fix(elbv2): fix access log bucket permissions

fixes aws#8113

Currently, it's not possible to enable access logs for a network load balancer
using the logAccessLogs method. Cloudformation will fail at deploy time because
the S3 Bucket doesn't have the right permissions.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-elasticloadbalancingv2/lib/nlb/network-load-balancer.ts

@@ -1,6 +1,8 @@
 import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
 import * as ec2 from '@aws-cdk/aws-ec2';
-import { Construct, Resource } from '@aws-cdk/core';
+import { PolicyStatement, ServicePrincipal } from '@aws-cdk/aws-iam';
+import { IBucket } from '@aws-cdk/aws-s3';
+import { Construct, Resource, Stack } from '@aws-cdk/core';
 import { BaseLoadBalancer, BaseLoadBalancerProps, ILoadBalancerV2 } from '../shared/base-load-balancer';
 import { BaseNetworkListenerProps, NetworkListener } from './network-listener';
 
@@ -54,7 +56,11 @@ export interface NetworkLoadBalancerAttributes {
  * @resource AWS::ElasticLoadBalancingV2::LoadBalancer
  */
 export class NetworkLoadBalancer extends BaseLoadBalancer implements INetworkLoadBalancer {
-  public static fromNetworkLoadBalancerAttributes(scope: Construct, id: string, attrs: NetworkLoadBalancerAttributes): INetworkLoadBalancer {
+  public static fromNetworkLoadBalancerAttributes(
+    scope: Construct,
+    id: string,
+    attrs: NetworkLoadBalancerAttributes,
+  ): INetworkLoadBalancer {
     class Import extends Resource implements INetworkLoadBalancer {
       public readonly loadBalancerArn = attrs.loadBalancerArn;
       public readonly vpc?: ec2.IVpc = attrs.vpc;
@@ -66,15 +72,23 @@ export class NetworkLoadBalancer extends BaseLoadBalancer implements INetworkLoa
       }
 
       public get loadBalancerCanonicalHostedZoneId(): string {
-        if (attrs.loadBalancerCanonicalHostedZoneId) { return attrs.loadBalancerCanonicalHostedZoneId; }
+        if (attrs.loadBalancerCanonicalHostedZoneId) {
+          return attrs.loadBalancerCanonicalHostedZoneId;
+        }
         // tslint:disable-next-line:max-line-length
-        throw new Error(`'loadBalancerCanonicalHostedZoneId' was not provided when constructing Network Load Balancer ${this.node.path} from attributes`);
+        throw new Error(
+          `'loadBalancerCanonicalHostedZoneId' was not provided when constructing Network Load Balancer ${this.node.path} from attributes`,
+        );
       }
 
       public get loadBalancerDnsName(): string {
-        if (attrs.loadBalancerDnsName) { return attrs.loadBalancerDnsName; }
+        if (attrs.loadBalancerDnsName) {
+          return attrs.loadBalancerDnsName;
+        }
         // tslint:disable-next-line:max-line-length
-        throw new Error(`'loadBalancerDnsName' was not provided when constructing Network Load Balancer ${this.node.path} from attributes`);
+        throw new Error(
+          `'loadBalancerDnsName' was not provided when constructing Network Load Balancer ${this.node.path} from attributes`,
+        );
       }
     }
 
@@ -86,7 +100,9 @@ export class NetworkLoadBalancer extends BaseLoadBalancer implements INetworkLoa
       type: 'network',
     });
 
-    if (props.crossZoneEnabled) { this.setAttribute('load_balancing.cross_zone.enabled', 'true'); }
+    if (props.crossZoneEnabled) {
+      this.setAttribute('load_balancing.cross_zone.enabled', 'true');
+    }
   }
 
   /**
@@ -101,6 +117,42 @@ export class NetworkLoadBalancer extends BaseLoadBalancer implements INetworkLoa
     });
   }
 
+  /**
+   * Enable access logging for this load balancer.
+   *
+   * A region must be specified on the stack containing the load balancer; you cannot enable logging on
+   * environment-agnostic stacks. See https://docs.aws.amazon.com/cdk/latest/guide/environments.html
+   *
+   * This is extending the BaseLoadBalancer.logAccessLogs method to match the bucket permissions described
+   * at https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html#access-logging-bucket-requirements
+   */
+  public logAccessLogs(bucket: IBucket, prefix?: string) {
+    super.logAccessLogs(bucket, prefix);
+
+    bucket.addToResourcePolicy(
+      new PolicyStatement({
+        actions: ['s3:PutObject'],
+        principals: [new ServicePrincipal('delivery.logs.amazonaws.com')],
+        resources: [
+          `arn:aws:s3:::${bucket.bucketName.toString()}/${prefix ? prefix + '/' : ''}AWSLogs/${
+            Stack.of(this).account
+          }/*`,
+        ],
+        conditions: {
+          StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' },
+        },
+      }),
+    );
+
+    bucket.addToResourcePolicy(
+      new PolicyStatement({
+        actions: ['s3:GetBucketAcl'],
+        principals: [new ServicePrincipal('delivery.logs.amazonaws.com')],
+        resources: [`arn:aws:s3:::${bucket.bucketName.toString()}`],
+      }),
+    );
+  }
+
   /**
    * Return the given named metric for this Network Load Balancer
    *
@@ -236,7 +288,6 @@ export class NetworkLoadBalancer extends BaseLoadBalancer implements INetworkLoa
  * A network load balancer
  */
 export interface INetworkLoadBalancer extends ILoadBalancerV2, ec2.IVpcEndpointServiceLoadBalancer {
-
   /**
    * The VPC this load balancer has been created in (if available)
    */

packages/@aws-cdk/aws-elasticloadbalancingv2/test/nlb/test.load-balancer.ts

@@ -115,6 +115,24 @@ export = {
                 { Ref: 'AWS::AccountId' }, '/*']],
             },
           },
+          {
+            Action: 's3:PutObject',
+            Condition: { StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' }},
+            Effect: 'Allow',
+            Principal: { Service: 'delivery.logs.amazonaws.com' },
+            Resource: {
+              'Fn::Join': ['', ['arn:aws:s3:::', { Ref: 'AccessLoggingBucketA6D88F29' },
+                '/AWSLogs/', { Ref: 'AWS::AccountId' }, '/*']],
+            },
+          },
+          {
+            Action: 's3:GetBucketAcl',
+            Effect: 'Allow',
+            Principal: { Service: 'delivery.logs.amazonaws.com' },
+            Resource: {
+              'Fn::Join': ['', ['arn:aws:s3:::', { Ref: 'AccessLoggingBucketA6D88F29' }]],
+            },
+          },
         ],
       },
     }));
@@ -170,6 +188,24 @@ export = {
                 { Ref: 'AWS::AccountId' }, '/*']],
             },
           },
+          {
+            Action: 's3:PutObject',
+            Condition: { StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' }},
+            Effect: 'Allow',
+            Principal: { Service: 'delivery.logs.amazonaws.com' },
+            Resource: {
+              'Fn::Join': ['', ['arn:aws:s3:::', { Ref: 'AccessLoggingBucketA6D88F29' },
+                '/prefix-of-access-logs/AWSLogs/', { Ref: 'AWS::AccountId' }, '/*']],
+            },
+          },
+          {
+            Action: 's3:GetBucketAcl',
+            Effect: 'Allow',
+            Principal: { Service: 'delivery.logs.amazonaws.com' },
+            Resource: {
+              'Fn::Join': ['', ['arn:aws:s3:::', { Ref: 'AccessLoggingBucketA6D88F29' }]],
+            },
+          },
         ],
       },
     }));