/value used during authentication with the AWS IAM identity provider.
++
+[source,terminal]
+----
+ccoctl aws create-iam-roles \
+--name=<name> \
+--region=<aws_region> \
+--credentials-requests-dir=<path_to_directory_with_list_of_credentials_requests>/credrequests \
+--identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com <1>
+----
+<1> <name> is the name used to tag your cloud resources and should match the name used during your STS cluster install
++
+. Apply the secret created:
+[source,terminal]
++
+----
+ oc apply -f output/manifests/openshift-logging-<your_role_name>-credentials.yaml
+----
++
+. Create or edit a `ClusterLogForwarder` custom resource:
++
+[source,yaml]
+----
+apiVersion: "logging.openshift.io/v1"
+kind: ClusterLogForwarder
+metadata:
+  name: instance <1>
+  namespace: openshift-logging <2>
+spec:
+  outputs:
+   - name: cw <3>
+     type: cloudwatch <4>
+     cloudwatch:
+       groupBy: logType <5>
+       groupPrefix: <group prefix> <6>
+       region: us-east-2 <7>
+     secret:
+        name: <your_role_name> <8>
+  pipelines:
+    - name: to-cloudwatch <9>
+      inputRefs: <10>
+        - infrastructure
+        - audit
+        - application
+      outputRefs:
+        - cw <11>
+----
+<1> The name of the `ClusterLogForwarder` CR must be `instance`.
+<2> The namespace for the `ClusterLogForwarder` CR must be `openshift-logging`.
+<3> Specify a name for the output.
+<4> Specify the `cloudwatch` type.
+<5> Optional: Specify how to group the logs:
++
+* `logType` creates log groups for each log type
+* `namespaceName` creates a log group for each application name space. Infrastructure and audit logs are unaffected, remaining grouped by `logType`.
+* `namespaceUUID` creates a new log groups for each application namespace UUID. It also creates separate log groups for infrastructure and audit logs.
+<6> Optional: Specify a string to replace the default `infrastructureName` prefix in the names of the log groups.
+<7> Specify the AWS region.
+<8> Specify the name of the secret that contains your AWS credentials.
+<9> Optional: Specify a name for the pipeline.
+<10> Specify which log types to forward by using the pipeline: `application,` `infrastructure`, or `audit`.
+<11> Specify the name of the output to use when forwarding logs with this pipeline.
+
+
+[role="_additional-resources"]
+.Additional resources
+* link:https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html[AWS STS API Reference]
+
+
+==== Creating a secret for AWS CloudWatch with an existing AWS role
+If you have an existing role for AWS, you can create a secret for AWS with STS using the `oc create secret --from-literal` command.
+
+[source,terminal]
+----
+oc create secret generic cw-sts-secret -n openshift-logging --from-literal=role_arn=arn:aws:iam::123456789012:role/my-role_with-permissions
+----
+
+.Example Secret
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  namespace: openshift-logging
+  name: my-secret-name
+stringData:
+  role_arn: arn:aws:iam::123456789012:role/my-role_with-permissions
+----
+
 include::modules/cluster-logging-collector-log-forward-loki.adoc[leveloffset=+1]
 
 include::modules/cluster-logging-troubleshooting-loki-entry-out-of-order-errors.adoc[leveloffset=+2]

modules/cluster-logging-collector-log-forward-cloudwatch.adoc

@@ -2,7 +2,7 @@
 [id="cluster-logging-collector-log-forward-cloudwatch_{context}"]
 = Forwarding logs to Amazon CloudWatch
 
-You can forward logs to Amazon CloudWatch, a monitoring and log storage service hosted by Amazon Web Services (AWS). You can forward logs to CloudWatch in addition to, or instead of, the default {logging} managed Elasticsearch log store.
+You can forward logs to Amazon CloudWatch, a monitoring and log storage service hosted by Amazon Web Services (AWS). You can forward logs to CloudWatch in addition to, or instead of, the default log store.
 
 To configure log forwarding to CloudWatch, you must create a `ClusterLogForwarder` custom resource (CR) with an output for CloudWatch, and a pipeline that uses the output.