Merge branch 'main' into add-ec2-instance-types-classes

aws · Jul 6, 2022 · 4abaa83 · 4abaa83
2 parents f6ef31b + 43a0cec
commit 4abaa83
Show file tree

Hide file tree

Showing 50 changed files with 6,861 additions and 618 deletions.
diff --git a/packages/@aws-cdk/aws-dynamodb/README.md b/packages/@aws-cdk/aws-dynamodb/README.md
@@ -36,6 +36,8 @@ If you intend to use the `tableStreamArn` (including indirectly, for example by
 `@aws-cdk/aws-lambda-event-source.DynamoEventSource` on the imported table), you *must* use the
 `Table.fromTableAttributes` method and the `tableStreamArn` property *must* be populated.
 
+In order to grant permissions to indexes on imported tables you can either set `grantIndexPermissions` to `true`, or you can provide the indexes via the `globalIndexes` or `localIndexes` properties. This will enable `grant*` methods to also grant permissions to *all* table indexes.
+
 ## Keys
 
 When a table is defined, you must define it's schema using the `partitionKey`

diff --git a/packages/@aws-cdk/aws-dynamodb/lib/table.ts b/packages/@aws-cdk/aws-dynamodb/lib/table.ts
@@ -599,6 +599,15 @@ export interface TableAttributes {
    * @default - no local indexes
    */
   readonly localIndexes?: string[];
+
+  /**
+   * If set to true, grant methods always grant permissions for all indexes.
+   * If false is provided, grant methods grant the permissions
+   * only when {@link globalIndexes} or {@link localIndexes} is specified.
+   *
+   * @default - false
+   */
+  readonly grantIndexPermissions?: boolean;
 }
 
 abstract class TableBase extends Resource implements ITable {
@@ -1078,7 +1087,8 @@ export class Table extends TableBase {
       public readonly tableArn: string;
       public readonly tableStreamArn?: string;
       public readonly encryptionKey?: kms.IKey;
-      protected readonly hasIndex = (attrs.globalIndexes ?? []).length > 0 ||
+      protected readonly hasIndex = (attrs.grantIndexPermissions ?? false) ||
+        (attrs.globalIndexes ?? []).length > 0 ||
         (attrs.localIndexes ?? []).length > 0;
 
       constructor(_tableArn: string, tableName: string, tableStreamArn?: string) {

diff --git a/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts b/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts
@@ -2508,6 +2508,64 @@ describe('import', () => {
         },
       });
     });
+
+    test('creates the index permissions if grantIndexPermissions is provided', () => {
+      const stack = new Stack();
+
+      const table = Table.fromTableAttributes(stack, 'ImportedTable', {
+        tableName: 'MyTableName',
+        grantIndexPermissions: true,
+      });
+
+      const role = new iam.Role(stack, 'Role', {
+        assumedBy: new iam.AnyPrincipal(),
+      });
+
+      table.grantReadData(role);
+
+      Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+        PolicyDocument: {
+          Statement: [
+            {
+              Action: [
+                'dynamodb:BatchGetItem',
+                'dynamodb:GetRecords',
+                'dynamodb:GetShardIterator',
+                'dynamodb:Query',
+                'dynamodb:GetItem',
+                'dynamodb:Scan',
+                'dynamodb:ConditionCheckItem',
+                'dynamodb:DescribeTable',
+              ],
+              Resource: [
+                {
+                  'Fn::Join': ['', [
+                    'arn:',
+                    { Ref: 'AWS::Partition' },
+                    ':dynamodb:',
+                    { Ref: 'AWS::Region' },
+                    ':',
+                    { Ref: 'AWS::AccountId' },
+                    ':table/MyTableName',
+                  ]],
+                },
+                {
+                  'Fn::Join': ['', [
+                    'arn:',
+                    { Ref: 'AWS::Partition' },
+                    ':dynamodb:',
+                    { Ref: 'AWS::Region' },
+                    ':',
+                    { Ref: 'AWS::AccountId' },
+                    ':table/MyTableName/index/*',
+                  ]],
+                },
+              ],
+            },
+          ],
+        },
+      });
+    });
   });
 });
 

