How to forward CodeDeploy logs to CloudWatch?

Question

Pulumi · Accepted Answer

To achieve log forwarding from CodeDeploy to CloudWatch, we can follow these steps:

- Create a log group in CloudWatch where the logs from CodeDeploy will be forwarded.
- Create an IAM role for CodeDeploy with CloudWatch permissions to write logs.
- Associate the CloudWatch log group with the CodeDeploy application.

Here's a Pulumi program that accomplishes this:

```typescript
import * as aws from "@pulumi/aws";

// Create a CloudWatch log group
const logGroup = new aws.cloudwatch.LogGroup("codedeployLogGroup", {});

// Create an IAM Role for CodeDeploy logging
const role = new aws.iam.Role("codedeployRole", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Action: "sts:AssumeRole",
                Principal: {
                    Service: "codedeploy.amazonaws.com",
                },
                Effect: "Allow",
                Sid: "",
            },
        ],
    }),
});

// Create an IAM Role Policy to provide logging permissions
new aws.iam.RolePolicy("codedeployLoggingPolicy", {
    role: role.id,
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            Resource: `${logGroup.arn}:*`
        }],
    }),
});

// Create a CodeDeploy application
const app = new aws.codedeploy.Application("myapp", {});

// Create a CodeDeploy Deployment Group
new aws.codedeploy.DeploymentGroup("myapp-deploymentgroup", {
    appName: app.name,
    serviceRoleArn: role.arn,
    autoRollbackConfiguration: {
        enabled: true,
        events: ["DEPLOYMENT_FAILURE", "DEPLOYMENT_STOP_ON_ALARM", "DEPLOYMENT_STOP_ON_REQUEST"],
    },
    cloudwatchLogs: {
        enabled: true,
        groupName: logGroup.name,
    },
});

```

**Please replace the below variables accordingly:**

- Replace the "loggedResourceName" with the name of the logged resource.
- Replace the "roleName" with the name of the IAM role you want to create.
- Replace the "policyName" with the name of the IAM policy you want to create.
- Replace the "applicationName" and "deploymentGroupName" with the names of your CodeDeploy application and deployment group, respectively.

For more information, check the [CodeDeploy Deployment Group documentation](https://www.pulumi.com/registry/packages/aws/api-docs/codedeploy/deploymentgroup/) and the [CloudWatch LogGroup documentation](https://www.pulumi.com/registry/packages/aws/api-docs/cloudwatch/loggroup/).