README
¶
Vibe-io CDK-Extensions Stacks Library
These are full-stack solutions, offering rapid deployment of commonly used enterprise scale patterns with little to no configuration needed.
All Stacks utilize patterns and constructs from the cdk-extensions library.
Stacks
AwsLoggingStack
- Summary
- Usage
- The Athena Queries
- Application Load Balancer
- CloudFront
- CloudTrail
- VPC FlowLogs
- S3 Access Logs
- SES
- WAF
- More Info About The Resources
- Examples
Summary
Having a good logging strategy for your AWS Services is a recommended best practice in every case. It increases operational visibility and strengthens an enterprise's security posture in a measurable manner.
It is recommended, but it is not always easy to set up, and it is rarely done for you.
A good logging strategy for AWS services should utilize the most cost effective, secure, and reliable solutions available, and include data analysis that can yield actionable intelligence.
- This will mean storing logs in S3, typically with secure encryption and versioning enabled, as well as Cfn Retention set.
- Creating a secure Glue Database for storage and analysis of log data
- Writing custom Glue jobs that can extract and transform logs from S3, and store them in the Glue database
- Writing Athena queries tuned for that particular service's log data, that can produce good information, and saving them as named queries
The AwsLoggingStack sets that up for seven of the AWS services where it is most frequently needed, handling everything from bucket to query for:
- Application Load Balancer
- CloudFront
- CloudTrail
- VPC FlowLogs
- S3(Access Logs)
- SES
- WAF
S3 Access logging is enabled for all the logging buckets, with logs delivered to the
S3AccessLogsBucket.
Usage
All S3 buckets, Glue resources, and Athena queries are created using cdk_extensions modules. As such, this stack can be initialized with no parameters to rapidly deploy an industry standard logging strategy into an AWS account, including recommended named Athena Queries for each service.
Install
To import and use this module within your CDK project:
TypeScript
import { AwsLoggingStack } from 'cdk-extensions/stacks';
new AwsLoggingStack(this, 'AwsLoggingStack')
Python
from cdk_extensions.stacks import (
AwsLoggingStack
)
aws_logging_stack = AwsLoggingStack(self, 'AwsLoggingStack')
Enable Logging
AwsLoggingStack manages buckets, glue tables, and permissions. All that is left is to start delivering the logs.
Remember that logging configuration for most aws-cdk-lib constructs will require
an L2 construct(i.e. iBucket), but the resources created by the AwsLoggingStack
are L1 constructs(i.e. CfnBucket). In order to configure cdk-extensions logging
buckets, they must be first wrapped in an L2 construct.
logging_stack = new AwsLoggingStack(this, 'LoggingStack')
const l2_cloudtrail_bucket = s3.Bucket.fromCfnBucket(
logging_stack.cloudtraillogsBucket.resource
);
const trail = new cloudtrail.Trail(this, 'myCloudTrail', {
bucket: l2_cloudtrail_bucket
});
Follow the docs for each service or resource to enable logging to the respective
AwsLoggingStack S3 buckets:
-
As described in the documentation linked above, SES event logs first need to publish to an intermediate service, such as Kinesis Firehose, and then be streamed to the S3 bucket(opinionated Firehose constructs are also available in cdk-extensions/kinesis-firehose)
The Athena Queries
Once beyond the nuts and bolts of setting up logging buckets and glue jobs to get important data into a secure format that can be queried, your data provides its best value through well written Athena queries that draw out important metrics and actionable intelligence. The AwsLoggingStack creates a few immediately useful
CfnNamedQueriesfor each service to get you started.Application Load Balancer
Two Athena queries provide valuable insight into traffic to your ALB:
- alb-top-ips: Gets the 100 most active IP addresses by request count.
- alb-5xx-errors: Gets the 100 most recent ELB 5XX responses
CloudFront Distribution
Four Athena queries provide valuable insight into traffic across your CDNs.
- cloudfront-distribution-statistics: Gets statistics for CloudFront distributions for the last day.
- cloudfront-request-errors: Gets the 100 most recent requests that resulted in an error from CloudFront.
- cloudfront-top-ips: Gets the 100 most active IP addresses by request count.
- cloudfront-top-objects: Gets the 100 most requested CloudFront objects.
CloudTrail
Two Athena queries provide valuable insight into user activity on your AWS account.
- cloudtrail-unauthorized-errors: Gets the 100 most recent unauthorized AWS API calls.
- cloudtrail-user-logins: Gets the 100 most recent AWS user logins.
VPC FlowLogs
An Athena query is created to expose info about rejected internal traffic
- flow-logs-internal-rejected: Gets the 100 most recent rejected packets that stayed within the private network ranges.
