fix: elb logging on (#843)

addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/application-load-balancer.cfn.yml

@@ -22,6 +22,9 @@ Parameters:
   PublicRouteTableId:
     Type: String
     Description: Public Route Table ID
+  LoggingBucket:
+    Type: String
+    Description: Bucket for ELB Logs
 
   # For an ALB - You must specify subnets from at least two Availability Zones.
   # AWS recommends Availability Zone subnet for your load balancer to have a CIDR block with at least a /27 bitmask
@@ -150,6 +153,13 @@ Resources:
         !If [AppStreamEnabled, [!Ref PrivateSubnet1, !Ref PrivateSubnet2], [!Ref PublicSubnet1, !Ref PublicSubnet2]]
       SecurityGroups:
         - Ref: ALBSecurityGroup
+      LoadBalancerAttributes:
+        - Key: 'access_logs.s3.enabled'
+          Value: 'true'
+        - Key: 'access_logs.s3.bucket'
+          Value: !Ref LoggingBucket
+        - Key: 'access_logs.s3.prefix'
+          Value: 'elb'
 
   ALBSecurityGroup:
     Type: AWS::EC2::SecurityGroup

addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml

@@ -460,6 +460,7 @@ Resources:
               - elasticloadbalancing:DescribeRules
               - elasticloadbalancing:AddTags
               - elasticloadbalancing:RemoveTags
+              - elasticloadbalancing:ModifyLoadBalancerAttributes
             Resource: '*' # For the actions listed above IAM does not support resource-level permissions and requires all resources to be chosen
           - Effect: Allow
             Action:

addons/addon-base-raas/packages/base-raas-services/lib/alb/__tests__/alb-service.test.js

@@ -24,6 +24,9 @@ const AwsServiceMock = require('@aws-ee/base-services/lib/aws/aws-service');
 jest.mock('@aws-ee/base-services/lib/audit/audit-writer-service');
 const AuditServiceMock = require('@aws-ee/base-services/lib/audit/audit-writer-service');
 
+jest.mock('@aws-ee/base-services/lib/settings/env-settings-service');
+const SettingsServiceMock = require('@aws-ee/base-services/lib/settings/env-settings-service');
+
 jest.mock('../../indexes/indexes-service');
 const IndexServiceMock = require('../../indexes/indexes-service');
 
@@ -50,6 +53,7 @@ describe('ALBService', () => {
   let cfnTemplateService = null;
   let albClient = null;
   let ec2Client = null;
+  let settings;
   const albDetails = {
     createdAt: '2021-05-21T13:06:58.216Z',
     id: 'test-id',
@@ -71,13 +75,17 @@ describe('ALBService', () => {
     container.register('cfnTemplateService', new CfnTemplateServiceMock());
     container.register('environmentScService', new EnvironmentScServiceMock());
     container.register('auditWriterService', new AuditServiceMock());
+    container.register('settings', new SettingsServiceMock());
 
     await container.initServices();
 
     // Get instance of the service we are testing
     service = await container.find('albService');
     projectService = await container.find('projectService');
     cfnTemplateService = await container.find('cfnTemplateService');
+    settings = await container.find('settings');
+    settings.get = jest.fn(() => 'samplelogbucket');
+
     // Skip authorization
     service.assertAuthorized = jest.fn();
   });
@@ -303,6 +311,10 @@ describe('ALBService', () => {
             ParameterKey: 'PublicRouteTableId',
             ParameterValue: 'N/A',
           },
+          {
+            ParameterKey: 'LoggingBucket',
+            ParameterValue: 'samplelogbucket',
+          },
         ],
         TemplateBody: ['template'],
         Tags: [
@@ -357,6 +369,10 @@ describe('ALBService', () => {
             ParameterKey: 'PublicRouteTableId',
             ParameterValue: 'rtb-sampleRouteTableId',
           },
+          {
+            ParameterKey: 'LoggingBucket',
+            ParameterValue: 'samplelogbucket',
+          },
         ],
         TemplateBody: ['template'],
         Tags: [

addons/addon-base-raas/packages/base-raas-services/lib/alb/alb-service.js

@@ -19,6 +19,7 @@ const Service = require('@aws-ee/base-services-container/lib/service');
 const settingKeys = {
   domainName: 'domainName',
   isAppStreamEnabled: 'isAppStreamEnabled',
+  loggingBucketName: 'loggingBucketName',
 };
 
