Adding permissions to EC2 to communicate with Firehose

We will once again edit our nodeserver-cf-template.py script. Open the file with your editor, and in the MonitoringPolicy policy, add the following to allow our EC2 instance to communicate with Firehose and put a record into the stream:

t.add_resource(IAMPolicy( 
    "MonitoringPolicy", 
    PolicyName="AllowSendingDataForMonitoring", 
    PolicyDocument=Policy( 
        Statement=[ 
            Statement( 
                Effect=Allow, 
                Action=[ 
                    Action("cloudwatch", "Put*"), 
                    Action("logs", "Create*"), 
                    Action("logs", "Put*"), 
                    Action("logs", "Describe*"), 
                    Action("events", "Put*"), 
                    Action("firehose", "Put*"), 
                ], 
                Resource=["*"]) 
        ] 
    ), 
    Roles=[Ref("Role")], 
)) 

Save the new script, commit your changes, and, following the same steps as before, deploy the new version of the template. Your new template should look like http://bit.ly/2v3bKsY:

$ git add nodeserver-cf-template.py
$ git commit -m "Allowing our application to send logs to Firehose"
$ git push
$ python nodeserver-cf-template.py > nodeserver-cf.template

$ aws cloudformation update-stack \
    --capabilities CAPABILITY_IAM \
    --stack-name helloworld-staging \
    --template-body file://nodeserver-cf.template \
    --parameters \
      ParameterKey=InstanceType,UsePreviousValue=true \
      ParameterKey=KeyPair,UsePreviousValue=true \
      ParameterKey=PublicSubnet,UsePreviousValue=true \
      ParameterKey=ScaleCapacity,UsePreviousValue=true \
      ParameterKey=VpcId,UsePreviousValue=true

$ aws cloudformation update-stack \
    --capabilities CAPABILITY_IAM \
    --stack-name helloworld-production \
    --template-body file://nodeserver-cf.template \
    --parameters \
      ParameterKey=InstanceType,UsePreviousValue=true \
      ParameterKey=KeyPair,UsePreviousValue=true \
      ParameterKey=PublicSubnet,UsePreviousValue=true \
      ParameterKey=ScaleCapacity,UsePreviousValue=true \
      ParameterKey=VpcId,UsePreviousValue=true

In the case of ECS, we already added the proper permissions in the last chapter when we created our clusters.

Now that this is in place, we will make changes to our code.
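
The MonitoringPolicy above pairs wildcard actions such as firehose:Put* with Resource "*", so the instance role can write to every delivery stream in the account. The following check is an added example, not code from the book: it scans a rendered CloudFormation template for such grants. The ScopedFirehosePolicy resource, account ID, region and stream name in the sample are constructed placeholders.

```python
import json
import sys

# Constructed sample: the MonitoringPolicy above as rendered into
# nodeserver-cf.template, plus a hypothetical scoped alternative.
# The account ID, region and stream name are placeholders.
SAMPLE_TEMPLATE = {"Resources": {
    "MonitoringPolicy": {
        "Type": "AWS::IAM::Policy",
        "Properties": {"PolicyDocument": {"Statement": [{
            "Effect": "Allow",
            "Action": ["cloudwatch:Put*", "logs:Create*", "logs:Put*",
                       "logs:Describe*", "events:Put*", "firehose:Put*"],
            "Resource": ["*"],
        }]}},
    },
    "ScopedFirehosePolicy": {  # hypothetical resource name
        "Type": "AWS::IAM::Policy",
        "Properties": {"PolicyDocument": {"Statement": [{
            "Effect": "Allow",
            "Action": ["firehose:PutRecord", "firehose:PutRecordBatch"],
            "Resource": "arn:aws:firehose:us-east-1:111122223333:"
                        "deliverystream/EXAMPLE-STREAM",
        }]}},
    },
}}


def as_list(value):
    """IAM accepts either a bare string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def find_broad_grants(template):
    """Return (logical_id, action) for each wildcard action allowed on Resource "*"."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        for stmt in as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource", [])):
                continue
            findings += [(logical_id, a) for a in as_list(stmt.get("Action", [])) if "*" in a]
    return findings


if __name__ == "__main__":
    # Pass a rendered template path as the first argument, or scan the sample.
    tpl = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for logical_id, action in find_broad_grants(tpl):
        print(f"{logical_id}: {action} allowed on Resource '*'")
```

Run against nodeserver-cf.template before update-stack, this reports all six actions in MonitoringPolicy; a statement limited to named actions on a single delivery stream ARN produces no findings.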
