ALIYUN::ACTIONTRAIL::Trail is used to create a trail to deliver events to a Log Service Logstore or an Object Storage Service (OSS) bucket.

Syntax

{
  "Type": "ALIYUN::ACTIONTRAIL::Trail",
  "Properties": {
    "Name": String,
    "OssBucketName": String,
    "RoleName": String,
    "OssKeyPrefix": String,
    "EventRW": String,
    "SlsProjectArn": String,
    "SlsWriteRoleArn": String
  }
}            

Properties

Property Type Required Editable Description Constraint
Name String Yes No The name of the trail. The name must be 6 to 36 characters in length and can contain letters, digits, hyphens (-), and underscores (_). It must start with a letter.
Note The name must be unique within your Alibaba Cloud account.
OssBucketName String Yes Yes The name of the OSS bucket to which events are to be delivered. The name must be 3 to 63 characters in length. It must start with a lowercase letter or a digit and can contain lowercase letters, digits, and hyphens (-).
Note
  • Make sure that an OSS bucket is created. For more information, see Create buckets.
  • You must specify at least one of the OssBucketName and SlsProjectArn parameters.
RoleName String Yes Yes The service-linked role assumed by ActionTrail. Default value: AliyunServiceRoleForActionTrail.
OssKeyPrefix String No Yes The prefix of the log files to be stored in the desired OSS bucket. The prefix must be 6 to 32 characters in length and can contain letters, digits, hyphens (-), forward slashes (/), and underscores (_). It must start with a letter.
EventRW String No Yes The type of events to deliver: read events, write events, or both. Default value: Write. Valid values:
  • Read
  • Write
  • All
SlsProjectArn String No Yes The Alibaba Cloud Resource Name (ARN) of the Log Service project to which events are to be delivered. Make sure that a Log Service project and a Logstore are created. The Logstore is named in the format of actiontrail_<Trail name>.

For more information, see Create a Logstore and Create a project.

Note You must specify at least one of the OssBucketName and SlsProjectArn parameters.
SlsWriteRoleArn String No Yes The ARN of the service-linked role that is assumed by ActionTrail to deliver events to the desired Log Service project. None

Response parameters

Fn::GetAtt

Name: The name of the trail.

Examples

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "RoleName": {
      "Type": "String",
      "MinLength": 1,
      "MaxLength": 64
    },
    "EventRW": {
      "Type": "String",
      "AllowedValues": [
        "Write",
        "Read",
        "All"
      ]
    },
    "SlsProjectName": {
      "Type": "String"
    },
    "OssKeyPrefix": {
      "Type": "String",
      "Default": ""
    },
    "OssBucketName": {
      "Type": "String"
    },
    "TrailName": {
      "Type": "String"
    }
  },
  "Resources": {
    "Role": {
      "Type": "ALIYUN::RAM::Role",
      "Properties": {
        "RoleName": {
          "Ref": "RoleName"
        },
        "Policies": [
          {
            "PolicyName": {
              "Fn::Sub": "ActionTrailPolicy-${ALIYUN::StackId}"
            },
            "PolicyDocument": {
              "Version": "1",
              "Statement": [
                {
                  "Action": [
                    "oss:GetBucketLocation",
                    "oss:ListObjects",
                    "oss:PutObject"
                  ],
                  "Resource": [
                    "*"
                  ],
                  "Effect": "Allow"
                },
                {
                  "Action": [
                    "log:PostLogStoreLogs",
                    "log:CreateLogstore",
                    "Log:GetLogstore"
                  ],
                  "Resource": [
                    "*"
                  ],
                  "Effect": "Allow"
                },
                {
                  "Action": [
                    "mns:PublishMessage"
                  ],
                  "Resource": [
                    "*"
                  ],
                  "Effect": "Allow"
                }
              ]
            }
          }
        ],
        "AssumeRolePolicyDocument": {
          "Version": "1",
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "actiontrail.aliyuncs.com"
                ]
              }
            }
          ]
        }
      }
    },
    "Bucket": {
      "Type": "ALIYUN::OSS::Bucket",
      "Properties": {
        "AccessControl": "private",
        "BucketName": {
          "Ref": "OssBucketName"
        },
        "DeletionForce": true
      }
    },
    "SlsProject": {
      "Type": "ALIYUN::SLS::Project",
      "Properties": {
        "Name": {
          "Ref": "SlsProjectName"
        }
      }
    },
    "SlsLogStore": {
      "Type": "ALIYUN::SLS::Logstore",
      "DependsOn": "SlsProject",
      "Properties": {
        "LogstoreName": {
          "Fn::Sub": "actiontrail_${TrailName}"
        },
        "PreserveStorage": true,
        "ProjectName": {
          "Fn::GetAtt": [
            "SlsProject",
            "Name"
          ]
        },
        "AppendMeta": true,
        "MaxSplitShard": 64,
        "AutoSplit": true,
        "EnableTracking": false,
        "ShardCount": 2
      }
    },
    "Trail": {
      "DependsOn": [
        "Role",
        "Bucket",
        "SlsLogStore"
      ],
      "Type": "ALIYUN::ACTIONTRAIL::Trail",
      "Properties": {
        "SlsProjectArn": {
          "Fn::Sub": "acs:log:${ALIYUN::Region}::project/${SlsProjectName}"
        },
        "RoleName": {
          "Fn::GetAtt": [
            "Role",
            "RoleName"
          ]
        },
        "EventRW": {
          "Ref": "EventRW"
        },
        "OssKeyPrefix": {
          "Ref": "OssKeyPrefix"
        },
        "OssBucketName": {
          "Fn::GetAtt": [
            "Bucket",
            "Name"
          ]
        },
        "SlsWriteRoleArn": {
          "Fn::Sub": "acs:ram::${ALIYUN::TenantId}:role/${Role.RoleName}"
        },
        "Name": {
          "Ref": "TrailName"
        }
      }
    },
    "TrailLogging": {
      "Type": "ALIYUN::ACTIONTRAIL::TrailLogging",
      "Properties": {
        "Name": {
          "Fn::GetAtt": [
            "Trail",
            "Name"
          ]
        },
        "Enable": {
          "Ref": "Enable"
        }
      }
    }
  },
  "Outputs": {
    "Name": {
      "Value": {
        "Fn::GetAtt": [
          "Trail",
          "Name"
        ]
      }
    }
  }
}

YAML format

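# Creates an ActionTrail trail that delivers events to both an OSS bucket and a
# Log Service Logstore, together with the RAM role ActionTrail assumes to write
# to them, and then switches logging on or off through a TrailLogging resource.
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  RoleName:
    Type: String
    MinLength: 1
    MaxLength: 64
  EventRW:
    Type: String
    AllowedValues:
      - Write
      - Read
      - All
  SlsProjectName:
    Type: String
  OssKeyPrefix:
    Type: String
    Default: ''
  OssBucketName:
    Type: String
  TrailName:
    Type: String
  # Referenced by TrailLogging.Properties.Enable below. Without this
  # declaration the `Ref: Enable` has nothing to resolve to.
  Enable:
    Type: Boolean
    Default: true
Resources:
  Role:
    Type: 'ALIYUN::RAM::Role'
    Properties:
      RoleName:
        Ref: RoleName
      Policies:
        - PolicyName:
            'Fn::Sub': 'ActionTrailPolicy-${ALIYUN::StackId}'
          PolicyDocument:
            Version: '1'
            Statement:
              # Delivery role is limited to the bucket this stack creates
              # (bucket-level and object-level resources) instead of every
              # bucket in the account.
              - Action:
                  - 'oss:GetBucketLocation'
                  - 'oss:ListObjects'
                  - 'oss:PutObject'
                Resource:
                  - 'Fn::Sub': 'acs:oss:*:*:${OssBucketName}'
                  - 'Fn::Sub': 'acs:oss:*:*:${OssBucketName}/*'
                Effect: Allow
              # Limited to Logstores inside the project this stack creates.
              # NOTE(review): the last action uses a capitalised `Log:` prefix
              # while the other two use `log:`; confirm both are matched the same.
              - Action:
                  - 'log:PostLogStoreLogs'
                  - 'log:CreateLogstore'
                  - 'Log:GetLogstore'
                Resource:
                  - 'Fn::Sub': 'acs:log:*:*:project/${SlsProjectName}/logstore/*'
                Effect: Allow
              # NOTE(review): no MNS topic is defined or referenced in this
              # template, so this grant covers every topic in the account.
              # Scope it to the topic actually used, or drop the statement if
              # the trail does not publish to MNS.
              - Action:
                  - 'mns:PublishMessage'
                Resource:
                  - '*'
                Effect: Allow
      # Only the ActionTrail service may assume this role.
      AssumeRolePolicyDocument:
        Version: '1'
        Statement:
          - Action: 'sts:AssumeRole'
            Effect: Allow
            Principal:
              Service:
                - actiontrail.aliyuncs.com
  Bucket:
    Type: 'ALIYUN::OSS::Bucket'
    Properties:
      AccessControl: private
      BucketName:
        Ref: OssBucketName
      # NOTE(review): this bucket holds audit events. Forced deletion means
      # deleting the stack also removes the delivered log objects; confirm that
      # is acceptable under your retention requirements before reusing this.
      DeletionForce: true
  SlsProject:
    Type: 'ALIYUN::SLS::Project'
    Properties:
      Name:
        Ref: SlsProjectName
  SlsLogStore:
    Type: 'ALIYUN::SLS::Logstore'
    DependsOn: SlsProject
    Properties:
      # Same value the trail is given as Name, prefixed with actiontrail_.
      LogstoreName:
        'Fn::Sub': 'actiontrail_${TrailName}'
      PreserveStorage: true
      ProjectName:
        'Fn::GetAtt':
          - SlsProject
          - Name
      AppendMeta: true
      MaxSplitShard: 64
      AutoSplit: true
      EnableTracking: false
      ShardCount: 2
  Trail:
    # The role and both delivery targets must exist before the trail is created.
    DependsOn:
      - Role
      - Bucket
      - SlsLogStore
    Type: 'ALIYUN::ACTIONTRAIL::Trail'
    Properties:
      SlsProjectArn:
        'Fn::Sub': 'acs:log:${ALIYUN::Region}::project/${SlsProjectName}'
      RoleName:
        'Fn::GetAtt':
          - Role
          - RoleName
      EventRW:
        Ref: EventRW
      OssKeyPrefix:
        Ref: OssKeyPrefix
      OssBucketName:
        'Fn::GetAtt':
          - Bucket
          - Name
      SlsWriteRoleArn:
        'Fn::Sub': 'acs:ram::${ALIYUN::TenantId}:role/${Role.RoleName}'
      Name:
        Ref: TrailName
  TrailLogging:
    Type: 'ALIYUN::ACTIONTRAIL::TrailLogging'
    Properties:
      Name:
        'Fn::GetAtt':
          - Trail
          - Name
      # Resolves to the Enable parameter declared under Parameters.
      Enable:
        Ref: Enable
Outputs:
  Name:
    Value:
      'Fn::GetAtt':
        - Trail
        - Name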

To view more examples, visit TrailLogging.json and TrailLogging.yml. In the examples, the ALIYUN::ACTIONTRAIL::Trail and ALIYUN::ACTIONTRAIL::TrailLogging resource types are involved.