birkeh
/
o3de
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Make the access log bucket optional in the AWSCore CDK application (#4553)

Browse Source 
* Make the access log bucket optional in the AWSCore CDK application

Signed-off-by: Junbo Liang <junbo@amazon.com>
monroegm-disable-blank-issue-2
Junbo Liang 4 years ago committed by GitHub
parent 5ff6e9951f
commit a5cd1b55e4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 44 additions and 28 deletions
Show Stats Download Patch File Download Diff File

10
Gems/AWSCore/cdk/README.md
Unescape Escape View File

@ -64,6 +64,16 @@ To add additional dependencies, for example other CDK libraries, just add
them to your `setup.py` file and rerun the `pip install -r requirements.txt` them to your `setup.py` file and rerun the `pip install -r requirements.txt`
command. command.
## Optional Features
Server access logging is enabled by default. To disable the feature, use the following commands to synthesize and deploy this CDK application.
```
$ cdk synth -c disable_access_log=true --all
$ cdk deploy -c disable_access_log=true --all
```
See https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html for more information about server access logging.
## Useful commands ## Useful commands
* `cdk ls` list all stacks in the app * `cdk ls` list all stacks in the app

5
Gems/AWSCore/cdk/app.py
Unescape Escape View File

@ -57,8 +57,9 @@ example_stack = ExampleResources(
tags={Constants.O3DE_PROJECT_TAG_NAME: PROJECT_NAME, Constants.O3DE_FEATURE_TAG_NAME: FEATURE_NAME}, tags={Constants.O3DE_PROJECT_TAG_NAME: PROJECT_NAME, Constants.O3DE_FEATURE_TAG_NAME: FEATURE_NAME},
env=env env=env
) )
#
# Add the common stack as a dependency of the feature stack # Add the core stack as a dependency of the feature stack since the feature stack
# requires the core stack outputs for deployment.
example_stack.add_dependency(core_construct.common_stack) example_stack.add_dependency(core_construct.common_stack)
app.synth() app.synth()

23
Gems/AWSCore/cdk/core/core_stack.py
Unescape Escape View File

@ -60,17 +60,6 @@ class CoreStack(core.Stack):
type='TAG_FILTERS_1_0') type='TAG_FILTERS_1_0')
) )
# Create an S3 bucket for Amazon S3 server access logging
# See https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html
self._server_access_logs_bucket = s3.Bucket(
self,
f'{self._project_name}-{self._feature_name}-Access-Log-Bucket',
block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
encryption=s3.BucketEncryption.S3_MANAGED,
access_control=s3.BucketAccessControl.LOG_DELIVERY_WRITE
)
self._server_access_logs_bucket.grant_read(self._admin_group)
# Define exports # Define exports
# Export resource group # Export resource group
self._resource_group_output = core.CfnOutput( self._resource_group_output = core.CfnOutput(
@ -94,6 +83,18 @@ class CoreStack(core.Stack):
export_name=f"{self._project_name}:AdminGroup", export_name=f"{self._project_name}:AdminGroup",
value=self._admin_group.group_arn) value=self._admin_group.group_arn)
# Create an S3 bucket for Amazon S3 server access logging
# See https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html
if self.node.try_get_context('disable_access_log') != 'true':
self._server_access_logs_bucket = s3.Bucket(
self,
f'{self._project_name}-{self._feature_name}-Access-Log-Bucket',
block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
encryption=s3.BucketEncryption.S3_MANAGED,
access_control=s3.BucketAccessControl.LOG_DELIVERY_WRITE
)
self._server_access_logs_bucket.grant_read(self._admin_group)
# Export access log bucket name # Export access log bucket name
self._server_access_logs_bucket_output = core.CfnOutput( self._server_access_logs_bucket_output = core.CfnOutput(
self, self,

8
Gems/AWSCore/cdk/example/example_resources_stack.py
Unescape Escape View File

@ -118,6 +118,8 @@ class ExampleResources(core.Stack):
# https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html # https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html
# 3. Enable Amazon S3 server access logging # 3. Enable Amazon S3 server access logging
# https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html # https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html
server_access_logs_bucket = None
if self.node.try_get_context('disable_access_log') != 'true':
server_access_logs_bucket = s3.Bucket.from_bucket_name( server_access_logs_bucket = s3.Bucket.from_bucket_name(
self, self,
f'{self._project_name}-{self._feature_name}-ImportedAccessLogsBucket', f'{self._project_name}-{self._feature_name}-ImportedAccessLogsBucket',
@ -129,8 +131,10 @@ class ExampleResources(core.Stack):
f'{self._project_name}-{self._feature_name}-Example-S3bucket', f'{self._project_name}-{self._feature_name}-Example-S3bucket',
block_public_access=s3.BlockPublicAccess.BLOCK_ALL, block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
encryption=s3.BucketEncryption.S3_MANAGED, encryption=s3.BucketEncryption.S3_MANAGED,
server_access_logs_bucket=server_access_logs_bucket, server_access_logs_bucket=
server_access_logs_prefix=f'{self._project_name}-{self._feature_name}-{self.region}-AccessLogs' server_access_logs_bucket if server_access_logs_bucket else None,
server_access_logs_prefix=
f'{self._project_name}-{self._feature_name}-{self.region}-AccessLogs' if server_access_logs_bucket else None
) )
s3_deployment.BucketDeployment( s3_deployment.BucketDeployment(

2
scripts/build/Platform/Windows/deploy_cdk_applications.cmd
Unescape Escape View File

@ -57,7 +57,7 @@ IF ERRORLEVEL 1 (
exit /b 1 exit /b 1
) )
CALL :DeployCDKApplication AWSCore --all CALL :DeployCDKApplication AWSCore --all "-c disable_access_log=true"
IF ERRORLEVEL 1 ( IF ERRORLEVEL 1 (
exit /b 1 exit /b 1
) )

Write Preview
Loading…
Cancel
Save