Rundeck S3 Log Storage Plugin
This is a plugin for Rundeck that uses Amazon S3 to store execution log files for backups or for cloud-friendly behavior.
Build
./gradlew clean build
Installation
-
Copy the
rundeck-s3-log-plugin-x.y.jarfile to thelibext/directory inside your Rundeck installation. You can find the releases here. -
Enable the ExecutionFileStorage provider named
org.rundeck.amazon-s3in yourrundeck-config.propertiesfile:
# Set log execution storage backend to Amazon S3
rundeck.execution.logs.fileStoragePlugin=org.rundeck.amazon-s3
Configuration
You can define the configuration values $RUNDECK_DIR/framework.properties by prefixing the property name with the stem. For example:
framework.plugin.ExecutionFileStorage.org.rundeck.amazon-s3.<key>=<value>
Alternatively, use project.properties file with the stem project.plugin.ExecutionFileStorage.org.rundeck.amazon-s3 to achieve per-project configuration.
Configure AWS Credentials
The plugin will use the "credentials provider chain" for AWS access credentials, which allows you to externally configure the credentials in any of three ways:
- Environment variables
AWS_ACCESS_KEY_IDandAWS_SECRET_KEY - Java system properties
aws.accessKeyIdandaws.secretKey - Instance Profile credentials, if you are running on EC2. (See the IAM user guide).
If you want to specify access key and secret key, you can do so in the configuration:
The plugin allows you to set the following property key/values for credentials:
NB: These are stemmed with
framework.plugin.ExecutionFileStorage.org.rundeck.amazon-s3
AWSAccessKeyId: AWS access key, required if using AWSSecretKey
AWSSecretKey: AWS secret key, required if using AWSAccessKeyId
AWSCredentialsFile: Properties file which contains accessKey and secretKey entries. The alternative to specifying
the AWSAccessKeyId and AWSSecretKey
The plugin uses uses the following key/values for configuring the AWS S3 Bucket:
bucket: The name of the S3 bucket to use. This is the shorthand name, eg test-rundeck-logs
path: A path-like string that defines where in the bucket to store the log for a particular execution. You can
include variables. Default value: rundeck/project/$PROJECT/logs/$ID
Variables in the path value include:
${job.execid}- the execution ID${job.project}- the project name${job.id}- the Job UUID if it exists${job.group}- the Job Group if it exists${job.path}- the Job Name if it exists
region: AWS region name to use. Default: us-east-1
endpoint: Optional, a custom S3 compatible endpoint to use, such as https://my-host.com/s3
pathStyle: Optional, boolean, default=False, set to True if you need to define the bucket in your S3 like endpoint URL. e.g:
https://\<s3_like_end_point_url\>/\<your_bucket_name\>
A custom way of defining buckets for your endpoint. Useful for non-AWS S3 like object storage technology e.g SwiftStack, Optums, etc. This background information should be useful.
Basic Example (/etc/rundeck/framework.properties)
# AWSAccessKeyId and AWSSecretKey can be specified in the file
framework.plugin.ExecutionFileStorage.org.rundeck.amazon-s3.AWSAccessKeyId=ABC123...
framework.plugin.ExecutionFileStorage.org.rundeck.amazon-s3.AWSSecretKey=ABC321...
# Alternately, AWSCredentialsFile can point to a custom file which contains `accessKey` and `secretKey`
framework.plugin.ExecutionFileStorage.org.rundeck.amazon-s3.AWSCredentialsFile=/path/to/awscredentials.properties
# Name of the bucket
framework.plugin.ExecutionFileStorage.org.rundeck.amazon-s3.bucket=test-rundeck-logs
# Path to store the logs
framework.plugin.ExecutionFileStorage.org.rundeck.amazon-s3.path=logs/${job.project}/${job.execid}.log
Using with Rundeck SSL Configuration
If you want to use this plugin when you have Rundeck configured with a custom SSL truststore, you will need to import the Amazon S3 SSL certificates to your truststore.
echo -n | openssl s_client -connect my-bucket.s3.amazonaws.com:443 > certs.out
keytool -importcert -trustcacerts -file certs.out -alias s3-amazonaws -keystore $RDECK_BASE/etc/truststore