S3 Access Logs
An Athena query is created that exposes failed attempts to access your S3 buckets
- s3-request-errors: Gets the 100 most recent failed S3 access requests.
SES
Protect your domain, and your enterprise's, sending reputation by tracking bounces and complaints
- ses-bounces: Gets the 100 most recent bounces from the last day.
- ses-complaints: Gets the 100 most recent complaints from the last day.
WAF
Strategy is implemented for storage of WAF logs in S3 with ETL jobs loading to the Glue table, but no default Athena queries have been added yet.
More Info About The Resources
This solution utilizes the AwsLoggingStack patterns from the cdk-extensions/glue-tables and cdk-extensions/s3-buckets libraries, which in turn utilize constructs from cdk-extensions Glue and Athena libraries. Detailed info about each is covered their respective documentation.
Examples
TypeScript
bin/demo.ts
#!/usr/bin/env node import * as cdk from 'aws-cdk-lib'; import { DemoStack } from '../lib/demo-stack'; import { AwsLoggingStack } from 'cdk-extensions/stacks'; const app = new cdk.App(); // For some cases, like ALB and Flow Logs, we can not have an environment agnostic // stack const env = { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION } const aws_logging_stack = new AwsLoggingStack(app, 'AwsLoggingStack', { env: env }); new DemoStack(app, 'DemoStack', { env: env, aws_logging_stack: aws_logging_stack });/lib/demo-stack
import { App, Stack, StackProps, aws_s3 as s3, aws_elasticloadbalancingv2 as elbv2, aws_ec2 as ec2, aws_cloudfront as cloudfront, aws_cloudfront_origins as origins, aws_cloudtrail as cloudtrail, aws_iam as iam, aws_ses as ses, aws_wafv2 as wafv2 } from 'aws-cdk-lib'; import { Construct } from 'constructs'; import { AwsLoggingStack } from 'cdk-extensions/stacks'; import * as firehose from '@aws-cdk/aws-kinesisfirehose-alpha'; import { S3Bucket } from '@aws-cdk/aws-kinesisfirehose-destinations-alpha'; export interface DemoProps extends StackProps { readonly aws_logging_stack: AwsLoggingStack; } export class DemoStack extends Stack { // input properties public readonly aws_logging_stack: AwsLoggingStack; constructor(scope: Construct, id: string, props: DemoProps) { super(scope, id, props); /************** VPC FLOW LOGS ***************/ // Wrap L1 logging bucket in L2 Construct const flow_logs_bucket = s3.Bucket.fromCfnBucket( props.aws_logging_stack.flowLogsBucket.resource ); // Create a VPC const vpc = new ec2.Vpc(this, 'VPC'); // Enable flow log output to the FlowLogs bucket for the new VPC new ec2.FlowLog(this, 'FlowLog', { resourceType: ec2.FlowLogResourceType.fromVpc(vpc), destination: ec2.FlowLogDestination.toS3( flow_logs_bucket ) }); /*************** S3 ACCESS LOGS ****************/ const s3_access_logs_bucket = s3.Bucket.fromCfnBucket( props.aws_logging_stack.s3AccessLogsBucket.resource ); // Create a simple S3 bucket, with access logging sent to // the s3AccessLogsBucket const s3Bucket = new s3.Bucket(this, 'WebsiteBucket', { serverAccessLogsBucket: s3_access_logs_bucket }); /**************** CLOUDFRONT LOGS *****************/ // Wrap L1 logging bucket in L2 Construct const cloudfront_logs_bucket = s3.Bucket.fromCfnBucket( props.aws_logging_stack.cloudfrontLogsBucket.resource ); // Create a CDN in front of the demo bucket, with logBucket configured // to the cloudfrontLogsBucket const cdn = new cloudfront.Distribution(this, 'Distro', { defaultBehavior: { origin: new origins.S3Origin(s3Bucket) }, logBucket: cloudfront_logs_bucket }); /**************** ALB ACCESS LOGS *****************/ // Wrap L1 bucket in L2 construct // Create a simple Load Balancer const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', { vpc }); // Send logs to the AlbLogsBucket lb.logAccessLogs( s3.Bucket.fromCfnBucket(props.aws_logging_stack.albLogsBucket.resource ) ); /*********** CLOUDTRAIL ************/ // // Wrap L1 logging bucket in L2 Construct const cloudtrail_logs_bucket = s3.Bucket.fromCfnBucket( props.aws_logging_stack.cloudtrailLogsBucket.resource ); // // Create a Cloudtrail trail that sends logs to the CloudtrailLogsBucket const trail = new cloudtrail.Trail(this, 'myCloudTrail', { bucket: cloudtrail_logs_bucket }); /********* SES LOGS **********/ // Wrap L1 logging bucket in L2 Construct const ses_logs_bucket = s3.Bucket.fromCfnBucket( props.aws_logging_stack.sesLogsBucket.resource ); // Creates IAM roles for firehose to assume const destinationRole = new iam.Role(this, 'Destination Role', { assumedBy: new iam.ServicePrincipal('firehose.amazonaws.com'), }); const deliveryStreamRole = new iam.Role(this, 'Delivery Stream Role', { assumedBy: new iam.ServicePrincipal('firehose.amazonaws.com'), }); // Specify the roles created above when defining the destination and delivery stream. // Connects Kinesis Firehose to the SES Logs Bucket const destination = new S3Bucket(ses_logs_bucket, {role: destinationRole}); // Create the Kinesis DeliveryStream for the SES log destination const delivery_stream = new firehose.DeliveryStream(this, 'KinesisStream', { destinations: [destination], role: deliveryStreamRole }); // Creates an SES ConfigurationSet with reputation metrics enabled const config_set = new ses.ConfigurationSet(this, 'ConfigurationSet', { reputationMetrics: true }); // Set up permissions for SES to publish events to Kinesis Firehose // Creates service principal we can use to restrict the IAM role to the ConfigurationSet const service_principal = new iam.PrincipalWithConditions(new iam.ServicePrincipal('ses.amazonaws.com'), { "StringEquals": { "AWS:SourceAccount": [process.env.CDK_DEFAULT_ACCOUNT], "AWS:SourceArn": [ `arn:aws:ses:${process.env.CDK_DEFAULT_REGION}:${process.env.CDK_DEFAULT_ACCOUNT}:configuration-set/${config_set.configurationSetName}` ] } } ); // Create the IAM Role const sesRole = new iam.Role(this, 'SES Role', { assumedBy: new iam.ServicePrincipal('ses.amazonaws.com'), // It's important to add the firehose permissions as inline // policies. If policies are added after role creation, CDK // will not know to wait, and may fail to create the ConfigurationSet // due to insufficient permissions inlinePolicies: { 'root': new iam.PolicyDocument({ statements: [ new iam.PolicyStatement({ effect: iam.Effect.ALLOW, actions: [ 'firehose:PutRecord', 'firehose:PutRecordBatch' ], resources: [ delivery_stream.deliveryStreamArn ] }) ] }) } }); // Creates a Configuraton Set Event Destination that will send all SES events // to the Kinesis Firehose Stream. const cfnConfigurationSetEventDestination = new ses.CfnConfigurationSetEventDestination(this, 'MyCfnConfigurationSetEventDestination', { configurationSetName: config_set.configurationSetName, eventDestination: { matchingEventTypes: [ 'send', 'reject', 'bounce', 'complaint', 'delivery', 'open', 'click', 'renderingFailure' ], enabled: true, kinesisFirehoseDestination: { deliveryStreamArn: delivery_stream.deliveryStreamArn, iamRoleArn: sesRole.roleArn } } }); // TODO: Manually configure any verified SES sending domains, or emails, for which // event publishing is desired to use the above configuration set /***** WAF ******/ // Create a simple WAF with default settings and no rules const cfnWebACL = new wafv2.CfnWebACL(this, 'MyCfnWebACL', { defaultAction: { allow: {} }, scope: 'REGIONAL', visibilityConfig: { cloudWatchMetricsEnabled: true, metricName:'MetricForWebACLCDK', sampledRequestsEnabled: true, }, }); // Create a logging configuration for the WAF logging bucket const cfnLoggingConfiguration = new wafv2.CfnLoggingConfiguration(this, 'MyCfnLoggingConfiguration', { logDestinationConfigs: [props.aws_logging_stack.wafLogsBucket.bucketArn], resourceArn: cfnWebACL.attrArn }); }
}
Documentation
¶
Index ¶
- func AwsLoggingStack_IsConstruct(x interface{}) *bool
- func AwsLoggingStack_IsStack(x interface{}) *bool
- func AwsLoggingStack_Of(construct constructs.IConstruct) awscdk.Stack
- func NewAwsLoggingStack_Override(a AwsLoggingStack, scope constructs.Construct, id *string, ...)
- type AwsLoggingStack
- type AwsLoggingStackProps
- type LoggingWorkGroupConfiguration
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AwsLoggingStack_IsConstruct ¶
func AwsLoggingStack_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.
func AwsLoggingStack_IsStack ¶
func AwsLoggingStack_IsStack(x interface{}) *bool
Return whether the given object is a Stack.
We do attribute detection since we can't reliably use 'instanceof'.
func AwsLoggingStack_Of ¶
func AwsLoggingStack_Of(construct constructs.IConstruct) awscdk.Stack
Looks up the first stack scope in which `construct` is defined.
