Make the access log bucket optional in the AWSCore CDK application (#4553)

* Make the access log bucket optional in the AWSCore CDK application Signed-off-by: Junbo Liang <junbo@amazon.com>
4 years ago · a5cd1b55e4
parent 5ff6e9951f
commit a5cd1b55e4
5 changed files with 44 additions and 28 deletions
--- a/Gems/AWSCore/cdk/README.md
+++ b/Gems/AWSCore/cdk/README.md
@ -64,6 +64,16 @@ To add additional dependencies, for example other CDK libraries, just add
 them to your `setup.py` file and rerun the `pip install -r requirements.txt`
 command.

+## Optional Features
+Server access logging is enabled by default. To disable the feature, use the following commands to synthesize and deploy this CDK application.
+
+```
+$ cdk synth -c disable_access_log=true --all
+$ cdk deploy -c disable_access_log=true --all
+```
+
+See https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html for more information about server access logging.
+
 ## Useful commands

 * `cdk ls`          list all stacks in the app
--- a/Gems/AWSCore/cdk/app.py
+++ b/Gems/AWSCore/cdk/app.py
@ -57,8 +57,9 @@ example_stack = ExampleResources(
    tags={Constants.O3DE_PROJECT_TAG_NAME: PROJECT_NAME, Constants.O3DE_FEATURE_TAG_NAME: FEATURE_NAME},
    env=env
 )
-#
-# Add the common stack as a dependency of the feature stack
+
+# Add the core stack as a dependency of the feature stack since the feature stack
+# requires the core stack outputs for deployment.
 example_stack.add_dependency(core_construct.common_stack)

 app.synth()
--- a/Gems/AWSCore/cdk/core/core_stack.py
+++ b/Gems/AWSCore/cdk/core/core_stack.py
@ -60,17 +60,6 @@ class CoreStack(core.Stack):
                type='TAG_FILTERS_1_0')
        )

-        # Create an S3 bucket for Amazon S3 server access logging
-        # See https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html
-        self._server_access_logs_bucket = s3.Bucket(
-            self,
-            f'{self._project_name}-{self._feature_name}-Access-Log-Bucket',
-            block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
-            encryption=s3.BucketEncryption.S3_MANAGED,
-            access_control=s3.BucketAccessControl.LOG_DELIVERY_WRITE
-        )
-        self._server_access_logs_bucket.grant_read(self._admin_group)
-
        # Define exports
        # Export resource group
        self._resource_group_output = core.CfnOutput(
@ -94,6 +83,18 @@ class CoreStack(core.Stack):
            export_name=f"{self._project_name}:AdminGroup",
            value=self._admin_group.group_arn)

+        # Create an S3 bucket for Amazon S3 server access logging
+        # See https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html
+        if self.node.try_get_context('disable_access_log') != 'true':
+            self._server_access_logs_bucket = s3.Bucket(
+                self,
+                f'{self._project_name}-{self._feature_name}-Access-Log-Bucket',
+                block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
+                encryption=s3.BucketEncryption.S3_MANAGED,
+                access_control=s3.BucketAccessControl.LOG_DELIVERY_WRITE
+            )
+            self._server_access_logs_bucket.grant_read(self._admin_group)
+
            # Export access log bucket name
            self._server_access_logs_bucket_output = core.CfnOutput(
                self,
--- a/Gems/AWSCore/cdk/example/example_resources_stack.py
+++ b/Gems/AWSCore/cdk/example/example_resources_stack.py
@ -118,6 +118,8 @@ class ExampleResources(core.Stack):
        #    https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html
        # 3. Enable Amazon S3 server access logging
        #    https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html
+        server_access_logs_bucket = None
+        if self.node.try_get_context('disable_access_log') != 'true':
            server_access_logs_bucket = s3.Bucket.from_bucket_name(
                self,
                f'{self._project_name}-{self._feature_name}-ImportedAccessLogsBucket',
@ -129,8 +131,10 @@ class ExampleResources(core.Stack):
            f'{self._project_name}-{self._feature_name}-Example-S3bucket',
            block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
            encryption=s3.BucketEncryption.S3_MANAGED,
-            server_access_logs_bucket=server_access_logs_bucket,
-            server_access_logs_prefix=f'{self._project_name}-{self._feature_name}-{self.region}-AccessLogs'
+            server_access_logs_bucket=
+            server_access_logs_bucket if server_access_logs_bucket else None,
+            server_access_logs_prefix=
+            f'{self._project_name}-{self._feature_name}-{self.region}-AccessLogs' if server_access_logs_bucket else None
        )

        s3_deployment.BucketDeployment(
--- a/scripts/build/Platform/Windows/deploy_cdk_applications.cmd
+++ b/scripts/build/Platform/Windows/deploy_cdk_applications.cmd
@ -57,7 +57,7 @@ IF ERRORLEVEL 1 (
    exit /b 1
 )

-CALL :DeployCDKApplication AWSCore --all
+CALL :DeployCDKApplication AWSCore --all "-c disable_access_log=true"
 IF ERRORLEVEL 1 (
    exit /b 1
 )