@@ -401,6 +401,56 @@ export class ApplicationLoadBalancer extends BaseLoadBalancer implements IApplic
}
}

/**
* Enable health check logging for this load balancer.
*/
@MethodMetadata()
public logHealthCheckLogs(bucket: s3.IBucket, prefix?: string) {
/**
* The bucket must be located in the same Region as the load balancer
*/
if (Stack.of(this).region !== Stack.of(bucket).region) {
throw new ValidationError('Health Check Log bucket must be in the same region as the Application Load Balancer', this);
}

/**
* KMS key encryption is not supported on HealthCheck Log bucket for ALB, the bucket must use Amazon S3-managed keys (SSE-S3).
* See https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-health-check-logging.html
*/
if (bucket.encryptionKey) {
throw new ValidationError('Encryption key detected. Bucket encryption using KMS keys is unsupported', this);
}

prefix = prefix || '';
this.setAttribute('health_check_logs.s3.enabled', 'true');
this.setAttribute(
'health_check_logs.s3.bucket',
bucket.bucketName.toString(),
);
this.setAttribute('health_check_logs.s3.prefix', prefix);

bucket.addToResourcePolicy(
new PolicyStatement({
actions: ['s3:PutObject'],
principals: [this.resourcePolicyPrincipal()],
Contributor Author

@ren-yamanashi ren-yamanashi Nov 28, 2025


This code follows the logConnectionLogs method.

see: https://github.com/aws/aws-cdk/blob/v2.230.0/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts#L368

The key point is that when using the resourcePolicyPrincipal method, this public method (logHealthCheckLogs) needs the region specified on the stack.


But based on the documents, I think we can choose not to use the resourcePolicyPrincipal method, like the code here.
(see: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-health-check-logging.html)

principals: [new iam.ServicePrincipal('logdelivery.elasticloadbalancing.amazonaws.com')],

And when we choose that, the region does not need to be specified on the stack.


Q. Which should I choose? Use the resourcePolicyPrincipal method, or not?

The current situation is not the same as when the logConnectionLogs method was implemented, so I would like your advice.

Contributor Author


@badmintoncryer

What do you think about this?

Contributor


Personally, I’d prefer to implement it using the ServicePrincipal method, but I think it’s better to align with the existing implementation…

For now, let’s keep the current implementation as is, and could you discuss this with the maintainers again?

Contributor Author


Okay. I follow you.

resources: [
bucket.arnForObjects(
`${prefix ? prefix + '/' : ''}AWSLogs/${Stack.of(this).account}/*`,
),
],
}),
);

// make sure the bucket's policy is created before the ALB (see https://github.com/aws/aws-cdk/issues/1633)
// at the L1 level to avoid creating a circular dependency (see https://github.com/aws/aws-cdk/issues/27528
// and https://github.com/aws/aws-cdk/issues/27928)
const lb = this.node.defaultChild;
const bucketPolicy = bucket.policy?.node.defaultChild;
if (lb && bucketPolicy && CfnResource.isCfnResource(lb) && CfnResource.isCfnResource(bucketPolicy)) {
lb.addDependency(bucketPolicy);
}
}

/**
* Add a security group to this load balancer
*/
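Review bot: the KMS guard at `if (bucket.encryptionKey)` can only reject buckets whose key the construct knows about; an imported `IBucket` that was not given its `encryptionKey` passes the check even when the bucket is KMS-encrypted, so the JSDoc on `logHealthCheckLogs` should state that SSE-S3 is required (per the linked docs) and that this check is best-effort. Two smaller points in the same hunk: the `s3:PutObject` grant on `AWSLogs/${Stack.of(this).account}/*` carries no condition keys, so it is worth confirming against the linked health-check-logging page whether a source-account condition is expected for the log delivery principal, and the thread's observation that `resourcePolicyPrincipal()` ties this method to a region-resolved stack belongs in the method's JSDoc as a documented requirement; finally, the `/** ... */` block comments inside the method body read as JSDoc, so plain `//` comments would match the surrounding code (as the dependency comment at the end of the method already does).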