Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(elasticloadbalancingv2): connection logs for ALB #30599

Merged
merged 10 commits into from
Aug 9, 2024
Merged

feat(elasticloadbalancingv2): connection logs for ALB #30599

merged 10 commits into from
Aug 9, 2024

Conversation

sakurai-ryo
Copy link
Contributor

Reason for this change

ALB can output connection logs as well as access logs to the S3 bucket, but this is not yet supported by L2 Construct.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-connection-logs.html

Description of changes

The implementation is almost the same as for access logs.
However, since connection logs are not supported by NLB, but only by ALB, the logConnectionLogs method is added to the ApplicationLoadBalancer instead of the BaseLoadBalancer.

The needed BucketPolicy is described in the documentation only as follows, but to support buckets that still use the ACL, it is necessary to set the same policy that is currently set in the access logs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::elb-account-id:root"
      },
      "Action": "s3:PutObject",
       "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/aws-account-id/*"
    }
  ]
}

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-connection-logging.html#attach-bucket-policy-connection

Description of how you validated changes

add unit tests and integ tests.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added the star-contributor [Pilot] contributed between 25-49 PRs to the CDK label Jun 20, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team June 20, 2024 15:25
@github-actions github-actions bot added the p2 label Jun 20, 2024
sakurai-ryo
sakurai-ryo commented Jun 20, 2024
View reviewed changes
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts Outdated
if (bucket.encryptionKey) {
throw new Error('Encryption key detected. Bucket encryption using KMS keys is unsupported');
}
super.logAccessLogs(bucket, prefix);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR adds a method with the same content as BaseLoadBalancer.logAccessLogs to ApplicationLoadBalancer to perform validation for ALB only.
However, modifying both methods would be necessary when changing the access log settings, so I changed it to call the base class implementation except for the validation.
#29382

Copy link
Contributor

@go-to-k go-to-k Jul 3, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this change fundamentally not related to this PR for the connection logs? If so, it would be better to create a separated PR.

If not, please let me know.

@sakurai-ryo sakurai-ryo changed the title feat(elasticloadbalancingv2): setting up connection logs for ALB feat(elasticloadbalancingv2): connection logs for ALB Jun 20, 2024
@sakurai-ryo sakurai-ryo changed the title feat(elasticloadbalancingv2): connection logs for ALB feat(elasticloadbalancingv2): connection logging for ALB Jun 20, 2024
@sakurai-ryo sakurai-ryo changed the title feat(elasticloadbalancingv2): connection logging for ALB feat(elasticloadbalancingv2): connection logs for ALB Jun 20, 2024
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jun 20, 2024
This was referenced Jun 24, 2024
Closed
Closed
go-to-k
go-to-k suggested changes Jul 3, 2024
View reviewed changes
Copy link
Contributor

@go-to-k go-to-k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this PR. I just made a minor comment.

packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts Outdated
if (bucket.encryptionKey) {
throw new Error('Encryption key detected. Bucket encryption using KMS keys is unsupported');
}
super.logAccessLogs(bucket, prefix);
Copy link
Contributor

@go-to-k go-to-k Jul 3, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this change fundamentally not related to this PR for the connection logs? If so, it would be better to create a separated PR.

If not, please let me know.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jul 3, 2024
go-to-k
go-to-k reviewed Jul 3, 2024
View reviewed changes
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts Outdated
public logConnectionLogs(bucket: s3.IBucket, prefix?: string) {
/**
* KMS key encryption is not supported on Connection Log bucket for ALB, the bucket must use Amazon S3-managed keys (SSE-S3).
* See https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#bucket-permissions-troubleshooting
Copy link
Contributor

@go-to-k go-to-k Jul 3, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The link for the troubleshooting section is for the access logs not the connection logs.

I think the correct link is here.

@sakurai-ryo
Copy link
Contributor Author

@go-to-k
Thanks for the review!
I fixed the wrong link and deleted unrelated changes for the connection logs feat.

go-to-k
go-to-k reviewed Jul 8, 2024
View reviewed changes
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts Outdated
* Enable connection logging for this load balancer.
*
* A region must be specified on the stack containing the load balancer; you cannot enable logging on
* environment-agnostic stacks. See https://docs.aws.amazon.com/cdk/latest/guide/environments.html
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about using the @see label?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@go-to-k
Yes, add the @see label.

go-to-k
go-to-k approved these changes Jul 8, 2024
View reviewed changes
Copy link
Contributor

@go-to-k go-to-k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the changes.

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jul 8, 2024
@shikha372 shikha372 self-assigned this Jul 12, 2024
@shikha372 shikha372 removed their assignment Jul 23, 2024
@shikha372 shikha372 self-assigned this Jul 23, 2024
@sakurai-ryo
Copy link
Contributor Author

@shikha372
Thanks for the review!
I've made the changes based on your feedback

@shikha372
Copy link
Contributor

Thank you for your contribution @sakurai-ryo !!

@mergify Mergify
Copy link
Contributor

mergify bot commented Aug 9, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Aug 9, 2024
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 800df62
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 7c4f423 into aws:main Aug 9, 2024
12 checks passed
@mergify Mergify
Copy link
Contributor

mergify bot commented Aug 9, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 9, 2024

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 9, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@go-to-k go-to-k go-to-k approved these changes

@shikha372 shikha372 shikha372 approved these changes

Assignees

@shikha372 shikha372

Labels
p2 star-contributor [Pilot] contributed between 25-49 PRs to the CDK
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sakurai-ryo @shikha372 @aws-cdk-automation @go-to-k