 class ALBService extends Service {
@@ -106,6 +107,7 @@ class ALBService extends Service {
       'PublicRouteTableId',
       _.isUndefined(awsAccountDetails.appStreamSecurityGroupId) ? awsAccountDetails.publicRouteTableId : 'N/A',
     );
+    addParam('LoggingBucket', this.settings.get(settingKeys.loggingBucketName));
 
     const input = {
       StackName: resolvedVars.namespace,

main/solution/backend/config/infra/functions.yml

@@ -215,4 +215,5 @@ workflowLoopRunner:
     APP_EGRESS_STORE_KMS_KEY_ARN: !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/${self:custom.settings.egressStoreKmsKeyAlias}
     APP_EGRESS_STORE_KMS_POLICY_WORKSPACE_SID: ${self:custom.settings.egressStoreKmsPolicyWorkspaceSid}
     APP_IS_APP_STREAM_ENABLED: ${self:custom.settings.isAppStreamEnabled}
-    APP_PERMISSION_BOUNDARY_POLICY_STUDY_BUCKET_ARN: !Sub arn:aws:iam::${AWS::AccountId}:policy/${self:custom.settings.permissionBoundaryPolicyStudyBucket}
+    APP_PERMISSION_BOUNDARY_POLICY_STUDY_BUCKET_ARN: !Sub arn:aws:iam::${AWS::AccountId}:policy/${self:custom.settings.permissionBoundaryPolicyStudyBucket}
+    APP_LOGGING_BUCKET_NAME: ${self:custom.settings.loggingBucketName}

main/solution/infrastructure/config/infra/cloudformation.yml

@@ -11,6 +11,59 @@ Conditions:
 
 Description: (SO0144) Service Workbench on AWS Solution
 
+Mappings:
+  ELBAccountIDMapping:
+    us-east-1:
+      Id: '127311923021'
+    us-east-2:
+      Id: '033677994240'
+    us-west-1:
+      Id: '027434742980'
+    us-west-2:
+      Id: '797873946194'
+    af-south-1:
+      Id: '098369216593'
+    ca-central-1:
+      Id: '985666609251'
+    eu-central-1:
+      Id: '054676820928'
+    eu-west-1:
+      Id: '156460612806'
+    eu-west-2:
+      Id: '652711504416'
+    eu-south-1:
+      Id: '635631232127'
+    eu-west-3:
+      Id: '009996457667'
+    eu-north-1:
+      Id: '897822967062'
+    ap-east-1:
+      Id: '754344448648'
+    ap-northeast-1:
+      Id: '582318560864'
+    ap-northeast-2:
+      Id: '600734575887'
+    ap-northeast-3:
+      Id: '383597477331'
+    ap-southeast-1:
+      Id: '114774131450'
+    ap-southeast-2:
+      Id: '783225319266'
+    ap-south-1:
+      Id: '718504428378'
+    me-south-1:
+      Id: '076674570225'
+    sa-east-1:
+      Id: '507241528517'
+    us-gov-west-1:
+      Id: '048591011584'
+    us-gov-east-1:
+      Id: '190560391635'
+    cn-north-1:
+      Id: '638102146993'
+    cn-northwest-1:
+      Id: '037604701340'
+
 Resources:
   # =============================================================================================
   # S3 Buckets
@@ -58,6 +111,27 @@ Resources:
             Condition:
               StringNotEquals:
                 s3:signatureversion: 'AWS4-HMAC-SHA256'
+          - Sid: ELB Logging permissions
+            Effect: Allow
+            Principal:
+              AWS: !Join ['', ['arn:aws:iam::', !FindInMap [ELBAccountIDMapping, !Ref 'AWS::Region', Id], ':root']]
+            Action: s3:PutObject
+            Resource: !Join ['', ['arn:aws:s3:::', !Ref LoggingBucket, '/elb/AWSLogs/*/*']]
+          - Sid: ELB Logging permissions
+            Effect: Allow
+            Principal:
+              Service: delivery.logs.amazonaws.com
+            Action: s3:PutObject
+            Resource: !Join ['', ['arn:aws:s3:::', !Ref LoggingBucket, '/elb/AWSLogs/*/*']]
+            Condition:
+              StringEquals:
+                s3:x-amz-acl: bucket-owner-full-control
+          - Sid: ELB Logging permissions
+            Effect: Allow
+            Principal:
+              Service: delivery.logs.amazonaws.com
+            Action: s3:GetBucketAcl
+            Resource: !Join ['', ['arn:aws:s3:::', !Ref LoggingBucket]]
 
   # S3 Bucket for the static website
   WebsiteBucket: