Ship logs directly to CWLogs

ryanjjung · ryanjjung · commit 0ee694dd9397 · 2026-04-09T13:52:16.000-06:00
diff --git a/pulumi/bootstrap/bootstrap.py b/pulumi/bootstrap/bootstrap.py
@@ -13,6 +13,7 @@
 
 # Map of template files to target files
 TEMPLATE_MAP = {
+    'fluent-bit.service.j2': '/usr/lib/systemd/system/fluent-bit.service',
     'fluent-bit.yaml.j2': '/etc/fluent-bit/fluent-bit.yaml',
     'stalwart.toml.j2': '/opt/stalwart/etc/config.toml',
     'thundermail.service.j2': '/usr/lib/systemd/system/thundermail.service',
diff --git a/pulumi/bootstrap/templates/fluent-bit.service.j2 b/pulumi/bootstrap/templates/fluent-bit.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=Fluent Bit
+Documentation=https://docs.fluentbit.io/manual/
+Requires=network.target
+After=network.target
+
+[Service]
+Type=simple
+Environment="ENV={{ env }}"
+ExecStart=/opt/fluent-bit/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.yaml
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/pulumi/bootstrap/templates/fluent-bit.yaml.j2 b/pulumi/bootstrap/templates/fluent-bit.yaml.j2
@@ -21,11 +21,25 @@ pipeline:
   filters: []
     
   outputs:
-    - name: forward
-      match: '*'
-{%- if env == 'prod' %}
-      host: fluentbit.tb.pro
-{%- else %}
-      host: {{ 'fluentbit-' + env + '.tb.pro' }}
-{%- endif %}
-      port: 24224
+    # Send logs onward to CloudWatch. Log groups by the derived name must pre-exist, and this
+    # service must have sufficient IAM permissions to create log streams and post events to them.
+    - name: cloudwatch_logs
+      match: cloudwatch.stalwart.mail
+      log_group_name: /tb/${ENV}/stalwart
+      log_stream_name: mail
+      region: eu-central-1
+      log_key: MESSAGE
+
+    - name: cloudwatch_logs
+      match: cloudwatch.stalwart.api
+      log_group_name: /tb/${ENV}/stalwart
+      log_stream_name: api
+      region: eu-central-1
+      log_key: MESSAGE
+    
+    - name: cloudwatch_logs
+      match: cloudwatch.untagged
+      log_group_name: /tb/${ENV}/stalwart
+      log_stream_name: untagged
+      region: eu-central-1
+      log_key: MESSAGE
diff --git a/pulumi/config.dev.yaml b/pulumi/config.dev.yaml
@@ -15,6 +15,7 @@ resources:
       log_streams:
         api: api
         mail: mail
+        untagged: untagged
       org_name: tb
 
   tb:network:MultiTierVpc:
diff --git a/pulumi/requirements.txt b/pulumi/requirements.txt
@@ -1,4 +1,5 @@
 Jinja2>=3.1,<4.0
 pulumi_cloudflare==6.6.0
-tb_pulumi @ git+https://github.com/thunderbird/pulumi.git@main
+# tb_pulumi @ git+https://github.com/thunderbird/pulumi.git@main
+-e /home/rjung/workspace/thunderbird/pulumi
 toml>=0.10.2,<0.11
diff --git a/pulumi/stalwart/__init__.py b/pulumi/stalwart/__init__.py
@@ -825,6 +825,7 @@ def user_data(self):
         archive_file_base = './bootstrap'
         archive_files = [
             'bootstrap.py',
+            'templates/fluent-bit.service.j2',
             'templates/fluent-bit.yaml.j2',
             'templates/ports.j2',
             'templates/stalwart.toml.j2',
diff --git a/pulumi/stalwart_instance_user_data.sh.j2 b/pulumi/stalwart_instance_user_data.sh.j2
@@ -28,9 +28,6 @@ dnf install -y bzip2 docker fluent-bit python3.12
 # Delete the default fluent-bit config; we'll template a new one in Phase 2
 rm -f /etc/fluent-bit/fluent-bit.conf
 
-# Make sure fluent-bit uses the right config file
-sed -i 's/fluent-bit.conf/fluent-bit.yaml/' /usr/lib/systemd/system/fluent-bit.service
-
 # Set up Stalwart config directory and virtual environment
 mkdir -p $STALWART_DIR/etc
 python3.12 -m ensurepip