Fails if there is no stack up the tree.
func NewAwsLoggingStack_Override ¶
func NewAwsLoggingStack_Override(a AwsLoggingStack, scope constructs.Construct, id *string, props *AwsLoggingStackProps)
Creates a new instance of the AwsLoggingStack class.
Types ¶
type AwsLoggingStack ¶
type AwsLoggingStack interface {
awscdk.Stack
// The AWS account into which this stack will be deployed.
//
// This value is resolved according to the following rules:
//
// 1. The value provided to `env.account` when the stack is defined. This can
// either be a concrete account (e.g. `585695031111`) or the
// `Aws.ACCOUNT_ID` token.
// 3. `Aws.ACCOUNT_ID`, which represents the CloudFormation intrinsic reference
// `{ "Ref": "AWS::AccountId" }` encoded as a string token.
//
// Preferably, you should use the return value as an opaque string and not
// attempt to parse it to implement your logic. If you do, you must first
// check that it is a concrete value an not an unresolved token. If this
// value is an unresolved token (`Token.isUnresolved(stack.account)` returns
// `true`), this implies that the user wishes that this stack will synthesize
// into a **account-agnostic template**. In this case, your code should either
// fail (throw an error, emit a synth error using `Annotations.of(construct).addError()`) or
// implement some other region-agnostic behavior.
Account() *string
AlbLogsBucket() s3buckets.AlbLogsBucket
// The ID of the cloud assembly artifact for this stack.
ArtifactId() *string
// Returns the list of AZs that are available in the AWS environment (account/region) associated with this stack.
//
// If the stack is environment-agnostic (either account and/or region are
// tokens), this property will return an array with 2 tokens that will resolve
// at deploy-time to the first two availability zones returned from CloudFormation's
// `Fn::GetAZs` intrinsic function.
//
// If they are not available in the context, returns a set of dummy values and
// reports them as missing, and let the CLI resolve them by calling EC2
// `DescribeAvailabilityZones` on the target environment.
//
// To specify a different strategy for selecting availability zones override this method.
AvailabilityZones() *[]*string
// Indicates whether the stack requires bundling or not.
BundlingRequired() *bool
CloudfrontLogsBucket() s3buckets.CloudfrontLogsBucket
CloudtrailLogsBucket() s3buckets.CloudtrailBucket
Database() glue.Database
// Name for the AWS Logs Glue Database.
DatabaseName() *string
// Return the stacks this stack depends on.
Dependencies() *[]awscdk.Stack
// The environment coordinates in which this stack is deployed.
//
// In the form
// `aws://account/region`. Use `stack.account` and `stack.region` to obtain
// the specific values, no need to parse.
//
// You can use this value to determine if two stacks are targeting the same
// environment.
//
// If either `stack.account` or `stack.region` are not concrete values (e.g.
// `Aws.ACCOUNT_ID` or `Aws.REGION`) the special strings `unknown-account` and/or
// `unknown-region` will be used respectively to indicate this stack is
// region/account-agnostic.
Environment() *string
FlowLogsBucket() s3buckets.FlowLogsBucket
// A cdk-extentions/ec2 {@link aws-ec2 !FlowLogFormat } object defining the desired formatting for Flow Logs.
FlowLogsFormat() ec2.FlowLogFormat
// Boolean for adding "friendly names" for the created Athena queries.
FriendlyQueryNames() *bool
// Indicates if this is a nested stack, in which case `parentStack` will include a reference to it's parent.
Nested() *bool
// If this is a nested stack, returns it's parent stack.
NestedStackParent() awscdk.Stack
// If this is a nested stack, this represents its `AWS::CloudFormation::Stack` resource.
//
// `undefined` for top-level (non-nested) stacks.
NestedStackResource() awscdk.CfnResource
// The tree node.
Node() constructs.Node
// Returns the list of notification Amazon Resource Names (ARNs) for the current stack.
NotificationArns() *[]*string
// The partition in which this stack is defined.
Partition() *string
// The AWS region into which this stack will be deployed (e.g. `us-west-2`).
//
// This value is resolved according to the following rules:
//
// 1. The value provided to `env.region` when the stack is defined. This can
// either be a concrete region (e.g. `us-west-2`) or the `Aws.REGION`
// token.
// 3. `Aws.REGION`, which is represents the CloudFormation intrinsic reference
// `{ "Ref": "AWS::Region" }` encoded as a string token.
//
// Preferably, you should use the return value as an opaque string and not
// attempt to parse it to implement your logic. If you do, you must first
// check that it is a concrete value an not an unresolved token. If this
// value is an unresolved token (`Token.isUnresolved(stack.region)` returns
// `true`), this implies that the user wishes that this stack will synthesize
// into a **region-agnostic template**. In this case, your code should either
// fail (throw an error, emit a synth error using `Annotations.of(construct).addError()`) or
// implement some other region-agnostic behavior.
