Como usar a Pesquisa de transações com o AWS CloudFormation - Amazon CloudWatch

Como usar a Pesquisa de transações com o AWS CloudFormation

Você pode usar o AWS CloudFormation para habilitar e configurar a Pesquisa de transações no X-Ray.

nota

Para criar uma pilha do AWS CloudFormation, consulte Criar sua primeira pilha.

  • Você deve ter acesso a uma conta da AWS com um usuário ou perfil do IAM que tenha permissões para usar o Amazon EC2, o Amazon S3, o AWS CloudFormation ou ter acesso de usuário administrativo.

  • Você deve ter uma nuvem privada virtual (VPC) que tenha acesso à internet. Para simplificar, você pode usar a VPC padrão que vem com sua conta. A VPC padrão e as sub-redes padrão são suficientes para essa configuração.

  • Certifique-se de que a Pesquisa de transações esteja desabilitada antes de habilitá-la com o AWS CDK ou o AWS CloudFormation.

Como habilitar a Pesquisa de transações

Para habilitar a Pesquisa de transações usando o CloudFormation, é necessário criar os dois recursos a seguir.

  • AWS::Logs::ResourcePolicy

  • AWS::XRay::TransactionSearchConfig

  1. Create AWS::Logs::ResourcePolicy: crie uma política de recursos que permita que o X-Ray envie rastreamentos para o CloudWatch Logs

    YAML

    Resources: LogsResourcePolicy: Type: AWS::Logs::ResourcePolicy Properties: PolicyName: TransactionSearchAccess PolicyDocument: !Sub > { "Version": "2012-10-17", "Statement": [ { "Sid": "TransactionSearchXRayAccess", "Effect": "Allow", "Principal": { "Service": "xray.amazonaws.com" }, "Action": "logs:PutLogEvents", "Resource": [ "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws/spans:*", "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/application-signals/data:*" ], "Condition": { "ArnLike": { "aws:SourceArn": "arn:${AWS::Partition}:xray:${AWS::Region}:${AWS::AccountId}:*" }, "StringEquals": { "aws:SourceAccount": "${AWS::AccountId}" } } } ] }

    JSON

    { "Resources": { "LogsResourcePolicy": { "Type": "AWS::Logs::ResourcePolicy", "Properties": { "PolicyName": "TransactionSearchAccess", "PolicyDocument": { "Fn::Sub": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"TransactionSearchXRayAccess\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"xray.amazonaws.com\"\n },\n \"Action\": \"logs:PutLogEvents\",\n \"Resource\": [\n \"arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws/spans:*\",\n \"arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/application-signals/data:*\"\n ],\n \"Condition\": {\n \"ArnLike\": {\n \"aws:SourceArn\": \"arn:${AWS::Partition}:xray:${AWS::Region}:${AWS::AccountId}:*\"\n },\n \"StringEquals\": {\n \"aws:SourceAccount\": \"${AWS::AccountId}\"\n }\n }\n }\n ]\n}" } } } } }
  2. Create and Configure AWS::XRay::TransactionSearchConfig: crie o recurso TransactionSearchConfig para habilitar a Pesquisa de transações.

    YAML

    Resources: XRayTransactionSearchConfig: Type: AWS::XRay::TransactionSearchConfig

    JSON

    { "Resources": { "XRayTransactionSearchConfig": { "Type": "AWS::XRay::TransactionSearchConfig" } } }
  3. (Opcional) Você pode definir a propriedade IndexingPercentage para controlar o percentual de spans que serão indexados.

    YAML

    Resources: XRayTransactionSearchConfig: Type: AWS::XRay::TransactionSearchConfig Properties: IndexingPercentage: 50

    JSON

    { "Resources": { "XRayTransactionSearchConfig": { "Type": "AWS::XRay::TransactionSearchConfig", "Properties": { "IndexingPercentage": 20 } } } }

    O valor de IndexingPercentage pode ser definido entre 0 e 100.

