fix(apigateway): Add contextOwnerAccountId log pattern (#21989)

Closes: #21731 As mentioned in the referenced PR the `contextAccountId` doc string contained the wrong docstring as it in fact returns the callers account id. Implemented a the fix as per the ticket recommendation. ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Sep 14, 2022 · c24027b · c24027b
1 parent ebca8c6
commit c24027b
Show file tree

Hide file tree

Showing 12 changed files with 789 additions and 4 deletions.
diff --git a/packages/@aws-cdk/aws-apigateway/lib/access-log.ts b/packages/@aws-cdk/aws-apigateway/lib/access-log.ts
@@ -43,12 +43,27 @@ export class LogGroupLogDestination implements IAccessLogDestination {
  */
 export class AccessLogField {
   /**
-   * The API owner's AWS account ID.
+   * The API callers AWS account ID.
+   * @deprecated Use `contextCallerAccountId` or `contextOwnerAccountId` instead
    */
   public static contextAccountId() {
     return '$context.identity.accountId';
   }
 
+  /**
+   * The API callers AWS account ID.
+   */
+  public static contextCallerAccountId() {
+    return '$context.identity.accountId';
+  }
+
+  /**
+   * The API owner's AWS account ID.
+   */
+  public static contextOwnerAccountId() {
+    return '$context.accountId';
+  }
+
   /**
    * The identifier API Gateway assigns to your API.
    */

diff --git a/packages/@aws-cdk/aws-apigateway/test/access-log.test.ts b/packages/@aws-cdk/aws-apigateway/test/access-log.test.ts
@@ -31,12 +31,13 @@ describe('access log', () => {
       requestId: apigateway.AccessLogField.contextRequestId(),
       sourceIp: apigateway.AccessLogField.contextIdentitySourceIp(),
       method: apigateway.AccessLogField.contextHttpMethod(),
-      accountId: apigateway.AccessLogField.contextAccountId(),
+      callerAccountId: apigateway.AccessLogField.contextCallerAccountId(),
+      ownerAccountId: apigateway.AccessLogField.contextOwnerAccountId(),
       userContext: {
         sub: apigateway.AccessLogField.contextAuthorizerClaims('sub'),
         email: apigateway.AccessLogField.contextAuthorizerClaims('email'),
       },
     }));
-    expect(testFormat.toString()).toEqual('{"requestId":"$context.requestId","sourceIp":"$context.identity.sourceIp","method":"$context.httpMethod","accountId":"$context.identity.accountId","userContext":{"sub":"$context.authorizer.claims.sub","email":"$context.authorizer.claims.email"}}');
+    expect(testFormat.toString()).toEqual('{"requestId":"$context.requestId","sourceIp":"$context.identity.sourceIp","method":"$context.httpMethod","callerAccountId":"$context.identity.accountId","ownerAccountId":"$context.accountId","userContext":{"sub":"$context.authorizer.claims.sub","email":"$context.authorizer.claims.email"}}');
   });
 });
diff --git a/packages/@aws-cdk/aws-apigateway/test/integ.cors.ts b/packages/@aws-cdk/aws-apigateway/test/integ.cors.ts
@@ -1,9 +1,9 @@
 import * as path from 'path';
 import * as lambda from '@aws-cdk/aws-lambda';
 import { App, Stack, StackProps } from '@aws-cdk/core';
+import { IntegTest } from '@aws-cdk/integ-tests';
 import { Construct } from 'constructs';
 import * as apigw from '../lib';
-import { IntegTest } from '@aws-cdk/integ-tests';
 
 class TestStack extends Stack {
   constructor(scope: Construct, id: string, props?: StackProps) {