Region() *string
S3AccessLogsBucket() s3buckets.S3AccessLogsBucket
SesLogsBucket() s3buckets.SesLogsBucket
// The ID of the stack.
//
// Example:
// // After resolving, looks like
// 'arn:aws:cloudformation:us-west-2:123456789012:stack/teststack/51af3dc0-da77-11e4-872e-1234567db123'
//
StackId() *string
// The concrete CloudFormation physical stack name.
//
// This is either the name defined explicitly in the `stackName` prop or
// allocated based on the stack's location in the construct tree. Stacks that
// are directly defined under the app use their construct `id` as their stack
// name. Stacks that are defined deeper within the tree will use a hashed naming
// scheme based on the construct path to ensure uniqueness.
//
// If you wish to obtain the deploy-time AWS::StackName intrinsic,
// you can use `Aws.STACK_NAME` directly.
StackName() *string
// Boolean for using standardized names (i.e. "aws-${service}-logs-${account} -${region}") for the created S3 Buckets.
StandardizeNames() *bool
// Synthesis method for this stack.
Synthesizer() awscdk.IStackSynthesizer
// Tags to be applied to the stack.
Tags() awscdk.TagManager
// The name of the CloudFormation template file emitted to the output directory during synthesis.
//
// Example value: `MyStack.template.json`
TemplateFile() *string
// Options for CloudFormation template (like version, transform, description).
TemplateOptions() awscdk.ITemplateOptions
// Whether termination protection is enabled for this stack.
TerminationProtection() *bool
SetTerminationProtection(val *bool)
// The Amazon domain suffix for the region in which this stack is defined.
UrlSuffix() *string
WafLogsBucket() s3buckets.WafLogsBucket
WorkGroup() athena.WorkGroup
// Controls settings for an Athena WorkGroup used to query logs produced by AWS services.
WorkGroupConfiguration() *LoggingWorkGroupConfiguration
// Add a dependency between this stack and another stack.
//
// This can be used to define dependencies between any two stacks within an
// app, and also supports nested stacks.
AddDependency(target awscdk.Stack, reason *string)
// Adds an arbitary key-value pair, with information you want to record about the stack.
//
// These get translated to the Metadata section of the generated template.
// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
//
AddMetadata(key *string, value interface{})
// Add a Transform to this stack. A Transform is a macro that AWS CloudFormation uses to process your template.
//
// Duplicate values are removed when stack is synthesized.
//
// Example:
// declare const stack: Stack;
//
// stack.addTransform('AWS::Serverless-2016-10-31')
//
// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-section-structure.html
//
AddTransform(transform *string)
// Returns the naming scheme used to allocate logical IDs.
//
// By default, uses
// the `HashedAddressingScheme` but this method can be overridden to customize
// this behavior.
//
// In order to make sure logical IDs are unique and stable, we hash the resource
// construct tree path (i.e. toplevel/secondlevel/.../myresource) and add it as
// a suffix to the path components joined without a separator (CloudFormation
// IDs only allow alphanumeric characters).
//
// The result will be:
//
// <path.join(”)><md5(path.join('/')>
// "human" "hash"
//
// If the "human" part of the ID exceeds 240 characters, we simply trim it so
// the total ID doesn't exceed CloudFormation's 255 character limit.
//
// We only take 8 characters from the md5 hash (0.000005 chance of collision).
//
// Special cases:
//
// - If the path only contains a single component (i.e. it's a top-level
// resource), we won't add the hash to it. The hash is not needed for
// disambiguation and also, it allows for a more straightforward migration an
// existing CloudFormation template to a CDK stack without logical ID changes
// (or renames).
// - For aesthetic reasons, if the last components of the path are the same
// (i.e. `L1/L2/Pipeline/Pipeline`), they will be de-duplicated to make the
// resulting human portion of the ID more pleasing: `L1L2Pipeline<HASH>`
// instead of `L1L2PipelinePipeline<HASH>`
// - If a component is named "Default" it will be omitted from the path. This
// allows refactoring higher level abstractions around constructs without affecting
// the IDs of already deployed resources.
// - If a component is named "Resource" it will be omitted from the user-visible
// path, but included in the hash. This reduces visual noise in the human readable
// part of the identifier.
AllocateLogicalId(cfnElement awscdk.CfnElement) *string
// Create a CloudFormation Export for a string list value.
//
// Returns a string list representing the corresponding `Fn.importValue()`
// expression for this Export. The export expression is automatically wrapped with an
// `Fn::Join` and the import value with an `Fn::Split`, since CloudFormation can only
// export strings. You can control the name for the export by passing the `name` option.