Exemplos de modelos

O exemplo a seguir inclui a política de recursos e a TransactionSearchConfig.

YAML

Resources: LogsResourcePolicy: Type: AWS::Logs::ResourcePolicy Properties: PolicyName: TransactionSearchAccess PolicyDocument: !Sub > { "Version": "2012-10-17", "Statement": [ { "Sid": "TransactionSearchXRayAccess", "Effect": "Allow", "Principal": { "Service": "xray.amazonaws.com" }, "Action": "logs:PutLogEvents", "Resource": [ "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws/spans:*", "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/application-signals/data:*" ], "Condition": { "ArnLike": { "aws:SourceArn": "arn:${AWS::Partition}:xray:${AWS::Region}:${AWS::AccountId}:*" }, "StringEquals": { "aws:SourceAccount": "${AWS::AccountId}" } } } ] } XRayTransactionSearchConfig: Type: AWS::XRay::TransactionSearchConfig Properties: IndexingPercentage: 10

JSON

{ "Resources": { "LogsResourcePolicy": { "Type": "AWS::Logs::ResourcePolicy", "Properties": { "PolicyName": "TransactionSearchAccess", "PolicyDocument": { "Fn::Sub": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"TransactionSearchXRayAccess\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"xray.amazonaws.com\"\n },\n \"Action\": \"logs:PutLogEvents\",\n \"Resource\": [\n \"arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws/spans:*\",\n \"arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/application-signals/data:*\"\n ],\n \"Condition\": {\n \"ArnLike\": {\n \"aws:SourceArn\": \"arn:${AWS::Partition}:xray:${AWS::Region}:${AWS::AccountId}:*\"\n },\n \"StringEquals\": {\n \"aws:SourceAccount\": \"${AWS::AccountId}\"\n }\n }\n }\n ]\n}" } } }, "XRayTransactionSearchConfig": { "Type": "AWS::XRay::TransactionSearchConfig", "Properties": { "IndexingPercentage": 20 } } } }

Veja um exemplo usando o AWS CDK no TypeScript.

CDK

import * as cdk from '@aws-cdk/core'; import * as logs from '@aws-cdk/aws-logs'; import * as xray from '@aws-cdk/aws-xray'; export class XRayTransactionSearchStack extends cdk.Stack { constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) { super(scope, id, props); // Create the resource policy const transactionSearchAccess = new logs.CfnResourcePolicy(this, 'XRayLogResourcePolicy', { policyName: 'TransactionSearchAccess', policyDocument: JSON.stringify({ Version: '2012-10-17', Statement: [ { Sid: 'TransactionSearchXRayAccess', Effect: 'Allow', Principal: { Service: 'xray.amazonaws.com', }, Action: 'logs:PutLogEvents', Resource: [ `arn:${this.partition}:logs:${this.region}:${this.account}:log-group:aws/spans:*`, `arn:${this.partition}:logs:${this.region}:${this.account}:log-group:/aws/application-signals/data:*`, ], Condition: { ArnLike: { 'aws:SourceArn': `arn:${this.partition}:xray:${this.region}:${this.account}:*`, }, StringEquals: { 'aws:SourceAccount': this.account, }, }, }, ], }), }); // Create the TransactionSearchConfig with dependency const transactionSearchConfig = new xray.CfnTransactionSearchConfig(this, 'XRayTransactionSearchConfig', { indexingPercentage: 10, }); // Add the dependency to ensure Resource Policy is created first transactionSearchConfig.addDependsOn(transactionSearchAccess); } }

Como verificar a configuração

Depois de implantar sua pilha do AWS CloudFormation, você pode verificar a configuração usando a AWS CLI.

aws xray get-trace-segment-destination

Uma configuração bem-sucedida retornará o seguinte:

{ "Destination": "CloudWatchLogs", "Status": "ACTIVE" }