diff --git a/packages/@aws-cdk/aws-ec2/README.md b/packages/@aws-cdk/aws-ec2/README.md
@@ -1356,6 +1356,20 @@ new ec2.FlowLog(this, 'FlowLogWithKeyPrefix', {
 });
 ```
 
+When the S3 destination is configured, AWS will automatically create an S3 bucket policy
+that allows the service to write logs to the bucket. This makes it impossible to later update
+that bucket policy. To have CDK create the bucket policy so that future updates can be made,
+the `@aws-cdk/aws-s3:createDefaultLoggingPolicy` [feature flag](https://docs.aws.amazon.com/cdk/v2/guide/featureflags.html) can be used. This can be set
+in the `cdk.json` file.
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true
+  }
+}
+```
+
 ## User Data
 
 User data enables you to run a script when your instances start up.  In order to configure these scripts you can add commands directly to the script

diff --git a/packages/@aws-cdk/aws-ec2/lib/vpc-flow-logs.ts b/packages/@aws-cdk/aws-ec2/lib/vpc-flow-logs.ts
@@ -1,15 +1,14 @@
 import * as iam from '@aws-cdk/aws-iam';
 import * as logs from '@aws-cdk/aws-logs';
 import * as s3 from '@aws-cdk/aws-s3';
-import { IResource, PhysicalName, RemovalPolicy, Resource } from '@aws-cdk/core';
+import { IResource, PhysicalName, RemovalPolicy, Resource, FeatureFlags, Stack } from '@aws-cdk/core';
+import { S3_CREATE_DEFAULT_LOGGING_POLICY } from '@aws-cdk/cx-api';
 import { Construct } from 'constructs';
 import { CfnFlowLog } from './ec2.generated';
 import { ISubnet, IVpc } from './vpc';
 
 /**
  * A FlowLog
- *
- *
  */
 export interface IFlowLog extends IResource {
   /**
@@ -22,8 +21,6 @@ export interface IFlowLog extends IResource {
 
 /**
  * The type of VPC traffic to log
- *
- *
  */
 export enum FlowLogTrafficType {
   /**
@@ -44,7 +41,6 @@ export enum FlowLogTrafficType {
 
 /**
  * The available destination types for Flow Logs
- *
  */
 export enum FlowLogDestinationType {
   /**
@@ -60,8 +56,6 @@ export enum FlowLogDestinationType {
 
 /**
  * The type of resource to create the flow log for
- *
- *
  */
 export abstract class FlowLogResourceType {
   /**
@@ -106,9 +100,29 @@ export abstract class FlowLogResourceType {
 }
 
 /**
- * The destination type for the flow log
- *
+ * Options for writing logs to a S3 destination
+ */
+export interface S3DestinationOptions {
+  /**
+   * Use Hive-compatible prefixes for flow logs
+   * stored in Amazon S3
+   *
+   * @default false
+   */
+  readonly hiveCompatiblePartitions?: boolean;
+}
+
+/**
+ * Options for writing logs to a destination
  *
+ * TODO: there are other destination options, currently they are
+ * only for s3 destinations (not sure if that will change)
+ */
+export interface DestinationOptions extends S3DestinationOptions { }
+
+
+/**
+ * The destination type for the flow log
  */
 export abstract class FlowLogDestination {
   /**
@@ -124,12 +138,18 @@ export abstract class FlowLogDestination {
 
   /**
    * Use S3 as the destination
+   *
+   * @param bucket optional s3 bucket to publish logs to. If one is not provided
+   * a default bucket will be created
+   * @param keyPrefix optional prefix within the bucket to write logs to
+   * @param options additional s3 destination options
    */
-  public static toS3(bucket?: s3.IBucket, keyPrefix?: string): FlowLogDestination {
+  public static toS3(bucket?: s3.IBucket, keyPrefix?: string, options?: S3DestinationOptions): FlowLogDestination {
     return new S3Destination({
       logDestinationType: FlowLogDestinationType.S3,
       s3Bucket: bucket,
       keyPrefix,
+      destinationOptions: options,
     });
   }
 
@@ -141,8 +161,6 @@ export abstract class FlowLogDestination {
 
 /**
  * Flow Log Destination configuration
- *
- *
  */
 export interface FlowLogDestinationConfig {
   /**
@@ -179,6 +197,13 @@ export interface FlowLogDestinationConfig {
    * @default - undefined
    */
   readonly keyPrefix?: string;
+
+  /**
+   * Options for writing flow logs to a supported destination
+   *
+   * @default - undefined