//
// If you don't supply a value for `name`, the value you're exporting must be
// a Resource attribute (for example: `bucket.bucketName`) and it will be
// given the same name as the automatic cross-stack reference that would be created
// if you used the attribute in another Stack.
//
// One of the uses for this method is to *remove* the relationship between
// two Stacks established by automatic cross-stack references. It will
// temporarily ensure that the CloudFormation Export still exists while you
// remove the reference from the consuming stack. After that, you can remove
// the resource and the manual export.
//
// See `exportValue` for an example of this process.
ExportStringListValue(exportedValue interface{}, options *awscdk.ExportValueOptions) *[]*string
// Create a CloudFormation Export for a string value.
//
// Returns a string representing the corresponding `Fn.importValue()`
// expression for this Export. You can control the name for the export by
// passing the `name` option.
//
// If you don't supply a value for `name`, the value you're exporting must be
// a Resource attribute (for example: `bucket.bucketName`) and it will be
// given the same name as the automatic cross-stack reference that would be created
// if you used the attribute in another Stack.
//
// One of the uses for this method is to *remove* the relationship between
// two Stacks established by automatic cross-stack references. It will
// temporarily ensure that the CloudFormation Export still exists while you
// remove the reference from the consuming stack. After that, you can remove
// the resource and the manual export.
//
// ## Example
//
// Here is how the process works. Let's say there are two stacks,
// `producerStack` and `consumerStack`, and `producerStack` has a bucket
// called `bucket`, which is referenced by `consumerStack` (perhaps because
// an AWS Lambda Function writes into it, or something like that).
//
// It is not safe to remove `producerStack.bucket` because as the bucket is being
// deleted, `consumerStack` might still be using it.
//
// Instead, the process takes two deployments:
//
// ### Deployment 1: break the relationship
//
// - Make sure `consumerStack` no longer references `bucket.bucketName` (maybe the consumer
// stack now uses its own bucket, or it writes to an AWS DynamoDB table, or maybe you just
// remove the Lambda Function altogether).
// - In the `ProducerStack` class, call `this.exportValue(this.bucket.bucketName)`. This
// will make sure the CloudFormation Export continues to exist while the relationship
// between the two stacks is being broken.
// - Deploy (this will effectively only change the `consumerStack`, but it's safe to deploy both).
//
// ### Deployment 2: remove the bucket resource
//
// - You are now free to remove the `bucket` resource from `producerStack`.
// - Don't forget to remove the `exportValue()` call as well.
// - Deploy again (this time only the `producerStack` will be changed -- the bucket will be deleted).
ExportValue(exportedValue interface{}, options *awscdk.ExportValueOptions) *string
// Creates an ARN from components.
//
// If `partition`, `region` or `account` are not specified, the stack's
// partition, region and account will be used.
//
// If any component is the empty string, an empty string will be inserted
// into the generated ARN at the location that component corresponds to.
//
// The ARN will be formatted as follows:
//
// arn:{partition}:{service}:{region}:{account}:{resource}{sep}{resource-name}
//
// The required ARN pieces that are omitted will be taken from the stack that
// the 'scope' is attached to. If all ARN pieces are supplied, the supplied scope
// can be 'undefined'.
FormatArn(components *awscdk.ArnComponents) *string
// Allocates a stack-unique CloudFormation-compatible logical identity for a specific resource.
//
// This method is called when a `CfnElement` is created and used to render the
// initial logical identity of resources. Logical ID renames are applied at
// this stage.
//
// This method uses the protected method `allocateLogicalId` to render the
// logical ID for an element. To modify the naming scheme, extend the `Stack`
// class and override this method.
GetLogicalId(element awscdk.CfnElement) *string
// Look up a fact value for the given fact for the region of this stack.
//
// Will return a definite value only if the region of the current stack is resolved.
// If not, a lookup map will be added to the stack and the lookup will be done at
// CDK deployment time.
//
// What regions will be included in the lookup map is controlled by the
// `@aws-cdk/core:target-partitions` context value: it must be set to a list
// of partitions, and only regions from the given partitions will be included.
// If no such context key is set, all regions will be included.
//
// This function is intended to be used by construct library authors. Application
// builders can rely on the abstractions offered by construct libraries and do
// not have to worry about regional facts.
//
// If `defaultValue` is not given, it is an error if the fact is unknown for
// the given region.
RegionalFact(factName *string, defaultValue *string) *string
// Rename a generated logical identities.
//
// To modify the naming scheme strategy, extend the `Stack` class and
// override the `allocateLogicalId` method.
RenameLogicalId(oldId *string, newId *string)
// Indicate that a context key was expected.
//
// Contains instructions which will be emitted into the cloud assembly on how
// the key should be supplied.
ReportMissingContextKey(report *cloudassemblyschema.MissingContext)
// Resolve a tokenized value in the context of the current stack.
