fix(elbv2): fix access log bucket permissions

fixes aws#8113 Currently, it's not possible to enable access logs for a network load balancer using the logAccessLogs method. Cloudformation will fail at deploy time because the S3 Bucket doesn't have the right permissions.
DaWyz · May 21, 2020 · 626487d · 626487d
1 parent 6a6298f
commit 626487d
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 2 deletions.
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/nlb/network-load-balancer.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/nlb/network-load-balancer.ts
@@ -1,6 +1,8 @@
 import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
 import * as ec2 from '@aws-cdk/aws-ec2';
-import { Construct, Resource } from '@aws-cdk/core';
+import { PolicyStatement, ServicePrincipal } from '@aws-cdk/aws-iam';
+import { IBucket } from '@aws-cdk/aws-s3';
+import { Construct, Resource, Stack } from '@aws-cdk/core';
 import { BaseLoadBalancer, BaseLoadBalancerProps, ILoadBalancerV2 } from '../shared/base-load-balancer';
 import { BaseNetworkListenerProps, NetworkListener } from './network-listener';
 
@@ -101,6 +103,42 @@ export class NetworkLoadBalancer extends BaseLoadBalancer implements INetworkLoa
     });
   }
 
+  /**
+   * Enable access logging for this load balancer.
+   *
+   * A region must be specified on the stack containing the load balancer; you cannot enable logging on
+   * environment-agnostic stacks. See https://docs.aws.amazon.com/cdk/latest/guide/environments.html
+   *
+   * This is extending the BaseLoadBalancer.logAccessLogs method to match the bucket permissions described
+   * at https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html#access-logging-bucket-requirements
+   */
+  public logAccessLogs(bucket: IBucket, prefix?: string) {
+    super.logAccessLogs(bucket, prefix);
+
+    bucket.addToResourcePolicy(
+      new PolicyStatement({
+        actions: ['s3:PutObject'],
+        principals: [new ServicePrincipal('delivery.logs.amazonaws.com')],
+        resources: [
+          `arn:aws:s3:::${bucket.bucketName.toString()}/${prefix ? prefix + '/' : ''}AWSLogs/${
+            Stack.of(this).account
+          }/*`,
+        ],
+        conditions: {
+          StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' },
+        },
+      }),
+    );
+
+    bucket.addToResourcePolicy(
+      new PolicyStatement({
+        actions: ['s3:GetBucketAcl'],
+        principals: [new ServicePrincipal('delivery.logs.amazonaws.com')],
+        resources: [`arn:aws:s3:::${bucket.bucketName.toString()}`],
+      }),
+    );
+  }
+
   /**
    * Return the given named metric for this Network Load Balancer
    *
@@ -236,7 +274,6 @@ export class NetworkLoadBalancer extends BaseLoadBalancer implements INetworkLoa
  * A network load balancer
  */
 export interface INetworkLoadBalancer extends ILoadBalancerV2, ec2.IVpcEndpointServiceLoadBalancer {
-
   /**
    * The VPC this load balancer has been created in (if available)
    */

diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/nlb/test.load-balancer.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/nlb/test.load-balancer.ts
@@ -115,6 +115,24 @@ export = {
                 { Ref: 'AWS::AccountId' }, '/*']],
             },
           },
+          {
+            Action: 's3:PutObject',
+            Condition: { StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' }},
+            Effect: 'Allow',
+            Principal: { Service: 'delivery.logs.amazonaws.com' },
+            Resource: {
+              'Fn::Join': ['', ['arn:aws:s3:::', { Ref: 'AccessLoggingBucketA6D88F29' },
+                '/AWSLogs/', { Ref: 'AWS::AccountId' }, '/*']],
+            },
+          },
+          {
+            Action: 's3:GetBucketAcl',
+            Effect: 'Allow',
+            Principal: { Service: 'delivery.logs.amazonaws.com' },
+            Resource: {
+              'Fn::Join': ['', ['arn:aws:s3:::', { Ref: 'AccessLoggingBucketA6D88F29' }]],
+            },
+          },
         ],
       },
     }));
@@ -170,6 +188,24 @@ export = {
                 { Ref: 'AWS::AccountId' }, '/*']],
             },
           },
+          {
+            Action: 's3:PutObject',
+            Condition: { StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' }},
+            Effect: 'Allow',
+            Principal: { Service: 'delivery.logs.amazonaws.com' },
+            Resource: {
+              'Fn::Join': ['', ['arn:aws:s3:::', { Ref: 'AccessLoggingBucketA6D88F29' },
+                '/prefix-of-access-logs/AWSLogs/', { Ref: 'AWS::AccountId' }, '/*']],
+            },
+          },
+          {
+            Action: 's3:GetBucketAcl',
+            Effect: 'Allow',
+            Principal: { Service: 'delivery.logs.amazonaws.com' },
+            Resource: {
+              'Fn::Join': ['', ['arn:aws:s3:::', { Ref: 'AccessLoggingBucketA6D88F29' }]],
+            },
+          },
         ],
       },
     }));