Record OpenSearch error logs

MCP asked us to do this for compliance purposes.
nasa-gcn · Aug 6, 2024 · eeb2460 · eeb2460
1 parent aab58aa
commit eeb2460
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 0 deletions.
diff --git a/index.ts b/index.ts
@@ -61,6 +61,19 @@ async function executeSearchRequests(cwd: string) {
   }
 }
 
+function addTransforms(
+  cloudformation: { Transform?: string[] | string },
+  ...transforms: string[]
+) {
+  if (cloudformation.Transform === undefined) {
+    cloudformation.Transform = transforms
+  } else if (typeof cloudformation.Transform === 'string') {
+    cloudformation.Transform = [cloudformation.Transform, ...transforms]
+  } else {
+    cloudformation.Transform.push(...transforms)
+  }
+}
+
 export const deploy = {
   // @ts-expect-error: The Architect plugins API has no type definitions.
   start({ cloudformation, inventory, arc, stage }) {
@@ -74,6 +87,7 @@ export const deploy = {
       resources = serverlessCloudformationResources(collectionName)
     }
     Object.assign(cloudformation.Resources, resources)
+    addTransforms(cloudformation, 'AWS::LanguageExtensions')
     return cloudformation
   },
   // @ts-expect-error: The Architect plugins API has no type definitions.

diff --git a/service.ts b/service.ts
@@ -36,8 +36,38 @@ export function cloudformationResources({
   }
 
   return {
+    OpenSearchLogGroup: {
+      Type: 'AWS::Logs::LogGroup',
+      Properties: {
+        LogGroupName: {
+          'Fn::Sub':
+            '/aws/OpenSearchService/stacks/${AWS::StackName}/application-logs',
+        },
+      },
+    },
+    OpenSearchLogPolicy: {
+      Type: 'AWS::Logs::ResourcePolicy',
+      Properties: {
+        PolicyName: { 'Fn::Sub': '${AWS::StackName}-OpenSearchLogPolicy' },
+        PolicyDocument: {
+          'Fn::ToJsonString': {
+            Version: '2012-10-17',
+            Statement: [
+              {
+                Sid: '',
+                Effect: 'Allow',
+                Principal: { Service: 'es.amazonaws.com' },
+                Action: ['logs:PutLogEvents', 'logs:CreateLogStream'],
+                Resource: { 'Fn::GetAtt': ['OpenSearchLogGroup', 'Arn'] },
+              },
+            ],
+          },
+        },
+      },
+    },
     OpenSearchServiceDomain: {
       Type: 'AWS::OpenSearchService::Domain',
+      DependsOn: 'OpenSearchLogPolicy',
       Properties: {
         AccessPolicies: {
           Version: '2012-10-17',
@@ -67,6 +97,14 @@ export function cloudformationResources({
         EBSOptions: { EBSEnabled: true, VolumeSize },
         EncryptionAtRestOptions: { Enabled: true },
         IPAddressType: 'dualstack',
+        LogPublishingOptions: {
+          ES_APPLICATION_LOGS: {
+            CloudWatchLogsLogGroupArn: {
+              'Fn::GetAtt': ['OpenSearchLogGroup', 'Arn'],
+            },
+            Enabled: true,
+          },
+        },
         NodeToNodeEncryptionOptions: { Enabled: true },
       },
     },