
[cloudfront-s3] do not create cf log bucket if cf logs disabled
Signed-off-by: Naseem <naseem@toric.com>
naseemkullah committed Aug 7, 2021
1 parent 7f4308b commit d373bdc
Showing 4 changed files with 35 additions and 209 deletions.
Expand Up @@ -131,26 +131,17 @@ export function CloudFrontDistributionForApiGateway(scope: cdk.Construct,

const _httpSecurityHeaders = (httpSecurityHeaders !== undefined && httpSecurityHeaders === false) ? false : true;

let defaultprops: cloudfront.DistributionProps;
let edgeLambdaVersion;
let loggingBucket;

if (_httpSecurityHeaders) {
edgeLambdaVersion = new lambda.Version(scope, "SetHttpSecurityHeadersVersion", {
lambda: defaultLambdaEdgeFunction(scope)
});
}

if (cloudFrontDistributionProps && cloudFrontDistributionProps.enableLogging && cloudFrontDistributionProps.logBucket) {
defaultprops = DefaultCloudFrontWebDistributionForApiGatewayProps(apiEndPoint,
cloudFrontDistributionProps.logBucket, _httpSecurityHeaders,
edgeLambdaVersion);
} else {
loggingBucket = createLoggingBucket(scope, 'CloudfrontLoggingBucket');
defaultprops = DefaultCloudFrontWebDistributionForApiGatewayProps(apiEndPoint,
loggingBucket, _httpSecurityHeaders,
edgeLambdaVersion);
}
const loggingBucket = cloudFrontDistributionProps?.enableLogging ? cloudFrontDistributionProps.logBucket ?? createLoggingBucket(scope, 'CloudfrontLoggingBucket') : undefined;

const defaultprops = DefaultCloudFrontWebDistributionForApiGatewayProps(apiEndPoint, loggingBucket, _httpSecurityHeaders, edgeLambdaVersion);

const cfprops = cloudFrontDistributionProps ? overrideProps(defaultprops, cloudFrontDistributionProps, true) : defaultprops;
// Create the Cloudfront Distribution
Expand All @@ -166,24 +157,13 @@ export function CloudFrontDistributionForS3(scope: cdk.Construct,
httpSecurityHeaders?: boolean): [cloudfront.Distribution,
cloudfront.Function?, s3.Bucket?] {

let defaultprops: cloudfront.DistributionProps;
// let edgeLambdaVersion;
let cloudfrontFunction;
let loggingBucket;
const _httpSecurityHeaders = (httpSecurityHeaders !== undefined && httpSecurityHeaders === false) ? false : true;

if (_httpSecurityHeaders) {
cloudfrontFunction = defaultCloudfrontFunction(scope);
}
const cloudfrontFunction = _httpSecurityHeaders ? defaultCloudfrontFunction(scope) : undefined;

if (cloudFrontDistributionProps && cloudFrontDistributionProps.enableLogging && cloudFrontDistributionProps.logBucket) {
defaultprops = DefaultCloudFrontWebDistributionForS3Props(sourceBucket,
cloudFrontDistributionProps.logBucket, _httpSecurityHeaders, cloudfrontFunction);
} else {
loggingBucket = createLoggingBucket(scope, 'CloudfrontLoggingBucket');
defaultprops = DefaultCloudFrontWebDistributionForS3Props(sourceBucket, loggingBucket,
_httpSecurityHeaders, cloudfrontFunction);
}
const loggingBucket = cloudFrontDistributionProps?.enableLogging ? cloudFrontDistributionProps.logBucket ?? createLoggingBucket(scope, 'CloudfrontLoggingBucket') : undefined;

const defaultprops: cloudfront.DistributionProps = DefaultCloudFrontWebDistributionForS3Props(sourceBucket, loggingBucket, _httpSecurityHeaders, cloudfrontFunction);

const cfprops = cloudFrontDistributionProps ? overrideProps(defaultprops, cloudFrontDistributionProps, false) : defaultprops;
// Create the Cloudfront Distribution
Expand All @@ -208,23 +188,14 @@ export function CloudFrontDistributionForMediaStore(scope: cdk.Construct,
httpSecurityHeaders?: boolean): [cloudfront.Distribution,
s3.Bucket, cloudfront.OriginRequestPolicy, lambda.Version?] {

let defaultprops: cloudfront.DistributionProps;
let originRequestPolicy: cloudfront.OriginRequestPolicy;
let loggingBucket: s3.Bucket;
let edgeLambdaVersion: lambda.Version | undefined;
const _httpSecurityHeaders = (httpSecurityHeaders !== undefined && httpSecurityHeaders === false) ? false : true;

if (_httpSecurityHeaders) {
edgeLambdaVersion = new lambda.Version(scope, 'SetHttpSecurityHeadersVersion', {
lambda: defaultLambdaEdgeFunction(scope)
});
}
const edgeLambdaVersion = _httpSecurityHeaders ? new lambda.Version(scope, 'SetHttpSecurityHeadersVersion', {
lambda: defaultLambdaEdgeFunction(scope)
}) : undefined;

if (cloudFrontDistributionProps && cloudFrontDistributionProps.enableLogging && cloudFrontDistributionProps.logBucket) {
loggingBucket = cloudFrontDistributionProps.logBucket as s3.Bucket;
} else {
loggingBucket = createLoggingBucket(scope, 'CloudfrontLoggingBucket');
}
const loggingBucket = cloudFrontDistributionProps?.enableLogging ? cloudFrontDistributionProps.logBucket ?? createLoggingBucket(scope, 'CloudfrontLoggingBucket') : undefined;

if (cloudFrontDistributionProps
&& cloudFrontDistributionProps.defaultBehavior
Expand Down Expand Up @@ -254,7 +225,7 @@ export function CloudFrontDistributionForMediaStore(scope: cdk.Construct,
originRequestPolicy = new cloudfront.OriginRequestPolicy(scope, 'CloudfrontOriginRequestPolicy', originRequestPolicyProps);
}

defaultprops = DefaultCloudFrontDisributionForMediaStoreProps(
const defaultprops = DefaultCloudFrontDisributionForMediaStoreProps(
mediaStoreContainer,
loggingBucket,
originRequestPolicy,
Expand Down Expand Up @@ -282,4 +253,4 @@ export function CloudFrontOriginAccessIdentity(scope: cdk.Construct, comment?: s
return new cloudfront.OriginAccessIdentity(scope, 'CloudFrontOriginAccessIdentity', {
comment: comment ? comment : `access-identity-${cdk.Aws.REGION}-${cdk.Aws.STACK_NAME}`
});
}
}
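Review bot: The new `loggingBucket` expression on the line `const loggingBucket = cloudFrontDistributionProps?.enableLogging ? ... : undefined;` (and the same line in the S3 and MediaStore hunks) yields `undefined` not only when logging is disabled but also when `cloudFrontDistributionProps` is omitted or has no `enableLogging` field, whereas the removed branches always fell back to `createLoggingBucket`. If the default props still turn logging on (not visible here), CloudFront will then provision its own bucket, which the snapshot change appears to confirm: the bucket id becomes `CloudFrontDistributionLoggingBucket0F015D0B` and its `BucketEncryption`, `PublicAccessBlockConfiguration`, `VersioningConfiguration` and the `HttpsOnly` deny policy no longer show up on the new side, so the default log bucket loses the hardening `createLoggingBucket` provided. Keeping the fallback unless logging is explicitly disabled preserves that: `const loggingBucket = cloudFrontDistributionProps?.enableLogging === false ? undefined : cloudFrontDistributionProps?.logBucket ?? createLoggingBucket(scope, 'CloudfrontLoggingBucket');`. In the MediaStore hunk, `loggingBucket` is now possibly `undefined` while the context line still declares the return tuple as `s3.Bucket` (non-optional); the return statement is outside the hunk, so either the fallback above or an `s3.Bucket?` return type is needed. All three enclosing functions start before and end after their hunks.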
Expand Up @@ -78,7 +78,7 @@ Object {
"Logging": Object {
"Bucket": Object {
"Fn::GetAtt": Array [
"CloudfrontLoggingBucket3C3EFAA7",
"CloudFrontDistributionLoggingBucket0F015D0B",
"RegionalDomainName",
],
},
Expand Down Expand Up @@ -153,90 +153,11 @@ Object {
},
"Type": "AWS::CloudFront::Distribution",
},
"CloudfrontLoggingBucket3C3EFAA7": Object {
"CloudFrontDistributionLoggingBucket0F015D0B": Object {
"DeletionPolicy": "Retain",
"Metadata": Object {
"cfn_nag": Object {
"rules_to_suppress": Array [
Object {
"id": "W35",
"reason": "This S3 bucket is used as the access logging bucket for CloudFront Distribution",
},
],
},
},
"Properties": Object {
"AccessControl": "LogDeliveryWrite",
"BucketEncryption": Object {
"ServerSideEncryptionConfiguration": Array [
Object {
"ServerSideEncryptionByDefault": Object {
"SSEAlgorithm": "AES256",
},
},
],
},
"PublicAccessBlockConfiguration": Object {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true,
},
"VersioningConfiguration": Object {
"Status": "Enabled",
},
},
"Type": "AWS::S3::Bucket",
"UpdateReplacePolicy": "Retain",
},
"CloudfrontLoggingBucketPolicy8FC0956D": Object {
"Properties": Object {
"Bucket": Object {
"Ref": "CloudfrontLoggingBucket3C3EFAA7",
},
"PolicyDocument": Object {
"Statement": Array [
Object {
"Action": "*",
"Condition": Object {
"Bool": Object {
"aws:SecureTransport": "false",
},
},
"Effect": "Deny",
"Principal": Object {
"AWS": "*",
},
"Resource": Array [
Object {
"Fn::Join": Array [
"",
Array [
Object {
"Fn::GetAtt": Array [
"CloudfrontLoggingBucket3C3EFAA7",
"Arn",
],
},
"/*",
],
],
},
Object {
"Fn::GetAtt": Array [
"CloudfrontLoggingBucket3C3EFAA7",
"Arn",
],
},
],
"Sid": "HttpsOnly",
},
],
"Version": "2012-10-17",
},
},
"Type": "AWS::S3::BucketPolicy",
},
"LambdaFunctionBF21E41F": Object {
"DependsOn": Array [
"LambdaFunctionServiceRoleC555A460",
Expand Down Expand Up @@ -872,7 +793,7 @@ Object {
"Logging": Object {
"Bucket": Object {
"Fn::GetAtt": Array [
"CloudfrontLoggingBucket3C3EFAA7",
"CloudFrontDistributionLoggingBucket0F015D0B",
"RegionalDomainName",
],
},
Expand Down Expand Up @@ -947,90 +868,11 @@ Object {
},
"Type": "AWS::CloudFront::Distribution",
},
"CloudfrontLoggingBucket3C3EFAA7": Object {
"CloudFrontDistributionLoggingBucket0F015D0B": Object {
"DeletionPolicy": "Retain",
"Metadata": Object {
"cfn_nag": Object {
"rules_to_suppress": Array [
Object {
"id": "W35",
"reason": "This S3 bucket is used as the access logging bucket for CloudFront Distribution",
},
],
},
},
"Properties": Object {
"AccessControl": "LogDeliveryWrite",
"BucketEncryption": Object {
"ServerSideEncryptionConfiguration": Array [
Object {
"ServerSideEncryptionByDefault": Object {
"SSEAlgorithm": "AES256",
},
},
],
},
"PublicAccessBlockConfiguration": Object {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true,
},
"VersioningConfiguration": Object {
"Status": "Enabled",
},
},
"Type": "AWS::S3::Bucket",
"UpdateReplacePolicy": "Retain",
},
"CloudfrontLoggingBucketPolicy8FC0956D": Object {
"Properties": Object {
"Bucket": Object {
"Ref": "CloudfrontLoggingBucket3C3EFAA7",
},
"PolicyDocument": Object {
"Statement": Array [
Object {
"Action": "*",
"Condition": Object {
"Bool": Object {
"aws:SecureTransport": "false",
},
},
"Effect": "Deny",
"Principal": Object {
"AWS": "*",
},
"Resource": Array [
Object {
"Fn::Join": Array [
"",
Array [
Object {
"Fn::GetAtt": Array [
"CloudfrontLoggingBucket3C3EFAA7",
"Arn",
],
},
"/*",
],
],
},
Object {
"Fn::GetAtt": Array [
"CloudfrontLoggingBucket3C3EFAA7",
"Arn",
],
},
],
"Sid": "HttpsOnly",
},
],
"Version": "2012-10-17",
},
},
"Type": "AWS::S3::BucketPolicy",
},
"LambdaFunctionBF21E41F": Object {
"DependsOn": Array [
"LambdaFunctionServiceRoleC555A460",
Expand Up @@ -237,7 +237,7 @@ test('test cloudfront for Api Gateway override properties', () => {
Logging: {
Bucket: {
"Fn::GetAtt": [
"CloudfrontLoggingBucket3C3EFAA7",
"CloudFrontDistributionLoggingBucket0F015D0B",
"RegionalDomainName"
]
}
Expand Down Expand Up @@ -346,7 +346,7 @@ test('test override cloudfront add custom lambda@edge', () => {
Logging: {
Bucket: {
"Fn::GetAtt": [
"CloudfrontLoggingBucket3C3EFAA7",
"CloudFrontDistributionLoggingBucket0F015D0B",
"RegionalDomainName"
]
}
Expand Down Expand Up @@ -483,7 +483,7 @@ test('test override cloudfront replace custom lambda@edge', () => {
Logging: {
Bucket: {
"Fn::GetAtt": [
"CloudfrontLoggingBucket3C3EFAA7",
"CloudFrontDistributionLoggingBucket0F015D0B",
"RegionalDomainName"
]
}
Expand Down Expand Up @@ -556,4 +556,4 @@ test('test override cloudfront replace custom lambda@edge', () => {
]
}
});
});
});
Expand Up @@ -315,6 +315,19 @@ test('test cloudfront override cloudfront logging bucket ', () => {
});
});

test('test cloudfront disable cloudfront logging', () => {
const stack = new Stack();
const [sourceBucket] = buildS3Bucket(stack, {});

CloudFrontDistributionForS3(stack, sourceBucket, {
enableLogging: false,
});

expect(stack).toHaveResourceLike("AWS::CloudFront::Distribution", {
DistributionConfig: {Logging: null}
});
});

test('test cloudfront override properties', () => {
const stack = new Stack();
const [sourceBucket] = buildS3Bucket(stack, {});
Expand Down Expand Up @@ -565,4 +578,4 @@ test('test override cloudfront replace custom lambda@edge', () => {
]
}
});
});
});
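Review bot: The new test `'test cloudfront disable cloudfront logging'` only checks `DistributionConfig: {Logging: null}` on the distribution, not the commit's actual claim that no log bucket is created, so a regression that silently provisions a bucket elsewhere would still pass. Adding a resource count next to the existing expectation pins it: `expect(stack).toCountResources("AWS::S3::Bucket", 1);` (the one bucket being the `sourceBucket` from `buildS3Bucket`). A short comment on that line, `// only the source bucket; no CloudFront log bucket when logging is disabled`, would make the intent clear to the next reader.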
