Make the access log bucket optional in the AWSCore CDK application (#4553)

* Make the access log bucket optional in the AWSCore CDK application

Signed-off-by: Junbo Liang <junbo@amazon.com>

Gems/AWSCore/cdk/README.md

@@ -64,6 +64,16 @@ To add additional dependencies, for example other CDK libraries, just add
 them to your `setup.py` file and rerun the `pip install -r requirements.txt`
 command.
 
+## Optional Features
+Server access logging is enabled by default. To disable the feature, use the following commands to synthesize and deploy this CDK application.
+
+```
+$ cdk synth -c disable_access_log=true --all
+$ cdk deploy -c disable_access_log=true --all
+```
+
+See https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html for more information about server access logging.
+
 ## Useful commands
 
  * `cdk ls`          list all stacks in the app

Gems/AWSCore/cdk/app.py

@@ -57,8 +57,9 @@ example_stack = ExampleResources(
     tags={Constants.O3DE_PROJECT_TAG_NAME: PROJECT_NAME, Constants.O3DE_FEATURE_TAG_NAME: FEATURE_NAME},
     env=env
 )
-#
+
-# Add the common stack as a dependency of the feature stack
+# Add the core stack as a dependency of the feature stack since the feature stack
+# requires the core stack outputs for deployment.
 example_stack.add_dependency(core_construct.common_stack)
 
 app.synth()

Gems/AWSCore/cdk/core/core_stack.py

@@ -60,17 +60,6 @@ class CoreStack(core.Stack):
                 type='TAG_FILTERS_1_0')
         )
 
-        # Create an S3 bucket for Amazon S3 server access logging
-        # See https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html
-        self._server_access_logs_bucket = s3.Bucket(
-            self,
-            f'{self._project_name}-{self._feature_name}-Access-Log-Bucket',
-            block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
-            encryption=s3.BucketEncryption.S3_MANAGED,
-            access_control=s3.BucketAccessControl.LOG_DELIVERY_WRITE
-        )
-        self._server_access_logs_bucket.grant_read(self._admin_group)
-
         # Define exports
         # Export resource group
         self._resource_group_output = core.CfnOutput(
@@ -94,10 +83,22 @@ class CoreStack(core.Stack):
             export_name=f"{self._project_name}:AdminGroup",
             value=self._admin_group.group_arn)
 
-        # Export access log bucket name
+        # Create an S3 bucket for Amazon S3 server access logging
-        self._server_access_logs_bucket_output = core.CfnOutput(
+        # See https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html
-            self,
+        if self.node.try_get_context('disable_access_log') != 'true':
-            id=f'ServerAccessLogsBucketOutput',
+            self._server_access_logs_bucket = s3.Bucket(
-            description='Name of the S3 bucket for storing server access logs generated by the sample CDK application(s)',
+                self,
-            export_name=f"{self._project_name}:ServerAccessLogsBucket",
+                f'{self._project_name}-{self._feature_name}-Access-Log-Bucket',
-            value=self._server_access_logs_bucket.bucket_name)
+                block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
+                encryption=s3.BucketEncryption.S3_MANAGED,
+                access_control=s3.BucketAccessControl.LOG_DELIVERY_WRITE
+            )
+            self._server_access_logs_bucket.grant_read(self._admin_group)
+
+            # Export access log bucket name
+            self._server_access_logs_bucket_output = core.CfnOutput(
+                self,
+                id=f'ServerAccessLogsBucketOutput',
+                description='Name of the S3 bucket for storing server access logs generated by the sample CDK application(s)',
+                export_name=f"{self._project_name}:ServerAccessLogsBucket",
+                value=self._server_access_logs_bucket.bucket_name)

Gems/AWSCore/cdk/example/example_resources_stack.py

@@ -118,19 +118,23 @@ class ExampleResources(core.Stack):
         #    https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html
         # 3. Enable Amazon S3 server access logging
         #    https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html
-        server_access_logs_bucket = s3.Bucket.from_bucket_name(
+        server_access_logs_bucket = None
-            self,
+        if self.node.try_get_context('disable_access_log') != 'true':
-            f'{self._project_name}-{self._feature_name}-ImportedAccessLogsBucket',
+            server_access_logs_bucket = s3.Bucket.from_bucket_name(
-            core.Fn.import_value(f"{self._project_name}:ServerAccessLogsBucket")
+                self,
-        )
+                f'{self._project_name}-{self._feature_name}-ImportedAccessLogsBucket',
+                core.Fn.import_value(f"{self._project_name}:ServerAccessLogsBucket")
+            )
 
         example_bucket = s3.Bucket(
             self,
             f'{self._project_name}-{self._feature_name}-Example-S3bucket',
             block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
             encryption=s3.BucketEncryption.S3_MANAGED,
-            server_access_logs_bucket=server_access_logs_bucket,
+            server_access_logs_bucket=
-            server_access_logs_prefix=f'{self._project_name}-{self._feature_name}-{self.region}-AccessLogs'
+            server_access_logs_bucket if server_access_logs_bucket else None,
+            server_access_logs_prefix=
+            f'{self._project_name}-{self._feature_name}-{self.region}-AccessLogs' if server_access_logs_bucket else None
         )
 
         s3_deployment.BucketDeployment(

scripts/build/Platform/Windows/deploy_cdk_applications.cmd

@@ -57,7 +57,7 @@ IF ERRORLEVEL 1 (
     exit /b 1
 )
 
-CALL :DeployCDKApplication AWSCore --all
+CALL :DeployCDKApplication AWSCore --all "-c disable_access_log=true"
 IF ERRORLEVEL 1 (
     exit /b 1
 )