Resolve(obj interface{}) interface{}
// Splits the provided ARN into its components.
//
// Works both if 'arn' is a string like 'arn:aws:s3:::bucket',
// and a Token representing a dynamic CloudFormation expression
// (in which case the returned components will also be dynamic CloudFormation expressions,
// encoded as Tokens).
SplitArn(arn *string, arnFormat awscdk.ArnFormat) *awscdk.ArnComponents
// Convert an object, potentially containing tokens, to a JSON string.
ToJsonString(obj interface{}, space *float64) *string
// Returns a string representation of this construct.
ToString() *string
// Convert an object, potentially containing tokens, to a YAML string.
ToYamlString(obj interface{}) *string
}
Creates a Stack that deploys a logging strategy for several AWS services.
Stack creates a Glue Database using cdk-extensions Database, deploys cdk-extensions/s3-buckets patterns for each service, and utilizes methods exposed by cdk-extensions/s3-buckets S3AccessLogsBucket to enable logging for each created bucket. See: {@link aws-s3-buckets !WafLogsBucket | cdk-extensions/s3-buckets WafLogsBucket}
func NewAwsLoggingStack ¶
func NewAwsLoggingStack(scope constructs.Construct, id *string, props *AwsLoggingStackProps) AwsLoggingStack
Creates a new instance of the AwsLoggingStack class.
type AwsLoggingStackProps ¶
type AwsLoggingStackProps struct {
// Include runtime versioning information in this Stack.
// Default: `analyticsReporting` setting of containing `App`, or value of
// 'aws:cdk:version-reporting' context key.
//
AnalyticsReporting *bool `field:"optional" json:"analyticsReporting" yaml:"analyticsReporting"`
// Enable this flag to allow native cross region stack references.
//
// Enabling this will create a CloudFormation custom resource
// in both the producing stack and consuming stack in order to perform the export/import
//
// This feature is currently experimental.
// Default: false.
//
CrossRegionReferences *bool `field:"optional" json:"crossRegionReferences" yaml:"crossRegionReferences"`
// A description of the stack.
// Default: - No description.
//
Description *string `field:"optional" json:"description" yaml:"description"`
// The AWS environment (account/region) where this stack will be deployed.
//
// Set the `region`/`account` fields of `env` to either a concrete value to
// select the indicated environment (recommended for production stacks), or to
// the values of environment variables
// `CDK_DEFAULT_REGION`/`CDK_DEFAULT_ACCOUNT` to let the target environment
// depend on the AWS credentials/configuration that the CDK CLI is executed
// under (recommended for development stacks).
//
// If the `Stack` is instantiated inside a `Stage`, any undefined
// `region`/`account` fields from `env` will default to the same field on the
// encompassing `Stage`, if configured there.
//
// If either `region` or `account` are not set nor inherited from `Stage`, the
// Stack will be considered "*environment-agnostic*"". Environment-agnostic
// stacks can be deployed to any environment but may not be able to take
// advantage of all features of the CDK. For example, they will not be able to
// use environmental context lookups such as `ec2.Vpc.fromLookup` and will not
// automatically translate Service Principals to the right format based on the
// environment's AWS partition, and other such enhancements.
//
// Example:
// // Use a concrete account and region to deploy this stack to:
// // `.account` and `.region` will simply return these values.
// new Stack(app, 'Stack1', {
// env: {
// account: '123456789012',
// region: 'us-east-1'
// },
// });
//
// // Use the CLI's current credentials to determine the target environment:
// // `.account` and `.region` will reflect the account+region the CLI
// // is configured to use (based on the user CLI credentials)
// new Stack(app, 'Stack2', {
// env: {
// account: process.env.CDK_DEFAULT_ACCOUNT,
// region: process.env.CDK_DEFAULT_REGION
// },
// });
//
// // Define multiple stacks stage associated with an environment
// const myStage = new Stage(app, 'MyStage', {
// env: {
// account: '123456789012',
// region: 'us-east-1'
// }
// });
//
// // both of these stacks will use the stage's account/region:
// // `.account` and `.region` will resolve to the concrete values as above
// new MyStack(myStage, 'Stack1');
// new YourStack(myStage, 'Stack2');
//
// // Define an environment-agnostic stack:
// // `.account` and `.region` will resolve to `{ "Ref": "AWS::AccountId" }` and `{ "Ref": "AWS::Region" }` respectively.
// // which will only resolve to actual values by CloudFormation during deployment.
// new MyStack(app, 'Stack1');
//
// Default: - The environment of the containing `Stage` if available,
// otherwise create the stack will be environment-agnostic.
//
Env *awscdk.Environment `field:"optional" json:"env" yaml:"env"`
// Options for applying a permissions boundary to all IAM Roles and Users created within this Stage.