diff --git a/packages/@aws-cdk/aws-apigateway/test/integ.restapi.access-log.ts b/packages/@aws-cdk/aws-apigateway/test/integ.restapi.access-log.ts
@@ -0,0 +1,41 @@
+import * as logs from '@aws-cdk/aws-logs';
+import * as cdk from '@aws-cdk/core';
+import { IntegTest } from '@aws-cdk/integ-tests';
+import * as apigateway from '../lib';
+
+class Test extends cdk.Stack {
+  constructor(scope: cdk.App, id: string) {
+    super(scope, id);
+
+    const testFormat = apigateway.AccessLogFormat.custom(JSON.stringify({
+      requestId: apigateway.AccessLogField.contextRequestId(),
+      sourceIp: apigateway.AccessLogField.contextIdentitySourceIp(),
+      method: apigateway.AccessLogField.contextHttpMethod(),
+      callerAccountId: apigateway.AccessLogField.contextCallerAccountId(),
+      ownerAccountId: apigateway.AccessLogField.contextOwnerAccountId(),
+      userContext: {
+        sub: apigateway.AccessLogField.contextAuthorizerClaims('sub'),
+        email: apigateway.AccessLogField.contextAuthorizerClaims('email'),
+      },
+    }));
+
+    const logGroup = new logs.LogGroup(this, 'MyLogGroup');
+    const api = new apigateway.RestApi(this, 'MyApi', {
+      cloudWatchRole: true,
+      deployOptions: {
+        accessLogDestination: new apigateway.LogGroupLogDestination(logGroup),
+        accessLogFormat: testFormat,
+      },
+    });
+    api.root.addMethod('GET');
+  }
+}
+
+const app = new cdk.App();
+
+const testCase = new Test(app, 'test-apigateway-access-logs');
+new IntegTest(app, 'apigateway-access-logs', {
+  testCases: [testCase],
+});
+
+app.synth();
diff --git a/...access-log.integ.snapshot/apigatewayaccesslogsDefaultTestDeployAssert751ACD40.assets.json b/...access-log.integ.snapshot/apigatewayaccesslogsDefaultTestDeployAssert751ACD40.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "21.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "apigatewayaccesslogsDefaultTestDeployAssert751ACD40.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/...cess-log.integ.snapshot/apigatewayaccesslogsDefaultTestDeployAssert751ACD40.template.json b/...cess-log.integ.snapshot/apigatewayaccesslogsDefaultTestDeployAssert751ACD40.template.json
@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/packages/@aws-cdk/aws-apigateway/test/restapi.access-log.integ.snapshot/cdk.out b/packages/@aws-cdk/aws-apigateway/test/restapi.access-log.integ.snapshot/cdk.out
@@ -0,0 +1 @@
+{"version":"21.0.0"}
diff --git a/packages/@aws-cdk/aws-apigateway/test/restapi.access-log.integ.snapshot/integ.json b/packages/@aws-cdk/aws-apigateway/test/restapi.access-log.integ.snapshot/integ.json
@@ -0,0 +1,12 @@
+{
+  "version": "21.0.0",
+  "testCases": {
+    "apigateway-access-logs/DefaultTest": {
+      "stacks": [
+        "test-apigateway-access-logs"
+      ],
+      "assertionStack": "apigateway-access-logs/DefaultTest/DeployAssert",
+      "assertionStackName": "apigatewayaccesslogsDefaultTestDeployAssert751ACD40"
+    }
+  }
+}
diff --git a/packages/@aws-cdk/aws-apigateway/test/restapi.access-log.integ.snapshot/manifest.json b/packages/@aws-cdk/aws-apigateway/test/restapi.access-log.integ.snapshot/manifest.json
@@ -0,0 +1,153 @@
+{
+  "version": "21.0.0",
+  "artifacts": {
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
+    },
+    "test-apigateway-access-logs.assets": {
+      "type": "cdk:asset-manifest",
+      "properties": {
+        "file": "test-apigateway-access-logs.assets.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+      }
+    },
+    "test-apigateway-access-logs": {
+      "type": "aws:cloudformation:stack",
+      "environment": "aws://unknown-account/unknown-region",
+      "properties": {
+        "templateFile": "test-apigateway-access-logs.template.json",
+        "validateOnSynth": false,
+        "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
+        "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/bfcd014ed17d9d37eb988448edc7e87eb2ab77e6f7508bf3de2714a6322c99b3.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
+        "additionalDependencies": [
+          "test-apigateway-access-logs.assets"
+        ],
+        "lookupRole": {