+   */
+  readonly destinationOptions?: DestinationOptions;
 }
 
 /**
@@ -196,13 +221,73 @@ class S3Destination extends FlowLogDestination {
         encryption: s3.BucketEncryption.UNENCRYPTED,
         removalPolicy: RemovalPolicy.RETAIN,
       });
+
     } else {
       s3Bucket = this.props.s3Bucket;
     }
+
+    // https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html#flow-logs-s3-permissions
+    if (FeatureFlags.of(scope).isEnabled(S3_CREATE_DEFAULT_LOGGING_POLICY)) {
+      const stack = Stack.of(scope);
+      let keyPrefix = this.props.keyPrefix ?? '';
+      if (keyPrefix && !keyPrefix.endsWith('/')) {
+        keyPrefix = keyPrefix + '/';
+      }
+      const prefix = this.props.destinationOptions?.hiveCompatiblePartitions
+        ? s3Bucket.arnForObjects(`${keyPrefix}AWSLogs/aws-account-id=${stack.account}/*`)
+        : s3Bucket.arnForObjects(`${keyPrefix}AWSLogs/${stack.account}/*`);
+
+      s3Bucket.addToResourcePolicy(new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        principals: [
+          new iam.ServicePrincipal('delivery.logs.amazonaws.com'),
+        ],
+        resources: [
+          prefix,
+        ],
+        actions: ['s3:PutObject'],
+        conditions: {
+          StringEquals: {
+            's3:x-amz-acl': 'bucket-owner-full-control',
+            'aws:SourceAccount': stack.account,
+          },
+          ArnLike: {
+            'aws:SourceArn': stack.formatArn({
+              service: 'logs',
+              resource: '*',
+            }),
+          },
+        },
+      }));
+
+      s3Bucket.addToResourcePolicy(new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        principals: [
+          new iam.ServicePrincipal('delivery.logs.amazonaws.com'),
+        ],
+        resources: [s3Bucket.bucketArn],
+        actions: [
+          's3:GetBucketAcl',
+          's3:ListBucket',
+        ],
+        conditions: {
+          StringEquals: {
+            'aws:SourceAccount': stack.account,
+          },
+          ArnLike: {
+            'aws:SourceArn': stack.formatArn({
+              service: 'logs',
+              resource: '*',
+            }),
+          },
+        },
+      }));
+    }
     return {
       logDestinationType: FlowLogDestinationType.S3,
       s3Bucket,
       keyPrefix: this.props.keyPrefix,
+      destinationOptions: this.props.destinationOptions,
     };
   }
 }
@@ -263,8 +348,6 @@ class CloudWatchLogsDestination extends FlowLogDestination {
 
 /**
  * Options to add a flow log to a VPC
- *
- *
  */
 export interface FlowLogOptions {
   /**
@@ -285,8 +368,6 @@ export interface FlowLogOptions {
 
 /**
  * Properties of a VPC Flow Log
- *
- *
  */
 export interface FlowLogProps extends FlowLogOptions {
   /**
@@ -307,8 +388,6 @@ export interface FlowLogProps extends FlowLogOptions {
 
 /**
  * The base class for a Flow Log
- *
- *
  */
 abstract class FlowLogBase extends Resource implements IFlowLog {
   /**
@@ -322,8 +401,6 @@ abstract class FlowLogBase extends Resource implements IFlowLog {
 /**
  * A VPC flow log.
  * @resource AWS::EC2::FlowLog
- *
- *
  */
 export class FlowLog extends FlowLogBase {
   /**
@@ -383,6 +460,7 @@ export class FlowLog extends FlowLogBase {
     }
 
     const flowLog = new CfnFlowLog(this, 'FlowLog', {
+      destinationOptions: destinationConfig.destinationOptions,
       deliverLogsPermissionArn: this.iamRole ? this.iamRole.roleArn : undefined,
       logDestinationType: destinationConfig.logDestinationType,
       logGroupName: this.logGroup ? this.logGroup.logGroupName : undefined,

diff --git a/packages/@aws-cdk/aws-ec2/package.json b/packages/@aws-cdk/aws-ec2/package.json
@@ -83,6 +83,7 @@
     "@aws-cdk/assertions": "0.0.0",
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "@aws-cdk/integ-runner": "0.0.0",
+    "@aws-cdk/integ-tests": "0.0.0",
     "@aws-cdk/cfn2ts": "0.0.0",
     "@aws-cdk/cloud-assembly-schema": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",