// Default: - no permissions boundary is applied.
//
PermissionsBoundary awscdk.PermissionsBoundary `field:"optional" json:"permissionsBoundary" yaml:"permissionsBoundary"`
// Name to deploy the stack with.
// Default: - Derived from construct path.
//
StackName *string `field:"optional" json:"stackName" yaml:"stackName"`
// Enable this flag to suppress indentation in generated CloudFormation templates.
//
// If not specified, the value of the `@aws-cdk/core:suppressTemplateIndentation`
// context key will be used. If that is not specified, then the
// default value `false` will be used.
// Default: - the value of `@aws-cdk/core:suppressTemplateIndentation`, or `false` if that is not set.
//
SuppressTemplateIndentation *bool `field:"optional" json:"suppressTemplateIndentation" yaml:"suppressTemplateIndentation"`
// Synthesis method to use while deploying this stack.
//
// The Stack Synthesizer controls aspects of synthesis and deployment,
// like how assets are referenced and what IAM roles to use. For more
// information, see the README of the main CDK package.
//
// If not specified, the `defaultStackSynthesizer` from `App` will be used.
// If that is not specified, `DefaultStackSynthesizer` is used if
// `@aws-cdk/core:newStyleStackSynthesis` is set to `true` or the CDK major
// version is v2. In CDK v1 `LegacyStackSynthesizer` is the default if no
// other synthesizer is specified.
// Default: - The synthesizer specified on `App`, or `DefaultStackSynthesizer` otherwise.
//
Synthesizer awscdk.IStackSynthesizer `field:"optional" json:"synthesizer" yaml:"synthesizer"`
// Stack tags that will be applied to all the taggable resources and the stack itself.
// Default: {}.
//
Tags *map[string]*string `field:"optional" json:"tags" yaml:"tags"`
// Whether to enable termination protection for this stack.
// Default: false.
//
TerminationProtection *bool `field:"optional" json:"terminationProtection" yaml:"terminationProtection"`
// A cdk-extensions/s3-buckets {@link aws-s3-buckets !AlbLogsBucket} object.
AlbLogsBucket s3buckets.AlbLogsBucket `field:"optional" json:"albLogsBucket" yaml:"albLogsBucket"`
// A cdk-extensions/s3-buckets {@link aws-s3-buckets !CloudfrontLogsBucket} object.
CloudfrontLogsBucket s3buckets.CloudfrontLogsBucket `field:"optional" json:"cloudfrontLogsBucket" yaml:"cloudfrontLogsBucket"`
// A cdk-extensions/s3-buckets {@link aws-s3-buckets !CloudtrailBucket} object.
CloudtrailLogsBucket s3buckets.CloudtrailBucket `field:"optional" json:"cloudtrailLogsBucket" yaml:"cloudtrailLogsBucket"`
// Name used for the Glue Database that will be created.
DatabaseName *string `field:"optional" json:"databaseName" yaml:"databaseName"`
// A cdk-extensions/s3-buckets {@link aws-s3-buckets !FlowLogsBucket} object.
FlowLogsBucket s3buckets.FlowLogsBucket `field:"optional" json:"flowLogsBucket" yaml:"flowLogsBucket"`
// A cdk-extentions/ec2 {@link aws-ec2 !FlowLogFormat } object defining the desired formatting for Flow Logs.
FlowLogsFormat ec2.FlowLogFormat `field:"optional" json:"flowLogsFormat" yaml:"flowLogsFormat"`
// Boolean for adding "friendly names" for the created Athena queries.
FriendlyQueryNames *bool `field:"optional" json:"friendlyQueryNames" yaml:"friendlyQueryNames"`
// A cdk-extensions/s3-buckets {@link aws-s3-buckets !SesLogsBucket} object.
SesLogsBucket s3buckets.SesLogsBucket `field:"optional" json:"sesLogsBucket" yaml:"sesLogsBucket"`
// Boolean for using "standardized" naming (i.e. "aws-${service}-logs-${account} -${region}") for the created S3 Buckets.
StandardizeNames *bool `field:"optional" json:"standardizeNames" yaml:"standardizeNames"`
// A cdk-extensions/s3-buckets {@link aws-s3-buckets !WafLogsBucket} object.
WafLogsBucket s3buckets.WafLogsBucket `field:"optional" json:"wafLogsBucket" yaml:"wafLogsBucket"`
// Controls settings for an Athena WorkGroup used to query logs produced by AWS services.
WorkGroupConfiguration *LoggingWorkGroupConfiguration `field:"optional" json:"workGroupConfiguration" yaml:"workGroupConfiguration"`
}
Configuration for AwsLoggingStack.
type LoggingWorkGroupConfiguration ¶ added in v0.0.56
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.