+          "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
+          "requiresBootstrapStackVersion": 8,
+          "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+        }
+      },
+      "dependencies": [
+        "test-apigateway-access-logs.assets"
+      ],
+      "metadata": {
+        "/test-apigateway-access-logs/MyLogGroup/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyLogGroup5C0DAD85"
+          }
+        ],
+        "/test-apigateway-access-logs/MyApi/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyApi49610EDF"
+          }
+        ],
+        "/test-apigateway-access-logs/MyApi/CloudWatchRole/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyApiCloudWatchRole2BEC1A9C"
+          }
+        ],
+        "/test-apigateway-access-logs/MyApi/Account": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyApiAccount13882D84"
+          }
+        ],
+        "/test-apigateway-access-logs/MyApi/Deployment/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyApiDeploymentECB0D05E81594d6748b4b291f993111a5070d710"
+          }
+        ],
+        "/test-apigateway-access-logs/MyApi/DeploymentStage.prod/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyApiDeploymentStageprodE1054AF0"
+          }
+        ],
+        "/test-apigateway-access-logs/MyApi/Endpoint": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyApiEndpoint869ABE96"
+          }
+        ],
+        "/test-apigateway-access-logs/MyApi/Default/GET/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyApiGETD0C7AA0C"
+          }
+        ],
+        "/test-apigateway-access-logs/BootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "BootstrapVersion"
+          }
+        ],
+        "/test-apigateway-access-logs/CheckBootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "CheckBootstrapVersion"
+          }
+        ]
+      },
+      "displayName": "test-apigateway-access-logs"
+    },
+    "apigatewayaccesslogsDefaultTestDeployAssert751ACD40.assets": {
+      "type": "cdk:asset-manifest",
+      "properties": {
+        "file": "apigatewayaccesslogsDefaultTestDeployAssert751ACD40.assets.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+      }
+    },
+    "apigatewayaccesslogsDefaultTestDeployAssert751ACD40": {
+      "type": "aws:cloudformation:stack",
+      "environment": "aws://unknown-account/unknown-region",
+      "properties": {
+        "templateFile": "apigatewayaccesslogsDefaultTestDeployAssert751ACD40.template.json",
+        "validateOnSynth": false,
+        "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
+        "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
+        "additionalDependencies": [
+          "apigatewayaccesslogsDefaultTestDeployAssert751ACD40.assets"
+        ],
+        "lookupRole": {
+          "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
+          "requiresBootstrapStackVersion": 8,
+          "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+        }
+      },
+      "dependencies": [
+        "apigatewayaccesslogsDefaultTestDeployAssert751ACD40.assets"
+      ],
+      "metadata": {
+        "/apigateway-access-logs/DefaultTest/DeployAssert/BootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "BootstrapVersion"
+          }
+        ],
+        "/apigateway-access-logs/DefaultTest/DeployAssert/CheckBootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "CheckBootstrapVersion"
+          }
+        ]
+      },
+      "displayName": "apigateway-access-logs/DefaultTest/DeployAssert"
+    }
+  }
+}
diff --git a/...apigateway/test/restapi.access-log.integ.snapshot/test-apigateway-access-logs.assets.json b/...apigateway/test/restapi.access-log.integ.snapshot/test-apigateway-access-logs.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "21.0.0",
+  "files": {
+    "bfcd014ed17d9d37eb988448edc7e87eb2ab77e6f7508bf3de2714a6322c99b3": {
+      "source": {
+        "path": "test-apigateway-access-logs.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "bfcd014ed17d9d37eb988448edc7e87eb2ab77e6f7508bf3de2714a6322c99b3.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}