feat(elasticloadbalancingv2): health check logs for ALB #36227
Conversation
github-actions
bot
added
p2
valued-contributor
ren-yamanashi
changed the title
| bucket.addToResourcePolicy( | ||
| new PolicyStatement({ | ||
| actions: ['s3:PutObject'], | ||
| principals: [this.resourcePolicyPrincipal()], |
There was a problem hiding this comment.
This code is followed logConnectionLogs method.
The key point when use resourcePolicyPrincipal method, this public method (logHealthCheckLogs) needs specified region on the stack.
But, based on the documents I think we can choice don't use resourcePolicyPrincipal method like here code.
(see: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-health-check-logging.html)
principals: [new iam.ServicePrincipal('logdelivery.elasticloadbalancing.amazonaws.com')],And when we choice it, not needs specified region on the stack.
Q. Which I choice? Use resourcePolicyPrincipal method? or not use?
Current situation is not same when implementation logConnectionLogs method, so I want advice for you.
| * @see https://docs.aws.amazon.com/cdk/latest/guide/environments.html | ||
| */ | ||
| @MethodMetadata() | ||
| public logHealthCheckLogs(bucket: s3.IBucket, prefix?: string) { |
There was a problem hiding this comment.
Based on documents (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-health-check-logging.html) intuitively, you would think two validations are necessary.
- region for specified bucket is same alb region
- must use SSE-S3
However, I not implemented the validation logic "the region of the specified bucket is the same as the region of the ALB" for the following reasons.
- Basically, S3 Buckets and ALB created within the same Stack are in the same region.
- The case where they are not in the same region is when an imported S3 Bucket is specified. However, since the ARN for S3 does not include the region, we determined that it would be difficult to verify that they "exist in the same region."
There was a problem hiding this comment.
Does IBucket class have a region information from IBucket.env.region? If it is true, I think we can add a validation for the same region restriction.
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
…feat/alb-healthcheck-log
| * @see https://docs.aws.amazon.com/cdk/latest/guide/environments.html | ||
| */ | ||
| @MethodMetadata() | ||
| public logHealthCheckLogs(bucket: s3.IBucket, prefix?: string) { |
There was a problem hiding this comment.
Similar methods to this one (e.g, logConnectionLogs) have the following code implemented, but this method doesn't.
// We still need this policy for the bucket using the ACL
bucket.addToResourcePolicy(
new PolicyStatement({
actions: ['s3:PutObject'],
principals: [logsDeliveryServicePrincipal],
resources: [
bucket.arnForObjects(`${prefix ? prefix + '/' : ''}AWSLogs/${Stack.of(this).account}/*`),
],
conditions: {
StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' },
},
}),
);
bucket.addToResourcePolicy(
new PolicyStatement({
actions: ['s3:GetBucketAcl'],
principals: [logsDeliveryServicePrincipal],
resources: [bucket.bucketArn],
}),
);Because, if ACL are enabled on the S3 Bucket, health check logs can be logged even without that code.
I think this has been verified in packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.enable-acl.ts integ test, but please comment if verification method is incorrect.
I think this has been verified in
packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.enable-acl.tsinteg test
If insufficient permissions, I think integ test will failed.
(In fact, I tried deleting the following permissions and running integ tests, deployment failed)
- bucket.addToResourcePolicy(
- new PolicyStatement({
- actions: ['s3:PutObject'],
- principals: [this.resourcePolicyPrincipal()],
- resources: [
- bucket.arnForObjects(
- `${prefix ? prefix + '/' : ''}AWSLogs/${Stack.of(this).account}/*`,
- ),
- ],
- }),
- );There was a problem hiding this comment.
Because the official docs does not mention about bucket policy relates to ACL, I think you don't need to add these policies.
aws-cdk-automation
added
the
pr/needs-community-review
badmintoncryer
left a comment
badmintoncryer
left a comment
There was a problem hiding this comment.
Thank you for your contribution! I've added some comments.
|
|
||
| const app = new cdk.App(); | ||
| const stack = new cdk.Stack(app, 'aws-cdk-elbv2-integ-enable-acl', { env: { region: 'us-west-2' } }); | ||
| stack.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false); |
There was a problem hiding this comment.
Is this feature flag is essential?
|
|
||
| const app = new cdk.App(); | ||
| const stack = new cdk.Stack(app, 'aws-cdk-elbv2-integ-enable-acl', { env: { region: 'us-west-2' } }); | ||
| stack.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false); |
There was a problem hiding this comment.
Is this feature flag essential?
|
|
||
| new IntegTest(app, 'cdk-integ-alb-log-enable-acl', { | ||
| testCases: [stack], | ||
| diffAssets: true, |
There was a problem hiding this comment.
Is this option needed?
| vpc.publicSubnets.forEach((subnet) => { | ||
| group1.node.addDependency(subnet); | ||
| }); |
There was a problem hiding this comment.
I'm curious that why is this dependency needed?
| * @see https://docs.aws.amazon.com/cdk/latest/guide/environments.html | ||
| */ | ||
| @MethodMetadata() | ||
| public logHealthCheckLogs(bucket: s3.IBucket, prefix?: string) { |
There was a problem hiding this comment.
Does IBucket class have a region information from IBucket.env.region? If it is true, I think we can add a validation for the same region restriction.
| * See https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-health-check-logging.html | ||
| */ | ||
| if (bucket.encryptionKey) { | ||
| throw new ValidationError('Encryption key detected. Bucket encryption using KMS keys is unsupported', this); |
There was a problem hiding this comment.
I think it might be better to add a description about when the bucket encryption using KMS keys is unsupported.
| * @see https://docs.aws.amazon.com/cdk/latest/guide/environments.html | ||
| */ | ||
| @MethodMetadata() | ||
| public logHealthCheckLogs(bucket: s3.IBucket, prefix?: string) { |
There was a problem hiding this comment.
Because the official docs does not mention about bucket policy relates to ACL, I think you don't need to add these policies.
aws-cdk-automation
removed
pr/needs-community-review
3 participants
This PR is similar to #30599
Reason for this change
ALB can output health check logs as well as access logs to the S3 bucket, but this is not yet supported by L2 Construct.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-health-check-logging.html
Description of changes
Since health check logs are not supported by NLB, but only by ALB, the
logHealthCheckLogsmethod is added to theApplicationLoadBalancerinstead of theBaseLoadBalancer.The needed BucketPolicy is described in the documentation only as follows.
{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "logdelivery.elasticloadbalancing.amazonaws.com" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/prefix/AWSLogs/123456789012/*" } ] }Description of how you validated changes
add unit tests and integ tests.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license