feat(aws-lambda-s3): added logS3AccessLogs and updated tests (#496)
* added logS3AccessLogs and updated tests

* empty commit
mickychetta committed Nov 9, 2021
1 parent 85b5f7a commit 9922938
Showing 13 changed files with 94 additions and 206 deletions.
Expand Up @@ -61,6 +61,7 @@ _Parameters_
|deployVpc?|`boolean`|Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:<ul><li> One isolated subnet in each Availability Zone used by the CDK program</li><li>`enableDnsHostnames` and `enableDnsSupport` will both be set to true</li></ul>If this property is `true` then `existingVpc` cannot be specified. Defaults to `false`.|
|bucketEnvironmentVariableName?|`string`|Optional name for the S3 bucket environment variable set for the Lambda function.|
|loggingBucketProps?|[`s3.BucketProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.BucketProps.html)|Optional user provided props to override the default props for the S3 Logging Bucket.|
|logS3AccessLogs?| boolean|Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true|

## Pattern Properties

Expand All @@ -70,6 +71,7 @@ _Parameters_
|s3Bucket?|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html)|Returns an instance of the S3 bucket created by the pattern.|
|s3LoggingBucket?|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html)|Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary bucket.|
|vpc?|[`ec2.IVpc`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-ec2.IVpc.html)|Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.|
|s3BucketInterface|[`s3.IBucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.IBucket.html)|Returns an instance of s3.IBucket created by the construct.|

## Default settings

Expand Up @@ -80,6 +80,13 @@ export interface LambdaToS3Props {
* @default - Default props are used
*/
readonly loggingBucketProps?: s3.BucketProps
/**
* Whether to turn on Access Logs for the S3 bucket with the associated storage costs.
* Enabling Access Logging is a best practice.
*
* @default - true
*/
readonly logS3AccessLogs?: boolean;
}

/**
Expand All @@ -90,6 +97,7 @@ export class LambdaToS3 extends Construct {
public readonly s3Bucket?: s3.Bucket;
public readonly s3LoggingBucket?: s3.Bucket;
public readonly vpc?: ec2.IVpc;
public readonly s3BucketInterface: s3.IBucket;

/**
* @summary Constructs a new instance of the LambdaToS3 class.
Expand All @@ -105,15 +113,7 @@ export class LambdaToS3 extends Construct {

let bucket: s3.IBucket;

if (props.existingBucketObj && props.bucketProps) {
throw new Error('Cannot specify both bucket properties and an existing bucket');
}

if (props.deployVpc || props.existingVpc) {
if (props.deployVpc && props.existingVpc) {
throw new Error("More than 1 VPC specified in the properties");
}

this.vpc = defaults.buildVpc(scope, {
defaultVpcProps: defaults.DefaultIsolatedVpcProps(),
existingVpc: props.existingVpc,
Expand All @@ -138,13 +138,16 @@ export class LambdaToS3 extends Construct {
if (!props.existingBucketObj) {
[this.s3Bucket, this.s3LoggingBucket] = defaults.buildS3Bucket(this, {
bucketProps: props.bucketProps,
loggingBucketProps: props.loggingBucketProps
loggingBucketProps: props.loggingBucketProps,
logS3AccessLogs: props.logS3AccessLogs
});
bucket = this.s3Bucket;
} else {
bucket = props.existingBucketObj;
}

this.s3BucketInterface = bucket;

// Configure environment variables
const bucketEnvironmentVariableName = props.bucketEnvironmentVariableName || 'S3_BUCKET_NAME';
this.lambdaFunction.addEnvironment(bucketEnvironmentVariableName, bucket.bucketName);
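Review bot: The two prop-conflict guards (`existingBucketObj` with `bucketProps`, `deployVpc` with `existingVpc`) are dropped from the constructor hunk starting at old line 105 and nothing in the new code shown re-establishes them; if that validation moved into a shared check invoked earlier in the constructor, the call is outside this hunk — confirm it exists, because otherwise both VPC inputs now reach `defaults.buildVpc` together and the choice between them is made silently. In the following hunk, `logS3AccessLogs: props.logS3AccessLogs` is forwarded unchanged, so the `@default - true` promised in the new prop doc is only honoured if `defaults.buildS3Bucket` applies it when the value is `undefined`; a comment at that call site, `// undefined here defers to the helper's default (documented as true)`, records the dependency. The constructor begins before this hunk.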
Expand Up @@ -146,7 +146,7 @@
}
},
"Handler": "index.handler",
"Runtime": "nodejs10.x",
"Runtime": "nodejs14.x",
"TracingConfig": {
"Mode": "Active"
}
Expand Up @@ -25,7 +25,7 @@ const stack = new Stack(app, generateIntegStackName(__filename));

new LambdaToS3(stack, 'test-lambda-s3', {
lambdaFunctionProps: {
runtime: lambda.Runtime.NODEJS_10_X,
runtime: lambda.Runtime.NODEJS_14_X,
handler: 'index.handler',
code: lambda.Code.fromAsset(`${__dirname}/lambda`)
},
Expand Up @@ -147,7 +147,7 @@
}
},
"Handler": "index.handler",
"Runtime": "nodejs10.x",
"Runtime": "nodejs14.x",
"TracingConfig": {
"Mode": "Active"
}
Expand Down Expand Up @@ -175,90 +175,6 @@
}
}
},
"testlambdas3S3LoggingBucketD42FC73D": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "LogDeliveryWrite",
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
},
"VersioningConfiguration": {
"Status": "Enabled"
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W35",
"reason": "This S3 bucket is used as the access logging bucket for another bucket"
}
]
}
}
},
"testlambdas3S3LoggingBucketPolicyCEAFB213": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "testlambdas3S3LoggingBucketD42FC73D"
},
"PolicyDocument": {
"Statement": [
{
"Action": "*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": [
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"testlambdas3S3LoggingBucketD42FC73D",
"Arn"
]
},
"/*"
]
]
},
{
"Fn::GetAtt": [
"testlambdas3S3LoggingBucketD42FC73D",
"Arn"
]
}
],
"Sid": "HttpsOnly"
}
],
"Version": "2012-10-17"
}
}
},
"testlambdas3S3Bucket179A52E6": {
"Type": "AWS::S3::Bucket",
"Properties": {
Expand All @@ -284,11 +200,6 @@
}
]
},
"LoggingConfiguration": {
"DestinationBucketName": {
"Ref": "testlambdas3S3LoggingBucketD42FC73D"
}
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
Expand All @@ -300,7 +211,17 @@
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
"DeletionPolicy": "Delete",
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W35",
"reason": "This S3 bucket is created for unit/ integration testing purposes only."
}
]
}
}
},
"testlambdas3S3BucketPolicyE899B211": {
"Type": "AWS::S3::BucketPolicy",
Expand Up @@ -16,6 +16,8 @@ import { App, Stack, RemovalPolicy } from "@aws-cdk/core";
import { LambdaToS3, LambdaToS3Props } from "../lib";
import * as lambda from '@aws-cdk/aws-lambda';
import { generateIntegStackName } from '@aws-solutions-constructs/core';
import * as s3 from "@aws-cdk/aws-s3";
import * as defaults from '@aws-solutions-constructs/core';

// Setup
const app = new App();
Expand All @@ -25,16 +27,24 @@ stack.templateOptions.description = 'Integration Test for aws-lambda-s3';
// Definitions
const props: LambdaToS3Props = {
lambdaFunctionProps: {
runtime: lambda.Runtime.NODEJS_10_X,
runtime: lambda.Runtime.NODEJS_14_X,
handler: 'index.handler',
code: lambda.Code.fromAsset(`${__dirname}/lambda`)
},
bucketProps: {
removalPolicy: RemovalPolicy.DESTROY,
}
},
logS3AccessLogs: false
};

new LambdaToS3(stack, 'test-lambda-s3', props);
const construct = new LambdaToS3(stack, 'test-lambda-s3', props);

const s3Bucket = construct.s3Bucket as s3.Bucket;

defaults.addCfnSuppressRules(s3Bucket, [
{ id: 'W35',
reason: 'This S3 bucket is created for unit/ integration testing purposes only.' },
]);

// Synth
app.synth();
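Review bot: `const s3Bucket = construct.s3Bucket as s3.Bucket;` silences the optional type instead of checking it; since this test supplies no `existingBucketObj`, the bucket is expected to exist, and a runtime guard states that expectation: `if (construct.s3Bucket === undefined) { throw new Error('expected the construct to create s3Bucket'); }` followed by `defaults.addCfnSuppressRules(construct.s3Bucket, [...])`. The W35 suppression is only justified by `logS3AccessLogs: false` a few lines above, so a comment tying them together, `// W35 (no access logging) is expected here because logS3AccessLogs is false`, keeps the flag and the suppression from drifting apart when either is edited. The new `import * as defaults` comes from the same package as the existing named import of `generateIntegStackName`; using `defaults.generateIntegStackName` would leave a single import of `@aws-solutions-constructs/core`.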
Expand Up @@ -188,7 +188,7 @@
}
},
"Handler": "index.handler",
"Runtime": "nodejs10.x",
"Runtime": "nodejs14.x",
"TracingConfig": {
"Mode": "Active"
},
Expand Down Expand Up @@ -237,90 +237,6 @@
}
}
},
"testlambdas3S3LoggingBucketD42FC73D": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "LogDeliveryWrite",
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
},
"VersioningConfiguration": {
"Status": "Enabled"
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W35",
"reason": "This S3 bucket is used as the access logging bucket for another bucket"
}
]
}
}
},
"testlambdas3S3LoggingBucketPolicyCEAFB213": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "testlambdas3S3LoggingBucketD42FC73D"
},
"PolicyDocument": {
"Statement": [
{
"Action": "*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Resource": [
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"testlambdas3S3LoggingBucketD42FC73D",
"Arn"
]
},
"/*"
]
]
},
{
"Fn::GetAtt": [
"testlambdas3S3LoggingBucketD42FC73D",
"Arn"
]
}
],
"Sid": "HttpsOnly"
}
],
"Version": "2012-10-17"
}
}
},
"testlambdas3S3Bucket179A52E6": {
"Type": "AWS::S3::Bucket",
"Properties": {
Expand All @@ -346,11 +262,6 @@
}
]
},
"LoggingConfiguration": {
"DestinationBucketName": {
"Ref": "testlambdas3S3LoggingBucketD42FC73D"
}
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
Expand All @@ -362,7 +273,17 @@
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
"DeletionPolicy": "Delete",
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W35",
"reason": "This S3 bucket is created for unit/ integration testing purposes only."
}
]
}
}
},
"testlambdas3S3BucketPolicyE899B211": {
"Type": "AWS::S3::BucketPolicy",