diff --git a/.viperlightignore b/.viperlightignore
index 1812d6097..6604c2705 100644
--- a/.viperlightignore
+++ b/.viperlightignore
@@ -140,4 +140,8 @@ source/patterns/@aws-solutions-constructs/aws-lambda-eventbridge/test/integ.depl
 source/patterns/@aws-solutions-constructs/aws-lambda-eventbridge/test/integ.existingEventBus.expected.json:108
 source/patterns/@aws-solutions-constructs/aws-lambda-eventbridge/test/integ.existingFunction.expected.json:122
 source/patterns/@aws-solutions-constructs/aws-lambda-eventbridge/test/aws-lambda-eventbridge.test.ts:28
-source/patterns/@aws-solutions-constructs/aws-lambda-eventbridge/test/aws-lambda-eventbridge.test.ts:339
\ No newline at end of file
+source/patterns/@aws-solutions-constructs/aws-lambda-eventbridge/test/aws-lambda-eventbridge.test.ts:339
+# These are references to the us-east-1 ELBV2 account (publicly known)
+source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPrivateApi.expected.json:193
+source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPrivateApiExistingZone.expected.json:844
+source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiNewAlb.expected.json:188
diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md
index e69de29bb..6cd195bac 100644
--- a/CHANGELOG.v2.md
+++ b/CHANGELOG.v2.md
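Review bot: The three new suppressions are pinned to line numbers inside generated `*.expected.json` snapshots, so the next snapshot regeneration can shift those lines and leave the entries either no longer matching or silencing a different finding at that line. The added comment correctly records why the literal is acceptable; it should also say what is being suppressed so the pin can be re-checked, e.g. `# These are references to the us-east-1 ELBV2 account (publicly known); re-verify line numbers whenever these snapshots are regenerated`. If the scanner's ignore format accepts file-scoped entries for snapshot files, that would be the more stable choice than per-line pins.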
@@ -0,0 +1,56 @@
+# Changelog
+
+All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+
+## 2.0.0-rc.1 (2021-10-12)
+
+### Added
+This is the first release candidate of Solutions Constructs 2.0 based on CDK v2.0 🎉
+- aws-apigateway-dynamodb
+- aws-apigateway-iot
+- aws-apigateway-kinesisstreams
+- aws-apigateway-lambda
+- aws-apigateway-sagemakerendpoint
+- aws-apigateway-sqs
+- aws-cloudfront-apigateway
+- aws-cloudfront-apigateway-lambda
+- aws-cloudfront-mediastore
+- aws-cloudfront-s3
+- aws-cognito-apigateway-lambda
+- aws-dynamodbstreams-lambda
+- aws-dynamodbstreams-lambda-elasticsearch-kibana
+- aws-eventbridge-kinesisfirehose-s3
+- aws-eventbridge-kinesisstreams
+- aws-eventbridge-lambda
+- aws-eventbridge-sns
+- aws-eventbridge-sqs
+- aws-eventbridge-stepfunctions
+- aws-iot-kinesisfirehose-s3
+- aws-iot-kinesisstreams
+- aws-iot-lambda
+- aws-iot-lambda-dynamodb
+- aws-iot-sqs
+- aws-kinesisfirehose-s3
+- aws-kinesisfirehose-s3-and-kinesisanalytics
+- aws-kinesisstreams-gluejob
+- aws-kinesisstreams-kinesisfirehose-s3
+- aws-kinesisstreams-lambda
+- aws-lambda-dynamodb
+- aws-lambda-elasticsearch-kibana
+- aws-lambda-eventbridge
+- aws-lambda-s3
+- aws-lambda-sagemakerendpoint
+- aws-lambda-secretsmanager
+- aws-lambda-sns
+- aws-lambda-sqs
+- aws-lambda-sqs-lambda
+- aws-lambda-ssmstringparameter
+- aws-lambda-stepfunctions
+- aws-s3-lambda
+- aws-s3-sqs
+- aws-s3-stepfunctions
+- aws-sns-lambda
+- aws-sns-sqs
+- aws-sqs-lambda
+- aws-wafwebacl-apigateway
+- aws-wafwebacl-cloudfront
\ No newline at end of file
diff --git a/package-lock.json b/package-lock.json
new file mode 100644
index 000000000..56d8b5a65
--- /dev/null
+++ b/package-lock.json
@@ -0,0 +1,34 @@ +{ + "requires": true, + "lockfileVersion": 1, + "dependencies": { + "eslint-plugin-mocha": { + "version": "9.0.0", + "resolved": "https://registry.npmjs.org/eslint-plugin-mocha/-/eslint-plugin-mocha-9.0.0.tgz", + "integrity": "sha512-d7knAcQj1jPCzZf3caeBIn3BnW6ikcvfz0kSqQpwPYcVGLoJV5sz0l0OJB2LR8I7dvTDbqq1oV6ylhSgzA10zg==", + "dev": true, + "requires": { + "eslint-utils": "^3.0.0", + "ramda": "^0.27.1" + } + }, + "eslint-utils": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/eslint-utils/-/eslint-utils-3.0.0.tgz", + "integrity": "sha512-uuQC43IGctw68pJA1RgbQS8/NP7rch6Cwd4j3ZBtgo4/8Flj4eGE7ZYSZRN3iq5pVUv6GPdW5Z1RFleo84uLDA==", + "requires": { + "eslint-visitor-keys": "^2.0.0" + } + }, + "eslint-visitor-keys": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-2.1.0.tgz", + "integrity": "sha512-0rSmRBzXgDzIsD6mGdJgevzgezI534Cer5L/vyMX0kHzT/jiB43jRhd9YUlMGYLQy2zprNmoT8qasCGtY+QaKw==" + }, + "ramda": { + "version": "0.27.1", + "resolved": "https://registry.npmjs.org/ramda/-/ramda-0.27.1.tgz", + "integrity": "sha512-PgIdVpn5y5Yns8vqb8FzBUEYn98V3xcPgawAkkgj0YJ0qDsnHCiNmZYfOGMgOvoB0eWFLpYbhxUR3mxfDIMvpw==" + } + } +} diff --git a/sonar-project.properties b/sonar-project.properties index 90a7c88da..e825ec85b 100644 --- a/sonar-project.properties +++ b/sonar-project.properties 
@@ -22,50 +22,65 @@ sonar.exclusions=\ # source/test/coverage-reports/jest/*/lcov.info # so we have to provide an explicit list of reportPaths sonar.javascript.lcov.reportPaths= \ - source/patterns/@aws-solutions-constructs/aws-kinesisstreams-kinesisfirehose-s3/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-apigateway-iot/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-apigateway-sqs/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-apigateway-lambda/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-sns-sqs/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-s3-lambda/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-lambda-sqs/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-apigateway-kinesisstreams/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/core/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-iot-kinesisfirehose-s3/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-dynamodb-stream-lambda-elasticsearch-kibana/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-kinesisfirehose-s3/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-lambda-s3/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-kinesisfirehose-s3-and-kinesisanalytics/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-apigateway-sagemakerendpoint/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-lambda-sns/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-events-rule-sns/coverage/lcov.info, \ - 
source/patterns/@aws-solutions-constructs/aws-lambda-sqs-lambda/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-apigateway-dynamodb/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-dynamodb-stream-lambda/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-events-rule-lambda/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-lambda-elasticsearch-kibana/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-kinesisstreams-lambda/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-events-rule-kinesisstreams/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-sns-lambda/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-cognito-apigateway-lambda/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-events-rule-step-function/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-iot-lambda/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-events-rule-kinesisfirehose-s3/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-sqs-lambda/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-iot-lambda-dynamodb/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-lambda-dynamodb/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-s3-step-function/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-lambda-step-function/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-s3-sqs/coverage/lcov.info, \ - source/patterns/@aws-solutions-constructs/aws-kinesisstreams-gluejob/coverage/lcov.info, \ + source/patterns/@aws-solutions-constructs/aws-apigateway-dynamodb/coverage/lcov.info \ + 
source/patterns/@aws-solutions-constructs/aws-apigateway-iot/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-apigateway-kinesisstreams/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-apigateway-lambda/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-apigateway-sagemakerendpoint/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-apigateway-sqs/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-cognito-apigateway-lambda/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-dynamodb-stream-lambda/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-dynamodb-stream-lambda-elasticsearch-kibana/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-dynamodbstreams-lambda/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-dynamodbstreams-lambda-elasticsearch-kibana/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-eventbridge-kinesisfirehose-s3/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-eventbridge-kinesisstreams/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-eventbridge-lambda/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-eventbridge-stepfunctions/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-events-rule-kinesisfirehose-s3/coverage/lcov.info \ + 
source/patterns/@aws-solutions-constructs/aws-events-rule-kinesisstreams/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-events-rule-lambda/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-events-rule-sns/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-events-rule-step-function/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-iot-kinesisfirehose-s3/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-iot-kinesisstreams/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-iot-lambda/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-iot-lambda-dynamodb/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-iot-sqs/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-kinesisfirehose-s3/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-kinesisfirehose-s3-and-kinesisanalytics/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-kinesisstreams-gluejob/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-kinesisstreams-kinesisfirehose-s3/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-kinesisstreams-lambda/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-lambda-dynamodb/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-lambda-elasticsearch-kibana/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-lambda-eventbridge/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-lambda-s3/coverage/lcov.info \ source/patterns/@aws-solutions-constructs/aws-lambda-sagemakerendpoint/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-lambda-secretsmanager/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-lambda-sns/coverage/lcov.info \ + 
source/patterns/@aws-solutions-constructs/aws-lambda-sqs/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-lambda-sqs-lambda/coverage/lcov.info \ source/patterns/@aws-solutions-constructs/aws-lambda-ssmstringparameter/coverage/lcov.info \ - source/patterns/@aws-solutions-constructs/aws-lambda-secretsmanager/coverage/lcov.info + source/patterns/@aws-solutions-constructs/aws-lambda-step-function/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-lambda-stepfunctions/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-route53-alb/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-s3-lambda/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-s3-sqs/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-s3-step-function/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-s3-stepfunctions/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-sns-lambda/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-sns-sqs/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-sqs-lambda/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-wafwebacl-apigateway/coverage/lcov.info \ + source/patterns/@aws-solutions-constructs/aws-wafwebacl-cloudfront/coverage/lcov.info # Encoding of the source files sonar.sourceEncoding=UTF-8 diff --git a/source/lerna.v2.json b/source/lerna.v2.json index 98fd484be..738e6f111 100644 --- a/source/lerna.v2.json +++ b/source/lerna.v2.json @@ -6,5 +6,5 @@ "./patterns/@aws-solutions-constructs/*" ], "rejectCycles": "true", - "version": "2.0.0-rc.0" + "version": "2.0.0-rc.1" } diff --git a/source/patterns/@aws-solutions-constructs/aws-apigateway-dynamodb/README.md b/source/patterns/@aws-solutions-constructs/aws-apigateway-dynamodb/README.md index bf683e496..e555d3768 100644 --- a/source/patterns/@aws-solutions-constructs/aws-apigateway-dynamodb/README.md 
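Review bot: The rewritten `sonar.javascript.lcov.reportPaths` list drops the `, \` separator the removed lines used, so under Java properties line-continuation rules the value becomes one whitespace-joined string; whether the scanner still splits that into separate report paths is not visible here and should be confirmed, since the three pre-existing comma-less entries at the end of the old list may have been silently ignored rather than proving the form works. If it is not tolerated, restore the separator on each continuation line, e.g. `source/patterns/@aws-solutions-constructs/aws-apigateway-dynamodb/coverage/lcov.info, \`. The removed lines also included `core/coverage/lcov.info` and no entry for the core package appears on the new side; unless core coverage is intentionally dropped from Sonar, that entry should be re-added.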
+++ b/source/patterns/@aws-solutions-constructs/aws-apigateway-dynamodb/README.md @@ -71,7 +71,7 @@ _Parameters_ |apiGateway|[`api.RestApi`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.RestApi.html)|Returns an instance of the api.RestApi created by the construct.| |apiGatewayRole|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway.| |dynamoTable|[`dynamodb.Table`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-dynamodb.Table.html)|Returns an instance of dynamodb.Table created by the construct.| -|apiGatewayCloudWatchRole|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.| +|apiGatewayCloudWatchRole?|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.| |apiGatewayLogGroup|[`logs.LogGroup`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-logs.LogGroup.html)|Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.| ## Default settings diff --git a/source/patterns/@aws-solutions-constructs/aws-apigateway-dynamodb/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-apigateway-dynamodb/lib/index.ts index 7d34ec10a..b891136a8 100644 --- a/source/patterns/@aws-solutions-constructs/aws-apigateway-dynamodb/lib/index.ts +++ b/source/patterns/@aws-solutions-constructs/aws-apigateway-dynamodb/lib/index.ts 
@@ -109,7 +109,7 @@ export class ApiGatewayToDynamoDB extends Construct { public readonly dynamoTable: dynamodb.Table; public readonly apiGatewayRole: iam.Role; public readonly apiGateway: api.RestApi; - public readonly apiGatewayCloudWatchRole: iam.Role; + public readonly apiGatewayCloudWatchRole?: iam.Role; public readonly apiGatewayLogGroup: logs.LogGroup; /** * @summary Constructs a new instance of the ApiGatewayToDynamoDB class. diff --git a/source/patterns/@aws-solutions-constructs/aws-apigateway-iot/README.md b/source/patterns/@aws-solutions-constructs/aws-apigateway-iot/README.md index 2c60a9345..be5017cab 100755 --- a/source/patterns/@aws-solutions-constructs/aws-apigateway-iot/README.md +++ b/source/patterns/@aws-solutions-constructs/aws-apigateway-iot/README.md @@ -69,7 +69,7 @@ _Parameters_ |:-------------|:----------------|-----------------| |apiGateway|[`api.RestApi`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.RestApi.html)|Returns an instance of the API Gateway REST API created by the pattern.| |apiGatewayRole|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway.| -|apiGatewayCloudWatchRole|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.| +|apiGatewayCloudWatchRole?|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.| |apiGatewayLogGroup|[`logs.LogGroup`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-logs.LogGroup.html)|Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.| ## Default settings 
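Review bot: `apiGatewayCloudWatchRole` becomes optional without a doc comment stating when it is undefined, so a consumer that previously attached policies to it now gets a strictNullChecks error with no guidance; the identical field change in aws-apigateway-iot, aws-apigateway-kinesisstreams, aws-apigateway-lambda, aws-apigateway-sagemakerendpoint and aws-apigateway-sqs has the same gap. The test hunk in test.apigateway-lambda.test.ts suggests the role (and the `AWS::ApiGateway::Account` resource) is not created when `cloudWatchRole` is overridden to false, so a comment such as `/** Role API Gateway uses to write to CloudWatch Logs; undefined when the construct does not create it (cloudWatchRole overridden to false) — confirm against the constructor */` would document the contract. The README rows for these patterns only gained a `?` and still describe the value as always returned; a short "undefined when ..." clause there would match. The class bodies continue outside the hunk.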
diff --git a/source/patterns/@aws-solutions-constructs/aws-apigateway-iot/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-apigateway-iot/lib/index.ts index 44fb1581d..bacfba624 100755 --- a/source/patterns/@aws-solutions-constructs/aws-apigateway-iot/lib/index.ts +++ b/source/patterns/@aws-solutions-constructs/aws-apigateway-iot/lib/index.ts @@ -61,7 +61,7 @@ export interface ApiGatewayToIotProps { */ export class ApiGatewayToIot extends Construct { public readonly apiGateway: api.RestApi; - public readonly apiGatewayCloudWatchRole: iam.Role; + public readonly apiGatewayCloudWatchRole?: iam.Role; public readonly apiGatewayLogGroup: logs.LogGroup; public readonly apiGatewayRole: iam.IRole; private readonly iotEndpoint: string; diff --git a/source/patterns/@aws-solutions-constructs/aws-apigateway-kinesisstreams/README.md b/source/patterns/@aws-solutions-constructs/aws-apigateway-kinesisstreams/README.md index f58b778ab..a3dd78c13 100644 --- a/source/patterns/@aws-solutions-constructs/aws-apigateway-kinesisstreams/README.md +++ b/source/patterns/@aws-solutions-constructs/aws-apigateway-kinesisstreams/README.md @@ -5,10 +5,6 @@ ![Stability: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge) -> All classes are under active development and subject to non-backward compatible changes or removal in any -> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. -> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package. - --- 
@@ -67,7 +63,7 @@ _Parameters_ |:-------------|:----------------|-----------------| |apiGateway|[`api.RestApi`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.RestApi.html)|Returns an instance of the API Gateway REST API created by the pattern.| |apiGatewayRole|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway.| -|apiGatewayCloudWatchRole|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.| +|apiGatewayCloudWatchRole?|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.| |apiGatewayLogGroup|[`logs.LogGroup`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-logs.LogGroup.html)|Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.| |kinesisStream|[`kinesis.Stream`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-kinesis.Stream.html)|Returns an instance of the Kinesis stream created or used by the pattern.| |cloudwatchAlarms?|[`cloudwatch.Alarm[]`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudwatch.Alarm.html)|Returns an array of recommended CloudWatch Alarms created by the construct for Kinesis Data stream| diff --git a/source/patterns/@aws-solutions-constructs/aws-apigateway-kinesisstreams/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-apigateway-kinesisstreams/lib/index.ts index a67badf60..9cbc11443 100644 --- a/source/patterns/@aws-solutions-constructs/aws-apigateway-kinesisstreams/lib/index.ts +++ b/source/patterns/@aws-solutions-constructs/aws-apigateway-kinesisstreams/lib/index.ts 
@@ -96,7 +96,7 @@ export interface ApiGatewayToKinesisStreamsProps { export class ApiGatewayToKinesisStreams extends Construct { public readonly apiGateway: api.RestApi; public readonly apiGatewayRole: iam.Role; - public readonly apiGatewayCloudWatchRole: iam.Role; + public readonly apiGatewayCloudWatchRole?: iam.Role; public readonly apiGatewayLogGroup: logs.LogGroup; public readonly kinesisStream: kinesis.Stream; public readonly cloudwatchAlarms?: cloudwatch.Alarm[]; diff --git a/source/patterns/@aws-solutions-constructs/aws-apigateway-lambda/README.md b/source/patterns/@aws-solutions-constructs/aws-apigateway-lambda/README.md index a321d7b6c..80182026b 100644 --- a/source/patterns/@aws-solutions-constructs/aws-apigateway-lambda/README.md +++ b/source/patterns/@aws-solutions-constructs/aws-apigateway-lambda/README.md @@ -64,7 +64,7 @@ _Parameters_ |:-------------|:----------------|-----------------| |lambdaFunction|[`lambda.Function`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-lambda.Function.html)|Returns an instance of the Lambda function created by the pattern.| |apiGateway|[`api.LambdaRestApi`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.LambdaRestApi.html)|Returns an instance of the API Gateway REST API created by the pattern.| -|apiGatewayCloudWatchRole|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.| +|apiGatewayCloudWatchRole?|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.| |apiGatewayLogGroup|[`logs.LogGroup`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-logs.LogGroup.html)|Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.| ## Default settings 
diff --git a/source/patterns/@aws-solutions-constructs/aws-apigateway-lambda/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-apigateway-lambda/lib/index.ts index 6711937c2..244e29f15 100644 --- a/source/patterns/@aws-solutions-constructs/aws-apigateway-lambda/lib/index.ts +++ b/source/patterns/@aws-solutions-constructs/aws-apigateway-lambda/lib/index.ts @@ -55,7 +55,7 @@ export interface ApiGatewayToLambdaProps { */ export class ApiGatewayToLambda extends Construct { public readonly apiGateway: api.RestApi; - public readonly apiGatewayCloudWatchRole: iam.Role; + public readonly apiGatewayCloudWatchRole?: iam.Role; public readonly apiGatewayLogGroup: logs.LogGroup; public readonly lambdaFunction: lambda.Function; diff --git a/source/patterns/@aws-solutions-constructs/aws-apigateway-lambda/test/test.apigateway-lambda.test.ts b/source/patterns/@aws-solutions-constructs/aws-apigateway-lambda/test/test.apigateway-lambda.test.ts index 3fab28f12..c6c70bc2f 100644 --- a/source/patterns/@aws-solutions-constructs/aws-apigateway-lambda/test/test.apigateway-lambda.test.ts +++ b/source/patterns/@aws-solutions-constructs/aws-apigateway-lambda/test/test.apigateway-lambda.test.ts @@ -145,12 +145,5 @@ test('Test deployment ApiGateway override cloudWatchRole = false', () => { } }); // Assertion 1 - expect(stack).toHaveResourceLike("AWS::ApiGateway::Account", { - CloudWatchRoleArn: { - "Fn::GetAtt": [ - "apigatewaylambdaLambdaRestApiCloudWatchRoleA759E8AC", - "Arn" - ] - } - }); + expect(stack).not.toHaveResource("AWS::ApiGateway::Account", {}); }); \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-apigateway-sagemakerendpoint/README.md b/source/patterns/@aws-solutions-constructs/aws-apigateway-sagemakerendpoint/README.md index d935c5d2b..fd86c4979 100644 --- a/source/patterns/@aws-solutions-constructs/aws-apigateway-sagemakerendpoint/README.md +++ b/source/patterns/@aws-solutions-constructs/aws-apigateway-sagemakerendpoint/README.md 
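Review bot: The replacement assertion passes an empty `{}` as the properties argument to `not.toHaveResource`, which makes its meaning depend on whether the matcher treats `{}` as a subset of any properties (then it asserts no `AWS::ApiGateway::Account` exists at all) or as an exact match (then it passes even when such a resource is present with properties). Dropping the argument, `expect(stack).not.toHaveResource("AWS::ApiGateway::Account");`, states the intended check unambiguously. The test function's opening lines are outside the hunk.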
@@ -83,7 +83,7 @@ _Parameters_ |:-------------|:----------------|-----------------| |apiGateway|[`api.RestApi`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.RestApi.html)|Returns an instance of the API Gateway REST API created by the pattern.| |apiGatewayRole|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway.| -|apiGatewayCloudWatchRole|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.| +|apiGatewayCloudWatchRole?|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.| |apiGatewayLogGroup|[`logs.LogGroup`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-logs.LogGroup.html)|Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.| ## Sample API Usage diff --git a/source/patterns/@aws-solutions-constructs/aws-apigateway-sagemakerendpoint/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-apigateway-sagemakerendpoint/lib/index.ts index 46d4c7c1b..0ed559f24 100644 --- a/source/patterns/@aws-solutions-constructs/aws-apigateway-sagemakerendpoint/lib/index.ts +++ b/source/patterns/@aws-solutions-constructs/aws-apigateway-sagemakerendpoint/lib/index.ts @@ -78,7 +78,7 @@ export interface ApiGatewayToSageMakerEndpointProps { export class ApiGatewayToSageMakerEndpoint extends Construct { public readonly apiGateway: api.RestApi; public readonly apiGatewayRole: iam.Role; - public readonly apiGatewayCloudWatchRole: iam.Role; + public readonly apiGatewayCloudWatchRole?: iam.Role; public readonly apiGatewayLogGroup: logs.LogGroup; /** 
diff --git a/source/patterns/@aws-solutions-constructs/aws-apigateway-sqs/README.md b/source/patterns/@aws-solutions-constructs/aws-apigateway-sqs/README.md index e6633f78a..c7c88eacb 100644 --- a/source/patterns/@aws-solutions-constructs/aws-apigateway-sqs/README.md +++ b/source/patterns/@aws-solutions-constructs/aws-apigateway-sqs/README.md @@ -65,7 +65,7 @@ _Parameters_ |:-------------|:----------------|-----------------| |apiGateway|[`api.RestApi`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.RestApi.html)|Returns an instance of the API Gateway REST API created by the pattern.| |apiGatewayRole|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway.| -|apiGatewayCloudWatchRole|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.| +|apiGatewayCloudWatchRole?|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.| |apiGatewayLogGroup|[`logs.LogGroup`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-logs.LogGroup.html)|Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.| |sqsQueue|[`sqs.Queue`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-sqs.Queue.html)|Returns an instance of the SQS queue created by the pattern.| |deadLetterQueue?|[`sqs.DeadLetterQueue`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-sqs.DeadLetterQueue.html)|Returns an instance of the DeadLetterQueue created by the pattern.| 
diff --git a/source/patterns/@aws-solutions-constructs/aws-apigateway-sqs/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-apigateway-sqs/lib/index.ts index 9193b9c80..48d851f66 100644 --- a/source/patterns/@aws-solutions-constructs/aws-apigateway-sqs/lib/index.ts +++ b/source/patterns/@aws-solutions-constructs/aws-apigateway-sqs/lib/index.ts @@ -111,7 +111,7 @@ export interface ApiGatewayToSqsProps { export class ApiGatewayToSqs extends Construct { public readonly apiGateway: api.RestApi; public readonly apiGatewayRole: iam.Role; - public readonly apiGatewayCloudWatchRole: iam.Role; + public readonly apiGatewayCloudWatchRole?: iam.Role; public readonly apiGatewayLogGroup: logs.LogGroup; public readonly sqsQueue: sqs.Queue; public readonly deadLetterQueue?: sqs.DeadLetterQueue; diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/README.md b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/README.md index 1959fb6f1..28b782cc9 100644 --- a/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/README.md +++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/README.md @@ -5,10 +5,6 @@ ![Stability: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge) -> All classes are under active development and subject to non-backward compatible changes or removal in any -> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. -> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package. - --- 
@@ -55,11 +51,12 @@ _Parameters_ | **Name** | **Type** | **Description** | |:-------------|:----------------|-----------------| |existingLambdaObj?|[`lambda.Function`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-lambda.Function.html)|Existing instance of Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.| -|lambdaFunctionProps?|[`lambda.FunctionProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-lambda.FunctionProps.html)|User provided props to override the default props for the Lambda function.| +|lambdaFunctionProps?|[`lambda.FunctionProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-lambda.FunctionProps.html)|Optional user provided props to override the default props for the Lambda function.| |apiGatewayProps?|[`api.LambdaRestApiProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.LambdaRestApiProps.html)|Optional user provided props to override the default props for API Gateway| |cloudFrontDistributionProps?|[`cloudfront.DistributionProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.DistributionProps.html)|Optional user provided props to override the default props for CloudFront Distribution| |insertHttpSecurityHeaders?|`boolean`|Optional user provided props to turn on/off the automatic injection of best practice HTTP security headers in all responses from CloudFront| -|logGroupProps?|[`logs.LogGroupProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-logs.LogGroupProps.html)|User provided props to override the default props for for the CloudWatchLogs LogGroup.| +|logGroupProps?|[`logs.LogGroupProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-logs.LogGroupProps.html)|Optional user provided props to override the default props for for the CloudWatchLogs LogGroup.| 
+|cloudFrontLoggingBucketProps?|[`s3.BucketProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.BucketProps.html)|Optional user provided props to override the default props for the CloudFront Logging Bucket.| ## Pattern Properties @@ -69,7 +66,7 @@ _Parameters_ |cloudFrontFunction?|[`cloudfront.Function`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.Function.html)|Returns an instance of the Cloudfront function created by the pattern.| |cloudFrontLoggingBucket|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-s3-readme.html)|Returns an instance of the logging bucket for CloudFront WebDistribution.| |apiGateway|[`api.RestApi`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.RestApi.html)|Returns an instance of the API Gateway REST API created by the pattern.| -|apiGatewayCloudWatchRole|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.| +|apiGatewayCloudWatchRole?|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.| |apiGatewayLogGroup|[`logs.LogGroup`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-logs.LogGroup.html)|Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.| |lambdaFunction|[`lambda.Function`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-lambda.Function.html)|Returns an instance of the Lambda function created by the pattern.| diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/lib/index.ts index 95f5c5e13..d4b55a100 100644 
--- a/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/lib/index.ts +++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/lib/index.ts @@ -33,7 +33,7 @@ export interface CloudFrontToApiGatewayToLambdaProps { */ readonly existingLambdaObj?: lambda.Function, /** - * User provided props to override the default props for the Lambda function. + * Optional user provided props to override the default props for the Lambda function. * * @default - Default props are used */ @@ -58,11 +58,17 @@ export interface CloudFrontToApiGatewayToLambdaProps { */ readonly insertHttpSecurityHeaders?: boolean, /** - * User provided props to override the default props for the CloudWatchLogs LogGroup. + * Optional user provided props to override the default props for the CloudWatchLogs LogGroup. * * @default - Default props are used */ readonly logGroupProps?: logs.LogGroupProps + /** + * Optional user provided props to override the default props for the CloudFront Logging Bucket. + * + * @default - Default props are used + */ + readonly cloudFrontLoggingBucketProps?: s3.BucketProps } export class CloudFrontToApiGatewayToLambda extends Construct { @@ -70,7 +76,7 @@ export class CloudFrontToApiGatewayToLambda extends Construct { public readonly cloudFrontFunction?: cloudfront.Function; public readonly cloudFrontLoggingBucket?: s3.Bucket; public readonly apiGateway: api.RestApi; - public readonly apiGatewayCloudWatchRole: iam.Role; + public readonly apiGatewayCloudWatchRole?: iam.Role; public readonly apiGatewayLogGroup: logs.LogGroup; public readonly lambdaFunction: lambda.Function; 
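Review bot: The new `cloudFrontLoggingBucketProps` JSDoc says only that the props override defaults, yet the unit test added in this commit expects construction to throw when this prop is combined with `cloudFrontDistributionProps.logBucket`; that mutual exclusion is part of the contract and belongs in the doc comment. Add a line such as ` * Providing this together with cloudFrontDistributionProps.logBucket causes an error.` and mirror it in the README row. Where the check is actually raised is not visible here (presumably the downstream construct or a defaults helper), so confirm the condition before documenting it. The `CloudFrontToApiGatewayToLambdaProps` interface starts before this hunk.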
@@ -113,7 +119,8 @@ export class CloudFrontToApiGatewayToLambda extends Construct { const apiCloudfront: CloudFrontToApiGateway = new CloudFrontToApiGateway(this, 'CloudFrontToApiGateway', { existingApiGatewayObj: this.apiGateway, cloudFrontDistributionProps: props.cloudFrontDistributionProps, - insertHttpSecurityHeaders: props.insertHttpSecurityHeaders + insertHttpSecurityHeaders: props.insertHttpSecurityHeaders, + cloudFrontLoggingBucketProps: props.cloudFrontLoggingBucketProps }); this.cloudFrontWebDistribution = apiCloudfront.cloudFrontWebDistribution; diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/test/integ.customCloudfrontLoggingBucket.expected.json b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/test/integ.customCloudfrontLoggingBucket.expected.json new file mode 100644 index 000000000..a19ef02d9 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/test/integ.customCloudfrontLoggingBucket.expected.json 
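Review bot: The caller's `cloudFrontLoggingBucketProps` are forwarded verbatim to `CloudFrontToApiGateway`, and the README added in this commit describes them as overriding the default bucket props; if the downstream merge lets caller values win (inferred, not visible here), a caller can drop the hardened baseline the integ snapshot shows — `PublicAccessBlockConfiguration`, `BucketEncryption`, the `HttpsOnly` deny policy — with something as small as `publicReadAccess: true` on an access-log bucket. I'd add a unit test that pins those three settings while `cloudFrontLoggingBucketProps` is supplied, and a one-line note in the JSDoc and README that security-relevant properties in the override are the caller's responsibility. The constructor continues outside this hunk.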
@@ -0,0 +1,859 @@ +{ + "Description": "Integration Test for aws-cloudfront-apigateway-lambda custom Cloudfront Logging Bucket", + "Resources": { + "cfapigwlambdaLambdaFunctionServiceRole9B40D826": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/lambda/*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "LambdaFunctionServiceRolePolicy" + } + ] + } + }, + "cfapigwlambdaLambdaFunctionServiceRoleDefaultPolicy388158BB": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "xray:PutTraceSegments", + "xray:PutTelemetryRecords" + ], + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "cfapigwlambdaLambdaFunctionServiceRoleDefaultPolicy388158BB", + "Roles": [ + { + "Ref": "cfapigwlambdaLambdaFunctionServiceRole9B40D826" + } + ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W12", + "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC." 
+ } + ] + } + } + }, + "cfapigwlambdaLambdaFunction10C09D31": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "42a35bbf0dec9ef0ac5b0dde87e71a1b8929e8d2d178dd09ccfb2c928ec0198c.zip" + }, + "Role": { + "Fn::GetAtt": [ + "cfapigwlambdaLambdaFunctionServiceRole9B40D826", + "Arn" + ] + }, + "Environment": { + "Variables": { + "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1" + } + }, + "Handler": "index.handler", + "Runtime": "nodejs10.x", + "TracingConfig": { + "Mode": "Active" + } + }, + "DependsOn": [ + "cfapigwlambdaLambdaFunctionServiceRoleDefaultPolicy388158BB", + "cfapigwlambdaLambdaFunctionServiceRole9B40D826" + ], + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W58", + "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions." 
+ }, + { + "id": "W89", + "reason": "This is not a rule for the general case, just for specific use cases/industries" + }, + { + "id": "W92", + "reason": "Impossible for us to define the correct concurrency for clients" + } + ] + } + } + }, + "cfapigwlambdaApiAccessLogGroup16C73450": { + "Type": "AWS::Logs::LogGroup", + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain", + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W86", + "reason": "Retention period for CloudWatchLogs LogGroups are set to 'Never Expire' to preserve customer data indefinitely" + }, + { + "id": "W84", + "reason": "By default CloudWatchLogs LogGroups data is encrypted using the CloudWatch server-side encryption keys (AWS Managed Keys)" + } + ] + } + } + }, + "cfapigwlambdaLambdaRestApi775C255B": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Name": "LambdaRestApi" + } + }, + "cfapigwlambdaLambdaRestApiDeployment33C24C7D5b6eb6dc887b9e8b9bde9a765f4aacbb": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "cfapigwlambdaLambdaRestApi775C255B" + }, + "Description": "Automatically created by the RestApi construct" + }, + "DependsOn": [ + "cfapigwlambdaLambdaRestApiproxyANY68181290", + "cfapigwlambdaLambdaRestApiproxy6A768910", + "cfapigwlambdaLambdaRestApiANY81C176E9" + ], + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W45", + "reason": "ApiGateway has AccessLogging enabled in AWS::ApiGateway::Stage resource, but cfn_nag checkes for it in AWS::ApiGateway::Deployment resource" + } + ] + } + } + }, + "cfapigwlambdaLambdaRestApiDeploymentStageprod83104011": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "RestApiId": { + "Ref": "cfapigwlambdaLambdaRestApi775C255B" + }, + "AccessLogSetting": { + "DestinationArn": { + "Fn::GetAtt": [ + "cfapigwlambdaApiAccessLogGroup16C73450", + "Arn" + ] + }, + "Format": 
"{\"requestId\":\"$context.requestId\",\"ip\":\"$context.identity.sourceIp\",\"user\":\"$context.identity.user\",\"caller\":\"$context.identity.caller\",\"requestTime\":\"$context.requestTime\",\"httpMethod\":\"$context.httpMethod\",\"resourcePath\":\"$context.resourcePath\",\"status\":\"$context.status\",\"protocol\":\"$context.protocol\",\"responseLength\":\"$context.responseLength\"}" + }, + "DeploymentId": { + "Ref": "cfapigwlambdaLambdaRestApiDeployment33C24C7D5b6eb6dc887b9e8b9bde9a765f4aacbb" + }, + "MethodSettings": [ + { + "DataTraceEnabled": false, + "HttpMethod": "*", + "LoggingLevel": "INFO", + "ResourcePath": "/*" + } + ], + "StageName": "prod", + "TracingEnabled": true + } + }, + "cfapigwlambdaLambdaRestApiproxy6A768910": { + "Type": "AWS::ApiGateway::Resource", + "Properties": { + "ParentId": { + "Fn::GetAtt": [ + "cfapigwlambdaLambdaRestApi775C255B", + "RootResourceId" + ] + }, + "PathPart": "{proxy+}", + "RestApiId": { + "Ref": "cfapigwlambdaLambdaRestApi775C255B" + } + } + }, + "cfapigwlambdaLambdaRestApiproxyANYApiPermissioncustomCloudfrontLoggingBucketcfapigwlambdaLambdaRestApi1C5998E7ANYproxyA3ACBFF5": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + "cfapigwlambdaLambdaFunction10C09D31", + "Arn" + ] + }, + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":execute-api:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + { + "Ref": "cfapigwlambdaLambdaRestApi775C255B" + }, + "/", + { + "Ref": "cfapigwlambdaLambdaRestApiDeploymentStageprod83104011" + }, + "/*/*" + ] + ] + } + } + }, + "cfapigwlambdaLambdaRestApiproxyANYApiPermissionTestcustomCloudfrontLoggingBucketcfapigwlambdaLambdaRestApi1C5998E7ANYproxyAF2D9C87": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + 
"cfapigwlambdaLambdaFunction10C09D31", + "Arn" + ] + }, + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":execute-api:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + { + "Ref": "cfapigwlambdaLambdaRestApi775C255B" + }, + "/test-invoke-stage/*/*" + ] + ] + } + } + }, + "cfapigwlambdaLambdaRestApiproxyANY68181290": { + "Type": "AWS::ApiGateway::Method", + "Properties": { + "HttpMethod": "ANY", + "ResourceId": { + "Ref": "cfapigwlambdaLambdaRestApiproxy6A768910" + }, + "RestApiId": { + "Ref": "cfapigwlambdaLambdaRestApi775C255B" + }, + "AuthorizationType": "NONE", + "Integration": { + "IntegrationHttpMethod": "POST", + "Type": "AWS_PROXY", + "Uri": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":apigateway:", + { + "Ref": "AWS::Region" + }, + ":lambda:path/2015-03-31/functions/", + { + "Fn::GetAtt": [ + "cfapigwlambdaLambdaFunction10C09D31", + "Arn" + ] + }, + "/invocations" + ] + ] + } + } + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W59", + "reason": "AWS::ApiGateway::Method AuthorizationType is set to 'NONE' because API Gateway behind CloudFront does not support AWS_IAM authentication" + } + ] + } + } + }, + "cfapigwlambdaLambdaRestApiANYApiPermissioncustomCloudfrontLoggingBucketcfapigwlambdaLambdaRestApi1C5998E7ANY3C46A898": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + "cfapigwlambdaLambdaFunction10C09D31", + "Arn" + ] + }, + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":execute-api:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + { + "Ref": "cfapigwlambdaLambdaRestApi775C255B" + }, + "/", + { + "Ref": "cfapigwlambdaLambdaRestApiDeploymentStageprod83104011" + }, + "/*/" + ] + ] 
+ } + } + }, + "cfapigwlambdaLambdaRestApiANYApiPermissionTestcustomCloudfrontLoggingBucketcfapigwlambdaLambdaRestApi1C5998E7ANY2F5B90FD": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + "cfapigwlambdaLambdaFunction10C09D31", + "Arn" + ] + }, + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":execute-api:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + { + "Ref": "cfapigwlambdaLambdaRestApi775C255B" + }, + "/test-invoke-stage/*/" + ] + ] + } + } + }, + "cfapigwlambdaLambdaRestApiANY81C176E9": { + "Type": "AWS::ApiGateway::Method", + "Properties": { + "HttpMethod": "ANY", + "ResourceId": { + "Fn::GetAtt": [ + "cfapigwlambdaLambdaRestApi775C255B", + "RootResourceId" + ] + }, + "RestApiId": { + "Ref": "cfapigwlambdaLambdaRestApi775C255B" + }, + "AuthorizationType": "NONE", + "Integration": { + "IntegrationHttpMethod": "POST", + "Type": "AWS_PROXY", + "Uri": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":apigateway:", + { + "Ref": "AWS::Region" + }, + ":lambda:path/2015-03-31/functions/", + { + "Fn::GetAtt": [ + "cfapigwlambdaLambdaFunction10C09D31", + "Arn" + ] + }, + "/invocations" + ] + ] + } + } + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W59", + "reason": "AWS::ApiGateway::Method AuthorizationType is set to 'NONE' because API Gateway behind CloudFront does not support AWS_IAM authentication" + } + ] + } + } + }, + "cfapigwlambdaLambdaRestApiUsagePlan11CE9748": { + "Type": "AWS::ApiGateway::UsagePlan", + "Properties": { + "ApiStages": [ + { + "ApiId": { + "Ref": "cfapigwlambdaLambdaRestApi775C255B" + }, + "Stage": { + "Ref": "cfapigwlambdaLambdaRestApiDeploymentStageprod83104011" + }, + "Throttle": {} + } + ] + } + }, + "cfapigwlambdaLambdaRestApiCloudWatchRole76F5ABDF": { + "Type": "AWS::IAM::Role", + 
"Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "apigateway.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:DescribeLogGroups", + "logs:DescribeLogStreams", + "logs:PutLogEvents", + "logs:GetLogEvents", + "logs:FilterLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "LambdaRestApiCloudWatchRolePolicy" + } + ] + } + }, + "cfapigwlambdaLambdaRestApiAccountB2390110": { + "Type": "AWS::ApiGateway::Account", + "Properties": { + "CloudWatchRoleArn": { + "Fn::GetAtt": [ + "cfapigwlambdaLambdaRestApiCloudWatchRole76F5ABDF", + "Arn" + ] + } + }, + "DependsOn": [ + "cfapigwlambdaLambdaRestApi775C255B" + ] + }, + "cfapigwlambdaCloudFrontToApiGatewaySetHttpSecurityHeadersE20F2933": { + "Type": "AWS::CloudFront::Function", + "Properties": { + "Name": "SetHttpSecurityHeadersc8273ed23dc12ef2b23814ad425355213a41659e4f", + "AutoPublish": true, + "FunctionCode": "function handler(event) { var response = event.response; var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: \"default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; return response; }", + "FunctionConfig": { + "Comment": "SetHttpSecurityHeadersc8273ed23dc12ef2b23814ad425355213a41659e4f", + "Runtime": "cloudfront-js-1.0" + } + } + }, 
+ "cfapigwlambdaCloudFrontToApiGatewayCloudfrontLoggingBucket2E8E3DC2": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "LogDeliveryWrite", + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, + "VersioningConfiguration": { + "Status": "Enabled" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete", + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W35", + "reason": "This S3 bucket is used as the access logging bucket for CloudFront Distribution" + } + ] + } + } + }, + "cfapigwlambdaCloudFrontToApiGatewayCloudfrontLoggingBucketPolicy416A95E3": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "cfapigwlambdaCloudFrontToApiGatewayCloudfrontLoggingBucket2E8E3DC2" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "cfapigwlambdaCloudFrontToApiGatewayCloudfrontLoggingBucket2E8E3DC2", + "Arn" + ] + }, + "/*" + ] + ] + }, + { + "Fn::GetAtt": [ + "cfapigwlambdaCloudFrontToApiGatewayCloudfrontLoggingBucket2E8E3DC2", + "Arn" + ] + } + ], + "Sid": "HttpsOnly" + } + ], + "Version": "2012-10-17" + } + } + }, + "cfapigwlambdaCloudFrontToApiGatewayCloudFrontDistributionF8B75200": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "DefaultCacheBehavior": { + "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6", + "Compress": true, + "FunctionAssociations": [ + { + "EventType": "viewer-response", + "FunctionARN": { + "Fn::GetAtt": [ + 
"cfapigwlambdaCloudFrontToApiGatewaySetHttpSecurityHeadersE20F2933", + "FunctionARN" + ] + } + } + ], + "TargetOriginId": "customCloudfrontLoggingBucketcfapigwlambdaCloudFrontToApiGatewayCloudFrontDistributionOrigin1C90DACBB", + "ViewerProtocolPolicy": "redirect-to-https" + }, + "Enabled": true, + "HttpVersion": "http2", + "IPV6Enabled": true, + "Logging": { + "Bucket": { + "Fn::GetAtt": [ + "cfapigwlambdaCloudFrontToApiGatewayCloudfrontLoggingBucket2E8E3DC2", + "RegionalDomainName" + ] + } + }, + "Origins": [ + { + "CustomOriginConfig": { + "OriginProtocolPolicy": "https-only", + "OriginSSLProtocols": [ + "TLSv1.2" + ] + }, + "DomainName": { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "://", + { + "Fn::Join": [ + "", + [ + "https://", + { + "Ref": "cfapigwlambdaLambdaRestApi775C255B" + }, + ".execute-api.", + { + "Ref": "AWS::Region" + }, + ".", + { + "Ref": "AWS::URLSuffix" + }, + "/", + { + "Ref": "cfapigwlambdaLambdaRestApiDeploymentStageprod83104011" + }, + "/" + ] + ] + } + ] + } + ] + } + ] + } + ] + }, + "Id": "customCloudfrontLoggingBucketcfapigwlambdaCloudFrontToApiGatewayCloudFrontDistributionOrigin1C90DACBB", + "OriginPath": { + "Fn::Join": [ + "", + [ + "/", + { + "Ref": "cfapigwlambdaLambdaRestApiDeploymentStageprod83104011" + } + ] + ] + } + } + ] + } + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W70", + "reason": "Since the distribution uses the CloudFront domain name, CloudFront automatically sets the security policy to TLSv1 regardless of the value of MinimumProtocolVersion" + } + ] + } + } + } + }, + "Outputs": { + "cfapigwlambdaLambdaRestApiEndpoint1004A97F": { + "Value": { + "Fn::Join": [ + "", + [ + "https://", + { + "Ref": "cfapigwlambdaLambdaRestApi775C255B" + }, + ".execute-api.", + { + "Ref": "AWS::Region" + }, + ".", + { + "Ref": "AWS::URLSuffix" + }, + "/", + { + "Ref": "cfapigwlambdaLambdaRestApiDeploymentStageprod83104011" + }, + "/" + ] + ] + } + } + 
}, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store." + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/test/integ.customCloudfrontLoggingBucket.ts b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/test/integ.customCloudfrontLoggingBucket.ts new file mode 100644 index 000000000..33379a1be --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/test/integ.customCloudfrontLoggingBucket.ts 
@@ -0,0 +1,40 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ + +/// !cdk-integ * +import { App, Stack, RemovalPolicy } from "@aws-cdk/core"; +import { CloudFrontToApiGatewayToLambda } from "../lib"; +import * as lambda from '@aws-cdk/aws-lambda'; +import { BucketEncryption } from "@aws-cdk/aws-s3"; +import { generateIntegStackName } from '@aws-solutions-constructs/core'; + +// Setup +const app = new App(); +const stack = new Stack(app, generateIntegStackName(__filename)); +stack.templateOptions.description = 'Integration Test for aws-cloudfront-apigateway-lambda custom Cloudfront Logging Bucket'; + +new CloudFrontToApiGatewayToLambda(stack, 'cf-apigw-lambda', { + lambdaFunctionProps: { + code: lambda.Code.fromAsset(`${__dirname}/lambda`), + runtime: lambda.Runtime.NODEJS_10_X, + handler: 'index.handler' + }, + cloudFrontLoggingBucketProps: { + removalPolicy: RemovalPolicy.DESTROY, + encryption: BucketEncryption.S3_MANAGED, + versioned: true + } +}); + +// Synth +app.synth(); diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/test/test.cloudfront-apigateway-lambda.test.ts b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/test/test.cloudfront-apigateway-lambda.test.ts index 30e2de1ff..3588f48b3 100644 --- a/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/test/test.cloudfront-apigateway-lambda.test.ts 
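Review bot: `cloudFrontLoggingBucketProps` sets `removalPolicy: RemovalPolicy.DESTROY` without `autoDeleteObjects: true`, so the snapshot gets `DeletionPolicy: Delete` with no auto-delete custom resource, and as soon as CloudFront delivers one log object the bucket is non-empty and `cdk destroy` of this integration stack fails; the unit test added in the same commit pairs the two settings, and this fixture should as well: `autoDeleteObjects: true`. Separately, the function uses `lambda.Runtime.NODEJS_10_X`, a runtime Lambda deprecated in mid-2021 with function creation scheduled to be blocked, so a stack deployed from this file will eventually fail to create; `lambda.Runtime.NODEJS_14_X` is the supported replacement.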
+++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/test/test.cloudfront-apigateway-lambda.test.ts @@ -15,6 +15,7 @@ import { CloudFrontToApiGatewayToLambda, CloudFrontToApiGatewayToLambdaProps } f import * as cdk from "@aws-cdk/core"; import * as lambda from '@aws-cdk/aws-lambda'; import * as api from '@aws-cdk/aws-apigateway'; +import * as s3 from "@aws-cdk/aws-s3"; import '@aws-cdk/assert/jest'; function deployNewFunc(stack: cdk.Stack) { 
@@ -199,4 +200,75 @@ test('override api gateway properties without existingLambdaObj', () => { }, Name: "LambdaRestApi" }); +}); + +// -------------------------------------------------------------- +// Cloudfront logging bucket with destroy removal policy and auto delete objects +// -------------------------------------------------------------- +test('Cloudfront logging bucket with destroy removal policy and auto delete objects', () => { + const stack = new cdk.Stack(); + + new CloudFrontToApiGatewayToLambda(stack, 'test-cloudfront-apigateway-lambda', { + lambdaFunctionProps: { + code: lambda.Code.fromAsset(`${__dirname}/lambda`), + runtime: lambda.Runtime.NODEJS_10_X, + handler: 'index.handler' + }, + apiGatewayProps: { + endpointConfiguration: { + types: [api.EndpointType.PRIVATE], + } + }, + cloudFrontLoggingBucketProps: { + removalPolicy: cdk.RemovalPolicy.DESTROY, + autoDeleteObjects: true + } + }); + + expect(stack).toHaveResource("AWS::S3::Bucket", { + AccessControl: "LogDeliveryWrite" + }); + + expect(stack).toHaveResource("Custom::S3AutoDeleteObjects", { + ServiceToken: { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", + "Arn" + ] + }, + BucketName: { + Ref: "testcloudfrontapigatewaylambdaCloudFrontToApiGatewayCloudfrontLoggingBucket7F467421" + } + }); +}); + +// -------------------------------------------------------------- +// Cloudfront logging bucket error providing existing log bucket and logBucketProps +// -------------------------------------------------------------- +test('Cloudfront logging bucket error when providing existing log bucket and logBucketProps', () => { + const stack = new cdk.Stack(); + const logBucket = new s3.Bucket(stack, 'cloudfront-log-bucket', {}); + + const app = () => { new CloudFrontToApiGatewayToLambda(stack, 'cloudfront-s3', { + lambdaFunctionProps: { + code: lambda.Code.fromAsset(`${__dirname}/lambda`), + runtime: lambda.Runtime.NODEJS_10_X, + handler: 'index.handler' + }, + 
apiGatewayProps: { + endpointConfiguration: { + types: [api.EndpointType.PRIVATE], + } + }, + cloudFrontLoggingBucketProps: { + removalPolicy: cdk.RemovalPolicy.DESTROY, + autoDeleteObjects: true + }, + cloudFrontDistributionProps: { + logBucket + }, + }); + }; + + expect(app).toThrowError(); }); \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/README.md b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/README.md index 930706a64..520a12b62 100644 --- a/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/README.md +++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/README.md @@ -5,10 +5,6 @@ ![Stability: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge) -> All classes are under active development and subject to non-backward compatible changes or removal in any -> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. -> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package. - --- 
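Review bot: `expect(app).toThrowError()` in the new "existing log bucket and logBucketProps" test accepts any exception, so a typo or an unrelated validation failure inside the construct keeps the test green without exercising the mutual-exclusion check; match the error the construct actually raises, e.g. `expect(app).toThrowError(/logBucket/)`, adjusted to the real message, which is not visible here. The first new test asserts only `AccessControl` and the auto-delete custom resource; since user props override the defaults, it should also assert that `BucketEncryption` and `PublicAccessBlockConfiguration` are still emitted when `cloudFrontLoggingBucketProps` is supplied, so a regression in merge order cannot silently drop them. Hard-coded logical IDs such as `CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F` break on any CDK hash change; `expect(stack).toHaveResource("Custom::S3AutoDeleteObjects")` without the properties object is enough here.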
@@ -74,8 +70,10 @@ _Parameters_ | **Name** | **Type** | **Description** | |:-------------|:----------------|-----------------| |existingApiGatewayObj|[`api.RestApi`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.RestApi.html)|The regional API Gateway that will be fronted with the CloudFront| -|cloudFrontDistributionProps?|[`cloudfront.DistributionProps | any`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.DistributionProps.html)|Optional user provided props to override the default props for CloudFront Distribution| +|cloudFrontDistributionProps?|[`cloudfront.DistributionProps \| any`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.DistributionProps.html)|Optional user provided props to override the default props for CloudFront Distribution| |insertHttpSecurityHeaders?|`boolean`|Optional user provided props to turn on/off the automatic injection of best practice HTTP security headers in all responses from CloudFront| +|cloudFrontLoggingBucketProps?|[`s3.BucketProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.BucketProps.html)|Optional user provided props to override the default props for the CloudFront Logging Bucket.| + ## Pattern Properties | **Name** | **Type** | **Description** | diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/lib/index.ts index e2468feef..bae337ef6 100644 --- a/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/lib/index.ts +++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/lib/index.ts 
@@ -41,6 +41,12 @@ export interface CloudFrontToApiGatewayProps { * @default - true */ readonly insertHttpSecurityHeaders?: boolean; + /** + * Optional user provided props to override the default props for the CloudFront Logging Bucket. + * + * @default - Default props are used + */ + readonly cloudFrontLoggingBucketProps?: s3.BucketProps } export class CloudFrontToApiGateway extends Construct { @@ -65,6 +71,6 @@ export class CloudFrontToApiGateway extends Construct { [this.cloudFrontWebDistribution, this.cloudFrontFunction, this.cloudFrontLoggingBucket] = defaults.CloudFrontDistributionForApiGateway(this, props.existingApiGatewayObj, - props.cloudFrontDistributionProps, props.insertHttpSecurityHeaders); + props.cloudFrontDistributionProps, props.insertHttpSecurityHeaders, props.cloudFrontLoggingBucketProps); } } diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/test/integ.customCloudfrontLoggingBucket.expected.json b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/test/integ.customCloudfrontLoggingBucket.expected.json new file mode 100644 index 000000000..6ab4f740f --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/test/integ.customCloudfrontLoggingBucket.expected.json 
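Review bot: The doc comment on `cloudFrontLoggingBucketProps` does not say what happens when a caller also passes `logBucket` inside `cloudFrontDistributionProps`, although the construct layered on top of this one is tested in this commit to throw in exactly that case. Add ` * Providing this and cloudFrontDistributionProps.logBucket together results in an error.` to the JSDoc and mirror it in the README row this commit adds. I cannot see where the error originates from this hunk, so confirm it is raised for this construct directly and not only by the lambda variant. The constructor in the second hunk begins before the hunk's first line.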
@@ -0,0 +1,859 @@ +{ + "Description": "Integration Test for aws-cloudfront-apigateway custom Cloudfront Logging Bucket", + "Resources": { + "LambdaFunctionServiceRole0C4CDE0B": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/lambda/*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "LambdaFunctionServiceRolePolicy" + } + ] + } + }, + "LambdaFunctionServiceRoleDefaultPolicy126C8897": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "xray:PutTraceSegments", + "xray:PutTelemetryRecords" + ], + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "LambdaFunctionServiceRoleDefaultPolicy126C8897", + "Roles": [ + { + "Ref": "LambdaFunctionServiceRole0C4CDE0B" + } + ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W12", + "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC." 
+ } + ] + } + } + }, + "LambdaFunctionBF21E41F": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "76457685de34c4b8447dc527f32d442291b2efeb05bcfcba793036ac6c94d9a2.zip" + }, + "Role": { + "Fn::GetAtt": [ + "LambdaFunctionServiceRole0C4CDE0B", + "Arn" + ] + }, + "Environment": { + "Variables": { + "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1" + } + }, + "Handler": "index.handler", + "Runtime": "nodejs10.x", + "TracingConfig": { + "Mode": "Active" + } + }, + "DependsOn": [ + "LambdaFunctionServiceRoleDefaultPolicy126C8897", + "LambdaFunctionServiceRole0C4CDE0B" + ], + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W58", + "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions." + }, + { + "id": "W89", + "reason": "This is not a rule for the general case, just for specific use cases/industries" + }, + { + "id": "W92", + "reason": "Impossible for us to define the correct concurrency for clients" + } + ] + } + } + }, + "ApiAccessLogGroupCEA70788": { + "Type": "AWS::Logs::LogGroup", + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain", + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W86", + "reason": "Retention period for CloudWatchLogs LogGroups are set to 'Never Expire' to preserve customer data indefinitely" + }, + { + "id": "W84", + "reason": "By default CloudWatchLogs LogGroups data is encrypted using the CloudWatch server-side encryption keys (AWS Managed Keys)" + } + ] + } + } + }, + "LambdaRestApi95870433": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Name": "LambdaRestApi" + } + }, + "LambdaRestApiDeploymentBA640578812946cff1910fe2b8b339ee3a8d51c7": { + "Type": 
"AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "LambdaRestApi95870433" + }, + "Description": "Automatically created by the RestApi construct" + }, + "DependsOn": [ + "LambdaRestApiproxyANY93D43CC0", + "LambdaRestApiproxy9F99E187", + "LambdaRestApiANYA831AD87" + ], + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W45", + "reason": "ApiGateway has AccessLogging enabled in AWS::ApiGateway::Stage resource, but cfn_nag checkes for it in AWS::ApiGateway::Deployment resource" + } + ] + } + } + }, + "LambdaRestApiDeploymentStageprodB1F3862A": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "RestApiId": { + "Ref": "LambdaRestApi95870433" + }, + "AccessLogSetting": { + "DestinationArn": { + "Fn::GetAtt": [ + "ApiAccessLogGroupCEA70788", + "Arn" + ] + }, + "Format": "{\"requestId\":\"$context.requestId\",\"ip\":\"$context.identity.sourceIp\",\"user\":\"$context.identity.user\",\"caller\":\"$context.identity.caller\",\"requestTime\":\"$context.requestTime\",\"httpMethod\":\"$context.httpMethod\",\"resourcePath\":\"$context.resourcePath\",\"status\":\"$context.status\",\"protocol\":\"$context.protocol\",\"responseLength\":\"$context.responseLength\"}" + }, + "DeploymentId": { + "Ref": "LambdaRestApiDeploymentBA640578812946cff1910fe2b8b339ee3a8d51c7" + }, + "MethodSettings": [ + { + "DataTraceEnabled": false, + "HttpMethod": "*", + "LoggingLevel": "INFO", + "ResourcePath": "/*" + } + ], + "StageName": "prod", + "TracingEnabled": true + } + }, + "LambdaRestApiproxy9F99E187": { + "Type": "AWS::ApiGateway::Resource", + "Properties": { + "ParentId": { + "Fn::GetAtt": [ + "LambdaRestApi95870433", + "RootResourceId" + ] + }, + "PathPart": "{proxy+}", + "RestApiId": { + "Ref": "LambdaRestApi95870433" + } + } + }, + "LambdaRestApiproxyANYApiPermissioncustomCloudfrontLoggingBucketLambdaRestApiB3C97BC3ANYproxyB2970EF0": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { 
+ "Fn::GetAtt": [ + "LambdaFunctionBF21E41F", + "Arn" + ] + }, + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":execute-api:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + { + "Ref": "LambdaRestApi95870433" + }, + "/", + { + "Ref": "LambdaRestApiDeploymentStageprodB1F3862A" + }, + "/*/*" + ] + ] + } + } + }, + "LambdaRestApiproxyANYApiPermissionTestcustomCloudfrontLoggingBucketLambdaRestApiB3C97BC3ANYproxyB96C3608": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + "LambdaFunctionBF21E41F", + "Arn" + ] + }, + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":execute-api:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + { + "Ref": "LambdaRestApi95870433" + }, + "/test-invoke-stage/*/*" + ] + ] + } + } + }, + "LambdaRestApiproxyANY93D43CC0": { + "Type": "AWS::ApiGateway::Method", + "Properties": { + "HttpMethod": "ANY", + "ResourceId": { + "Ref": "LambdaRestApiproxy9F99E187" + }, + "RestApiId": { + "Ref": "LambdaRestApi95870433" + }, + "AuthorizationType": "NONE", + "Integration": { + "IntegrationHttpMethod": "POST", + "Type": "AWS_PROXY", + "Uri": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":apigateway:", + { + "Ref": "AWS::Region" + }, + ":lambda:path/2015-03-31/functions/", + { + "Fn::GetAtt": [ + "LambdaFunctionBF21E41F", + "Arn" + ] + }, + "/invocations" + ] + ] + } + } + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W59", + "reason": "AWS::ApiGateway::Method AuthorizationType is set to 'NONE' because API Gateway behind CloudFront does not support AWS_IAM authentication" + } + ] + } + } + }, + 
"LambdaRestApiANYApiPermissioncustomCloudfrontLoggingBucketLambdaRestApiB3C97BC3ANY61586206": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + "LambdaFunctionBF21E41F", + "Arn" + ] + }, + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":execute-api:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + { + "Ref": "LambdaRestApi95870433" + }, + "/", + { + "Ref": "LambdaRestApiDeploymentStageprodB1F3862A" + }, + "/*/" + ] + ] + } + } + }, + "LambdaRestApiANYApiPermissionTestcustomCloudfrontLoggingBucketLambdaRestApiB3C97BC3ANYBE8D9316": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + "LambdaFunctionBF21E41F", + "Arn" + ] + }, + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":execute-api:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + { + "Ref": "LambdaRestApi95870433" + }, + "/test-invoke-stage/*/" + ] + ] + } + } + }, + "LambdaRestApiANYA831AD87": { + "Type": "AWS::ApiGateway::Method", + "Properties": { + "HttpMethod": "ANY", + "ResourceId": { + "Fn::GetAtt": [ + "LambdaRestApi95870433", + "RootResourceId" + ] + }, + "RestApiId": { + "Ref": "LambdaRestApi95870433" + }, + "AuthorizationType": "NONE", + "Integration": { + "IntegrationHttpMethod": "POST", + "Type": "AWS_PROXY", + "Uri": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":apigateway:", + { + "Ref": "AWS::Region" + }, + ":lambda:path/2015-03-31/functions/", + { + "Fn::GetAtt": [ + "LambdaFunctionBF21E41F", + "Arn" + ] + }, + "/invocations" + ] + ] + } + } + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W59", + "reason": "AWS::ApiGateway::Method 
AuthorizationType is set to 'NONE' because API Gateway behind CloudFront does not support AWS_IAM authentication" + } + ] + } + } + }, + "LambdaRestApiUsagePlanB4DF55D0": { + "Type": "AWS::ApiGateway::UsagePlan", + "Properties": { + "ApiStages": [ + { + "ApiId": { + "Ref": "LambdaRestApi95870433" + }, + "Stage": { + "Ref": "LambdaRestApiDeploymentStageprodB1F3862A" + }, + "Throttle": {} + } + ] + } + }, + "LambdaRestApiCloudWatchRoleF339D4E6": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "apigateway.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:DescribeLogGroups", + "logs:DescribeLogStreams", + "logs:PutLogEvents", + "logs:GetLogEvents", + "logs:FilterLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":*" + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "LambdaRestApiCloudWatchRolePolicy" + } + ] + } + }, + "LambdaRestApiAccount": { + "Type": "AWS::ApiGateway::Account", + "Properties": { + "CloudWatchRoleArn": { + "Fn::GetAtt": [ + "LambdaRestApiCloudWatchRoleF339D4E6", + "Arn" + ] + } + }, + "DependsOn": [ + "LambdaRestApi95870433" + ] + }, + "cfapigwSetHttpSecurityHeaders07A0F0C0": { + "Type": "AWS::CloudFront::Function", + "Properties": { + "Name": "SetHttpSecurityHeadersc8fc067b45a5c199a519a90c3b5f02d380f1625f1d", + "AutoPublish": true, + "FunctionCode": "function handler(event) { var response = event.response; var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: \"default-src 
'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; return response; }", + "FunctionConfig": { + "Comment": "SetHttpSecurityHeadersc8fc067b45a5c199a519a90c3b5f02d380f1625f1d", + "Runtime": "cloudfront-js-1.0" + } + } + }, + "cfapigwCloudfrontLoggingBucket79FE4195": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "LogDeliveryWrite", + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, + "VersioningConfiguration": { + "Status": "Enabled" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete", + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W35", + "reason": "This S3 bucket is used as the access logging bucket for CloudFront Distribution" + } + ] + } + } + }, + "cfapigwCloudfrontLoggingBucketPolicyF5181F4F": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "cfapigwCloudfrontLoggingBucket79FE4195" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "cfapigwCloudfrontLoggingBucket79FE4195", + "Arn" + ] + }, + "/*" + ] + ] + }, + { + "Fn::GetAtt": [ + "cfapigwCloudfrontLoggingBucket79FE4195", + "Arn" + ] + } + ], + "Sid": "HttpsOnly" + } + ], + "Version": "2012-10-17" + } + } + }, + "cfapigwCloudFrontDistribution2DD013DF": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "DefaultCacheBehavior": { + 
"CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6", + "Compress": true, + "FunctionAssociations": [ + { + "EventType": "viewer-response", + "FunctionARN": { + "Fn::GetAtt": [ + "cfapigwSetHttpSecurityHeaders07A0F0C0", + "FunctionARN" + ] + } + } + ], + "TargetOriginId": "customCloudfrontLoggingBucketcfapigwCloudFrontDistributionOrigin1D25D62E1", + "ViewerProtocolPolicy": "redirect-to-https" + }, + "Enabled": true, + "HttpVersion": "http2", + "IPV6Enabled": true, + "Logging": { + "Bucket": { + "Fn::GetAtt": [ + "cfapigwCloudfrontLoggingBucket79FE4195", + "RegionalDomainName" + ] + } + }, + "Origins": [ + { + "CustomOriginConfig": { + "OriginProtocolPolicy": "https-only", + "OriginSSLProtocols": [ + "TLSv1.2" + ] + }, + "DomainName": { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "://", + { + "Fn::Join": [ + "", + [ + "https://", + { + "Ref": "LambdaRestApi95870433" + }, + ".execute-api.", + { + "Ref": "AWS::Region" + }, + ".", + { + "Ref": "AWS::URLSuffix" + }, + "/", + { + "Ref": "LambdaRestApiDeploymentStageprodB1F3862A" + }, + "/" + ] + ] + } + ] + } + ] + } + ] + } + ] + }, + "Id": "customCloudfrontLoggingBucketcfapigwCloudFrontDistributionOrigin1D25D62E1", + "OriginPath": { + "Fn::Join": [ + "", + [ + "/", + { + "Ref": "LambdaRestApiDeploymentStageprodB1F3862A" + } + ] + ] + } + } + ] + } + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W70", + "reason": "Since the distribution uses the CloudFront domain name, CloudFront automatically sets the security policy to TLSv1 regardless of the value of MinimumProtocolVersion" + } + ] + } + } + } + }, + "Outputs": { + "LambdaRestApiEndpointCCECE4C1": { + "Value": { + "Fn::Join": [ + "", + [ + "https://", + { + "Ref": "LambdaRestApi95870433" + }, + ".execute-api.", + { + "Ref": "AWS::Region" + }, + ".", + { + "Ref": "AWS::URLSuffix" + }, + "/", + { + "Ref": "LambdaRestApiDeploymentStageprodB1F3862A" + }, + "/" + ] + ] + } + } + }, + 
"Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store." + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/test/integ.customCloudfrontLoggingBucket.ts b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/test/integ.customCloudfrontLoggingBucket.ts new file mode 100644 index 000000000..7c39bda19 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/test/integ.customCloudfrontLoggingBucket.ts 
@@ -0,0 +1,64 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ + +/// !cdk-integ * +import { App, Stack, RemovalPolicy } from "@aws-cdk/core"; +import { CloudFrontToApiGateway } from "../lib"; +import { BucketEncryption } from "@aws-cdk/aws-s3"; +import * as lambda from '@aws-cdk/aws-lambda'; +import * as defaults from '@aws-solutions-constructs/core'; +import * as api from '@aws-cdk/aws-apigateway'; +import { generateIntegStackName } from '@aws-solutions-constructs/core'; + +// Setup +const app = new App(); +const stack = new Stack(app, generateIntegStackName(__filename)); +stack.templateOptions.description = 'Integration Test for aws-cloudfront-apigateway custom Cloudfront Logging Bucket'; + +const inProps: lambda.FunctionProps = { + code: lambda.Code.fromAsset(`${__dirname}/lambda`), + runtime: lambda.Runtime.NODEJS_10_X, + handler: 'index.handler' +}; + +const func = defaults.deployLambdaFunction(stack, inProps); + +const [_api] = defaults.RegionalLambdaRestApi(stack, func); + +_api.methods.forEach((apiMethod) => { + // Override the API Gateway Authorization Type from AWS_IAM to NONE + const child = apiMethod.node.findChild('Resource') as api.CfnMethod; + if (child.authorizationType === 'AWS_IAM') { + child.addPropertyOverride('AuthorizationType', 'NONE'); + + defaults.addCfnSuppressRules(apiMethod, [ + { + id: "W59", + reason: `AWS::ApiGateway::Method AuthorizationType is set to 'NONE' because API Gateway behind CloudFront 
does not support AWS_IAM authentication`, + }, + ]); + + } +}); + +new CloudFrontToApiGateway(stack, 'cf-apigw', { + existingApiGatewayObj: _api, + cloudFrontLoggingBucketProps: { + removalPolicy: RemovalPolicy.DESTROY, + encryption: BucketEncryption.S3_MANAGED, + versioned: true + } +}); + +// Synth +app.synth(); diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/test/test.cloudfront-apigateway.test.ts b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/test/test.cloudfront-apigateway.test.ts index d36ff34f9..28b89b96c 100644 --- a/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/test/test.cloudfront-apigateway.test.ts +++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/test/test.cloudfront-apigateway.test.ts @@ -14,6 +14,7 @@ import { ResourcePart } from '@aws-cdk/assert'; import { CloudFrontToApiGateway } from "../lib"; import * as cdk from "@aws-cdk/core"; +import * as s3 from "@aws-cdk/aws-s3"; import * as defaults from '@aws-solutions-constructs/core'; import * as lambda from '@aws-cdk/aws-lambda'; import '@aws-cdk/assert/jest'; 
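Review bot: The integ stack sets `removalPolicy: RemovalPolicy.DESTROY` on the logging bucket but not `autoDeleteObjects`, so if CloudFront has delivered any access logs by teardown time the bucket is non-empty and the stack delete fails on it; the unit test added in test.cloudfront-apigateway.test.ts pairs the two, and the integ test could do the same with `removalPolicy: RemovalPolicy.DESTROY, autoDeleteObjects: true,`. The import block interleaves `../lib` between two `@aws-cdk` imports and mixes double and single quotes, whereas the sibling test file groups the external imports first with single quotes. The Lambda uses `lambda.Runtime.NODEJS_10_X`, a runtime that is past end of support; it presumably mirrors the existing integ tests, but a new file is a good place to move to a supported one.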
@@ -158,3 +159,77 @@ test('test api gateway lambda service role', () => { ] }); }); + +// -------------------------------------------------------------- +// Cloudfront logging bucket with destroy removal policy and auto delete objects +// -------------------------------------------------------------- +test('Cloudfront logging bucket with destroy removal policy and auto delete objects', () => { + const stack = new cdk.Stack(); + + const inProps: lambda.FunctionProps = { + code: lambda.Code.fromAsset(`${__dirname}/lambda`), + runtime: lambda.Runtime.NODEJS_10_X, + handler: 'index.handler' + }; + + const func = defaults.deployLambdaFunction(stack, inProps); + + const [_api] = defaults.RegionalLambdaRestApi(stack, func); + + new CloudFrontToApiGateway(stack, 'cloudfront-apigateway', { + existingApiGatewayObj: _api, + cloudFrontLoggingBucketProps: { + removalPolicy: cdk.RemovalPolicy.DESTROY, + autoDeleteObjects: true + } + }); + + expect(stack).toHaveResource("AWS::S3::Bucket", { + AccessControl: "LogDeliveryWrite" + }); + + expect(stack).toHaveResource("Custom::S3AutoDeleteObjects", { + ServiceToken: { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", + "Arn" + ] + }, + BucketName: { + Ref: "cloudfrontapigatewayCloudfrontLoggingBucket5948F496" + } + }); +}); + +// -------------------------------------------------------------- +// Cloudfront logging bucket error providing existing log bucket and logBucketProps +// -------------------------------------------------------------- +test('Cloudfront logging bucket error when providing existing log bucket and logBucketProps', () => { + const stack = new cdk.Stack(); + + const inProps: lambda.FunctionProps = { + code: lambda.Code.fromAsset(`${__dirname}/lambda`), + runtime: lambda.Runtime.NODEJS_10_X, + handler: 'index.handler' + }; + + const func = defaults.deployLambdaFunction(stack, inProps); + + const [_api] = defaults.RegionalLambdaRestApi(stack, func); + + const logBucket = new 
s3.Bucket(stack, 'cloudfront-log-bucket', {}); + + const app = () => { new CloudFrontToApiGateway(stack, 'cloudfront-apigateway', { + existingApiGatewayObj: _api, + cloudFrontDistributionProps: { + logBucket + }, + cloudFrontLoggingBucketProps: { + removalPolicy: cdk.RemovalPolicy.DESTROY, + autoDeleteObjects: true + } + }); + }; + + expect(app).toThrowError(); +}); \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/README.md b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/README.md index a512c0f14..6456ce764 100644 --- a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/README.md +++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/README.md @@ -5,10 +5,6 @@ ![Stability: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge) -> All classes are under active development and subject to non-backward compatible changes or removal in any -> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. -> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package. - --- 
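Review bot: The first new test is named for the destroy removal policy but never asserts it: the `AWS::S3::Bucket` expectation only checks `AccessControl`, so a regression that dropped the `removalPolicy` passthrough would still pass. `ResourcePart` is already imported at the top of this file, so the bucket check can cover the policy directly: `expect(stack).toHaveResource("AWS::S3::Bucket", { DeletionPolicy: "Delete" }, ResourcePart.CompleteDefinition);`. In the second test, `expect(app).toThrowError()` with no argument accepts any exception, including one from an unrelated bug in the construct; passing the message (or a regex on it) that the core check raises would pin the intended behaviour. The same two gaps are in the `@@ -581` hunk of aws-cloudfront-mediastore/test/cloudfront-mediastore.test.ts.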
@@ -55,6 +51,7 @@ _Parameters_ |mediaStoreContainerProps?|[`mediastore.CfnContainerProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-mediastore.CfnContainerProps.html)|Optional user provided props to override the default props for the MediaStore Container.| |cloudFrontDistributionProps?|[`cloudfront.DistributionProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.DistributionProps.html)\|`any`|Optional user provided props to override the default props for the CloudFront Distribution.| |insertHttpSecurityHeaders?|`boolean`|Optional user provided props to turn on/off the automatic injection of best practice HTTP security headers in all responses from CloudFront| +|cloudFrontLoggingBucketProps?|[`s3.BucketProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.BucketProps.html)|Optional user provided props to override the default props for the CloudFront Logging Bucket.| ## Pattern Properties diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/lib/index.ts index 13b0cd237..f66e11a26 100644 --- a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/lib/index.ts +++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/lib/index.ts @@ -15,7 +15,7 @@ import * as cloudfront from '@aws-cdk/aws-cloudfront'; import * as mediastore from '@aws-cdk/aws-mediastore'; import * as s3 from '@aws-cdk/aws-s3'; import * as defaults from '@aws-solutions-constructs/core'; -import { Construct, Aws} from '@aws-cdk/core'; +import { Construct, Aws } from '@aws-cdk/core'; /** * @summary The properties for the CloudFrontToMediaStore Construct 
@@ -46,6 +46,12 @@ export interface CloudFrontToMediaStoreProps { * @default - true */ readonly insertHttpSecurityHeaders?: boolean; + /** + * Optional user provided props to override the default props for the CloudFront Logging Bucket. + * + * @default - Default props are used + */ + readonly cloudFrontLoggingBucketProps?: s3.BucketProps } export class CloudFrontToMediaStore extends Construct { @@ -65,7 +71,7 @@ export class CloudFrontToMediaStore extends Construct { * @access public */ constructor(scope: Construct, id: string, props: CloudFrontToMediaStoreProps) { - super (scope, id); + super(scope, id); defaults.CheckProps(props); let cloudFrontDistributionProps = props.cloudFrontDistributionProps; @@ -122,6 +128,11 @@ export class CloudFrontToMediaStore extends Construct { } [this.cloudFrontWebDistribution, this.cloudFrontLoggingBucket, this.cloudFrontOriginRequestPolicy, this.cloudFrontFunction] - = defaults.CloudFrontDistributionForMediaStore(this, this.mediaStoreContainer, cloudFrontDistributionProps, props.insertHttpSecurityHeaders); + = defaults.CloudFrontDistributionForMediaStore( + this, this.mediaStoreContainer, + cloudFrontDistributionProps, + props.insertHttpSecurityHeaders, + props.cloudFrontLoggingBucketProps + ); } } diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/cloudfront-mediastore.test.ts b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/cloudfront-mediastore.test.ts index bd04cd311..de0966abb 100644 --- a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/cloudfront-mediastore.test.ts +++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/cloudfront-mediastore.test.ts 
@@ -13,9 +13,10 @@ // Imports import '@aws-cdk/assert/jest'; -import { Stack } from '@aws-cdk/core'; +import { Stack, RemovalPolicy } from '@aws-cdk/core'; import * as mediastore from '@aws-cdk/aws-mediastore'; import * as cloudfront from '@aws-cdk/aws-cloudfront'; +import * as s3 from '@aws-cdk/aws-s3'; import { CloudFrontToMediaStore } from '../lib'; // -------------------------------------------------------------- 
@@ -581,3 +582,54 @@ test('Test the deployment with the user provided CloudFront properties', () => { } }); }); + +// -------------------------------------------------------------- +// Cloudfront logging bucket with destroy removal policy and auto delete objects +// -------------------------------------------------------------- +test('Cloudfront logging bucket with destroy removal policy and auto delete objects', () => { + const stack = new Stack(); + + new CloudFrontToMediaStore(stack, 'cloudfront-mediatstore', { + cloudFrontLoggingBucketProps: { + removalPolicy: RemovalPolicy.DESTROY, + autoDeleteObjects: true + } + }); + + expect(stack).toHaveResource("AWS::S3::Bucket", { + AccessControl: "LogDeliveryWrite" + }); + + expect(stack).toHaveResource("Custom::S3AutoDeleteObjects", { + ServiceToken: { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", + "Arn" + ] + }, + BucketName: { + Ref: "cloudfrontmediatstoreCloudfrontLoggingBucket2565C68A" + } + }); +}); + +// -------------------------------------------------------------- +// Cloudfront logging bucket error providing existing log bucket and logBucketProps +// -------------------------------------------------------------- +test('Cloudfront logging bucket error when providing existing log bucket and logBucketProps', () => { + const stack = new Stack(); + const logBucket = new s3.Bucket(stack, 'cloudfront-log-bucket', {}); + + const app = () => { new CloudFrontToMediaStore(stack, 'cloudfront-s3', { + cloudFrontDistributionProps: { + logBucket + }, + cloudFrontLoggingBucketProps: { + removalPolicy: RemovalPolicy.DESTROY, + autoDeleteObjects: true + } + }); + }; + + expect(app).toThrowError(); +}); \ No newline at end of file 
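Review bot: The construct ids in the two new tests look copy-pasted: `'cloudfront-mediatstore'` misspells mediastore, and the typo is then baked into the asserted logical id `cloudfrontmediatstoreCloudfrontLoggingBucket2565C68A`, while the second test instantiates a `CloudFrontToMediaStore` under the id `'cloudfront-s3'`. Renaming the first to `'cloudfront-mediastore'` changes the hash suffix of that logical id, so the `Ref` in the `Custom::S3AutoDeleteObjects` expectation has to be regenerated alongside it; the integ expected template in this commit already uses the correctly spelled `cloudfrontmediastore…` prefix. The assertion gaps noted on the aws-cloudfront-apigateway test hunk apply here as well, with the difference that `ResourcePart` would need importing in this file if it is not already.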
diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/integ.customCloudFrontLoggingBucket.expected.json b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/integ.customCloudFrontLoggingBucket.expected.json new file mode 100644 index 000000000..9a6902050 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/integ.customCloudFrontLoggingBucket.expected.json 
@@ -0,0 +1,357 @@ +{ + "Description": "Integration Test for aws-cloudfront-mediastore custom Cloudfront Logging Bucket", + "Resources": { + "cloudfrontmediastoreCloudFrontOriginAccessIdentityEA1869C4": { + "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity", + "Properties": { + "CloudFrontOriginAccessIdentityConfig": { + "Comment": { + "Fn::Join": [ + "", + [ + "access-identity-", + { + "Ref": "AWS::Region" + }, + "-", + { + "Ref": "AWS::StackName" + } + ] + ] + } + } + } + }, + "cloudfrontmediastoreMediaStoreContainer1772C1D5": { + "Type": "AWS::MediaStore::Container", + "Properties": { + "ContainerName": { + "Ref": "AWS::StackName" + }, + "AccessLoggingEnabled": true, + "CorsPolicy": [ + { + "AllowedHeaders": [ + "*" + ], + "AllowedMethods": [ + "GET" + ], + "AllowedOrigins": [ + "*" + ], + "ExposeHeaders": [ + "*" + ], + "MaxAgeSeconds": 3000 + } + ], + "LifecyclePolicy": "{\"rules\":[{\"definition\":{\"path\":[{\"wildcard\":\"*\"}],\"days_since_create\":[{\"numeric\":[\">\",30]}]},\"action\":\"EXPIRE\"}]}", + "MetricPolicy": { + "ContainerLevelMetrics": "ENABLED" + }, + "Policy": { + "Fn::Join": [ + "", + [ + "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"MediaStoreDefaultPolicy\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":[\"mediastore:GetObject\",\"mediastore:DescribeObject\"],\"Resource\":\"arn:", + { + "Ref": "AWS::Partition" + }, + ":mediastore:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":container/", + { + "Ref": "AWS::StackName" + }, + "/*\",\"Condition\":{\"StringEquals\":{\"aws:UserAgent\":\"", + { + "Ref": "cloudfrontmediastoreCloudFrontOriginAccessIdentityEA1869C4" + }, + "\"},\"Bool\":{\"aws:SecureTransport\":\"true\"}}}]}" + ] + ] + } + }, + "DeletionPolicy": "Retain" + }, + "cloudfrontmediastoreCloudfrontLoggingBucketE54A8D50": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "LogDeliveryWrite", + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + 
"ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, + "VersioningConfiguration": { + "Status": "Enabled" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete", + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W35", + "reason": "This S3 bucket is used as the access logging bucket for CloudFront Distribution" + } + ] + } + } + }, + "cloudfrontmediastoreCloudfrontLoggingBucketPolicyBB2766C9": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "cloudfrontmediastoreCloudfrontLoggingBucketE54A8D50" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "cloudfrontmediastoreCloudfrontLoggingBucketE54A8D50", + "Arn" + ] + }, + "/*" + ] + ] + }, + { + "Fn::GetAtt": [ + "cloudfrontmediastoreCloudfrontLoggingBucketE54A8D50", + "Arn" + ] + } + ], + "Sid": "HttpsOnly" + } + ], + "Version": "2012-10-17" + } + } + }, + "cloudfrontmediastoreCloudfrontOriginRequestPolicyC99EB0D7": { + "Type": "AWS::CloudFront::OriginRequestPolicy", + "Properties": { + "OriginRequestPolicyConfig": { + "Comment": "Policy for Constructs CloudFrontDistributionForMediaStore", + "CookiesConfig": { + "CookieBehavior": "none" + }, + "HeadersConfig": { + "HeaderBehavior": "whitelist", + "Headers": [ + "Access-Control-Allow-Origin", + "Access-Control-Request-Method", + "Access-Control-Request-Header", + "Origin" + ] + }, + "Name": { + "Fn::Join": [ + "", + [ + { + "Ref": "AWS::StackName" + }, + "-", + { + "Ref": "AWS::Region" + }, + "-CloudFrontDistributionForMediaStore" + ] + ] + }, + "QueryStringsConfig": { + "QueryStringBehavior": "all" + } + } + } + }, + 
"cloudfrontmediastoreSetHttpSecurityHeadersC55C3265": { + "Type": "AWS::CloudFront::Function", + "Properties": { + "Name": "SetHttpSecurityHeadersc80b17555ef95835e434ce55c4536b557a9baf1262", + "AutoPublish": true, + "FunctionCode": "function handler(event) { var response = event.response; var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: \"default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; return response; }", + "FunctionConfig": { + "Comment": "SetHttpSecurityHeadersc80b17555ef95835e434ce55c4536b557a9baf1262", + "Runtime": "cloudfront-js-1.0" + } + } + }, + "cloudfrontmediastoreCloudFrontDistribution639346BB": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "DefaultCacheBehavior": { + "AllowedMethods": [ + "GET", + "HEAD", + "OPTIONS" + ], + "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6", + "CachedMethods": [ + "GET", + "HEAD", + "OPTIONS" + ], + "Compress": true, + "FunctionAssociations": [ + { + "EventType": "viewer-response", + "FunctionARN": { + "Fn::GetAtt": [ + "cloudfrontmediastoreSetHttpSecurityHeadersC55C3265", + "FunctionARN" + ] + } + } + ], + "OriginRequestPolicyId": { + "Ref": "cloudfrontmediastoreCloudfrontOriginRequestPolicyC99EB0D7" + }, + "TargetOriginId": "customCloudFrontLoggingBucketcloudfrontmediastoreCloudFrontDistributionOrigin1ABFFF077", + "ViewerProtocolPolicy": "redirect-to-https" + }, + "Enabled": true, + "HttpVersion": "http2", + "IPV6Enabled": true, + "Logging": { + "Bucket": { + "Fn::GetAtt": [ + "cloudfrontmediastoreCloudfrontLoggingBucketE54A8D50", + "RegionalDomainName" + ] + } + }, + "Origins": [ + { + "CustomOriginConfig": { + "OriginProtocolPolicy": 
"https-only", + "OriginSSLProtocols": [ + "TLSv1.2" + ] + }, + "DomainName": { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "://", + { + "Fn::GetAtt": [ + "cloudfrontmediastoreMediaStoreContainer1772C1D5", + "Endpoint" + ] + } + ] + } + ] + } + ] + } + ] + }, + "Id": "customCloudFrontLoggingBucketcloudfrontmediastoreCloudFrontDistributionOrigin1ABFFF077", + "OriginCustomHeaders": [ + { + "HeaderName": "User-Agent", + "HeaderValue": { + "Ref": "cloudfrontmediastoreCloudFrontOriginAccessIdentityEA1869C4" + } + } + ] + } + ] + } + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W70", + "reason": "Since the distribution uses the CloudFront domain name, CloudFront automatically sets the security policy to TLSv1 regardless of the value of MinimumProtocolVersion" + } + ] + } + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store." + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/integ.customCloudFrontLoggingBucket.ts b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/integ.customCloudFrontLoggingBucket.ts new file mode 100644 index 000000000..ee3bc4055 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/integ.customCloudFrontLoggingBucket.ts 
@@ -0,0 +1,34 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+
+/// !cdk-integ *
+import { App, Stack, RemovalPolicy } from "@aws-cdk/core";
+import { CloudFrontToMediaStore } from "../lib";
+import { BucketEncryption } from "@aws-cdk/aws-s3";
+import { generateIntegStackName } from '@aws-solutions-constructs/core';
+
+// Setup
+const app = new App();
+const stack = new Stack(app, generateIntegStackName(__filename));
+stack.templateOptions.description = 'Integration Test for aws-cloudfront-mediastore custom Cloudfront Logging Bucket';
+
+new CloudFrontToMediaStore(stack, 'cloudfront-mediastore', {
+ cloudFrontLoggingBucketProps: {
+ removalPolicy: RemovalPolicy.DESTROY,
+ encryption: BucketEncryption.S3_MANAGED,
+ versioned: true
+ }
+});
+
+// Synth
+app.synth();
diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/README.md b/source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/README.md
index 99ab695b4..b33cb1dc3 100644
--- a/source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/README.md
+++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/README.md
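Review bot: The logging bucket is given `removalPolicy: RemovalPolicy.DESTROY` without `autoDeleteObjects: true`, unlike the unit test for the same pattern, so if the integ harness tears the stack down after the distribution has delivered any access logs, CloudFormation will refuse to delete the non-empty bucket and the teardown will fail. Adding `autoDeleteObjects: true,` under `cloudFrontLoggingBucketProps` keeps the integ stack disposable; the same applies to integ.customCloudFrontLoggingBucket.ts for aws-cloudfront-s3 further down this diff. Minor: the import block mixes double and single quotes on consecutive lines.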
@@ -5,10 +5,6 @@ ![Stability: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge) -> All classes are under active development and subject to non-backward compatible changes or removal in any -> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. -> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package. - --- @@ -54,6 +50,7 @@ _Parameters_ |cloudFrontDistributionProps?|[`cloudfront.DistributionProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.DistributionProps.html)|Optional user provided props to override the default props for CloudFront Distribution| |insertHttpSecurityHeaders?|`boolean`|Optional user provided props to turn on/off the automatic injection of best practice HTTP security headers in all responses from CloudFront| |loggingBucketProps?|[`s3.BucketProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.BucketProps.html)|Optional user provided props to override the default props for the S3 Logging Bucket.| +|cloudFrontLoggingBucketProps?|[`s3.BucketProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.BucketProps.html)|Optional user provided props to override the default props for the CloudFront Logging Bucket.| ## Pattern Properties diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/lib/index.ts index 79b10d11a..644bfb01f 100644 --- a/source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/lib/index.ts +++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/lib/index.ts 
@@ -52,6 +52,12 @@ export interface CloudFrontToS3Props { * @default - Default props are used */ readonly loggingBucketProps?: s3.BucketProps + /** + * Optional user provided props to override the default props for the CloudFront Logging Bucket. + * + * @default - Default props are used + */ + readonly cloudFrontLoggingBucketProps?: s3.BucketProps } export class CloudFrontToS3 extends Construct { @@ -86,6 +92,6 @@ export class CloudFrontToS3 extends Construct { [this.cloudFrontWebDistribution, this.cloudFrontFunction, this.cloudFrontLoggingBucket] = defaults.CloudFrontDistributionForS3(this, this.s3BucketInterface, - props.cloudFrontDistributionProps, props.insertHttpSecurityHeaders); + props.cloudFrontDistributionProps, props.insertHttpSecurityHeaders, props.cloudFrontLoggingBucketProps); } } diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/test/integ.customCloudFrontLoggingBucket.expected.json b/source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/test/integ.customCloudFrontLoggingBucket.expected.json new file mode 100644 index 000000000..adf440209 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/test/integ.customCloudFrontLoggingBucket.expected.json 
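Review bot: The TSDoc added for `cloudFrontLoggingBucketProps` does not say that it must not be combined with `cloudFrontDistributionProps.logBucket` (the new unit test for this pattern expects that combination to throw), nor how it differs from the neighbouring `loggingBucketProps`, which per the README configures the access-log bucket of the content bucket. Suggested additions after the first sentence: ` * Must not be combined with cloudFrontDistributionProps.logBucket; supplying both throws.` and ` * Not to be confused with loggingBucketProps, which configures the S3 access-log bucket for the content bucket.` The check itself is in neither hunk — the constructor in the second hunk only forwards the value to `defaults.CloudFrontDistributionForS3` — so it presumably lives in core; confirm it covers this pattern rather than relying on the test alone. The constructor body continues outside the hunk.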
@@ -0,0 +1,424 @@ +{ + "Description": "Integration Test for aws-cloudfront-s3 custom CloudFront Logging Bubkcet", + "Resources": { + "testcloudfronts3S3LoggingBucket90D239DD": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "LogDeliveryWrite", + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, + "VersioningConfiguration": { + "Status": "Enabled" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete", + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W35", + "reason": "This S3 bucket is used as the access logging bucket for another bucket" + } + ] + } + } + }, + "testcloudfronts3S3LoggingBucketPolicy529D4CFF": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "testcloudfronts3S3LoggingBucket90D239DD" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "testcloudfronts3S3LoggingBucket90D239DD", + "Arn" + ] + }, + "/*" + ] + ] + }, + { + "Fn::GetAtt": [ + "testcloudfronts3S3LoggingBucket90D239DD", + "Arn" + ] + } + ], + "Sid": "HttpsOnly" + } + ], + "Version": "2012-10-17" + } + } + }, + "testcloudfronts3S3BucketE0C5F76E": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "LifecycleConfiguration": { + "Rules": [ + { + "NoncurrentVersionTransitions": [ + { + "StorageClass": "GLACIER", + "TransitionInDays": 90 + } + ], + "Status": "Enabled" + } + ] + }, + "LoggingConfiguration": { 
+ "DestinationBucketName": { + "Ref": "testcloudfronts3S3LoggingBucket90D239DD" + } + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, + "VersioningConfiguration": { + "Status": "Enabled" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "testcloudfronts3S3BucketPolicy250F1F61": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "testcloudfronts3S3BucketE0C5F76E" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "testcloudfronts3S3BucketE0C5F76E", + "Arn" + ] + }, + "/*" + ] + ] + }, + { + "Fn::GetAtt": [ + "testcloudfronts3S3BucketE0C5F76E", + "Arn" + ] + } + ], + "Sid": "HttpsOnly" + }, + { + "Action": "s3:GetObject", + "Effect": "Allow", + "Principal": { + "CanonicalUser": { + "Fn::GetAtt": [ + "testcloudfronts3CloudFrontDistributionOrigin1S3Origin4695F058", + "S3CanonicalUserId" + ] + } + }, + "Resource": { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "testcloudfronts3S3BucketE0C5F76E", + "Arn" + ] + }, + "/*" + ] + ] + } + } + ], + "Version": "2012-10-17" + } + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "F16", + "reason": "Public website bucket policy requires a wildcard principal" + } + ] + } + } + }, + "testcloudfronts3SetHttpSecurityHeaders6C5A1E69": { + "Type": "AWS::CloudFront::Function", + "Properties": { + "Name": "SetHttpSecurityHeadersc88d4d30b2e66a3bd009aa7f11e35596ee70824ece", + "AutoPublish": true, + "FunctionCode": "function handler(event) { var response = event.response; var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { 
value: \"default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; return response; }", + "FunctionConfig": { + "Comment": "SetHttpSecurityHeadersc88d4d30b2e66a3bd009aa7f11e35596ee70824ece", + "Runtime": "cloudfront-js-1.0" + } + } + }, + "testcloudfronts3CloudfrontLoggingBucket985C0FE8": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "LogDeliveryWrite", + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, + "VersioningConfiguration": { + "Status": "Enabled" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete", + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W35", + "reason": "This S3 bucket is used as the access logging bucket for CloudFront Distribution" + } + ] + } + } + }, + "testcloudfronts3CloudfrontLoggingBucketPolicyDF55851B": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "testcloudfronts3CloudfrontLoggingBucket985C0FE8" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "testcloudfronts3CloudfrontLoggingBucket985C0FE8", + "Arn" + ] + }, + "/*" + ] + ] + }, + { + "Fn::GetAtt": [ + "testcloudfronts3CloudfrontLoggingBucket985C0FE8", + "Arn" + ] + } + ], + "Sid": "HttpsOnly" + } + ], + "Version": "2012-10-17" + } + } + }, + "testcloudfronts3CloudFrontDistributionOrigin1S3Origin4695F058": { + "Type": 
"AWS::CloudFront::CloudFrontOriginAccessIdentity", + "Properties": { + "CloudFrontOriginAccessIdentityConfig": { + "Comment": "Identity for customCloudFrontLoggingBuckettestcloudfronts3CloudFrontDistributionOrigin115B4D0FD" + } + } + }, + "testcloudfronts3CloudFrontDistribution0565DEE8": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "DefaultCacheBehavior": { + "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6", + "Compress": true, + "FunctionAssociations": [ + { + "EventType": "viewer-response", + "FunctionARN": { + "Fn::GetAtt": [ + "testcloudfronts3SetHttpSecurityHeaders6C5A1E69", + "FunctionARN" + ] + } + } + ], + "TargetOriginId": "customCloudFrontLoggingBuckettestcloudfronts3CloudFrontDistributionOrigin115B4D0FD", + "ViewerProtocolPolicy": "redirect-to-https" + }, + "DefaultRootObject": "index.html", + "Enabled": true, + "HttpVersion": "http2", + "IPV6Enabled": true, + "Logging": { + "Bucket": { + "Fn::GetAtt": [ + "testcloudfronts3CloudfrontLoggingBucket985C0FE8", + "RegionalDomainName" + ] + } + }, + "Origins": [ + { + "DomainName": { + "Fn::GetAtt": [ + "testcloudfronts3S3BucketE0C5F76E", + "RegionalDomainName" + ] + }, + "Id": "customCloudFrontLoggingBuckettestcloudfronts3CloudFrontDistributionOrigin115B4D0FD", + "S3OriginConfig": { + "OriginAccessIdentity": { + "Fn::Join": [ + "", + [ + "origin-access-identity/cloudfront/", + { + "Ref": "testcloudfronts3CloudFrontDistributionOrigin1S3Origin4695F058" + } + ] + ] + } + } + } + ] + } + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W70", + "reason": "Since the distribution uses the CloudFront domain name, CloudFront automatically sets the security policy to TLSv1 regardless of the value of MinimumProtocolVersion" + } + ] + } + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this 
environment, automatically retrieved from SSM Parameter Store." + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/test/integ.customCloudFrontLoggingBucket.ts b/source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/test/integ.customCloudFrontLoggingBucket.ts new file mode 100644 index 000000000..ef5bc7996 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/test/integ.customCloudFrontLoggingBucket.ts 
@@ -0,0 +1,37 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+
+// Imports
+import { App, Stack, RemovalPolicy } from "@aws-cdk/core";
+import { BucketEncryption } from "@aws-cdk/aws-s3";
+import { CloudFrontToS3 } from "../lib";
+import { generateIntegStackName } from '@aws-solutions-constructs/core';
+
+// Setup
+const app = new App();
+const stack = new Stack(app, generateIntegStackName(__filename));
+stack.templateOptions.description = 'Integration Test for aws-cloudfront-s3 custom CloudFront Logging Bubkcet';
+
+new CloudFrontToS3(stack, 'test-cloudfront-s3', {
+ bucketProps: {
+ removalPolicy: RemovalPolicy.DESTROY,
+ },
+ cloudFrontLoggingBucketProps: {
+ removalPolicy: RemovalPolicy.DESTROY,
+ encryption: BucketEncryption.S3_MANAGED,
+ versioned: true
+ }
+});
+
+// Synth
+app.synth();
diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/test/test.cloudfront-s3.test.ts b/source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/test/test.cloudfront-s3.test.ts
index 22014ce7b..3eee31add 100644
--- a/source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/test/test.cloudfront-s3.test.ts
+++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-s3/test/test.cloudfront-s3.test.ts
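Review bot: The `stack.templateOptions.description` line misspells "Bucket" as "Bubkcet", and the same string is baked into the generated integ.customCloudFrontLoggingBucket.expected.json for this pattern, so the two have to be corrected together (fix the source, then regenerate the snapshot). Suggested line: `stack.templateOptions.description = 'Integration Test for aws-cloudfront-s3 custom CloudFront Logging Bucket';`.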
@@ -262,4 +262,55 @@ test('s3 bucket with bucket, loggingBucket, and auto delete objects', () => {
 Ref: "cloudfronts3S3LoggingBucket52EEB708"
 }
 });
+});
+
+// --------------------------------------------------------------
+// Cloudfront logging bucket with destroy removal policy and auto delete objects
+// --------------------------------------------------------------
+test('Cloudfront logging bucket with destroy removal policy and auto delete objects', () => {
+ const stack = new cdk.Stack();
+
+ new CloudFrontToS3(stack, 'cloudfront-s3', {
+ cloudFrontLoggingBucketProps: {
+ removalPolicy: cdk.RemovalPolicy.DESTROY,
+ autoDeleteObjects: true
+ }
+ });
+
+ expect(stack).toHaveResource("AWS::S3::Bucket", {
+ AccessControl: "LogDeliveryWrite"
+ });
+
+ expect(stack).toHaveResource("Custom::S3AutoDeleteObjects", {
+ ServiceToken: {
+ "Fn::GetAtt": [
+ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F",
+ "Arn"
+ ]
+ },
+ BucketName: {
+ Ref: "cloudfronts3CloudfrontLoggingBucket5B845143"
+ }
+ });
+});
+
+// --------------------------------------------------------------
+// Cloudfront logging bucket error providing existing log bucket and logBucketProps
+// --------------------------------------------------------------
+test('Cloudfront logging bucket error when providing existing log bucket and logBucketProps', () => {
+ const stack = new cdk.Stack();
+ const logBucket = new s3.Bucket(stack, 'cloudfront-log-bucket', {});
+
+ const app = () => { new CloudFrontToS3(stack, 'cloudfront-s3', {
+ cloudFrontDistributionProps: {
+ logBucket
+ },
+ cloudFrontLoggingBucketProps: {
+ removalPolicy: cdk.RemovalPolicy.DESTROY,
+ autoDeleteObjects: true
+ }
+ });
+ };
+
+ expect(app).toThrowError();
 });
\ No newline at end of file
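Review bot: The first new test is named for the destroy removal policy but never asserts it: `toHaveResource("AWS::S3::Bucket", { AccessControl: "LogDeliveryWrite" })` matches any log-delivery bucket, and this pattern synthesizes two of them (the S3 access-log bucket and the CloudFront log bucket, as the new expected.json for this pattern shows), so the test would still pass if `removalPolicy` were silently dropped before reaching the bucket. Assert the policy on the resource definition, e.g. `expect(stack).toHaveResource("AWS::S3::Bucket", { DeletionPolicy: "Delete" }, ResourcePart.CompleteDefinition);` if `ResourcePart` from `@aws-cdk/assert` is in scope in this file, or read the `cloudfronts3CloudfrontLoggingBucket5B845143` resource out of the synthesized template and check its `DeletionPolicy` directly. The mediastore unit test earlier in this diff has the same gap.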
--- a/source/patterns/@aws-solutions-constructs/aws-cognito-apigateway-lambda/README.md
+++ b/source/patterns/@aws-solutions-constructs/aws-cognito-apigateway-lambda/README.md
@@ -91,7 +91,7 @@ _Parameters_
 |userPool|[`cognito.UserPool`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cognito.UserPool.html)|Returns an instance of cognito.UserPool created by the construct|
 |userPoolClient|[`cognito.UserPoolClient`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cognito.UserPoolClient.html)|Returns an instance of cognito.UserPoolClient created by the construct|
 |apiGateway|[`api.RestApi`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.RestApi.html)|Returns an instance of api.RestApi created by the construct|
-|apiGatewayCloudWatchRole|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.|
+|apiGatewayCloudWatchRole?|[`iam.Role`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.Role.html)|Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.|
 |apiGatewayLogGroup|[`logs.LogGroup`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-logs.LogGroup.html)|Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.|
 |apiGatewayAuthorizer|[`api.CfnAuthorizer`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.CfnAuthorizer.html)|Returns an instance of the api.CfnAuthorizer created by the construct for API Gateway methods authorization.|
 |lambdaFunction|[`lambda.Function`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-lambda.Function.html)|Returns an instance of lambda.Function created by the construct|
diff --git a/source/patterns/@aws-solutions-constructs/aws-cognito-apigateway-lambda/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-cognito-apigateway-lambda/lib/index.ts
index 872a57e28..d4f2d0fb2 100644
--- a/source/patterns/@aws-solutions-constructs/aws-cognito-apigateway-lambda/lib/index.ts
+++ b/source/patterns/@aws-solutions-constructs/aws-cognito-apigateway-lambda/lib/index.ts
@@ -66,7 +66,7 @@ export class CognitoToApiGatewayToLambda extends Construct {
 public readonly userPool: cognito.UserPool;
 public readonly userPoolClient: cognito.UserPoolClient;
 public readonly apiGateway: api.RestApi;
- public readonly apiGatewayCloudWatchRole: iam.Role;
+ public readonly apiGatewayCloudWatchRole?: iam.Role;
 public readonly apiGatewayLogGroup: logs.LogGroup;
 public readonly apiGatewayAuthorizer: api.CfnAuthorizer;
 public readonly lambdaFunction: lambda.Function;
diff --git a/source/patterns/@aws-solutions-constructs/aws-dynamodb-stream-lambda-elasticsearch-kibana/README.md b/source/patterns/@aws-solutions-constructs/aws-dynamodb-stream-lambda-elasticsearch-kibana/README.md
index 1292575aa..2b71dbacf 100644
--- a/source/patterns/@aws-solutions-constructs/aws-dynamodb-stream-lambda-elasticsearch-kibana/README.md
+++ b/source/patterns/@aws-solutions-constructs/aws-dynamodb-stream-lambda-elasticsearch-kibana/README.md
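Review bot: `apiGatewayCloudWatchRole` becomes optional with no TSDoc saying when it is `undefined`, and the README row in the previous file only gains a `?`, so consumers compiling with `strictNullChecks` now get an error on every access with nothing telling them which configuration leaves the role unset. Add a comment above the property along the lines of `/** IAM role created for API Gateway CloudWatch logging; undefined when the construct does not create one. */` — the exact condition is not visible in this hunk, so confirm it against the constructor before wording it. Narrowing a public field to optional is a breaking type change and is worth a line in the changelog. The class body continues outside the hunk.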
@@ -7,10 +7,6 @@ > Some of our early constructs don’t meet the naming standards that evolved for the library. We are releasing completely feature compatible versions with corrected names. The underlying implementation code is the same regardless of whether you deploy the construct using the old or new name. We will support both names for all 1.x releases, but in 2.x we will only publish the correctly named constructs. This construct is being replaced by the functionally identical aws-dynamodbstreams-lambda-elasticsearch-kibana. -> All classes are under active development and subject to non-backward compatible changes or removal in any -> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. -> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package. - --- diff --git a/source/patterns/@aws-solutions-constructs/aws-dynamodb-stream-lambda/README.md b/source/patterns/@aws-solutions-constructs/aws-dynamodb-stream-lambda/README.md index 976af49c0..af4f0f2a0 100644 --- a/source/patterns/@aws-solutions-constructs/aws-dynamodb-stream-lambda/README.md +++ b/source/patterns/@aws-solutions-constructs/aws-dynamodb-stream-lambda/README.md 
@@ -6,10 +6,6 @@
 > Some of our early constructs don’t meet the naming standards that evolved for the library. We are releasing completely feature compatible versions with corrected names. The underlying implementation code is the same regardless of whether you deploy the construct using the old or new name. We will support both names for all 1.x releases, but in 2.x we will only publish the correctly named constructs. This construct is being replaced by the functionally identical aws-dynamodbstreams-lambda.
-> All classes are under active development and subject to non-backward compatible changes or removal in any
-> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model.
-> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
-
 ---
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-kinesisfirehose-s3/README.md b/source/patterns/@aws-solutions-constructs/aws-eventbridge-kinesisfirehose-s3/README.md
index 853661648..9fd066a9d 100644
--- a/source/patterns/@aws-solutions-constructs/aws-eventbridge-kinesisfirehose-s3/README.md
+++ b/source/patterns/@aws-solutions-constructs/aws-eventbridge-kinesisfirehose-s3/README.md
@@ -5,10 +5,6 @@
 ![Stability: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)
-> All classes are under active development and subject to non-backward compatible changes or removal in any
-> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model.
-> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
-
 ---
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-lambda/README.md b/source/patterns/@aws-solutions-constructs/aws-eventbridge-lambda/README.md
index b1c59551d..d3178f267 100644
--- a/source/patterns/@aws-solutions-constructs/aws-eventbridge-lambda/README.md
+++ b/source/patterns/@aws-solutions-constructs/aws-eventbridge-lambda/README.md
@@ -5,10 +5,6 @@
 ![Stability: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)
-> All classes are under active development and subject to non-backward compatible changes or removal in any
-> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model.
-> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
-
 ---
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/README.md b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/README.md
index 7c0fd6687..4c7f72cb7 100644
--- a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/README.md
+++ b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/README.md
@@ -5,10 +5,6 @@
 ![Stability: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)
-> All classes are under active development and subject to non-backward compatible changes or removal in any
-> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model.
-> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
-
 ---
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.eb-existing-bus.expected.json b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.exist-bus.expected.json
similarity index 99%
rename from source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.eb-existing-bus.expected.json
rename to source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.exist-bus.expected.json
index 9efdd95bf..dd2d0fa67 100644
--- a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.eb-existing-bus.expected.json
+++ b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.exist-bus.expected.json
@@ -3,7 +3,7 @@
 "existingeventbusA5B80487": {
 "Type": "AWS::Events::EventBus",
 "Properties": {
- "Name": "ebexistingbusexistingeventbusFB0366AD"
+ "Name": "existbusexistingeventbus2F3AAC82"
 }
 },
 "testconstructEncryptionKey6153B053": {
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.eb-existing-bus.ts b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.exist-bus.ts
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.eb-existing-bus.ts
rename to source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.exist-bus.ts
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.eb-new-bus.expected.json b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.new-bus.expected.json
similarity index 98%
rename from source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.eb-new-bus.expected.json
rename to source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.new-bus.expected.json
index e89375af4..2e03a11c5 100644
--- a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.eb-new-bus.expected.json
+++ b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.new-bus.expected.json
@@ -158,7 +158,7 @@
 "testconstructCustomEventBusFBDE2130": {
 "Type": "AWS::Events::EventBus",
 "Properties": {
- "Name": "ebnewbustestconstructCustomEventBusEF296666"
+ "Name": "newbustestconstructCustomEventBus62B63ED1"
 }
 },
 "testconstructEventsRule145DBA20": {
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.eb-new-bus.ts b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.new-bus.ts
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.eb-new-bus.ts
rename to source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.new-bus.ts
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.eventbridge-no-arg.expected.json b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.no-arg.expected.json
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.eventbridge-no-arg.expected.json
rename to source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.no-arg.expected.json
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.eventbridge-no-arg.ts b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.no-arg.ts
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.eventbridge-no-arg.ts
rename to source/patterns/@aws-solutions-constructs/aws-eventbridge-sns/test/integ.no-arg.ts
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/README.md b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/README.md
index c5388913f..9d4fa70fb 100644
--- a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/README.md
+++ b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/README.md
@@ -5,10 +5,6 @@
 ![Stability: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)
-> All classes are under active development and subject to non-backward compatible changes or removal in any
-> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model.
-> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
-
 ---
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.eventbridge-existing-eventbus.expected.json b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.exist-bus.expected.json
similarity index 98%
rename from source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.eventbridge-existing-eventbus.expected.json
rename to source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.exist-bus.expected.json
index 3843613d4..bebc8e2a5 100644
--- a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.eventbridge-existing-eventbus.expected.json
+++ b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.exist-bus.expected.json
@@ -97,7 +97,7 @@
 "existingeventbusA5B80487": {
 "Type": "AWS::Events::EventBus",
 "Properties": {
- "Name": "eventbridgeexistingeventbusexistingeventbus41AE8F43"
+ "Name": "existbusexistingeventbus2F3AAC82"
 }
 },
 "constructEventsRule43880ADB": {
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.eventbridge-existing-eventbus.ts b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.exist-bus.ts
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.eventbridge-existing-eventbus.ts
rename to source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.exist-bus.ts
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.eventbridge-existing-queue.expected.json b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.exist-queue.expected.json
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.eventbridge-existing-queue.expected.json
rename to source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.exist-queue.expected.json
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.eventbridge-existing-queue.ts b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.exist-queue.ts
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.eventbridge-existing-queue.ts
rename to source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.exist-queue.ts
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.eventbridge-new-eventbus.expected.json b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.new-bus.expected.json
similarity index 99%
rename from source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.eventbridge-new-eventbus.expected.json
rename to source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.new-bus.expected.json
index da6b38cb9..b32e17be7 100644
--- a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.eventbridge-new-eventbus.expected.json
+++ b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.new-bus.expected.json
@@ -241,7 +241,7 @@
 "constructCustomEventBusA674C94A": {
 "Type": "AWS::Events::EventBus",
 "Properties": {
- "Name": "eventbridgeneweventbusconstructCustomEventBusB03DAAB5"
+ "Name": "newbusconstructCustomEventBus7B12A72E"
 }
 },
 "constructEventsRule43880ADB": {
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.eventbridge-new-eventbus.ts b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.new-bus.ts
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.eventbridge-new-eventbus.ts
rename to source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.new-bus.ts
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.eventbridge-no-arguments.expected.json b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.no-arg.expected.json
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.eventbridge-no-arguments.expected.json
rename to source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.no-arg.expected.json
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.eventbridge-no-arguments.ts b/source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.no-arg.ts
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.eventbridge-no-arguments.ts
rename to source/patterns/@aws-solutions-constructs/aws-eventbridge-sqs/test/integ.no-arg.ts
diff --git a/source/patterns/@aws-solutions-constructs/aws-eventbridge-stepfunctions/README.md b/source/patterns/@aws-solutions-constructs/aws-eventbridge-stepfunctions/README.md
index 2302ed33a..cac4b2368 100644
--- a/source/patterns/@aws-solutions-constructs/aws-eventbridge-stepfunctions/README.md
+++ b/source/patterns/@aws-solutions-constructs/aws-eventbridge-stepfunctions/README.md
@@ -5,10 +5,6 @@
 ![Stability: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)
-> All classes are under active development and subject to non-backward compatible changes or removal in any
-> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model.
-> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
-
 ---
diff --git a/source/patterns/@aws-solutions-constructs/aws-events-rule-kinesisfirehose-s3/README.md b/source/patterns/@aws-solutions-constructs/aws-events-rule-kinesisfirehose-s3/README.md
index 0f2a2c1c4..600f65ea6 100644
--- a/source/patterns/@aws-solutions-constructs/aws-events-rule-kinesisfirehose-s3/README.md
+++ b/source/patterns/@aws-solutions-constructs/aws-events-rule-kinesisfirehose-s3/README.md
@@ -7,10 +7,6 @@
 > Some of our early constructs don’t meet the naming standards that evolved for the library. We are releasing completely feature compatible versions with corrected names. The underlying implementation code is the same regardless of whether you deploy the construct using the old or new name. We will support both names for all 1.x releases, but in 2.x we will only publish the correctly named constructs. This construct is being replaced by the functionally identical aws-eventbridge-kinesisfirehose-s3.
-> All classes are under active development and subject to non-backward compatible changes or removal in any
-> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model.
-> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
-
 ---
diff --git a/source/patterns/@aws-solutions-constructs/aws-events-rule-kinesisstreams/README.md b/source/patterns/@aws-solutions-constructs/aws-events-rule-kinesisstreams/README.md
index ef0747998..3d771ed94 100644
--- a/source/patterns/@aws-solutions-constructs/aws-events-rule-kinesisstreams/README.md
+++ b/source/patterns/@aws-solutions-constructs/aws-events-rule-kinesisstreams/README.md
@@ -7,10 +7,6 @@
 > Some of our early constructs don’t meet the naming standards that evolved for the library. We are releasing completely feature compatible versions with corrected names. The underlying implementation code is the same regardless of whether you deploy the construct using the old or new name. We will support both names for all 1.x releases, but in 2.x we will only publish the correctly named constructs. This construct is being replaced by the functionally identical aws-eventbridge-kinesisstreams.
-> All classes are under active development and subject to non-backward compatible changes or removal in any
-> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model.
-> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
-
 ---
diff --git a/source/patterns/@aws-solutions-constructs/aws-events-rule-lambda/README.md b/source/patterns/@aws-solutions-constructs/aws-events-rule-lambda/README.md
index 00f9e3618..5cd8b6a26 100644
--- a/source/patterns/@aws-solutions-constructs/aws-events-rule-lambda/README.md
+++ b/source/patterns/@aws-solutions-constructs/aws-events-rule-lambda/README.md
@@ -7,10 +7,6 @@
 > Some of our early constructs don’t meet the naming standards that evolved for the library. We are releasing completely feature compatible versions with corrected names. The underlying implementation code is the same regardless of whether you deploy the construct using the old or new name. We will support both names for all 1.x releases, but in 2.x we will only publish the correctly named constructs. This construct is being replaced by the functionally identical aws-eventbridge-lambda.
-> All classes are under active development and subject to non-backward compatible changes or removal in any
-> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model.
-> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
-
 ---
diff --git a/source/patterns/@aws-solutions-constructs/aws-events-rule-sns/README.md b/source/patterns/@aws-solutions-constructs/aws-events-rule-sns/README.md
index 7d4b3836d..c45bf8914 100644
--- a/source/patterns/@aws-solutions-constructs/aws-events-rule-sns/README.md
+++ b/source/patterns/@aws-solutions-constructs/aws-events-rule-sns/README.md
@@ -6,10 +6,6 @@
 > Some of our early constructs don’t meet the naming standards that evolved for the library. We are releasing completely feature compatible versions with corrected names. The underlying implementation code is the same regardless of whether you deploy the construct using the old or new name. We will support both names for all 1.x releases, but in 2.x we will only publish the correctly named constructs. This construct is being replaced by the functionally identical aws-eventbridge-sns.
-> All classes are under active development and subject to non-backward compatible changes or removal in any
-> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model.
-> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
-
 ---
diff --git a/source/patterns/@aws-solutions-constructs/aws-events-rule-sns/test/integ.existing-bus.expected.json b/source/patterns/@aws-solutions-constructs/aws-events-rule-sns/test/integ.exist-bus.expected.json
similarity index 99%
rename from source/patterns/@aws-solutions-constructs/aws-events-rule-sns/test/integ.existing-bus.expected.json
rename to source/patterns/@aws-solutions-constructs/aws-events-rule-sns/test/integ.exist-bus.expected.json
index 392c61106..288a2e913 100644
--- a/source/patterns/@aws-solutions-constructs/aws-events-rule-sns/test/integ.existing-bus.expected.json
+++ b/source/patterns/@aws-solutions-constructs/aws-events-rule-sns/test/integ.exist-bus.expected.json
@@ -3,7 +3,7 @@
 "eventbus7CF8FDD5": {
 "Type": "AWS::Events::EventBus",
 "Properties": {
- "Name": "existingbuseventbus9E470DE7"
+ "Name": "existbuseventbus683F9152"
 }
 },
 "testtestWEncryptionKeyC6B126B6": {
diff --git a/source/patterns/@aws-solutions-constructs/aws-events-rule-sns/test/integ.existing-bus.ts b/source/patterns/@aws-solutions-constructs/aws-events-rule-sns/test/integ.exist-bus.ts
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-events-rule-sns/test/integ.existing-bus.ts
rename to source/patterns/@aws-solutions-constructs/aws-events-rule-sns/test/integ.exist-bus.ts
diff --git a/source/patterns/@aws-solutions-constructs/aws-events-rule-sns/test/integ.events-rule-no-arg.expected.json b/source/patterns/@aws-solutions-constructs/aws-events-rule-sns/test/integ.no-arg.expected.json
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-events-rule-sns/test/integ.events-rule-no-arg.expected.json
rename to source/patterns/@aws-solutions-constructs/aws-events-rule-sns/test/integ.no-arg.expected.json
diff --git a/source/patterns/@aws-solutions-constructs/aws-events-rule-sns/test/integ.events-rule-no-arg.ts b/source/patterns/@aws-solutions-constructs/aws-events-rule-sns/test/integ.no-arg.ts
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-events-rule-sns/test/integ.events-rule-no-arg.ts
rename to source/patterns/@aws-solutions-constructs/aws-events-rule-sns/test/integ.no-arg.ts
diff --git a/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/README.md b/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/README.md
index 17b49af5b..1f14a5332 100644
--- a/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/README.md
+++ b/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/README.md
@@ -7,10 +7,6 @@
 > Some of our early constructs don’t meet the naming standards that evolved for the library. We are releasing completely feature compatible versions with corrected names. The underlying implementation code is the same regardless of whether you deploy the construct using the old or new name. We will support both names for all 1.x releases, but in 2.x we will only publish the correctly named constructs. This construct is being replaced by the functionally identical aws-eventbridge-sqs.
-> All classes are under active development and subject to non-backward compatible changes or removal in any
-> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model.
-> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
-
 ---
diff --git a/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.events-rule-existing-bus.expected.json b/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.exist-bus.expected.json
similarity index 98%
rename from source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.events-rule-existing-bus.expected.json
rename to source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.exist-bus.expected.json
index 68273ed4a..87e6d5923 100644
--- a/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.events-rule-existing-bus.expected.json
+++ b/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.exist-bus.expected.json
@@ -97,7 +97,7 @@
 "existingeventbusA5B80487": {
 "Type": "AWS::Events::EventBus",
 "Properties": {
- "Name": "eventsruleexistingbusexistingeventbusE1A2652B"
+ "Name": "existbusexistingeventbus2F3AAC82"
 }
 },
 "constructconstructWEventsRule8EB974AE": {
diff --git a/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.events-rule-existing-bus.ts b/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.exist-bus.ts
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.events-rule-existing-bus.ts
rename to source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.exist-bus.ts
diff --git a/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.events-rule-existing-queue.expected.json b/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.exist-queue.expected.json
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.events-rule-existing-queue.expected.json
rename to source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.exist-queue.expected.json
diff --git a/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.events-rule-existing-queue.ts b/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.exist-queue.ts
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.events-rule-existing-queue.ts
rename to source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.exist-queue.ts
diff --git a/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.events-rule-new-bus.expected.json b/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.new-bus.expected.json
similarity index 99%
rename from source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.events-rule-new-bus.expected.json
rename to source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.new-bus.expected.json
index f4bd531e1..3284fc7ad 100644
--- a/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.events-rule-new-bus.expected.json
+++ b/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.new-bus.expected.json
@@ -241,7 +241,7 @@
 "ersqsersqsWCustomEventBus3249194C": {
 "Type": "AWS::Events::EventBus",
 "Properties": {
- "Name": "eventsrulenewbusersqsersqsWCustomEventBusA92E8C83"
+ "Name": "newbusersqsersqsWCustomEventBusADE03031"
 }
 },
 "ersqsersqsWEventsRule017C5D22": {
diff --git a/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.events-rule-new-bus.ts b/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.new-bus.ts
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.events-rule-new-bus.ts
rename to source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.new-bus.ts
diff --git a/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.events-rule-no-arg.expected.json b/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.no-arg.expected.json
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.events-rule-no-arg.expected.json
rename to source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.no-arg.expected.json
diff --git a/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.events-rule-no-arg.ts b/source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.no-arg.ts
similarity index 100%
rename from source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.events-rule-no-arg.ts
rename to source/patterns/@aws-solutions-constructs/aws-events-rule-sqs/test/integ.no-arg.ts
diff --git a/source/patterns/@aws-solutions-constructs/aws-events-rule-step-function/README.md b/source/patterns/@aws-solutions-constructs/aws-events-rule-step-function/README.md
index 4e39286d1..c4122fef9 100644
--- a/source/patterns/@aws-solutions-constructs/aws-events-rule-step-function/README.md
+++ b/source/patterns/@aws-solutions-constructs/aws-events-rule-step-function/README.md
@@ -7,10 +7,6 @@
 > Some of our early constructs don’t meet the naming standards that evolved for the library. We are releasing completely feature compatible versions with corrected names. The underlying implementation code is the same regardless of whether you deploy the construct using the old or new name. We will support both names for all 1.x releases, but in 2.x we will only publish the correctly named constructs. This construct is being replaced by the functionally identical aws-eventbridge-stepfunctions.
-> All classes are under active development and subject to non-backward compatible changes or removal in any
-> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model.
-> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
-
 ---
diff --git a/source/patterns/@aws-solutions-constructs/aws-kinesisstreams-gluejob/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-kinesisstreams-gluejob/lib/index.ts
index 26cf22f7a..218e1b4ce 100644
--- a/source/patterns/@aws-solutions-constructs/aws-kinesisstreams-gluejob/lib/index.ts
+++ b/source/patterns/@aws-solutions-constructs/aws-kinesisstreams-gluejob/lib/index.ts
@@ -126,6 +126,11 @@ export class KinesisstreamsToGluejob extends Construct {
 public readonly glueJobRole: IRole;
 public readonly database: glue.CfnDatabase;
 public readonly table: glue.CfnTable;
+ /**
+ * This property is only set if the Glue Job is created by the construct. If an exisiting Glue Job
+ * configuraton is supplied, the construct does not create an S3 bucket and hence the @outputBucket
+ * property is undefined
+ */
 public readonly outputBucket?: [Bucket, (Bucket | undefined)?];
 public readonly cloudwatchAlarms?: cloudwatch.Alarm[];
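Review bot: The JSDoc added above `outputBucket` contains two typos, `exisiting` and `configuraton`, and writes the property name as `@outputBucket`, which JSDoc-aware tooling will read as an unknown tag rather than a reference; use plain `outputBucket` (or `{@link outputBucket}`). Suggested wording: `This property is only set if the Glue Job is created by the construct. If an existing Glue Job configuration is supplied, the construct does not create an S3 bucket and hence the outputBucket property is undefined.` The comment also says nothing about the tuple shape `[Bucket, (Bucket | undefined)?]`, so a sentence naming what the optional second element is would help callers; that contract lives in the build helper, which is outside this hunk, so confirm it before writing it down. The value is wired up by the destructuring assignment in the following hunk of the same file.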
@@ -159,7 +164,7 @@ export class KinesisstreamsToGluejob extends Construct {
 });
 }
- [ this.glueJob, this.glueJobRole ] = defaults.buildGlueJob(this, {
+ [ this.glueJob, this.glueJobRole, this.outputBucket ] = defaults.buildGlueJob(this, {
 existingCfnJob: props.existingGlueJob,
 glueJobProps: props.glueJobProps,
 table: this.table!,
diff --git a/source/patterns/@aws-solutions-constructs/aws-kinesisstreams-kinesisfirehose-s3/README.md b/source/patterns/@aws-solutions-constructs/aws-kinesisstreams-kinesisfirehose-s3/README.md
index d766b0710..eff9cab29 100644
--- a/source/patterns/@aws-solutions-constructs/aws-kinesisstreams-kinesisfirehose-s3/README.md
+++ b/source/patterns/@aws-solutions-constructs/aws-kinesisstreams-kinesisfirehose-s3/README.md
@@ -5,10 +5,6 @@
 ![Stability: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)
-> All classes are under active development and subject to non-backward compatible changes or removal in any
-> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model.
-> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
-
 ---
diff --git a/source/patterns/@aws-solutions-constructs/aws-kinesisstreams-lambda/README.md b/source/patterns/@aws-solutions-constructs/aws-kinesisstreams-lambda/README.md
index 87350ef62..76e2ff3e4 100644
--- a/source/patterns/@aws-solutions-constructs/aws-kinesisstreams-lambda/README.md
+++ b/source/patterns/@aws-solutions-constructs/aws-kinesisstreams-lambda/README.md
@@ -5,10 +5,6 @@
 ![Stability: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)
-> All classes are under active development and subject to non-backward compatible changes or removal in any
-> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model.
-> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
-
 ---
diff --git a/source/patterns/@aws-solutions-constructs/aws-lambda-eventbridge/README.md b/source/patterns/@aws-solutions-constructs/aws-lambda-eventbridge/README.md
index a059141bb..a628dfbeb 100755
--- a/source/patterns/@aws-solutions-constructs/aws-lambda-eventbridge/README.md
+++ b/source/patterns/@aws-solutions-constructs/aws-lambda-eventbridge/README.md
@@ -5,6 +5,10 @@
 ![Stability: Experimental](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)
+> All classes are under active development and subject to non-backward compatible changes or removal in any
+> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model.
+> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
+
 ---
@@ -85,4 +89,4 @@ Out of the box implementation of the Construct without any override will set the
 ![Architecture Diagram](architecture.png)
 ***
-© Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
\ No newline at end of file
+© Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
diff --git a/source/patterns/@aws-solutions-constructs/aws-lambda-sns/README.md b/source/patterns/@aws-solutions-constructs/aws-lambda-sns/README.md
index bd692bc9b..8c743966d 100644
--- a/source/patterns/@aws-solutions-constructs/aws-lambda-sns/README.md
+++ b/source/patterns/@aws-solutions-constructs/aws-lambda-sns/README.md
@@ -5,10 +5,6 @@ ![Stability: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge) -> All classes are under active development and subject to non-backward compatible changes or removal in any -> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. -> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package. - --- diff --git a/source/patterns/@aws-solutions-constructs/aws-lambda-step-function/README.md b/source/patterns/@aws-solutions-constructs/aws-lambda-step-function/README.md index 96e320876..bbe80da74 100644 --- a/source/patterns/@aws-solutions-constructs/aws-lambda-step-function/README.md +++ b/source/patterns/@aws-solutions-constructs/aws-lambda-step-function/README.md @@ -7,10 +7,6 @@ > Some of our early constructs don’t meet the naming standards that evolved for the library. We are releasing completely feature compatible versions with corrected names. The underlying implementation code is the same regardless of whether you deploy the construct using the old or new name. We will support both names for all 1.x releases, but in 2.x we will only publish the correctly named constructs. This construct is being replaced by the functionally identical aws-lambda-stepfunctions. -> All classes are under active development and subject to non-backward compatible changes or removal in any -> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. -> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package. - --- diff --git a/source/patterns/@aws-solutions-constructs/aws-lambda-stepfunctions/README.md b/source/patterns/@aws-solutions-constructs/aws-lambda-stepfunctions/README.md index 88d434efc..0583f3a77 100644 --- a/source/patterns/@aws-solutions-constructs/aws-lambda-stepfunctions/README.md 
+++ b/source/patterns/@aws-solutions-constructs/aws-lambda-stepfunctions/README.md @@ -5,10 +5,6 @@ ![Stability: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge) -> All classes are under active development and subject to non-backward compatible changes or removal in any -> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. -> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package. - --- diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/.eslintignore b/source/patterns/@aws-solutions-constructs/aws-route53-alb/.eslintignore new file mode 100644 index 000000000..e6f7801ea --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-route53-alb/.eslintignore @@ -0,0 +1,4 @@ +lib/*.js +test/*.js +*.d.ts +coverage diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/.gitignore b/source/patterns/@aws-solutions-constructs/aws-route53-alb/.gitignore new file mode 100644 index 000000000..6773cabd2 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-route53-alb/.gitignore @@ -0,0 +1,15 @@ +lib/*.js +test/*.js +*.js.map +*.d.ts +node_modules +*.generated.ts +dist +.jsii + +.LAST_BUILD +.nyc_output +coverage +.nycrc +.LAST_PACKAGE +*.snk \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/.npmignore b/source/patterns/@aws-solutions-constructs/aws-route53-alb/.npmignore new file mode 100644 index 000000000..f66791629 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-route53-alb/.npmignore @@ -0,0 +1,21 @@ +# Exclude typescript source and config +*.ts +tsconfig.json +coverage +.nyc_output +*.tgz +*.snk +*.tsbuildinfo + +# Include javascript files and typescript declarations +!*.js +!*.d.ts + +# Exclude jsii outdir +dist + +# Include .jsii +!.jsii + +# Include .jsii +!.jsii \ No newline at end of file 
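Review bot: The `.npmignore` hunk repeats the `# Include .jsii` / `!.jsii` pair, so the second copy at the end of the file is redundant and should be removed to keep the publish allow-list easy to audit. The `.eslintignore` and `.gitignore` hunks sharing this line raise nothing.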
diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/README.md b/source/patterns/@aws-solutions-constructs/aws-route53-alb/README.md new file mode 100644 index 000000000..607ad807d --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-route53-alb/README.md @@ -0,0 +1,95 @@ +# aws-route53-alb module + + +--- + +![Stability: Experimental](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge) + +> All classes are under active development and subject to non-backward compatible changes or removal in any +> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. +> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package. + +--- + + +| **Reference Documentation**:| https://docs.aws.amazon.com/solutions/latest/constructs/| +|:-------------|:-------------| +
+ +| **Language** | **Package** | +|:-------------|-----------------| +|![Python Logo](https://docs.aws.amazon.com/cdk/api/latest/img/python32.png) Python|`aws_solutions_constructs.aws_route53_alb`| +|![Typescript Logo](https://docs.aws.amazon.com/cdk/api/latest/img/typescript32.png) Typescript|`@aws-solutions-constructs/aws-route53-alb`| +|![Java Logo](https://docs.aws.amazon.com/cdk/api/latest/img/java32.png) Java|`software.amazon.awsconstructs.services.route53alb`| + +This AWS Solutions Construct implements an Amazon Route53 Hosted Zone routing to an Application Load Balancer + +Here is a minimal deployable pattern definition in Typescript: + +``` typescript +import { Route53ToAlb } from '@aws-solutions-constructs/aws-route53-alb'; + +new Route53ToAlb(this, 'Route53ToAlbPattern', { + privateHostedZoneProps: { + zoneName: 'www.example.com', + } + publicApi: false, +}); + +``` + +## Initializer + +``` text +new Route53ToAlb(scope: Construct, id: string, props: Route53ToAlbProps); +``` + +_Parameters_ + +* scope [`Construct`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_core.Construct.html) +* id `string` +* props [`Route53ToAlbProps`](#pattern-construct-props) + +## Pattern Construct Props + +This construct cannot create a new Public Hosted Zone, if you are creating a public API you must supply an existing Public Hosted Zone that will be reconfigured with a new Alias record. Public Hosted Zones are configured with public domain names and are not well suited to be launched and torn down dynamically, so this construct will only reconfigure existing Public Hosted Zones. + +This construct can create Private Hosted Zones. If you want a Private Hosted Zone, then you can either provide an existing Private Hosted Zone or a privateHostedZoneProps value with at least the Domain Name defined. + +| **Name** | **Type** | **Description** | +|:-------------|:----------------|-----------------| +| privateHostedZoneProps? 
| [route53.PrivateHostedZoneProps](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-route53.PrivateHostedZoneProps.html) | Optional custom properties for a new Private Hosted Zone. Cannot be specified for a public API. Cannot specify a VPC, it will use the VPC in existingVpc or the VPC created by the construct. Providing both this and existingHostedZoneInterfaceis an error. | +| existingHostedZoneInterface? | [route53.IHostedZone](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-route53.IHostedZone.html) | Existing Public or Private Hosted Zone (type must match publicApi setting). Specifying both this and privateHostedZoneProps is an error. If this is a Private Hosted Zone, the associated VPC must be provided as the existingVpc property | +| loadBalancerProps? | [elasticloadbalancingv2.ApplicationLoadBalancerProps](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-elasticloadbalancingv2.ApplicationLoadBalancerProps.html) | Optional custom properties for a new loadBalancer. Providing both this and existingLoadBalancer is an error. This cannot specify a VPC, it will use the VPC in existingVpc or the VPC created by the construct. | +| existingLoadBalancerObj? | [elasticloadbalancingv2.ApplicationLoadBalancer](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-elasticloadbalancingv2.ApplicationLoadBalancer.html) | Existing Application Load Balancer to incorporate into the construct architecture. Providing both this and loadBalancerProps is an error. The VPC containing this loadBalancer must match the VPC provided in existingVpc. | +| vpcProps? | [ec2.VpcProps](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-ec2.VpcProps.html) | Optional custom properties for a VPC the construct will create. This VPC will be used by the new ALB and any Private Hosted Zone the construct creates (that's why loadBalancerProps and privateHostedZoneProps can't include a VPC). Providing both this and existingVpc is an error. 
| +| existingVpc? | [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-ec2.IVpc.html) | An existing VPC in which to deploy the construct. Providing both this and vpcProps is an error. If the client provides an existing load balancer and/or existing Private Hosted Zone, those constructs must exist in this VPC. | +| logAccessLogs? | boolean| Whether to turn on Access Logs for the Application Load Balancer. Uses an S3 bucket with associated storage costs.Enabling Access Logging is a best practice. default - true | +| loggingBucketProps? | [s3.BucketProps](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.BucketProps.html) | Optional properties to customize the bucket used to store the ALB Access Logs. Supplying this and setting logAccessLogs to false is an error. @default - none | + +| publicApi | boolean | Whether the construct is deploying a private or public API. This has implications for the Hosted Zone, VPC and ALB. | + + +## Pattern Properties + +| **Name** | **Type** | **Description** | +|:-------------|:----------------|-----------------| +| hostedZone | [route53.IHostedZone](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-route53.IHostedZone.html) | The hosted zone used by the construct (whether created by the construct or providedb by the client) | +| vpc | [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-ec2.IVpc.html) | The VPC used by the construct (whether created by the construct or providedb by the client) | +| loadBalancer | [elasticloadbalancingv2.ApplicationLoadBalancer](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-elasticloadbalancingv2.ApplicationLoadBalancer.html) | The Load Balancer used by the construct (whether created by the construct or providedb by the client) | + +## Default settings + +Out of the box implementation of the Construct without any override will set the following defaults: + +### Amazon Route53 +* Adds an ALIAS record to the new or provided 
Hosted Zone that routes to the construct's ALB + +### Application Load Balancer +* Creates an Application Load Balancer with no Listener or target. The consruct can incorporate an existing, fully configured ALB if provided. + +## Architecture +![Architecture Diagram](architecture.png) + +*** +© Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/architecture.png b/source/patterns/@aws-solutions-constructs/aws-route53-alb/architecture.png new file mode 100644 index 000000000..0a2858f5d Binary files /dev/null and b/source/patterns/@aws-solutions-constructs/aws-route53-alb/architecture.png differ diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-route53-alb/lib/index.ts new file mode 100644 index 000000000..0f2d0ba97 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-route53-alb/lib/index.ts 
@@ -0,0 +1,175 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+
+// Imports
+import * as defaults from "@aws-solutions-constructs/core";
+import * as elb from "@aws-cdk/aws-elasticloadbalancingv2";
+import * as s3 from "@aws-cdk/aws-s3";
+import * as r53 from "@aws-cdk/aws-route53";
+import * as r53t from '@aws-cdk/aws-route53-targets';
+// Note: To ensure CDKv2 compatibility, keep the import statement for Construct separate
+import { Construct } from '@aws-cdk/core';
+import * as ec2 from '@aws-cdk/aws-ec2';
+
+export interface Route53ToAlbProps {
+ /**
+ * Custom properties for a new Private Hosted Zone. Cannot be specified for a
+ * public API. Cannot specify a VPC
+ *
+ * @default - None
+ */
+ readonly privateHostedZoneProps?: r53.PrivateHostedZoneProps | any,
+ /**
+ * Existing Public or Private Hosted Zone. If a Private Hosted Zone, must
+ * exist in the same VPC specified in existingVpc
+ *
+ * @default - None
+ */
+ readonly existingHostedZoneInterface?: r53.IHostedZone,
+ /**
+ * Custom properties for a new ALB. Providing both this and existingLoadBalancerObj
+ * is an error. These properties cannot include a VPC.
+ *
+ * @default - None
+ */
+ readonly loadBalancerProps?: elb.ApplicationLoadBalancerProps | any,
+ /**
+ * An existing Application Load Balancer. Providing both this and loadBalancerProps
+ * is an error. This ALB must exist in the same VPC specified in existingVPC
+ *
+ * @default - None
+ */
+ readonly existingLoadBalancerObj?: elb.ApplicationLoadBalancer,
+ /**
+ * Whether to turn on Access Logs for the Application Load Balancer. Uses an S3 bucket
+ * with associated storage costs. Enabling Access Logging is a best practice.
+ *
+ * @default - true
+ */
+ readonly logAccessLogs?: boolean,
+ /**
+ * Optional properties to customize the bucket used to store the ALB Access
+ * Logs. Supplying this and setting logAccessLogs to false is an error.
+ *
+ * @default - none
+ */
+ readonly loggingBucketProps?: s3.BucketProps,
+ /**
+ * Custom properties for a new VPC. Providing both this and existingVpc is
+ * an error. If an existingAlb or existing Private Hosted Zone is provided, those
+ * already exist in a VPC so this value cannot be provided.
+ *
+ * @default - None
+ */
+ readonly vpcProps?: ec2.VpcProps,
+ /**
+ * An existing VPC. Providing both this and vpcProps is an error. If an existingAlb or existing
+ * Private Hosted Zone is provided, this value must be the VPC associated with those resources.
+ *
+ * @default - None
+ */
+ readonly existingVpc?: ec2.IVpc,
+ /**
+ * Whether to create a public or private API. This value has implications
+ * for the VPC, the type of Hosted Zone and the Application Load Balancer
+ *
+ * @default - None
+ */
+ readonly publicApi: boolean
+}
+
+/**
+ * @summary Configures a Route53 Hosted Zone to route to an Application Load Balancer
+ */
+export class Route53ToAlb extends Construct {
+ public readonly hostedZone: r53.IHostedZone;
+ public readonly vpc: ec2.IVpc;
+ public readonly loadBalancer: elb.ApplicationLoadBalancer;
+
+ /**
+ * @summary Constructs a new instance of the Route53ToAlb class.
+ * @param {cdk.App} scope - represents the scope for all the resources.
+ * @param {string} id - this is a a scope-unique id.
+ * @param {Route53ToAlbProps} props - user provided props for the construct.
+ * @access public
+ */
+ constructor(scope: Construct, id: string, props: Route53ToAlbProps) {
+ super(scope, id);
+ defaults.CheckProps(props);
+
+ if ((props?.logAccessLogs === false) && (props.loggingBucketProps)) {
+ throw new Error('If logAccessLogs is false, supplying loggingBucketProps is invalid.');
+ }
+
+ if (props?.loadBalancerProps?.vpc) {
+ throw new Error('Specify any existing VPC at the construct level, not within loadBalancerProps.');
+ }
+
+ if (props.existingLoadBalancerObj && !props.existingVpc) {
+ throw new Error('An existing ALB already exists in a VPC, so that VPC must be passed to the construct in props.existingVpc');
+ }
+
+ if (props.existingHostedZoneInterface && !props.publicApi && !props.existingVpc) {
+ throw new Error('An existing Private Hosted Zone already exists in a VPC, so that VPC must be passed to the construct in props.existingVpc');
+ }
+
+ if (props.existingVpc) {
+ this.vpc = props.existingVpc;
+ } else {
+ this.vpc = defaults.buildVpc(scope, {
+ defaultVpcProps: props.publicApi ?
+ defaults.DefaultPublicPrivateVpcProps() :
+ // If this is an internal app, we're going to turn on DNS
+ // by default to allow gateway and interface service endpoints
+ defaults.overrideProps(defaults.DefaultIsolatedVpcProps(), { enableDnsHostnames: true, enableDnsSupport: true, }),
+ userVpcProps: props.vpcProps,
+ });
+ }
+
+ if (props.existingHostedZoneInterface) {
+ this.hostedZone = props.existingHostedZoneInterface;
+ } else {
+ if (props.publicApi) {
+ throw new Error('Public APIs require an existingHostedZone be passed in the Props object.');
+ } else {
+ if (!props.privateHostedZoneProps) {
+ throw new Error('Must supply privateHostedZoneProps to create a private API');
+ }
+ if (props.privateHostedZoneProps.vpc) {
+ throw new Error('All VPC specs must be provided at the Construct level in Route53ToAlbProps');
+ }
+ const manufacturedProps: r53.PrivateHostedZoneProps = defaults.overrideProps(props.privateHostedZoneProps, { vpc: this.vpc });
+ this.hostedZone = new r53.PrivateHostedZone(this, `${id}-zone`, manufacturedProps);
+ }
+ }
+
+ this.loadBalancer = defaults.ObtainAlb(
+ this,
+ id,
+ this.vpc,
+ props.publicApi,
+ props.existingLoadBalancerObj,
+ props.loadBalancerProps,
+ props.logAccessLogs,
+ props.loggingBucketProps
+ );
+
+ // Add the ALB to the HostedZone as a target
+ const hostedZoneTarget = new r53t.LoadBalancerTarget(this.loadBalancer);
+
+ new r53.ARecord(this, `${id}-alias`, {
+ target: { aliasTarget: hostedZoneTarget },
+ zone: this.hostedZone
+ });
+ }
+}
diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/package.json b/source/patterns/@aws-solutions-constructs/aws-route53-alb/package.json
new file mode 100644
index 000000000..43f2be976
--- /dev/null
+++ b/source/patterns/@aws-solutions-constructs/aws-route53-alb/package.json
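Review bot: The constructor never rejects `privateHostedZoneProps` in the cases where it is ignored: when `existingHostedZoneInterface` is set, or when `publicApi` is true together with an existing zone, the branch that reads `privateHostedZoneProps` is skipped and the value is silently dropped, although the property's JSDoc ("Cannot be specified for a public API") and the README added in this commit describe both combinations as errors. A guard beside the other checks, `if (props.privateHostedZoneProps && (props.publicApi || props.existingHostedZoneInterface)) { throw new Error('privateHostedZoneProps cannot be combined with publicApi or existingHostedZoneInterface'); }`, would make the runtime behaviour match the documentation. Whether `defaults.CheckProps` already covers the existingVpc/vpcProps and existingLoadBalancerObj/loadBalancerProps pairs that the README also calls errors is not visible here; if it does not, they need the same treatment. Separately, the constructor JSDoc types `scope` as `{cdk.App}` while the signature takes `Construct`; `@param {Construct} scope` would be accurate.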
@@ -0,0 +1,109 @@ +{ + "name": "@aws-solutions-constructs/aws-route53-alb", + "version": "0.0.0", + "description": "CDK constructs for defining an interaction between an Amazon Route53 domain and an Application Load Balancer.", + "main": "lib/index.js", + "types": "lib/index.d.ts", + "repository": { + "type": "git", + "url": "https://github.com/awslabs/aws-solutions-constructs.git", + "directory": "source/patterns/@aws-solutions-constructs/aws-route53-alb" + }, + "author": { + "name": "Amazon Web Services", + "url": "https://aws.amazon.com", + "organization": true + }, + "license": "Apache-2.0", + "scripts": { + "build": "tsc -b .", + "lint": "eslint -c ../eslintrc.yml --ext=.js,.ts . && tslint --project .", + "lint-fix": "eslint -c ../eslintrc.yml --ext=.js,.ts --fix .", + "test": "jest --coverage", + "clean": "tsc -b --clean", + "watch": "tsc -b -w", + "integ": "cdk-integ", + "integ-assert": "cdk-integ-assert", + "integ-no-clean": "cdk-integ --no-clean", + "jsii": "jsii", + "jsii-pacmak": "jsii-pacmak", + "build+lint+test": "npm run jsii && npm run lint && npm test && npm run integ-assert", + "snapshot-update": "npm run jsii && npm test -- -u && npm run integ-assert" + }, + "jsii": { + "outdir": "dist", + "targets": { + "java": { + "package": "software.amazon.awsconstructs.services.route53alb", + "maven": { + "groupId": "software.amazon.awsconstructs", + "artifactId": "route53alb" + } + }, + "dotnet": { + "namespace": "Amazon.Constructs.AWS.Route53Alb", + "packageId": "Amazon.Constructs.AWS.Route53Alb", + "signAssembly": true, + "iconUrl": "https://raw.githubusercontent.com/aws/aws-cdk/master/logo/default-256-dark.png" + }, + "python": { + "distName": "aws-solutions-constructs.aws_route53_alb", + "module": "aws_solutions_constructs.aws_route53_alb" + } + } + }, + "dependencies": { + "@aws-cdk/aws-ec2": "0.0.0", + "@aws-cdk/aws-elasticloadbalancingv2": "0.0.0", + "@aws-cdk/aws-route53": "0.0.0", + "@aws-cdk/aws-route53-targets": "0.0.0", + "@aws-cdk/aws-s3": 
"0.0.0", + "@aws-cdk/core": "0.0.0", + "@aws-solutions-constructs/core": "0.0.0", + "constructs": "^3.2.0" + }, + "devDependencies": { + "@aws-cdk/assert": "0.0.0", + "@types/jest": "^26.0.22", + "@aws-cdk/aws-ec2": "0.0.0", + "@aws-cdk/aws-elasticloadbalancingv2": "0.0.0", + "@aws-cdk/aws-route53": "0.0.0", + "@aws-cdk/aws-route53-targets": "0.0.0", + "@aws-cdk/aws-s3": "0.0.0", + "@aws-cdk/core": "0.0.0", + "@aws-solutions-constructs/core": "0.0.0", + "constructs": "3.2.0", + "@types/node": "^10.3.0" + }, + "jest": { + "moduleFileExtensions": [ + "js" + ], + "coverageReporters": [ + "text", + [ + "lcov", + { + "projectRoot": "../../../../" + } + ] + ] + }, + "peerDependencies": { + "@aws-cdk/aws-ec2": "0.0.0", + "@aws-cdk/aws-elasticloadbalancingv2": "0.0.0", + "@aws-cdk/aws-route53": "0.0.0", + "@aws-cdk/aws-route53-targets": "0.0.0", + "@aws-cdk/core": "0.0.0", + "@aws-solutions-constructs/core": "0.0.0", + "constructs": "^3.2.0" + }, + "keywords": [ + "aws", + "cdk", + "awscdk", + "AWS Solutions Constructs", + "Amazon Route53", + "Application Load Balancing" + ] +} \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPrivateApi.expected.json b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPrivateApi.expected.json new file mode 100644 index 000000000..c636b74f1 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPrivateApi.expected.json 
@@ -0,0 +1,561 @@ +{ + "Description": "Integration Test for aws-route53-alb", + "Resources": { + "privateapistackprivateapistackzone3E5194E7": { + "Type": "AWS::Route53::HostedZone", + "Properties": { + "Name": "www.example.com.", + "VPCs": [ + { + "VPCId": { + "Ref": "Vpc8378EB38" + }, + "VPCRegion": "us-east-1" + } + ] + } + }, + "privateapistackprivateapistackalb7242E759": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "LoadBalancerAttributes": [ + { + "Key": "deletion_protection.enabled", + "Value": "false" + }, + { + "Key": "access_logs.s3.enabled", + "Value": "true" + }, + { + "Key": "access_logs.s3.bucket", + "Value": { + "Ref": "privateapistack09C932BB" + } + }, + { + "Key": "access_logs.s3.prefix", + "Value": "" + } + ], + "Scheme": "internal", + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "privateapistackprivateapistackalbSecurityGroup5A8A9725", + "GroupId" + ] + } + ], + "Subnets": [ + { + "Ref": "VpcisolatedSubnet1SubnetE62B1B9B" + }, + { + "Ref": "VpcisolatedSubnet2Subnet39217055" + }, + { + "Ref": "VpcisolatedSubnet3Subnet44F2537D" + } + ], + "Type": "application" + }, + "DependsOn": [ + "privateapistackPolicy98558170", + "privateapistack09C932BB" + ] + }, + "privateapistackprivateapistackalbSecurityGroup5A8A9725": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Automatically created Security Group for ELB deployPrivateApiprivateapistackprivateapistackalb5DF93E18", + "SecurityGroupEgress": [ + { + "CidrIp": "255.255.255.255/32", + "Description": "Disallow all traffic", + "FromPort": 252, + "IpProtocol": "icmp", + "ToPort": 86 + } + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } + }, + "DependsOn": [ + "privateapistackPolicy98558170", + "privateapistack09C932BB" + ], + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W29", + "reason": "CDK created rule that blocks all traffic." 
+ } + ] + } + } + }, + "privateapistack09C932BB": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, + "VersioningConfiguration": { + "Status": "Enabled" + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain", + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W35", + "reason": "This is a log bucket for an Application Load Balancer" + } + ] + } + } + }, + "privateapistackPolicy98558170": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "privateapistack09C932BB" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "privateapistack09C932BB", + "Arn" + ] + }, + "/*" + ] + ] + }, + { + "Fn::GetAtt": [ + "privateapistack09C932BB", + "Arn" + ] + } + ], + "Sid": "HttpsOnly" + }, + { + "Action": [ + "s3:PutObject", + "s3:Abort*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::127311923021:root" + ] + ] + } + }, + "Resource": { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "privateapistack09C932BB", + "Arn" + ] + }, + "/AWSLogs/", + { + "Ref": "AWS::AccountId" + }, + "/*" + ] + ] + } + } + ], + "Version": "2012-10-17" + } + } + }, + "privateapistackprivateapistackalias54E3713F": { + "Type": "AWS::Route53::RecordSet", + "Properties": { + "Name": "www.example.com.", + "Type": "A", + "AliasTarget": { + "DNSName": { + "Fn::Join": [ + "", + [ + "dualstack.", + { + "Fn::GetAtt": [ + 
"privateapistackprivateapistackalb7242E759", + "DNSName" + ] + } + ] + ] + }, + "HostedZoneId": { + "Fn::GetAtt": [ + "privateapistackprivateapistackalb7242E759", + "CanonicalHostedZoneID" + ] + } + }, + "HostedZoneId": { + "Ref": "privateapistackprivateapistackzone3E5194E7" + } + } + }, + "Vpc8378EB38": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/16", + "EnableDnsHostnames": true, + "EnableDnsSupport": true, + "InstanceTenancy": "default", + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApi/Vpc" + } + ] + } + }, + "VpcisolatedSubnet1SubnetE62B1B9B": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.0.0/18", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1a", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "isolated" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Isolated" + }, + { + "Key": "Name", + "Value": "deployPrivateApi/Vpc/isolatedSubnet1" + } + ] + } + }, + "VpcisolatedSubnet1RouteTableE442650B": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApi/Vpc/isolatedSubnet1" + } + ] + } + }, + "VpcisolatedSubnet1RouteTableAssociationD259E31A": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcisolatedSubnet1RouteTableE442650B" + }, + "SubnetId": { + "Ref": "VpcisolatedSubnet1SubnetE62B1B9B" + } + } + }, + "VpcisolatedSubnet2Subnet39217055": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.64.0/18", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1b", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "isolated" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Isolated" + }, + { + "Key": "Name", + "Value": "deployPrivateApi/Vpc/isolatedSubnet2" + } + ] + } + }, + 
"VpcisolatedSubnet2RouteTable334F9764": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApi/Vpc/isolatedSubnet2" + } + ] + } + }, + "VpcisolatedSubnet2RouteTableAssociation25A4716F": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcisolatedSubnet2RouteTable334F9764" + }, + "SubnetId": { + "Ref": "VpcisolatedSubnet2Subnet39217055" + } + } + }, + "VpcisolatedSubnet3Subnet44F2537D": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.128.0/18", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1c", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "isolated" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Isolated" + }, + { + "Key": "Name", + "Value": "deployPrivateApi/Vpc/isolatedSubnet3" + } + ] + } + }, + "VpcisolatedSubnet3RouteTableA2F6BBC0": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApi/Vpc/isolatedSubnet3" + } + ] + } + }, + "VpcisolatedSubnet3RouteTableAssociationDC010BEB": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcisolatedSubnet3RouteTableA2F6BBC0" + }, + "SubnetId": { + "Ref": "VpcisolatedSubnet3Subnet44F2537D" + } + } + }, + "VpcFlowLogIAMRole6A475D41": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "vpc-flow-logs.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApi/Vpc" + } + ] + } + }, + "VpcFlowLogIAMRoleDefaultPolicy406FB995": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + 
"logs:CreateLogStream", + "logs:PutLogEvents", + "logs:DescribeLogStreams" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "VpcFlowLogLogGroup7B5C56B9", + "Arn" + ] + } + }, + { + "Action": "iam:PassRole", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "VpcFlowLogIAMRole6A475D41", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "VpcFlowLogIAMRoleDefaultPolicy406FB995", + "Roles": [ + { + "Ref": "VpcFlowLogIAMRole6A475D41" + } + ] + } + }, + "VpcFlowLogLogGroup7B5C56B9": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 731 + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain", + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W84", + "reason": "By default CloudWatchLogs LogGroups data is encrypted using the CloudWatch server-side encryption keys (AWS Managed Keys)" + } + ] + } + } + }, + "VpcFlowLog8FF33A73": { + "Type": "AWS::EC2::FlowLog", + "Properties": { + "ResourceId": { + "Ref": "Vpc8378EB38" + }, + "ResourceType": "VPC", + "TrafficType": "ALL", + "DeliverLogsPermissionArn": { + "Fn::GetAtt": [ + "VpcFlowLogIAMRole6A475D41", + "Arn" + ] + }, + "LogDestinationType": "cloud-watch-logs", + "LogGroupName": { + "Ref": "VpcFlowLogLogGroup7B5C56B9" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApi/Vpc" + } + ] + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store." + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." 
+ } + ] + } + } +} \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPrivateApi.ts b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPrivateApi.ts new file mode 100644 index 000000000..d42a2a964 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPrivateApi.ts 
@@ -0,0 +1,42 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+
+// Imports
+import { App, Stack, Aws } from "@aws-cdk/core";
+import { Route53ToAlb, Route53ToAlbProps } from "../lib";
+import { generateIntegStackName } from '@aws-solutions-constructs/core';
+import * as defaults from '@aws-solutions-constructs/core';
+import { CfnSecurityGroup } from "@aws-cdk/aws-ec2";
+
+// Setup
+const app = new App();
+const stack = new Stack(app, generateIntegStackName(__filename), {
+ env: { account: Aws.ACCOUNT_ID, region: 'us-east-1' },
+});
+stack.templateOptions.description = 'Integration Test for aws-route53-alb';
+
+// Definitions
+const props: Route53ToAlbProps = {
+ publicApi: false,
+ privateHostedZoneProps: {
+ zoneName: 'www.example.com'
+ }
+};
+
+const testConstruct = new Route53ToAlb(stack, 'private-api-stack', props);
+
+const newSecurityGroup = testConstruct.loadBalancer.connections.securityGroups[0].node.defaultChild as CfnSecurityGroup;
+defaults.addCfnSuppressRules(newSecurityGroup, [{ id: 'W29', reason: 'CDK created rule that blocks all traffic.'}]);
+
+// Synth
+app.synth();
\ No newline at end of file
diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPrivateApiExistingZone.expected.json b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPrivateApiExistingZone.expected.json
new file mode 100644
index 000000000..66affb07f
--- /dev/null
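Review bot: `generateIntegStackName` is imported twice from '@aws-solutions-constructs/core' — once as a named import and again through the `defaults` namespace import on the next line — while the sibling test integ.deployPrivateApiExistingZone.ts in this same commit calls `defaults.generateIntegStackName(__filename)`; dropping the named import and writing `const stack = new Stack(app, defaults.generateIntegStackName(__filename), {` removes the duplicate import and keeps the two tests consistent. The cfn_nag W29 suppression is attached to the whole security-group resource rather than to the single CDK-generated placeholder egress entry it is meant to excuse (the `255.255.255.255/32` 'Disallow all traffic' rule visible in the ExistingZone expected template), so any egress rule added to that group later would be exempt from W29 as well; naming the covered rule in the reason, e.g. `reason: 'CDK-generated 255.255.255.255/32 placeholder egress rule that blocks all traffic; no other egress is defined on this group.'`, makes a later audit of the suppression cheaper. The same two suppression lines appear in integ.deployPrivateApiExistingZone.ts.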
+++ b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPrivateApiExistingZone.expected.json 
@@ -0,0 +1,940 @@ +{ + "Description": "Integration Test for aws-route53-alb", + "Resources": { + "Vpc8378EB38": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "172.168.0.0/16", + "EnableDnsHostnames": true, + "EnableDnsSupport": true, + "InstanceTenancy": "default", + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc" + } + ] + } + }, + "VpcPublicSubnet1Subnet5C2D37C4": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.168.0.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1a", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc/PublicSubnet1" + } + ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W33", + "reason": "Allow Public Subnets to have MapPublicIpOnLaunch set to true" + } + ] + } + } + }, + "VpcPublicSubnet1RouteTable6C95E38E": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc/PublicSubnet1" + } + ] + } + }, + "VpcPublicSubnet1RouteTableAssociation97140677": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet1RouteTable6C95E38E" + }, + "SubnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + } + } + }, + "VpcPublicSubnet1DefaultRoute3DA9E72A": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet1RouteTable6C95E38E" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, + "VpcPublicSubnet1EIPD7E02669": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "Name", + "Value": 
"deployPrivateApiExistingZone/Vpc/PublicSubnet1" + } + ] + } + }, + "VpcPublicSubnet1NATGateway4D7517AA": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "SubnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + }, + "AllocationId": { + "Fn::GetAtt": [ + "VpcPublicSubnet1EIPD7E02669", + "AllocationId" + ] + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc/PublicSubnet1" + } + ] + } + }, + "VpcPublicSubnet2Subnet691E08A3": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.168.32.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1b", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc/PublicSubnet2" + } + ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W33", + "reason": "Allow Public Subnets to have MapPublicIpOnLaunch set to true" + } + ] + } + } + }, + "VpcPublicSubnet2RouteTable94F7E489": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc/PublicSubnet2" + } + ] + } + }, + "VpcPublicSubnet2RouteTableAssociationDD5762D8": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet2RouteTable94F7E489" + }, + "SubnetId": { + "Ref": "VpcPublicSubnet2Subnet691E08A3" + } + } + }, + "VpcPublicSubnet2DefaultRoute97F91067": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet2RouteTable94F7E489" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, + "VpcPublicSubnet2EIP3C605A87": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": 
"Name", + "Value": "deployPrivateApiExistingZone/Vpc/PublicSubnet2" + } + ] + } + }, + "VpcPublicSubnet2NATGateway9182C01D": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "SubnetId": { + "Ref": "VpcPublicSubnet2Subnet691E08A3" + }, + "AllocationId": { + "Fn::GetAtt": [ + "VpcPublicSubnet2EIP3C605A87", + "AllocationId" + ] + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc/PublicSubnet2" + } + ] + } + }, + "VpcPublicSubnet3SubnetBE12F0B6": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.168.64.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1c", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc/PublicSubnet3" + } + ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W33", + "reason": "Allow Public Subnets to have MapPublicIpOnLaunch set to true" + } + ] + } + } + }, + "VpcPublicSubnet3RouteTable93458DBB": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc/PublicSubnet3" + } + ] + } + }, + "VpcPublicSubnet3RouteTableAssociation1F1EDF02": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet3RouteTable93458DBB" + }, + "SubnetId": { + "Ref": "VpcPublicSubnet3SubnetBE12F0B6" + } + } + }, + "VpcPublicSubnet3DefaultRoute4697774F": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet3RouteTable93458DBB" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, + "VpcPublicSubnet3EIP3A666A23": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ 
+ { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc/PublicSubnet3" + } + ] + } + }, + "VpcPublicSubnet3NATGateway7640CD1D": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "SubnetId": { + "Ref": "VpcPublicSubnet3SubnetBE12F0B6" + }, + "AllocationId": { + "Fn::GetAtt": [ + "VpcPublicSubnet3EIP3A666A23", + "AllocationId" + ] + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc/PublicSubnet3" + } + ] + } + }, + "VpcPrivateSubnet1Subnet536B997A": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.168.96.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1a", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc/PrivateSubnet1" + } + ] + } + }, + "VpcPrivateSubnet1RouteTableB2C5B500": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc/PrivateSubnet1" + } + ] + } + }, + "VpcPrivateSubnet1RouteTableAssociation70C59FA6": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet1Subnet536B997A" + } + } + }, + "VpcPrivateSubnet1DefaultRouteBE02A9ED": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet1NATGateway4D7517AA" + } + } + }, + "VpcPrivateSubnet2Subnet3788AAA1": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.168.128.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1b", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": 
"aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc/PrivateSubnet2" + } + ] + } + }, + "VpcPrivateSubnet2RouteTableA678073B": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc/PrivateSubnet2" + } + ] + } + }, + "VpcPrivateSubnet2RouteTableAssociationA89CAD56": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet2RouteTableA678073B" + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet2Subnet3788AAA1" + } + } + }, + "VpcPrivateSubnet2DefaultRoute060D2087": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet2RouteTableA678073B" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet2NATGateway9182C01D" + } + } + }, + "VpcPrivateSubnet3SubnetF258B56E": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.168.160.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1c", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc/PrivateSubnet3" + } + ] + } + }, + "VpcPrivateSubnet3RouteTableD98824C7": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc/PrivateSubnet3" + } + ] + } + }, + "VpcPrivateSubnet3RouteTableAssociation16BDDC43": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet3RouteTableD98824C7" + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet3SubnetF258B56E" + } + } + }, + 
"VpcPrivateSubnet3DefaultRoute94B74F0D": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet3RouteTableD98824C7" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet3NATGateway7640CD1D" + } + } + }, + "VpcIGWD7BA715C": { + "Type": "AWS::EC2::InternetGateway", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc" + } + ] + } + }, + "VpcVPCGWBF912B6E": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "InternetGatewayId": { + "Ref": "VpcIGWD7BA715C" + } + } + }, + "VpcFlowLogIAMRole6A475D41": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "vpc-flow-logs.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc" + } + ] + } + }, + "VpcFlowLogIAMRoleDefaultPolicy406FB995": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:DescribeLogStreams" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "VpcFlowLogLogGroup7B5C56B9", + "Arn" + ] + } + }, + { + "Action": "iam:PassRole", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "VpcFlowLogIAMRole6A475D41", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "VpcFlowLogIAMRoleDefaultPolicy406FB995", + "Roles": [ + { + "Ref": "VpcFlowLogIAMRole6A475D41" + } + ] + } + }, + "VpcFlowLogLogGroup7B5C56B9": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 731 + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain", + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W84", + "reason": "By default CloudWatchLogs LogGroups data is encrypted 
using the CloudWatch server-side encryption keys (AWS Managed Keys)" + } + ] + } + } + }, + "VpcFlowLog8FF33A73": { + "Type": "AWS::EC2::FlowLog", + "Properties": { + "ResourceId": { + "Ref": "Vpc8378EB38" + }, + "ResourceType": "VPC", + "TrafficType": "ALL", + "DeliverLogsPermissionArn": { + "Fn::GetAtt": [ + "VpcFlowLogIAMRole6A475D41", + "Arn" + ] + }, + "LogDestinationType": "cloud-watch-logs", + "LogGroupName": { + "Ref": "VpcFlowLogLogGroup7B5C56B9" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPrivateApiExistingZone/Vpc" + } + ] + } + }, + "newzone1D011936": { + "Type": "AWS::Route53::HostedZone", + "Properties": { + "Name": "www.test-example.com.", + "VPCs": [ + { + "VPCId": { + "Ref": "Vpc8378EB38" + }, + "VPCRegion": "us-east-1" + } + ] + } + }, + "existingzonestackexistingzonestackalbCFB3D7E4": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "LoadBalancerAttributes": [ + { + "Key": "deletion_protection.enabled", + "Value": "false" + }, + { + "Key": "access_logs.s3.enabled", + "Value": "true" + }, + { + "Key": "access_logs.s3.bucket", + "Value": { + "Ref": "existingzonestackEFB9F5B3" + } + }, + { + "Key": "access_logs.s3.prefix", + "Value": "" + } + ], + "Scheme": "internal", + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "existingzonestackexistingzonestackalbSecurityGroup6F32DCA5", + "GroupId" + ] + } + ], + "Subnets": [ + { + "Ref": "VpcPrivateSubnet1Subnet536B997A" + }, + { + "Ref": "VpcPrivateSubnet2Subnet3788AAA1" + }, + { + "Ref": "VpcPrivateSubnet3SubnetF258B56E" + } + ], + "Type": "application" + }, + "DependsOn": [ + "existingzonestackPolicyFEC9C88E", + "existingzonestackEFB9F5B3" + ] + }, + "existingzonestackexistingzonestackalbSecurityGroup6F32DCA5": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Automatically created Security Group for ELB deployPrivateApiExistingZoneexistingzonestackexistingzonestackalbFBEA12EB", + "SecurityGroupEgress": [ + { + "CidrIp": 
"255.255.255.255/32", + "Description": "Disallow all traffic", + "FromPort": 252, + "IpProtocol": "icmp", + "ToPort": 86 + } + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } + }, + "DependsOn": [ + "existingzonestackPolicyFEC9C88E", + "existingzonestackEFB9F5B3" + ], + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W29", + "reason": "CDK created rule that blocks all traffic." + } + ] + } + } + }, + "existingzonestackEFB9F5B3": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, + "VersioningConfiguration": { + "Status": "Enabled" + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain", + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W35", + "reason": "This is a log bucket for an Application Load Balancer" + } + ] + } + } + }, + "existingzonestackPolicyFEC9C88E": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "existingzonestackEFB9F5B3" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "existingzonestackEFB9F5B3", + "Arn" + ] + }, + "/*" + ] + ] + }, + { + "Fn::GetAtt": [ + "existingzonestackEFB9F5B3", + "Arn" + ] + } + ], + "Sid": "HttpsOnly" + }, + { + "Action": [ + "s3:PutObject", + "s3:Abort*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::127311923021:root" + ] + ] + } + }, + "Resource": { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "existingzonestackEFB9F5B3", + "Arn" + ] + }, + 
"/AWSLogs/", + { + "Ref": "AWS::AccountId" + }, + "/*" + ] + ] + } + } + ], + "Version": "2012-10-17" + } + } + }, + "existingzonestackexistingzonestackalias77D2E65D": { + "Type": "AWS::Route53::RecordSet", + "Properties": { + "Name": "www.test-example.com.", + "Type": "A", + "AliasTarget": { + "DNSName": { + "Fn::Join": [ + "", + [ + "dualstack.", + { + "Fn::GetAtt": [ + "existingzonestackexistingzonestackalbCFB3D7E4", + "DNSName" + ] + } + ] + ] + }, + "HostedZoneId": { + "Fn::GetAtt": [ + "existingzonestackexistingzonestackalbCFB3D7E4", + "CanonicalHostedZoneID" + ] + } + }, + "HostedZoneId": { + "Ref": "newzone1D011936" + } + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store." + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPrivateApiExistingZone.ts b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPrivateApiExistingZone.ts new file mode 100644 index 000000000..85c8ffee8 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPrivateApiExistingZone.ts 
@@ -0,0 +1,55 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+
+// Imports
+import { App, Stack, Aws } from "@aws-cdk/core";
+import * as defaults from '@aws-solutions-constructs/core';
+import { PrivateHostedZone } from "@aws-cdk/aws-route53";
+import { Route53ToAlb, Route53ToAlbProps } from "../lib";
+import { CfnSecurityGroup } from "@aws-cdk/aws-ec2";
+
+// Setup
+const app = new App();
+const stack = new Stack(app, defaults.generateIntegStackName(__filename), {
+ env: { account: Aws.ACCOUNT_ID, region: 'us-east-1' },
+});
+stack.templateOptions.description = 'Integration Test for aws-route53-alb';
+
+const newVpc = defaults.buildVpc(stack, {
+ defaultVpcProps: defaults.DefaultPublicPrivateVpcProps(),
+ constructVpcProps: {
+ enableDnsHostnames: true,
+ enableDnsSupport: true,
+ cidr: '172.168.0.0/16',
+ },
+});
+
+const newZone = new PrivateHostedZone(stack, 'new-zone', {
+ zoneName: 'www.test-example.com',
+ vpc: newVpc,
+});
+
+// Definitions
+const props: Route53ToAlbProps = {
+ publicApi: false,
+ existingHostedZoneInterface: newZone,
+ existingVpc: newVpc,
+};
+
+const testConstruct = new Route53ToAlb(stack, 'existing-zone-stack', props);
+
+const newSecurityGroup = testConstruct.loadBalancer.connections.securityGroups[0].node.defaultChild as CfnSecurityGroup;
+defaults.addCfnSuppressRules(newSecurityGroup, [{ id: 'W29', reason: 'CDK created rule that blocks all traffic.'}]);
+
+// Synth
+app.synth();
\ No newline at
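Review bot: The VPC CIDR handed to `defaults.buildVpc`, `cidr: '172.168.0.0/16',`, lies outside the RFC 1918 block 172.16.0.0/12 (172.16.0.0–172.31.255.255), so the test VPC is carved out of publicly routable address space; AWS accepts such a range, but hosts in the VPC will route traffic for those public addresses locally, and the expected templates in this commit bake the value in as `"CidrBlock": "172.168.0.0/16"`. If a private range was intended, `cidr: '172.16.0.0/16',` should keep the same /19 subnet layout at the cost of regenerating the expected JSON. The zone name 'www.test-example.com' also differs from the 'www.example.com' used by integ.deployPrivateApi.ts; presumably deliberate, but a one-line comment saying why would spare the next reader the comparison.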
end of file
diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiExistingAlb.expected.json b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiExistingAlb.expected.json
new file mode 100644
index 000000000..b6c97fb8b
--- /dev/null
+++ b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiExistingAlb.expected.json
@@ -0,0 +1,798 @@ +{ + "Description": "Integration Test for aws-route53-alb", + "Resources": { + "Vpc8378EB38": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "172.168.0.0/16", + "EnableDnsHostnames": true, + "EnableDnsSupport": true, + "InstanceTenancy": "default", + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc" + } + ] + } + }, + "VpcPublicSubnet1Subnet5C2D37C4": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.168.0.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1a", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc/PublicSubnet1" + } + ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W33", + "reason": "Allow Public Subnets to have MapPublicIpOnLaunch set to true" + } + ] + } + } + }, + "VpcPublicSubnet1RouteTable6C95E38E": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc/PublicSubnet1" + } + ] + } + }, + "VpcPublicSubnet1RouteTableAssociation97140677": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet1RouteTable6C95E38E" + }, + "SubnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + } + } + }, + "VpcPublicSubnet1DefaultRoute3DA9E72A": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet1RouteTable6C95E38E" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, + "VpcPublicSubnet1EIPD7E02669": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "Name", + "Value": 
"deployPublicApiExistingAlb/Vpc/PublicSubnet1" + } + ] + } + }, + "VpcPublicSubnet1NATGateway4D7517AA": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "SubnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + }, + "AllocationId": { + "Fn::GetAtt": [ + "VpcPublicSubnet1EIPD7E02669", + "AllocationId" + ] + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc/PublicSubnet1" + } + ] + } + }, + "VpcPublicSubnet2Subnet691E08A3": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.168.32.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1b", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc/PublicSubnet2" + } + ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W33", + "reason": "Allow Public Subnets to have MapPublicIpOnLaunch set to true" + } + ] + } + } + }, + "VpcPublicSubnet2RouteTable94F7E489": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc/PublicSubnet2" + } + ] + } + }, + "VpcPublicSubnet2RouteTableAssociationDD5762D8": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet2RouteTable94F7E489" + }, + "SubnetId": { + "Ref": "VpcPublicSubnet2Subnet691E08A3" + } + } + }, + "VpcPublicSubnet2DefaultRoute97F91067": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet2RouteTable94F7E489" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, + "VpcPublicSubnet2EIP3C605A87": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "Name", + 
"Value": "deployPublicApiExistingAlb/Vpc/PublicSubnet2" + } + ] + } + }, + "VpcPublicSubnet2NATGateway9182C01D": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "SubnetId": { + "Ref": "VpcPublicSubnet2Subnet691E08A3" + }, + "AllocationId": { + "Fn::GetAtt": [ + "VpcPublicSubnet2EIP3C605A87", + "AllocationId" + ] + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc/PublicSubnet2" + } + ] + } + }, + "VpcPublicSubnet3SubnetBE12F0B6": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.168.64.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1c", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc/PublicSubnet3" + } + ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W33", + "reason": "Allow Public Subnets to have MapPublicIpOnLaunch set to true" + } + ] + } + } + }, + "VpcPublicSubnet3RouteTable93458DBB": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc/PublicSubnet3" + } + ] + } + }, + "VpcPublicSubnet3RouteTableAssociation1F1EDF02": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet3RouteTable93458DBB" + }, + "SubnetId": { + "Ref": "VpcPublicSubnet3SubnetBE12F0B6" + } + } + }, + "VpcPublicSubnet3DefaultRoute4697774F": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet3RouteTable93458DBB" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, + "VpcPublicSubnet3EIP3A666A23": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": 
"Name", + "Value": "deployPublicApiExistingAlb/Vpc/PublicSubnet3" + } + ] + } + }, + "VpcPublicSubnet3NATGateway7640CD1D": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "SubnetId": { + "Ref": "VpcPublicSubnet3SubnetBE12F0B6" + }, + "AllocationId": { + "Fn::GetAtt": [ + "VpcPublicSubnet3EIP3A666A23", + "AllocationId" + ] + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc/PublicSubnet3" + } + ] + } + }, + "VpcPrivateSubnet1Subnet536B997A": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.168.96.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1a", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc/PrivateSubnet1" + } + ] + } + }, + "VpcPrivateSubnet1RouteTableB2C5B500": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc/PrivateSubnet1" + } + ] + } + }, + "VpcPrivateSubnet1RouteTableAssociation70C59FA6": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet1Subnet536B997A" + } + } + }, + "VpcPrivateSubnet1DefaultRouteBE02A9ED": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet1NATGateway4D7517AA" + } + } + }, + "VpcPrivateSubnet2Subnet3788AAA1": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.168.128.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1b", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": 
"Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc/PrivateSubnet2" + } + ] + } + }, + "VpcPrivateSubnet2RouteTableA678073B": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc/PrivateSubnet2" + } + ] + } + }, + "VpcPrivateSubnet2RouteTableAssociationA89CAD56": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet2RouteTableA678073B" + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet2Subnet3788AAA1" + } + } + }, + "VpcPrivateSubnet2DefaultRoute060D2087": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet2RouteTableA678073B" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet2NATGateway9182C01D" + } + } + }, + "VpcPrivateSubnet3SubnetF258B56E": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.168.160.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1c", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc/PrivateSubnet3" + } + ] + } + }, + "VpcPrivateSubnet3RouteTableD98824C7": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc/PrivateSubnet3" + } + ] + } + }, + "VpcPrivateSubnet3RouteTableAssociation16BDDC43": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet3RouteTableD98824C7" + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet3SubnetF258B56E" + } + } + }, + "VpcPrivateSubnet3DefaultRoute94B74F0D": { + 
"Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet3RouteTableD98824C7" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet3NATGateway7640CD1D" + } + } + }, + "VpcIGWD7BA715C": { + "Type": "AWS::EC2::InternetGateway", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc" + } + ] + } + }, + "VpcVPCGWBF912B6E": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "InternetGatewayId": { + "Ref": "VpcIGWD7BA715C" + } + } + }, + "VpcFlowLogIAMRole6A475D41": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "vpc-flow-logs.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc" + } + ] + } + }, + "VpcFlowLogIAMRoleDefaultPolicy406FB995": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:DescribeLogStreams" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "VpcFlowLogLogGroup7B5C56B9", + "Arn" + ] + } + }, + { + "Action": "iam:PassRole", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "VpcFlowLogIAMRole6A475D41", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "VpcFlowLogIAMRoleDefaultPolicy406FB995", + "Roles": [ + { + "Ref": "VpcFlowLogIAMRole6A475D41" + } + ] + } + }, + "VpcFlowLogLogGroup7B5C56B9": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 731 + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain", + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W84", + "reason": "By default CloudWatchLogs LogGroups data is encrypted using the CloudWatch server-side encryption keys (AWS 
Managed Keys)" + } + ] + } + } + }, + "VpcFlowLog8FF33A73": { + "Type": "AWS::EC2::FlowLog", + "Properties": { + "ResourceId": { + "Ref": "Vpc8378EB38" + }, + "ResourceType": "VPC", + "TrafficType": "ALL", + "DeliverLogsPermissionArn": { + "Fn::GetAtt": [ + "VpcFlowLogIAMRole6A475D41", + "Arn" + ] + }, + "LogDestinationType": "cloud-watch-logs", + "LogGroupName": { + "Ref": "VpcFlowLogLogGroup7B5C56B9" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiExistingAlb/Vpc" + } + ] + } + }, + "newzone1D011936": { + "Type": "AWS::Route53::HostedZone", + "Properties": { + "Name": "www.test-example.com." + } + }, + "testalb9AFCD824": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "LoadBalancerAttributes": [ + { + "Key": "deletion_protection.enabled", + "Value": "false" + } + ], + "Scheme": "internal", + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "testalbSecurityGroup0C84CDF9", + "GroupId" + ] + } + ], + "Subnets": [ + { + "Ref": "VpcPrivateSubnet1Subnet536B997A" + }, + { + "Ref": "VpcPrivateSubnet2Subnet3788AAA1" + }, + { + "Ref": "VpcPrivateSubnet3SubnetF258B56E" + } + ], + "Type": "application" + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W52", + "reason": "Test ALB only." + } + ] + } + } + }, + "testalbSecurityGroup0C84CDF9": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Automatically created Security Group for ELB deployPublicApiExistingAlbtestalb700DF81E", + "SecurityGroupEgress": [ + { + "CidrIp": "255.255.255.255/32", + "Description": "Disallow all traffic", + "FromPort": 252, + "IpProtocol": "icmp", + "ToPort": 86 + } + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W29", + "reason": "CDK created rule that blocks all traffic." 
+ } + ] + } + } + }, + "publicapistackpublicapistackalias4096038C": { + "Type": "AWS::Route53::RecordSet", + "Properties": { + "Name": "www.test-example.com.", + "Type": "A", + "AliasTarget": { + "DNSName": { + "Fn::Join": [ + "", + [ + "dualstack.", + { + "Fn::GetAtt": [ + "testalb9AFCD824", + "DNSName" + ] + } + ] + ] + }, + "HostedZoneId": { + "Fn::GetAtt": [ + "testalb9AFCD824", + "CanonicalHostedZoneID" + ] + } + }, + "HostedZoneId": { + "Ref": "newzone1D011936" + } + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store." + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiExistingAlb.ts b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiExistingAlb.ts new file mode 100644 index 000000000..e97ffe3a0 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiExistingAlb.ts 
@@ -0,0 +1,63 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+
+// Imports
+import { App, Stack, Aws } from "@aws-cdk/core";
+import * as defaults from '@aws-solutions-constructs/core';
+import { ApplicationLoadBalancer } from "@aws-cdk/aws-elasticloadbalancingv2";
+import { PublicHostedZone } from "@aws-cdk/aws-route53";
+import { Route53ToAlb, Route53ToAlbProps } from "../lib";
+import { generateIntegStackName } from '@aws-solutions-constructs/core';
+import { CfnSecurityGroup } from "@aws-cdk/aws-ec2";
+
+// Setup
+const app = new App();
+const stack = new Stack(app, generateIntegStackName(__filename), {
+ env: { account: Aws.ACCOUNT_ID, region: 'us-east-1' },
+});
+stack.templateOptions.description = 'Integration Test for aws-route53-alb';
+
+const newVpc = defaults.buildVpc(stack, {
+ defaultVpcProps: defaults.DefaultPublicPrivateVpcProps(),
+ constructVpcProps: {
+ enableDnsHostnames: true,
+ enableDnsSupport: true,
+ cidr: '172.168.0.0/16',
+ },
+});
+
+const newZone = new PublicHostedZone(stack, 'new-zone', {
+ zoneName: 'www.test-example.com',
+});
+
+const existingAlb = new ApplicationLoadBalancer(stack, 'test-alb', {
+ vpc: newVpc,
+});
+
+defaults.addCfnSuppressRules(existingAlb, [{ id: 'W52', reason: 'Test ALB only.'}]);
+
+// Definitions
+const props: Route53ToAlbProps = {
+ publicApi: true,
+ existingHostedZoneInterface: newZone,
+ existingVpc: newVpc,
+ existingLoadBalancerObj: existingAlb,
+};
+
+const testConstruct = new Route53ToAlb(stack, 'public-api-stack', props);
+
+const newSecurityGroup = testConstruct.loadBalancer.connections.securityGroups[0].node.defaultChild as CfnSecurityGroup;
+defaults.addCfnSuppressRules(newSecurityGroup, [{ id: 'W29', reason: 'CDK created rule that blocks all traffic.'}]);
+
+// Synth
+app.synth();
\ No newline at end of file
diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiNewAlb.expected.json b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiNewAlb.expected.json
new file mode 100644
index 000000000..095a9fa5b
--- /dev/null
+++ b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiNewAlb.expected.json
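Review bot: With `publicApi: true`, the "existing" ALB handed to the construct is built as `new ApplicationLoadBalancer(stack, 'test-alb', { vpc: newVpc })` without `internetFacing`, so it synthesizes as an internal-scheme load balancer in the private subnets (the companion expected template shows `"Scheme": "internal"`), and the public hosted zone's alias record ends up pointing at a load balancer that is not reachable from the internet. Either build it with `internetFacing: true` so the test exercises the public path it is named for — `const existingAlb = new ApplicationLoadBalancer(stack, 'test-alb', { vpc: newVpc, internetFacing: true });` — or, if the construct is meant to reject a public API on an internal ALB, the test should assert on that instead; which of the two the construct does is not visible from this hunk. Separately, `cidr: '172.168.0.0/16'` is not RFC 1918 space (the private block is 172.16.0.0/12), so the test VPC overlaps publicly routable addresses; `cidr: '172.16.0.0/16'` keeps the intent without the overlap. A one-line comment on the W29 suppression would also help readers: `// The 255.255.255.255/32 ICMP egress rule is CDK's "no outbound" placeholder; nothing is actually allowed.`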
@@ -0,0 +1,935 @@ +{ + "Description": "Integration Test for aws-route53-alb", + "Resources": { + "newzone1D011936": { + "Type": "AWS::Route53::HostedZone", + "Properties": { + "Name": "www.test-example.com." + } + }, + "newalbstacknewalbstackalb50B67E3E": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "LoadBalancerAttributes": [ + { + "Key": "deletion_protection.enabled", + "Value": "false" + }, + { + "Key": "access_logs.s3.enabled", + "Value": "true" + }, + { + "Key": "access_logs.s3.bucket", + "Value": { + "Ref": "newalbstackADB02838" + } + }, + { + "Key": "access_logs.s3.prefix", + "Value": "" + } + ], + "Scheme": "internet-facing", + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "newalbstacknewalbstackalbSecurityGroup7BBB827C", + "GroupId" + ] + } + ], + "Subnets": [ + { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + }, + { + "Ref": "VpcPublicSubnet2Subnet691E08A3" + }, + { + "Ref": "VpcPublicSubnet3SubnetBE12F0B6" + } + ], + "Type": "application" + }, + "DependsOn": [ + "newalbstackPolicyB7C2D898", + "newalbstackADB02838", + "VpcPublicSubnet1DefaultRoute3DA9E72A", + "VpcPublicSubnet2DefaultRoute97F91067", + "VpcPublicSubnet3DefaultRoute4697774F" + ] + }, + "newalbstacknewalbstackalbSecurityGroup7BBB827C": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Automatically created Security Group for ELB deployPublicApiNewAlbnewalbstacknewalbstackalbC987D9E9", + "SecurityGroupEgress": [ + { + "CidrIp": "255.255.255.255/32", + "Description": "Disallow all traffic", + "FromPort": 252, + "IpProtocol": "icmp", + "ToPort": 86 + } + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } + }, + "DependsOn": [ + "newalbstackPolicyB7C2D898", + "newalbstackADB02838" + ], + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W29", + "reason": "CDK created rule that blocks all traffic." 
+ } + ] + } + } + }, + "newalbstackADB02838": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, + "VersioningConfiguration": { + "Status": "Enabled" + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain", + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W35", + "reason": "This is a log bucket for an Application Load Balancer" + } + ] + } + } + }, + "newalbstackPolicyB7C2D898": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "newalbstackADB02838" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "newalbstackADB02838", + "Arn" + ] + }, + "/*" + ] + ] + }, + { + "Fn::GetAtt": [ + "newalbstackADB02838", + "Arn" + ] + } + ], + "Sid": "HttpsOnly" + }, + { + "Action": [ + "s3:PutObject", + "s3:Abort*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::127311923021:root" + ] + ] + } + }, + "Resource": { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "newalbstackADB02838", + "Arn" + ] + }, + "/AWSLogs/", + { + "Ref": "AWS::AccountId" + }, + "/*" + ] + ] + } + } + ], + "Version": "2012-10-17" + } + } + }, + "newalbstacknewalbstackalias05E0DF53": { + "Type": "AWS::Route53::RecordSet", + "Properties": { + "Name": "www.test-example.com.", + "Type": "A", + "AliasTarget": { + "DNSName": { + "Fn::Join": [ + "", + [ + "dualstack.", + { + "Fn::GetAtt": [ + "newalbstacknewalbstackalb50B67E3E", + "DNSName" + ] + } + ] + ] + 
}, + "HostedZoneId": { + "Fn::GetAtt": [ + "newalbstacknewalbstackalb50B67E3E", + "CanonicalHostedZoneID" + ] + } + }, + "HostedZoneId": { + "Ref": "newzone1D011936" + } + } + }, + "Vpc8378EB38": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/16", + "EnableDnsHostnames": true, + "EnableDnsSupport": true, + "InstanceTenancy": "default", + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc" + } + ] + } + }, + "VpcPublicSubnet1Subnet5C2D37C4": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.0.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1a", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc/PublicSubnet1" + } + ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W33", + "reason": "Allow Public Subnets to have MapPublicIpOnLaunch set to true" + } + ] + } + } + }, + "VpcPublicSubnet1RouteTable6C95E38E": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc/PublicSubnet1" + } + ] + } + }, + "VpcPublicSubnet1RouteTableAssociation97140677": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet1RouteTable6C95E38E" + }, + "SubnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + } + } + }, + "VpcPublicSubnet1DefaultRoute3DA9E72A": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet1RouteTable6C95E38E" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, + "VpcPublicSubnet1EIPD7E02669": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": 
"Name", + "Value": "deployPublicApiNewAlb/Vpc/PublicSubnet1" + } + ] + } + }, + "VpcPublicSubnet1NATGateway4D7517AA": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "SubnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + }, + "AllocationId": { + "Fn::GetAtt": [ + "VpcPublicSubnet1EIPD7E02669", + "AllocationId" + ] + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc/PublicSubnet1" + } + ] + } + }, + "VpcPublicSubnet2Subnet691E08A3": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.32.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1b", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc/PublicSubnet2" + } + ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W33", + "reason": "Allow Public Subnets to have MapPublicIpOnLaunch set to true" + } + ] + } + } + }, + "VpcPublicSubnet2RouteTable94F7E489": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc/PublicSubnet2" + } + ] + } + }, + "VpcPublicSubnet2RouteTableAssociationDD5762D8": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet2RouteTable94F7E489" + }, + "SubnetId": { + "Ref": "VpcPublicSubnet2Subnet691E08A3" + } + } + }, + "VpcPublicSubnet2DefaultRoute97F91067": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet2RouteTable94F7E489" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, + "VpcPublicSubnet2EIP3C605A87": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "Name", + 
"Value": "deployPublicApiNewAlb/Vpc/PublicSubnet2" + } + ] + } + }, + "VpcPublicSubnet2NATGateway9182C01D": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "SubnetId": { + "Ref": "VpcPublicSubnet2Subnet691E08A3" + }, + "AllocationId": { + "Fn::GetAtt": [ + "VpcPublicSubnet2EIP3C605A87", + "AllocationId" + ] + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc/PublicSubnet2" + } + ] + } + }, + "VpcPublicSubnet3SubnetBE12F0B6": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.64.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1c", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc/PublicSubnet3" + } + ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W33", + "reason": "Allow Public Subnets to have MapPublicIpOnLaunch set to true" + } + ] + } + } + }, + "VpcPublicSubnet3RouteTable93458DBB": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc/PublicSubnet3" + } + ] + } + }, + "VpcPublicSubnet3RouteTableAssociation1F1EDF02": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet3RouteTable93458DBB" + }, + "SubnetId": { + "Ref": "VpcPublicSubnet3SubnetBE12F0B6" + } + } + }, + "VpcPublicSubnet3DefaultRoute4697774F": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet3RouteTable93458DBB" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, + "VpcPublicSubnet3EIP3A666A23": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "Name", + "Value": 
"deployPublicApiNewAlb/Vpc/PublicSubnet3" + } + ] + } + }, + "VpcPublicSubnet3NATGateway7640CD1D": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "SubnetId": { + "Ref": "VpcPublicSubnet3SubnetBE12F0B6" + }, + "AllocationId": { + "Fn::GetAtt": [ + "VpcPublicSubnet3EIP3A666A23", + "AllocationId" + ] + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc/PublicSubnet3" + } + ] + } + }, + "VpcPrivateSubnet1Subnet536B997A": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.96.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1a", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc/PrivateSubnet1" + } + ] + } + }, + "VpcPrivateSubnet1RouteTableB2C5B500": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc/PrivateSubnet1" + } + ] + } + }, + "VpcPrivateSubnet1RouteTableAssociation70C59FA6": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet1Subnet536B997A" + } + } + }, + "VpcPrivateSubnet1DefaultRouteBE02A9ED": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet1NATGateway4D7517AA" + } + } + }, + "VpcPrivateSubnet2Subnet3788AAA1": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.128.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1b", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": 
"aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc/PrivateSubnet2" + } + ] + } + }, + "VpcPrivateSubnet2RouteTableA678073B": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc/PrivateSubnet2" + } + ] + } + }, + "VpcPrivateSubnet2RouteTableAssociationA89CAD56": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet2RouteTableA678073B" + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet2Subnet3788AAA1" + } + } + }, + "VpcPrivateSubnet2DefaultRoute060D2087": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet2RouteTableA678073B" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet2NATGateway9182C01D" + } + } + }, + "VpcPrivateSubnet3SubnetF258B56E": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.160.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1c", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc/PrivateSubnet3" + } + ] + } + }, + "VpcPrivateSubnet3RouteTableD98824C7": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc/PrivateSubnet3" + } + ] + } + }, + "VpcPrivateSubnet3RouteTableAssociation16BDDC43": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet3RouteTableD98824C7" + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet3SubnetF258B56E" + } + } + }, + "VpcPrivateSubnet3DefaultRoute94B74F0D": { + "Type": "AWS::EC2::Route", + "Properties": { + 
"RouteTableId": { + "Ref": "VpcPrivateSubnet3RouteTableD98824C7" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet3NATGateway7640CD1D" + } + } + }, + "VpcIGWD7BA715C": { + "Type": "AWS::EC2::InternetGateway", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc" + } + ] + } + }, + "VpcVPCGWBF912B6E": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "InternetGatewayId": { + "Ref": "VpcIGWD7BA715C" + } + } + }, + "VpcFlowLogIAMRole6A475D41": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "vpc-flow-logs.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc" + } + ] + } + }, + "VpcFlowLogIAMRoleDefaultPolicy406FB995": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:DescribeLogStreams" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "VpcFlowLogLogGroup7B5C56B9", + "Arn" + ] + } + }, + { + "Action": "iam:PassRole", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "VpcFlowLogIAMRole6A475D41", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "VpcFlowLogIAMRoleDefaultPolicy406FB995", + "Roles": [ + { + "Ref": "VpcFlowLogIAMRole6A475D41" + } + ] + } + }, + "VpcFlowLogLogGroup7B5C56B9": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 731 + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain", + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W84", + "reason": "By default CloudWatchLogs LogGroups data is encrypted using the CloudWatch server-side encryption keys (AWS Managed Keys)" + } + ] + } + } + }, + 
"VpcFlowLog8FF33A73": { + "Type": "AWS::EC2::FlowLog", + "Properties": { + "ResourceId": { + "Ref": "Vpc8378EB38" + }, + "ResourceType": "VPC", + "TrafficType": "ALL", + "DeliverLogsPermissionArn": { + "Fn::GetAtt": [ + "VpcFlowLogIAMRole6A475D41", + "Arn" + ] + }, + "LogDestinationType": "cloud-watch-logs", + "LogGroupName": { + "Ref": "VpcFlowLogLogGroup7B5C56B9" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployPublicApiNewAlb/Vpc" + } + ] + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store." + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiNewAlb.ts b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiNewAlb.ts new file mode 100644 index 000000000..35f8e4d91 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployPublicApiNewAlb.ts 
@@ -0,0 +1,44 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+
+// Imports
+import { App, Stack, Aws } from "@aws-cdk/core";
+import * as defaults from '@aws-solutions-constructs/core';
+import { PublicHostedZone } from "@aws-cdk/aws-route53";
+import { Route53ToAlb, Route53ToAlbProps } from "../lib";
+import { CfnSecurityGroup } from "@aws-cdk/aws-ec2";
+
+// Setup
+const app = new App();
+const stack = new Stack(app, defaults.generateIntegStackName(__filename), {
+ env: { account: Aws.ACCOUNT_ID, region: 'us-east-1' },
+});
+stack.templateOptions.description = 'Integration Test for aws-route53-alb';
+
+const newZone = new PublicHostedZone(stack, 'new-zone', {
+ zoneName: 'www.test-example.com',
+});
+
+// Definitions
+const props: Route53ToAlbProps = {
+ publicApi: true,
+ existingHostedZoneInterface: newZone,
+};
+
+const testConstruct = new Route53ToAlb(stack, 'new-alb-stack', props);
+
+const newSecurityGroup = testConstruct.loadBalancer.connections.securityGroups[0].node.defaultChild as CfnSecurityGroup;
+defaults.addCfnSuppressRules(newSecurityGroup, [{ id: 'W29', reason: 'CDK created rule that blocks all traffic.'}]);
+
+// Synth
+app.synth();
\ No newline at end of file
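Review bot: The stack pins `region: 'us-east-1'` on the `env` line without saying why, and the reason is security-relevant: the construct-built ALB's access-log bucket policy grants `s3:PutObject` to a region-specific ELB log-delivery principal (the companion expected template embeds account `127311923021`, the us-east-1 one), so synthesizing in another region would produce a different principal and break the snapshot. A comment keeps the next maintainer from "fixing" the hard-coded region: `// Pinned to us-east-1: the ALB access-log bucket policy embeds the region-specific ELB log-delivery account, so the snapshot is region-bound.` The `as CfnSecurityGroup` cast on `node.defaultChild` assumes the construct's first security group is one it created rather than an imported one; that holds for this test, but a short note of that assumption next to the cast would help if the construct's defaults change.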
diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployWithoutLogging.expected.json b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployWithoutLogging.expected.json
new file mode 100644
index 000000000..ff6a4e693
--- /dev/null
+++ b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployWithoutLogging.expected.json
@@ -0,0 +1,427 @@ +{ + "Description": "Integration Test for aws-route53-alb", + "Resources": { + "nologgingstacknologgingstackzoneE11B9175": { + "Type": "AWS::Route53::HostedZone", + "Properties": { + "Name": "www.example.com.", + "VPCs": [ + { + "VPCId": { + "Ref": "Vpc8378EB38" + }, + "VPCRegion": "us-east-1" + } + ] + } + }, + "nologgingstacknologgingstackalbFD11E34A": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "LoadBalancerAttributes": [ + { + "Key": "deletion_protection.enabled", + "Value": "false" + } + ], + "Scheme": "internal", + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "nologgingstacknologgingstackalbSecurityGroup1C3487C4", + "GroupId" + ] + } + ], + "Subnets": [ + { + "Ref": "VpcisolatedSubnet1SubnetE62B1B9B" + }, + { + "Ref": "VpcisolatedSubnet2Subnet39217055" + }, + { + "Ref": "VpcisolatedSubnet3Subnet44F2537D" + } + ], + "Type": "application" + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W52", + "reason": "This test is explicitly to test the no logging case." + } + ] + } + } + }, + "nologgingstacknologgingstackalbSecurityGroup1C3487C4": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Automatically created Security Group for ELB deployWithoutLoggingnologgingstacknologgingstackalbBA718BE3", + "SecurityGroupEgress": [ + { + "CidrIp": "255.255.255.255/32", + "Description": "Disallow all traffic", + "FromPort": 252, + "IpProtocol": "icmp", + "ToPort": 86 + } + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W29", + "reason": "CDK created rule that blocks all traffic." 
+ } + ] + } + } + }, + "nologgingstacknologgingstackalias0D6EE5FC": { + "Type": "AWS::Route53::RecordSet", + "Properties": { + "Name": "www.example.com.", + "Type": "A", + "AliasTarget": { + "DNSName": { + "Fn::Join": [ + "", + [ + "dualstack.", + { + "Fn::GetAtt": [ + "nologgingstacknologgingstackalbFD11E34A", + "DNSName" + ] + } + ] + ] + }, + "HostedZoneId": { + "Fn::GetAtt": [ + "nologgingstacknologgingstackalbFD11E34A", + "CanonicalHostedZoneID" + ] + } + }, + "HostedZoneId": { + "Ref": "nologgingstacknologgingstackzoneE11B9175" + } + } + }, + "Vpc8378EB38": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/16", + "EnableDnsHostnames": true, + "EnableDnsSupport": true, + "InstanceTenancy": "default", + "Tags": [ + { + "Key": "Name", + "Value": "deployWithoutLogging/Vpc" + } + ] + } + }, + "VpcisolatedSubnet1SubnetE62B1B9B": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.0.0/18", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1a", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "isolated" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Isolated" + }, + { + "Key": "Name", + "Value": "deployWithoutLogging/Vpc/isolatedSubnet1" + } + ] + } + }, + "VpcisolatedSubnet1RouteTableE442650B": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployWithoutLogging/Vpc/isolatedSubnet1" + } + ] + } + }, + "VpcisolatedSubnet1RouteTableAssociationD259E31A": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcisolatedSubnet1RouteTableE442650B" + }, + "SubnetId": { + "Ref": "VpcisolatedSubnet1SubnetE62B1B9B" + } + } + }, + "VpcisolatedSubnet2Subnet39217055": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.64.0/18", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1b", + 
"MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "isolated" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Isolated" + }, + { + "Key": "Name", + "Value": "deployWithoutLogging/Vpc/isolatedSubnet2" + } + ] + } + }, + "VpcisolatedSubnet2RouteTable334F9764": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployWithoutLogging/Vpc/isolatedSubnet2" + } + ] + } + }, + "VpcisolatedSubnet2RouteTableAssociation25A4716F": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcisolatedSubnet2RouteTable334F9764" + }, + "SubnetId": { + "Ref": "VpcisolatedSubnet2Subnet39217055" + } + } + }, + "VpcisolatedSubnet3Subnet44F2537D": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.128.0/18", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1c", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "isolated" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Isolated" + }, + { + "Key": "Name", + "Value": "deployWithoutLogging/Vpc/isolatedSubnet3" + } + ] + } + }, + "VpcisolatedSubnet3RouteTableA2F6BBC0": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployWithoutLogging/Vpc/isolatedSubnet3" + } + ] + } + }, + "VpcisolatedSubnet3RouteTableAssociationDC010BEB": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcisolatedSubnet3RouteTableA2F6BBC0" + }, + "SubnetId": { + "Ref": "VpcisolatedSubnet3Subnet44F2537D" + } + } + }, + "VpcFlowLogIAMRole6A475D41": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "vpc-flow-logs.amazonaws.com" + } + } + 
], + "Version": "2012-10-17" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployWithoutLogging/Vpc" + } + ] + } + }, + "VpcFlowLogIAMRoleDefaultPolicy406FB995": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:DescribeLogStreams" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "VpcFlowLogLogGroup7B5C56B9", + "Arn" + ] + } + }, + { + "Action": "iam:PassRole", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "VpcFlowLogIAMRole6A475D41", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "VpcFlowLogIAMRoleDefaultPolicy406FB995", + "Roles": [ + { + "Ref": "VpcFlowLogIAMRole6A475D41" + } + ] + } + }, + "VpcFlowLogLogGroup7B5C56B9": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 731 + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain", + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W84", + "reason": "By default CloudWatchLogs LogGroups data is encrypted using the CloudWatch server-side encryption keys (AWS Managed Keys)" + } + ] + } + } + }, + "VpcFlowLog8FF33A73": { + "Type": "AWS::EC2::FlowLog", + "Properties": { + "ResourceId": { + "Ref": "Vpc8378EB38" + }, + "ResourceType": "VPC", + "TrafficType": "ALL", + "DeliverLogsPermissionArn": { + "Fn::GetAtt": [ + "VpcFlowLogIAMRole6A475D41", + "Arn" + ] + }, + "LogDestinationType": "cloud-watch-logs", + "LogGroupName": { + "Ref": "VpcFlowLogLogGroup7B5C56B9" + }, + "Tags": [ + { + "Key": "Name", + "Value": "deployWithoutLogging/Vpc" + } + ] + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store." 
+ } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployWithoutLogging.ts b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployWithoutLogging.ts new file mode 100644 index 000000000..bc4bcf94b --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/integ.deployWithoutLogging.ts 
@@ -0,0 +1,45 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+
+// Imports
+import { App, Stack, Aws } from "@aws-cdk/core";
+import { Route53ToAlb, Route53ToAlbProps } from "../lib";
+import { generateIntegStackName } from '@aws-solutions-constructs/core';
+import * as defaults from '@aws-solutions-constructs/core';
+import { CfnSecurityGroup } from "@aws-cdk/aws-ec2";
+
+// Setup
+const app = new App();
+const stack = new Stack(app, generateIntegStackName(__filename), {
+ env: { account: Aws.ACCOUNT_ID, region: 'us-east-1' },
+});
+stack.templateOptions.description = 'Integration Test for aws-route53-alb';
+
+// Definitions
+const props: Route53ToAlbProps = {
+ publicApi: false,
+ privateHostedZoneProps: {
+ zoneName: 'www.example.com'
+ },
+ logAccessLogs: false,
+};
+
+const testConstruct = new Route53ToAlb(stack, 'no-logging-stack', props);
+
+const newSecurityGroup = testConstruct.loadBalancer.connections.securityGroups[0].node.defaultChild as CfnSecurityGroup;
+defaults.addCfnSuppressRules(newSecurityGroup, [{ id: 'W29', reason: 'CDK created rule that blocks all traffic.'}]);
+
+defaults.addCfnSuppressRules(testConstruct.loadBalancer, [{ id: 'W52', reason: 'This test is explicitly to test the no logging case.'}]);
+
+// Synth
+app.synth();
\ No newline at end of file
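Review bot: `testConstruct.loadBalancer.connections.securityGroups[0].node.defaultChild as CfnSecurityGroup` indexes the security-group list without checking it is non-empty, so an ALB that ends up with no security group fails here with an unrelated TypeError instead of a message naming the assumption. A guard makes the precondition explicit: `const [albSg] = testConstruct.loadBalancer.connections.securityGroups;` / `if (!albSg) throw new Error('expected the ALB to carry a security group');` and then cast `albSg.node.defaultChild`. The W52 suppression reason states why access logging is off, which is the right way to record a deliberate no-logging test rather than silencing the finding without context.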
diff --git a/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/route53-alb.test.ts b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/route53-alb.test.ts new file mode 100644 index 000000000..2698936e9 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-route53-alb/test/route53-alb.test.ts 
@@ -0,0 +1,434 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ + +// Imports +import { Stack } from "@aws-cdk/core"; +import { Route53ToAlb, Route53ToAlbProps } from '../lib'; +import * as r53 from '@aws-cdk/aws-route53'; +import * as elb from '@aws-cdk/aws-elasticloadbalancingv2'; +import '@aws-cdk/assert/jest'; +import * as defaults from '@aws-solutions-constructs/core'; + +// Helper Functions + +function getTestVpc(stack: Stack) { + return defaults.buildVpc(stack, { + defaultVpcProps: defaults.DefaultPublicPrivateVpcProps(), + constructVpcProps: { + enableDnsHostnames: true, + enableDnsSupport: true, + cidr: '172.168.0.0/16', + }, + }); +} + +test('Test Public API, new VPC', () => { + // Initial Setup + const stack = new Stack(undefined, undefined, { + env: { account: "123456789012", region: 'us-east-1' }, + }); + + const newZone = new r53.PublicHostedZone(stack, 'test-zone', { + zoneName: 'www.example-test.com' + }); + + const props: Route53ToAlbProps = { + publicApi: true, + existingHostedZoneInterface: newZone, + }; + + new Route53ToAlb(stack, 'test-route53-alb', props); + + expect(stack).toHaveResourceLike('AWS::ElasticLoadBalancingV2::LoadBalancer', { + Scheme: 'internet-facing' + }); + + expect(stack).toHaveResourceLike('AWS::EC2::VPC', { + EnableDnsHostnames: true, + EnableDnsSupport: true, + InstanceTenancy: "default", + }); + + expect(stack).toHaveResourceLike('AWS::Route53::RecordSet', { + Name: 
'www.example-test.com.', + Type: 'A' + }); + +}); + +test('Test Private API, existing VPC', () => { + // Initial Setup + const stack = new Stack(undefined, undefined, { + env: { account: "123456789012", region: 'us-east-1' }, + }); + + const testExistingVpc = getTestVpc(stack); + + const newZone = new r53.PrivateHostedZone(stack, 'test-zone', { + zoneName: 'www.example-test.com', + vpc: testExistingVpc + }); + + const props: Route53ToAlbProps = { + publicApi: false, + existingHostedZoneInterface: newZone, + existingVpc: testExistingVpc + }; + + new Route53ToAlb(stack, 'test-route53-alb', props); + + expect(stack).toHaveResourceLike('AWS::ElasticLoadBalancingV2::LoadBalancer', { + Scheme: 'internal' + }); + + expect(stack).toHaveResourceLike('AWS::EC2::VPC', { + EnableDnsHostnames: true, + EnableDnsSupport: true, + InstanceTenancy: "default", + }); + + expect(stack).toHaveResourceLike('AWS::Route53::RecordSet', { + Name: 'www.example-test.com.', + Type: 'A' + }); + +}); + +test('Test Private API, new VPC', () => { + // Initial Setup + const stack = new Stack(undefined, undefined, { + env: { account: "123456789012", region: 'us-east-1' }, + }); + + const props: Route53ToAlbProps = { + publicApi: false, + privateHostedZoneProps: { + zoneName: 'www.example-test.com', + } + }; + + new Route53ToAlb(stack, 'test-route53-alb', props); + + expect(stack).toHaveResourceLike('AWS::ElasticLoadBalancingV2::LoadBalancer', { + Scheme: 'internal' + }); + + expect(stack).toHaveResourceLike('AWS::EC2::VPC', { + EnableDnsHostnames: true, + EnableDnsSupport: true, + InstanceTenancy: "default", + }); + + expect(stack).toHaveResourceLike('AWS::Route53::RecordSet', { + Name: 'www.example-test.com.', + Type: 'A' + }); + +}); + +test('Check publicApi and zone props is an error', () => { + // Initial Setup + const stack = new Stack(); + + const testExistingVpc = getTestVpc(stack); + + const props: Route53ToAlbProps = { + publicApi: true, + existingVpc: testExistingVpc, + 
privateHostedZoneProps: { + zoneName: 'www.example-test.com', + } + }; + + const app = () => { + new Route53ToAlb(stack, 'test-error', props); + }; + // Assertion + expect(app).toThrowError(); +}); + +test('Check no Zone props and no existing zone interface is an error', () => { + // Initial Setup + const stack = new Stack(); + + const testExistingVpc = getTestVpc(stack); + + const props: Route53ToAlbProps = { + publicApi: false, + existingVpc: testExistingVpc, + }; + + const app = () => { + new Route53ToAlb(stack, 'test-error', props); + }; + // Assertion + expect(app).toThrowError(); +}); + +test('Check Zone props with VPC is an error', () => { + // Initial Setup + const stack = new Stack(); + + const testExistingVpc = getTestVpc(stack); + + const props: Route53ToAlbProps = { + publicApi: false, + existingVpc: testExistingVpc, + privateHostedZoneProps: { + zoneName: 'www.example-test.com', + vpc: testExistingVpc + } + }; + + const app = () => { + new Route53ToAlb(stack, 'test-error', props); + }; + // Assertion + expect(app).toThrowError(); + +}); + +test('Test with privateHostedZoneProps', () => { + // Initial Setup + const stack = new Stack(undefined, undefined, { + env: { account: "123456789012", region: 'us-east-1' }, + }); + + const testExistingVpc = getTestVpc(stack); + + const props: Route53ToAlbProps = { + publicApi: false, + existingVpc: testExistingVpc, + privateHostedZoneProps: { + zoneName: 'www.example-test.com', + } + }; + + new Route53ToAlb(stack, 'test-error', props); + + expect(stack).toHaveResourceLike('AWS::ElasticLoadBalancingV2::LoadBalancer', { + Scheme: 'internal' + }); + + expect(stack).toHaveResourceLike('AWS::EC2::VPC', { + EnableDnsHostnames: true, + EnableDnsSupport: true, + InstanceTenancy: "default", + }); + + expect(stack).toHaveResourceLike('AWS::Route53::RecordSet', { + Name: 'www.example-test.com.', + Type: 'A' + }); +}); + +test('Check that passing an existing hosted Zone without passing an existingVPC is an error', () => { + 
const stack = new Stack(); + + const testExistingVpc = getTestVpc(stack); + + const newZone = new r53.PrivateHostedZone(stack, 'test-zone', { + zoneName: 'www.example-test.com', + vpc: testExistingVpc + }); + + const props: Route53ToAlbProps = { + publicApi: false, + existingHostedZoneInterface: newZone, + }; + + const app = () => { + new Route53ToAlb(stack, 'test-error', props); + }; + // Assertion + expect(app).toThrowError(); + +}); + +test('Check that passing an existing Load Balancer without passing an existingVPC is an error', () => { + const stack = new Stack(); + + const testExistingVpc = getTestVpc(stack); + + const existingAlb = new elb.ApplicationLoadBalancer(stack, 'test-alb', { + vpc: testExistingVpc + }); + + const props: Route53ToAlbProps = { + publicApi: false, + existingLoadBalancerObj: existingAlb, + privateHostedZoneProps: { + zoneName: 'www.example-test.com', + } + }; + + const app = () => { + new Route53ToAlb(stack, 'test-error', props); + }; + // Assertion + expect(app).toThrowError(); + +}); + +test('Check that passing an existing ALB without passing an existingVPC is an error', () => { + const stack = new Stack(); + + const testExistingVpc = getTestVpc(stack); + + const newZone = new r53.PrivateHostedZone(stack, 'test-zone', { + zoneName: 'www.example-test.com', + vpc: testExistingVpc + }); + + const props: Route53ToAlbProps = { + publicApi: false, + existingHostedZoneInterface: newZone, + }; + + const app = () => { + new Route53ToAlb(stack, 'test-error', props); + }; + // Assertion + expect(app).toThrowError(); + +}); + +test('Check that passing loadBalancerProps with a vpc is an error', () => { + const stack = new Stack(); + + const testExistingVpc = getTestVpc(stack); + + const newZone = new r53.PrivateHostedZone(stack, 'test-zone', { + zoneName: 'www.example-test.com', + vpc: testExistingVpc + }); + + const props: Route53ToAlbProps = { + publicApi: false, + existingHostedZoneInterface: newZone, + loadBalancerProps: { + loadBalancerName: 
'my-alb', + vpc: testExistingVpc, + } + }; + + const app = () => { + new Route53ToAlb(stack, 'test-error', props); + }; + // Assertion + expect(app).toThrowError(); + +}); + +test('Test providing loadBalancerProps', () => { + // Initial Setup + const stack = new Stack(undefined, undefined, { + env: { account: "123456789012", region: 'us-east-1' }, + }); + + const testExistingVpc = getTestVpc(stack); + + const newZone = new r53.PrivateHostedZone(stack, 'test-zone', { + zoneName: 'www.example-test.com', + vpc: testExistingVpc + }); + + const props: Route53ToAlbProps = { + publicApi: false, + existingHostedZoneInterface: newZone, + existingVpc: testExistingVpc, + loadBalancerProps: { + loadBalancerName: 'find-this-name' + }, + }; + + new Route53ToAlb(stack, 'test-route53-alb', props); + + expect(stack).toHaveResourceLike('AWS::ElasticLoadBalancingV2::LoadBalancer', { + Scheme: 'internal', + Name: 'find-this-name' + }); + + expect(stack).toHaveResourceLike('AWS::EC2::VPC', { + EnableDnsHostnames: true, + EnableDnsSupport: true, + InstanceTenancy: "default", + }); + + expect(stack).toHaveResourceLike('AWS::Route53::RecordSet', { + Name: 'www.example-test.com.', + Type: 'A' + }); + +}); + +test('Test providing an existingLoadBalancer', () => { + // Initial Setup + const stack = new Stack(); + + const testExistingVpc = getTestVpc(stack); + + const newZone = new r53.PrivateHostedZone(stack, 'test-zone', { + zoneName: 'www.example-test.com', + vpc: testExistingVpc + }); + + const existingAlb = new elb.ApplicationLoadBalancer(stack, 'test-alb', { + vpc: testExistingVpc, + loadBalancerName: 'find-this-name' + }); + + const props: Route53ToAlbProps = { + publicApi: false, + existingHostedZoneInterface: newZone, + existingVpc: testExistingVpc, + existingLoadBalancerObj: existingAlb, + }; + + new Route53ToAlb(stack, 'test-route53-alb', props); + + expect(stack).toHaveResourceLike('AWS::ElasticLoadBalancingV2::LoadBalancer', { + Scheme: 'internal', + Name: 'find-this-name' + }); 
+ + expect(stack).toHaveResourceLike('AWS::EC2::VPC', { + EnableDnsHostnames: true, + EnableDnsSupport: true, + InstanceTenancy: "default", + }); + + expect(stack).toHaveResourceLike('AWS::Route53::RecordSet', { + Name: 'www.example-test.com.', + Type: 'A' + }); + +}); + +test('Check publicApi and without an existing hosted zone is an error', () => { + // Initial Setup + const stack = new Stack(); + + const testExistingVpc = getTestVpc(stack); + + const props: Route53ToAlbProps = { + publicApi: true, + existingVpc: testExistingVpc, + }; + + const app = () => { + new Route53ToAlb(stack, 'test-error', props); + }; + // Assertion + expect(app).toThrowError(); +}); diff --git a/source/patterns/@aws-solutions-constructs/aws-s3-step-function/README.md b/source/patterns/@aws-solutions-constructs/aws-s3-step-function/README.md index 0a7319510..5fad7376c 100644 --- a/source/patterns/@aws-solutions-constructs/aws-s3-step-function/README.md +++ b/source/patterns/@aws-solutions-constructs/aws-s3-step-function/README.md @@ -7,10 +7,6 @@ > Some of our early constructs don’t meet the naming standards that evolved for the library. We are releasing completely feature compatible versions with corrected names. The underlying implementation code is the same regardless of whether you deploy the construct using the old or new name. We will support both names for all 1.x releases, but in 2.x we will only publish the correctly named constructs. This construct is being replaced by the functionally identical aws-s3-stepfunctions. -> All classes are under active development and subject to non-backward compatible changes or removal in any -> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. -> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package. - --- 
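Review bot: The test 'Check that passing an existing ALB without passing an existingVPC is an error' never constructs an ApplicationLoadBalancer; its body is identical to 'Check that passing an existing hosted Zone without passing an existingVPC is an error' (a PrivateHostedZone passed as `existingHostedZoneInterface`), so the existing-ALB-without-VPC path the title promises is not covered. Either drop the duplicate or have it build an `elb.ApplicationLoadBalancer` and pass it as `existingLoadBalancerObj` with an existing hosted zone and no `existingVpc`. Every negative test asserts `expect(app).toThrowError()` with no argument, which also passes on an unrelated TypeError from a regression; asserting the construct's own validation text, `expect(app).toThrowError(/<expected validation message>/)`, pins the intended check. Separately, `getTestVpc` uses `cidr: '172.168.0.0/16'`, which lies outside the RFC 1918 172.16.0.0/12 block and is publicly routable space; harmless for a synth-only unit test, but a private range such as 172.16.0.0/16 avoids the value being copied into deployable code.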
diff --git a/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/.eslintignore b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/.eslintignore new file mode 100644 index 000000000..910cb0513 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/.eslintignore @@ -0,0 +1,4 @@ +lib/*.js +test/*.js +*.d.ts +coverage \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/.gitignore b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/.gitignore new file mode 100644 index 000000000..6773cabd2 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/.gitignore @@ -0,0 +1,15 @@ +lib/*.js +test/*.js +*.js.map +*.d.ts +node_modules +*.generated.ts +dist +.jsii + +.LAST_BUILD +.nyc_output +coverage +.nycrc +.LAST_PACKAGE +*.snk \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/.npmignore b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/.npmignore new file mode 100644 index 000000000..f66791629 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/.npmignore @@ -0,0 +1,21 @@ +# Exclude typescript source and config +*.ts +tsconfig.json +coverage +.nyc_output +*.tgz +*.snk +*.tsbuildinfo + +# Include javascript files and typescript declarations +!*.js +!*.d.ts + +# Exclude jsii outdir +dist + +# Include .jsii +!.jsii + +# Include .jsii +!.jsii \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/README.md b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/README.md new file mode 100644 index 000000000..bbcd7e292 --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/README.md 
@@ -0,0 +1,102 @@ +# aws-wafwebacl-alb module + + +--- + +![Stability: Experimental](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge) + +> All classes are under active development and subject to non-backward compatible changes or removal in any +> future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. +> This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package. + +--- + + +| **Reference Documentation**:| https://docs.aws.amazon.com/solutions/latest/constructs/| +|:-------------|:-------------| +
+ + +| **Language** | **Package** | +|:-------------|-----------------| +|![Python Logo](https://docs.aws.amazon.com/cdk/api/latest/img/python32.png) Python|`aws_solutions_constructs.aws_wafwebacl_alb`| +|![Typescript Logo](https://docs.aws.amazon.com/cdk/api/latest/img/typescript32.png) Typescript|`@aws-solutions-constructs/aws-wafwebacl-alb`| +|![Java Logo](https://docs.aws.amazon.com/cdk/api/latest/img/java32.png) Java|`software.amazon.awsconstructs.services.wafwebaclalb`| + +## Overview +This AWS Solutions Construct implements an AWS WAF web ACL connected to an Application Load Balancer. + +Here is a minimal deployable pattern definition in Typescript: + +``` typescript +import { Route53ToAlb } from '@aws-solutions-constructs/aws-route53-alb'; +import { WafwebaclToAlbProps, WafwebaclToAlb } from "@aws-solutions-constructs/aws-wafwebacl-alb"; + +// A constructed ALB is required to be attached to the WAF Web ACL. +// In this case, we are using this construct to create one. +const r53ToAlb = new Route53ToAlb(this, 'Route53ToAlbPattern', { + privateHostedZoneProps: { + zoneName: 'www.example.com', + }, + publicApi: false, + logAccessLogs: false +}); + +// This construct can only be attached to a configured Application Load Balancer. 
+new WafwebaclToAlb(this, 'test-wafwebacl-alb', { + existingLoadBalancerObj: r53ToAlb.loadBalancer +}); +``` + +## Initializer + +``` text +new WafwebaclToAlb(scope: Construct, id: string, props: WafwebaclToAlbProps); +``` + +_Parameters_ + +* scope [`Construct`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_core.Construct.html) +* id `string` +* props [`WafwebaclToAlbProps`](#pattern-construct-props) + +## Pattern Construct Props + +| **Name** | **Type** | **Description** | +|:-------------|:----------------|-----------------| +|existingLoadBalancerObj|[`elbv2.ApplicationLoadBalancer`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-elasticloadbalancingv2.ApplicationLoadBalancer.html)|The existing Application Load Balancer Object that will be protected with the WAF web ACL. *Note that a WAF web ACL can only be added to a configured Application Load Balancer, so this construct only accepts an existing ApplicationLoadBalancer and does not accept applicationLoadBalancerProps.*| +|existingWebaclObj?|[`waf.CfnWebACL`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-waf.CfnWebACL.html)|Existing instance of a WAF web ACL, an error will occur if this and props is set.| +|webaclProps?|[`waf.CfnWebACLProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-waf.CfnWebACLProps.html)|Optional user-provided props to override the default props for the AWS WAF web ACL. To use a different collection of managed rule sets, specify a new rules property. 
Use our [`wrapManagedRuleSet(managedGroupName: string, vendorName: string, priority: number)`](../core/lib/waf-defaults.ts) function from core to create an array entry from each desired managed rule set.| + +## Pattern Properties + +| **Name** | **Type** | **Description** | +|:-------------|:----------------|-----------------| +|webacl|[`waf.CfnWebACL`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-waf.CfnWebACL.html)|Returns an instance of the waf.CfnWebACL created by the construct.| +|loadBalancer|[`elbv2.ApplicationLoadBalancer`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-elasticloadbalancingv2.ApplicationLoadBalancer.html)|Returns an instance of the Application Load Balancer Object created by the pattern. | + +## Default settings + +Out of the box implementation of the Construct without any override will set the following defaults: + +### AWS WAF +* Deploy a WAF web ACL with 7 [AWS managed rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html). + * AWSManagedRulesBotControlRuleSet + * AWSManagedRulesKnownBadInputsRuleSet + * AWSManagedRulesCommonRuleSet + * AWSManagedRulesAnonymousIpList + * AWSManagedRulesAmazonIpReputationList + * AWSManagedRulesAdminProtectionRuleSet + * AWSManagedRulesSQLiRuleSet + + *Note that the default rules can be replaced by specifying the rules property of CfnWebACLProps* +* Send metrics to Amazon CloudWatch + +### Application Load Balancer +* User provided Application Load Balancer object is used as-is + +## Architecture +![Architecture Diagram](architecture.png) + +*** +© Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. 
diff --git a/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/architecture.png b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/architecture.png new file mode 100644 index 000000000..039628bf3 Binary files /dev/null and b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/architecture.png differ diff --git a/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/lib/index.ts new file mode 100644 index 000000000..ce4dbdefa --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/lib/index.ts 
@@ -0,0 +1,72 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+
+// Imports
+import * as waf from '@aws-cdk/aws-wafv2';
+import * as elbv2 from "@aws-cdk/aws-elasticloadbalancingv2";
+import * as defaults from '@aws-solutions-constructs/core';
+// Note: To ensure CDKv2 compatibility, keep the import statement for Construct separate
+import { Construct } from '@aws-cdk/core';
+
+/**
+ * @summary The properties for the WafwebaclToAlb class.
+ */
+export interface WafwebaclToAlbProps {
+ /**
+ * The existing Application Load Balancer instance that will be protected with the WAF web ACL.
+ */
+ readonly existingLoadBalancerObj: elbv2.ApplicationLoadBalancer,
+ /**
+ * Existing instance of a WAF web ACL, an error will occur if this and props is set
+ */
+ readonly existingWebaclObj?: waf.CfnWebACL,
+ /**
+ * Optional user-provided props to override the default props for the AWS WAF web ACL.
+ *
+ * @default - Default properties are used.
+ */
+ readonly webaclProps?: waf.CfnWebACLProps,
+}
+
+/**
+ * @summary The WafwebaclToAlb class.
+ */
+export class WafwebaclToAlb extends Construct {
+ public readonly webacl: waf.CfnWebACL;
+ public readonly loadBalancer: elbv2.ApplicationLoadBalancer;
+ /**
+ * @summary Constructs a new instance of the WafwebaclToAlb class.
+ * @param {cdk.App} scope - represents the scope for all the resources.
+ * @param {string} id - this is a a scope-unique id.
+ * @param {WafwebaclToAlbProps} props - user provided props for the construct.
+ * @access public
+ */
+ constructor(scope: Construct, id: string, props: WafwebaclToAlbProps) {
+ super(scope, id);
+ defaults.CheckProps(props);
+
+ // Build the Web ACL
+ this.webacl = defaults.buildWebacl(this, 'REGIONAL', {
+ existingWebaclObj: props.existingWebaclObj,
+ webaclProps: props.webaclProps,
+ });
+
+ // Setup the Web ACL Association
+ new waf.CfnWebACLAssociation(scope, `${id}-WebACLAssociation`, {
+ webAclArn: this.webacl.attrArn,
+ resourceArn: props.existingLoadBalancerObj.loadBalancerArn
+ });
+
+ this.loadBalancer = props.existingLoadBalancerObj;
+ }
+}
\ No newline at end of file
diff --git a/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/package.json b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/package.json
new file mode 100644
index 000000000..ad4d384fe
--- /dev/null
+++ b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/package.json
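Review bot: The `CfnWebACLAssociation` is created in `scope` under the id `${id}-WebACLAssociation` rather than as a child of this construct, so the resource that actually enforces the web ACL on the ALB sits beside the construct in the tree instead of under it and can collide with sibling ids chosen by the caller; unless that placement is deliberate for parity with the other wafwebacl constructs, `new waf.CfnWebACLAssociation(this, 'WebACLAssociation', { ... })` keeps it scoped to the construct. The constructor JSDoc types `scope` as `{cdk.App}` while the signature takes `Construct`, and "a a scope-unique id" is a typo; suggest `@param {Construct} scope - represents the scope for all the resources.` and `@param {string} id - this is a scope-unique id.`. The `existingWebaclObj` doc, "an error will occur if this and props is set", reads more precisely as `Existing instance of a WAF web ACL; an error is thrown if both this and webaclProps are supplied.`. Whether that error is really raised depends on `defaults.CheckProps` and `defaults.buildWebacl`, both outside this diff.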
@@ -0,0 +1,102 @@ +{ + "name": "@aws-solutions-constructs/aws-wafwebacl-alb", + "version": "0.0.0", + "description": "CDK constructs for defining an AWS web WAF connected to an Application Load Balancer.", + "main": "lib/index.js", + "types": "lib/index.d.ts", + "repository": { + "type": "git", + "url": "https://github.com/awslabs/aws-solutions-constructs.git", + "directory": "source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb" + }, + "author": { + "name": "Amazon Web Services", + "url": "https://aws.amazon.com", + "organization": true + }, + "license": "Apache-2.0", + "scripts": { + "build": "tsc -b .", + "lint": "eslint -c ../eslintrc.yml --ext=.js,.ts . && tslint --project .", + "lint-fix": "eslint -c ../eslintrc.yml --ext=.js,.ts --fix .", + "test": "jest --coverage", + "clean": "tsc -b --clean", + "watch": "tsc -b -w", + "integ": "cdk-integ", + "integ-assert": "cdk-integ-assert", + "integ-no-clean": "cdk-integ --no-clean", + "jsii": "jsii", + "jsii-pacmak": "jsii-pacmak", + "build+lint+test": "npm run jsii && npm run lint && npm test && npm run integ-assert", + "snapshot-update": "npm run jsii && npm test -- -u && npm run integ-assert" + }, + "jsii": { + "outdir": "dist", + "targets": { + "java": { + "package": "software.amazon.awsconstructs.services.wafwebaclalb", + "maven": { + "groupId": "software.amazon.awsconstructs", + "artifactId": "wafwebaclalb" + } + }, + "dotnet": { + "namespace": "Amazon.Constructs.AWS.WafwebaclAlb", + "packageId": "Amazon.Constructs.AWS.WafwebaclAlb", + "signAssembly": true, + "iconUrl": "https://raw.githubusercontent.com/aws/aws-cdk/master/logo/default-256-dark.png" + }, + "python": { + "distName": "aws-solutions-constructs.aws-wafwebacl-alb", + "module": "aws_solutions_constructs.aws_wafwebacl_alb" + } + } + }, + "dependencies": { + "@aws-cdk/aws-autoscaling": "0.0.0", + "@aws-cdk/aws-ec2": "0.0.0", + "@aws-cdk/aws-elasticloadbalancingv2": "0.0.0", + "@aws-cdk/aws-wafv2": "0.0.0", + "@aws-cdk/core": "0.0.0", + 
"@aws-solutions-constructs/core": "0.0.0", + "@aws-solutions-constructs/aws-route53-alb": "0.0.0", + "constructs": "^3.2.0" + }, + "devDependencies": { + "@aws-cdk/assert": "0.0.0", + "@types/jest": "^26.0.22", + "@types/node": "^10.3.0" + }, + "jest": { + "moduleFileExtensions": [ + "js" + ], + "coverageReporters": [ + "text", + [ + "lcov", + { + "projectRoot": "../../../../" + } + ] + ] + }, + "peerDependencies": { + "@aws-cdk/aws-autoscaling": "0.0.0", + "@aws-cdk/aws-ec2": "0.0.0", + "@aws-cdk/aws-elasticloadbalancingv2": "0.0.0", + "@aws-cdk/aws-wafv2": "0.0.0", + "@aws-cdk/core": "0.0.0", + "@aws-solutions-constructs/core": "0.0.0", + "@aws-solutions-constructs/aws-route53-alb": "0.0.0", + "constructs": "^3.2.0" + }, + "keywords": [ + "aws", + "cdk", + "awscdk", + "AWS Solutions Constructs", + "AWS WAF Web ACL", + "Application Load Balancer" + ] +} \ No newline at end of file diff --git a/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/test/integ.no-arguments.expected.json b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/test/integ.no-arguments.expected.json new file mode 100644 index 000000000..fb2c3e0ed --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/test/integ.no-arguments.expected.json 
@@ -0,0 +1,915 @@ +{ + "Resources": { + "Vpc8378EB38": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "172.168.0.0/16", + "EnableDnsHostnames": true, + "EnableDnsSupport": true, + "InstanceTenancy": "default", + "Tags": [ + { + "Key": "Name", + "Value": "no-arguments/Vpc" + } + ] + } + }, + "VpcPublicSubnet1Subnet5C2D37C4": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.168.0.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1a", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "no-arguments/Vpc/PublicSubnet1" + } + ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W33", + "reason": "Allow Public Subnets to have MapPublicIpOnLaunch set to true" + } + ] + } + } + }, + "VpcPublicSubnet1RouteTable6C95E38E": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "no-arguments/Vpc/PublicSubnet1" + } + ] + } + }, + "VpcPublicSubnet1RouteTableAssociation97140677": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet1RouteTable6C95E38E" + }, + "SubnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + } + } + }, + "VpcPublicSubnet1DefaultRoute3DA9E72A": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet1RouteTable6C95E38E" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, + "VpcPublicSubnet1EIPD7E02669": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "Name", + "Value": "no-arguments/Vpc/PublicSubnet1" + } + ] + } + }, + "VpcPublicSubnet1NATGateway4D7517AA": { + "Type": "AWS::EC2::NatGateway", + "Properties": { 
+ "SubnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + }, + "AllocationId": { + "Fn::GetAtt": [ + "VpcPublicSubnet1EIPD7E02669", + "AllocationId" + ] + }, + "Tags": [ + { + "Key": "Name", + "Value": "no-arguments/Vpc/PublicSubnet1" + } + ] + } + }, + "VpcPublicSubnet2Subnet691E08A3": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.168.32.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1b", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "no-arguments/Vpc/PublicSubnet2" + } + ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W33", + "reason": "Allow Public Subnets to have MapPublicIpOnLaunch set to true" + } + ] + } + } + }, + "VpcPublicSubnet2RouteTable94F7E489": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "no-arguments/Vpc/PublicSubnet2" + } + ] + } + }, + "VpcPublicSubnet2RouteTableAssociationDD5762D8": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet2RouteTable94F7E489" + }, + "SubnetId": { + "Ref": "VpcPublicSubnet2Subnet691E08A3" + } + } + }, + "VpcPublicSubnet2DefaultRoute97F91067": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet2RouteTable94F7E489" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, + "VpcPublicSubnet2EIP3C605A87": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "Name", + "Value": "no-arguments/Vpc/PublicSubnet2" + } + ] + } + }, + "VpcPublicSubnet2NATGateway9182C01D": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "SubnetId": { + "Ref": 
"VpcPublicSubnet2Subnet691E08A3" + }, + "AllocationId": { + "Fn::GetAtt": [ + "VpcPublicSubnet2EIP3C605A87", + "AllocationId" + ] + }, + "Tags": [ + { + "Key": "Name", + "Value": "no-arguments/Vpc/PublicSubnet2" + } + ] + } + }, + "VpcPublicSubnet3SubnetBE12F0B6": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.168.64.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1c", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "no-arguments/Vpc/PublicSubnet3" + } + ] + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W33", + "reason": "Allow Public Subnets to have MapPublicIpOnLaunch set to true" + } + ] + } + } + }, + "VpcPublicSubnet3RouteTable93458DBB": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "no-arguments/Vpc/PublicSubnet3" + } + ] + } + }, + "VpcPublicSubnet3RouteTableAssociation1F1EDF02": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet3RouteTable93458DBB" + }, + "SubnetId": { + "Ref": "VpcPublicSubnet3SubnetBE12F0B6" + } + } + }, + "VpcPublicSubnet3DefaultRoute4697774F": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet3RouteTable93458DBB" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, + "VpcPublicSubnet3EIP3A666A23": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "Name", + "Value": "no-arguments/Vpc/PublicSubnet3" + } + ] + } + }, + "VpcPublicSubnet3NATGateway7640CD1D": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "SubnetId": { + "Ref": "VpcPublicSubnet3SubnetBE12F0B6" + }, + 
"AllocationId": { + "Fn::GetAtt": [ + "VpcPublicSubnet3EIP3A666A23", + "AllocationId" + ] + }, + "Tags": [ + { + "Key": "Name", + "Value": "no-arguments/Vpc/PublicSubnet3" + } + ] + } + }, + "VpcPrivateSubnet1Subnet536B997A": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.168.96.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1a", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "no-arguments/Vpc/PrivateSubnet1" + } + ] + } + }, + "VpcPrivateSubnet1RouteTableB2C5B500": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "no-arguments/Vpc/PrivateSubnet1" + } + ] + } + }, + "VpcPrivateSubnet1RouteTableAssociation70C59FA6": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet1Subnet536B997A" + } + } + }, + "VpcPrivateSubnet1DefaultRouteBE02A9ED": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet1NATGateway4D7517AA" + } + } + }, + "VpcPrivateSubnet2Subnet3788AAA1": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.168.128.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1b", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "no-arguments/Vpc/PrivateSubnet2" + } + ] + } + }, + "VpcPrivateSubnet2RouteTableA678073B": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": 
"Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "no-arguments/Vpc/PrivateSubnet2" + } + ] + } + }, + "VpcPrivateSubnet2RouteTableAssociationA89CAD56": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet2RouteTableA678073B" + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet2Subnet3788AAA1" + } + } + }, + "VpcPrivateSubnet2DefaultRoute060D2087": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet2RouteTableA678073B" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet2NATGateway9182C01D" + } + } + }, + "VpcPrivateSubnet3SubnetF258B56E": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.168.160.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1c", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "no-arguments/Vpc/PrivateSubnet3" + } + ] + } + }, + "VpcPrivateSubnet3RouteTableD98824C7": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "Name", + "Value": "no-arguments/Vpc/PrivateSubnet3" + } + ] + } + }, + "VpcPrivateSubnet3RouteTableAssociation16BDDC43": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet3RouteTableD98824C7" + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet3SubnetF258B56E" + } + } + }, + "VpcPrivateSubnet3DefaultRoute94B74F0D": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet3RouteTableD98824C7" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet3NATGateway7640CD1D" + } + } + }, + "VpcIGWD7BA715C": { + "Type": "AWS::EC2::InternetGateway", + "Properties": { + "Tags": [ + { + 
"Key": "Name", + "Value": "no-arguments/Vpc" + } + ] + } + }, + "VpcVPCGWBF912B6E": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "InternetGatewayId": { + "Ref": "VpcIGWD7BA715C" + } + } + }, + "VpcFlowLogIAMRole6A475D41": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "vpc-flow-logs.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "Tags": [ + { + "Key": "Name", + "Value": "no-arguments/Vpc" + } + ] + } + }, + "VpcFlowLogIAMRoleDefaultPolicy406FB995": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:DescribeLogStreams" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "VpcFlowLogLogGroup7B5C56B9", + "Arn" + ] + } + }, + { + "Action": "iam:PassRole", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "VpcFlowLogIAMRole6A475D41", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "VpcFlowLogIAMRoleDefaultPolicy406FB995", + "Roles": [ + { + "Ref": "VpcFlowLogIAMRole6A475D41" + } + ] + } + }, + "VpcFlowLogLogGroup7B5C56B9": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 731 + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain", + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W84", + "reason": "By default CloudWatchLogs LogGroups data is encrypted using the CloudWatch server-side encryption keys (AWS Managed Keys)" + } + ] + } + } + }, + "VpcFlowLog8FF33A73": { + "Type": "AWS::EC2::FlowLog", + "Properties": { + "ResourceId": { + "Ref": "Vpc8378EB38" + }, + "ResourceType": "VPC", + "TrafficType": "ALL", + "DeliverLogsPermissionArn": { + "Fn::GetAtt": [ + "VpcFlowLogIAMRole6A475D41", + "Arn" + ] + }, + "LogDestinationType": "cloud-watch-logs", + 
"LogGroupName": { + "Ref": "VpcFlowLogLogGroup7B5C56B9" + }, + "Tags": [ + { + "Key": "Name", + "Value": "no-arguments/Vpc" + } + ] + } + }, + "newlbF396DAF2": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "LoadBalancerAttributes": [ + { + "Key": "deletion_protection.enabled", + "Value": "false" + } + ], + "Scheme": "internal", + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "newlbSecurityGroup04195C74", + "GroupId" + ] + } + ], + "Subnets": [ + { + "Ref": "VpcPrivateSubnet1Subnet536B997A" + }, + { + "Ref": "VpcPrivateSubnet2Subnet3788AAA1" + }, + { + "Ref": "VpcPrivateSubnet3SubnetF258B56E" + } + ], + "Type": "application" + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W52", + "reason": "This test is explicitly to test the no logging case." + } + ] + } + } + }, + "newlbSecurityGroup04195C74": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Automatically created Security Group for ELB noargumentsnewlb0B076C69", + "SecurityGroupEgress": [ + { + "CidrIp": "255.255.255.255/32", + "Description": "Disallow all traffic", + "FromPort": 252, + "IpProtocol": "icmp", + "ToPort": 86 + } + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } + }, + "Metadata": { + "cfn_nag": { + "rules_to_suppress": [ + { + "id": "W29", + "reason": "CDK created rule that blocks all traffic." 
+ } + ] + } + } + }, + "testwafwebaclalbtestwafwebaclalbWebACL994469BE": { + "Type": "AWS::WAFv2::WebACL", + "Properties": { + "DefaultAction": { + "Allow": {} + }, + "Scope": "REGIONAL", + "VisibilityConfig": { + "CloudWatchMetricsEnabled": true, + "MetricName": "webACL", + "SampledRequestsEnabled": true + }, + "Rules": [ + { + "Name": "AWS-AWSManagedRulesBotControlRuleSet", + "OverrideAction": { + "None": {} + }, + "Priority": 0, + "Statement": { + "ManagedRuleGroupStatement": { + "Name": "AWSManagedRulesBotControlRuleSet", + "VendorName": "AWS" + } + }, + "VisibilityConfig": { + "CloudWatchMetricsEnabled": true, + "MetricName": "AWSManagedRulesBotControlRuleSet", + "SampledRequestsEnabled": true + } + }, + { + "Name": "AWS-AWSManagedRulesKnownBadInputsRuleSet", + "OverrideAction": { + "None": {} + }, + "Priority": 1, + "Statement": { + "ManagedRuleGroupStatement": { + "Name": "AWSManagedRulesKnownBadInputsRuleSet", + "VendorName": "AWS" + } + }, + "VisibilityConfig": { + "CloudWatchMetricsEnabled": true, + "MetricName": "AWSManagedRulesKnownBadInputsRuleSet", + "SampledRequestsEnabled": true + } + }, + { + "Name": "AWS-AWSManagedRulesCommonRuleSet", + "OverrideAction": { + "None": {} + }, + "Priority": 2, + "Statement": { + "ManagedRuleGroupStatement": { + "Name": "AWSManagedRulesCommonRuleSet", + "VendorName": "AWS" + } + }, + "VisibilityConfig": { + "CloudWatchMetricsEnabled": true, + "MetricName": "AWSManagedRulesCommonRuleSet", + "SampledRequestsEnabled": true + } + }, + { + "Name": "AWS-AWSManagedRulesAnonymousIpList", + "OverrideAction": { + "None": {} + }, + "Priority": 3, + "Statement": { + "ManagedRuleGroupStatement": { + "Name": "AWSManagedRulesAnonymousIpList", + "VendorName": "AWS" + } + }, + "VisibilityConfig": { + "CloudWatchMetricsEnabled": true, + "MetricName": "AWSManagedRulesAnonymousIpList", + "SampledRequestsEnabled": true + } + }, + { + "Name": "AWS-AWSManagedRulesAmazonIpReputationList", + "OverrideAction": { + "None": {} + }, + "Priority": 
4, + "Statement": { + "ManagedRuleGroupStatement": { + "Name": "AWSManagedRulesAmazonIpReputationList", + "VendorName": "AWS" + } + }, + "VisibilityConfig": { + "CloudWatchMetricsEnabled": true, + "MetricName": "AWSManagedRulesAmazonIpReputationList", + "SampledRequestsEnabled": true + } + }, + { + "Name": "AWS-AWSManagedRulesAdminProtectionRuleSet", + "OverrideAction": { + "None": {} + }, + "Priority": 5, + "Statement": { + "ManagedRuleGroupStatement": { + "Name": "AWSManagedRulesAdminProtectionRuleSet", + "VendorName": "AWS" + } + }, + "VisibilityConfig": { + "CloudWatchMetricsEnabled": true, + "MetricName": "AWSManagedRulesAdminProtectionRuleSet", + "SampledRequestsEnabled": true + } + }, + { + "Name": "AWS-AWSManagedRulesSQLiRuleSet", + "OverrideAction": { + "None": {} + }, + "Priority": 6, + "Statement": { + "ManagedRuleGroupStatement": { + "Name": "AWSManagedRulesSQLiRuleSet", + "VendorName": "AWS" + } + }, + "VisibilityConfig": { + "CloudWatchMetricsEnabled": true, + "MetricName": "AWSManagedRulesSQLiRuleSet", + "SampledRequestsEnabled": true + } + } + ] + } + }, + "testwafwebaclalbWebACLAssociation": { + "Type": "AWS::WAFv2::WebACLAssociation", + "Properties": { + "ResourceArn": { + "Ref": "newlbF396DAF2" + }, + "WebACLArn": { + "Fn::GetAtt": [ + "testwafwebaclalbtestwafwebaclalbWebACL994469BE", + "Arn" + ] + } + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store." + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." 
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/test/integ.no-arguments.ts b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/test/integ.no-arguments.ts
new file mode 100644
index 000000000..dc7574620
--- /dev/null
+++ b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/test/integ.no-arguments.ts
@@ -0,0 +1,50 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+
+/// !cdk-integ *
+import { App, Stack } from "@aws-cdk/core";
+import { WafwebaclToAlb } from "../lib";
+import { generateIntegStackName } from '@aws-solutions-constructs/core';
+import { CfnSecurityGroup } from "@aws-cdk/aws-ec2";
+import * as defaults from '@aws-solutions-constructs/core';
+import * as elb from "@aws-cdk/aws-elasticloadbalancingv2";
+
+const app = new App();
+
+// Empty arguments
+const stack = new Stack(app, generateIntegStackName(__filename));
+
+const myVpc = defaults.buildVpc(stack, {
+ defaultVpcProps: defaults.DefaultPublicPrivateVpcProps(),
+ constructVpcProps: {
+ enableDnsHostnames: true,
+ enableDnsSupport: true,
+ cidr: '172.168.0.0/16',
+ }
+});
+
+const loadBalancer = new elb.ApplicationLoadBalancer(stack, 'new-lb', {
+ internetFacing: false,
+ vpc: myVpc
+});
+
+// This construct can only be attached to a configured Application Load Balancer.
+new WafwebaclToAlb(stack, 'test-wafwebacl-alb', {
+ existingLoadBalancerObj: loadBalancer
+});
+
+const newSecurityGroup = loadBalancer.connections.securityGroups[0].node.defaultChild as CfnSecurityGroup;
+defaults.addCfnSuppressRules(newSecurityGroup, [{ id: 'W29', reason: 'CDK created rule that blocks all traffic.'}]);
+defaults.addCfnSuppressRules(loadBalancer, [{ id: 'W52', reason: 'This test is explicitly to test the no logging case.'}]);
+
+app.synth();
\ No newline at end of file
diff --git a/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/test/test.wafwebacl-alb.test.ts b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/test/test.wafwebacl-alb.test.ts
new file mode 100644
index 000000000..4669f3219
--- /dev/null
+++ b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-alb/test/test.wafwebacl-alb.test.ts
@@ -0,0 +1,317 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+
+// Imports
+import * as cdk from "@aws-cdk/core";
+import { WafwebaclToAlb } from "../lib";
+import * as waf from "@aws-cdk/aws-wafv2";
+import * as defaults from '@aws-solutions-constructs/core';
+import * as elb from "@aws-cdk/aws-elasticloadbalancingv2";
+import '@aws-cdk/assert/jest';
+
+function deployLoadBalancer(stack: cdk.Stack) {
+ const myVpc = defaults.buildVpc(stack, {
+ defaultVpcProps: defaults.DefaultPublicPrivateVpcProps(),
+ constructVpcProps: {
+ enableDnsHostnames: true,
+ enableDnsSupport: true,
+ cidr: '172.168.0.0/16',
+ }
+ });
+
+ return new elb.ApplicationLoadBalancer(stack, 'new-lb', {
+ internetFacing: false,
+ vpc: myVpc
+ });
+}
+
+function deployConstruct(stack: cdk.Stack, webaclProps?: waf.CfnWebACLProps, existingWebaclObj?: waf.CfnWebACL) {
+ const loadBalancer = deployLoadBalancer(stack);
+
+ return new WafwebaclToAlb(stack, 'test-waf-alb', {
+ existingLoadBalancerObj: loadBalancer,
+ webaclProps,
+ existingWebaclObj
+ });
+}
+
+// --------------------------------------------------------------
+// Test error handling for existing WAF web ACL and user provided web ACL props
+// --------------------------------------------------------------
+test('Test error handling for existing WAF web ACL and user provider web ACL props', () => {
+ const stack = new cdk.Stack();
+ const props: waf.CfnWebACLProps = {
+ defaultAction: {
+ allow: {}
+ },
+ scope: 'REGIONAL',
+ visibilityConfig: {
+ cloudWatchMetricsEnabled: false,
+ metricName: 'webACL',
+ sampledRequestsEnabled: true
+ },
+ };
+
+ const wafAcl = new waf.CfnWebACL(stack, 'test-waf', props);
+ const loadBalancer = deployLoadBalancer(stack);
+
+ expect(() => {
+ new WafwebaclToAlb(stack, 'test-waf-alb', {
+ existingLoadBalancerObj: loadBalancer,
+ existingWebaclObj: wafAcl,
+ webaclProps: props
+ });
+ }).toThrowError();
+});
+
+// --------------------------------------------------------------
+// Test default deployment
+// --------------------------------------------------------------
+test('Test default deployment', () => {
+ const stack = new cdk.Stack();
+ const construct = deployConstruct(stack);
+
+ expect(construct.webacl !== null);
+ expect(construct.loadBalancer !== null);
+
+ expect(stack).toHaveResource("AWS::WAFv2::WebACL", {
+ Rules: [
+ {
+ Name: "AWS-AWSManagedRulesBotControlRuleSet",
+ OverrideAction: {
+ None: {}
+ },
+ Priority: 0,
+ Statement: {
+ ManagedRuleGroupStatement: {
+ Name: "AWSManagedRulesBotControlRuleSet",
+ VendorName: "AWS"
+ }
+ },
+ VisibilityConfig: {
+ CloudWatchMetricsEnabled: true,
+ MetricName: "AWSManagedRulesBotControlRuleSet",
+ SampledRequestsEnabled: true
+ }
+ },
+ {
+ Name: "AWS-AWSManagedRulesKnownBadInputsRuleSet",
+ OverrideAction: {
+ None: {}
+ },
+ Priority: 1,
+ Statement: {
+ ManagedRuleGroupStatement: {
+ Name: "AWSManagedRulesKnownBadInputsRuleSet",
+ VendorName: "AWS"
+ }
+ },
+ VisibilityConfig: {
+ CloudWatchMetricsEnabled: true,
+ MetricName: "AWSManagedRulesKnownBadInputsRuleSet",
+ SampledRequestsEnabled: true
+ }
+ },
+ {
+ Name: "AWS-AWSManagedRulesCommonRuleSet",
+ OverrideAction: {
+ None: {}
+ },
+ Priority: 2,
+ Statement: {
+ ManagedRuleGroupStatement: {
+ Name: "AWSManagedRulesCommonRuleSet",
+ VendorName: "AWS"
+ }
+ },
+ VisibilityConfig: {
+ CloudWatchMetricsEnabled: true,
+ MetricName: "AWSManagedRulesCommonRuleSet",
+ SampledRequestsEnabled: true
+ }
+ },
+ {
+ Name: "AWS-AWSManagedRulesAnonymousIpList",
+ OverrideAction: {
+ None: {}
+ },
+ Priority: 3,
+ Statement: {
+ ManagedRuleGroupStatement: {
+ Name: "AWSManagedRulesAnonymousIpList",
+ VendorName: "AWS"
+ }
+ },
+ VisibilityConfig: {
+ CloudWatchMetricsEnabled: true,
+ MetricName: "AWSManagedRulesAnonymousIpList",
+ SampledRequestsEnabled: true
+ }
+ },
+ {
+ Name: "AWS-AWSManagedRulesAmazonIpReputationList",
+ OverrideAction: {
+ None: {}
+ },
+ Priority: 4,
+ Statement: {
+ ManagedRuleGroupStatement: {
+ Name: "AWSManagedRulesAmazonIpReputationList",
+ VendorName: "AWS"
+ }
+ },
+ VisibilityConfig: {
+ CloudWatchMetricsEnabled: true,
+ MetricName: "AWSManagedRulesAmazonIpReputationList",
+ SampledRequestsEnabled: true
+ }
+ },
+ {
+ Name: "AWS-AWSManagedRulesAdminProtectionRuleSet",
+ OverrideAction: {
+ None: {}
+ },
+ Priority: 5,
+ Statement: {
+ ManagedRuleGroupStatement: {
+ Name: "AWSManagedRulesAdminProtectionRuleSet",
+ VendorName: "AWS"
+ }
+ },
+ VisibilityConfig: {
+ CloudWatchMetricsEnabled: true,
+ MetricName: "AWSManagedRulesAdminProtectionRuleSet",
+ SampledRequestsEnabled: true
+ }
+ },
+ {
+ Name: "AWS-AWSManagedRulesSQLiRuleSet",
+ OverrideAction: {
+ None: {}
+ },
+ Priority: 6,
+ Statement: {
+ ManagedRuleGroupStatement: {
+ Name: "AWSManagedRulesSQLiRuleSet",
+ VendorName: "AWS"
+ }
+ },
+ VisibilityConfig: {
+ CloudWatchMetricsEnabled: true,
+ MetricName: "AWSManagedRulesSQLiRuleSet",
+ SampledRequestsEnabled: true
+ }
+ }
+ ]
+ });
+});
+
+// --------------------------------------------------------------
+// Test web acl with user provided acl props
+// --------------------------------------------------------------
+test('Test user provided acl props', () => {
+ const stack = new cdk.Stack();
+ const webaclProps: waf.CfnWebACLProps = {
+ defaultAction: {
+ allow: {}
+ },
+ scope: 'REGIONAL',
+ visibilityConfig: {
+ cloudWatchMetricsEnabled: false,
+ metricName: 'webACL',
+ sampledRequestsEnabled: true
+ },
+ rules: [
+ defaults.wrapManagedRuleSet("AWSManagedRulesCommonRuleSet", "AWS", 0),
+ defaults.wrapManagedRuleSet("AWSManagedRulesWordPressRuleSet", "AWS", 1),
+ ]
+ };
+
+ deployConstruct(stack, webaclProps);
+
+ expect(stack).toHaveResource("AWS::WAFv2::WebACL", {
+ VisibilityConfig: {
+ CloudWatchMetricsEnabled: false,
+ MetricName: "webACL",
+ SampledRequestsEnabled: true
+ },
+ Rules: [
+ {
+ Name: "AWS-AWSManagedRulesCommonRuleSet",
+ OverrideAction: {
+ None: {}
+ },
+ Priority: 0,
+ Statement: {
+ ManagedRuleGroupStatement: {
+ Name: "AWSManagedRulesCommonRuleSet",
+ VendorName: "AWS"
+ }
+ },
+ VisibilityConfig: {
+ CloudWatchMetricsEnabled: true,
+ MetricName: "AWSManagedRulesCommonRuleSet",
+ SampledRequestsEnabled: true
+ }
+ },
+ {
+ Name: "AWS-AWSManagedRulesWordPressRuleSet",
+ OverrideAction: {
+ None: {}
+ },
+ Priority: 1,
+ Statement: {
+ ManagedRuleGroupStatement: {
+ Name: "AWSManagedRulesWordPressRuleSet",
+ VendorName: "AWS"
+ }
+ },
+ VisibilityConfig: {
+ CloudWatchMetricsEnabled: true,
+ MetricName: "AWSManagedRulesWordPressRuleSet",
+ SampledRequestsEnabled: true
+ }
+ }
+ ]
+ });
+});
+
+// --------------------------------------------------------------
+// Test existing web ACL
+// --------------------------------------------------------------
+test('Test existing web ACL', () => {
+ const stack = new cdk.Stack();
+ const webacl: waf.CfnWebACL = new waf.CfnWebACL(stack, 'test-webacl', {
+ defaultAction: {
+ allow: {}
+ },
+ scope: 'REGIONAL',
+ visibilityConfig: {
+ cloudWatchMetricsEnabled: true,
+ metricName: 'webACL',
+ sampledRequestsEnabled: true
+ },
+ });
+
+ deployConstruct(stack, undefined, webacl);
+
+ expect(stack).toHaveResource("AWS::WAFv2::WebACL", {
+ VisibilityConfig: {
+ CloudWatchMetricsEnabled: true,
+ MetricName: "webACL",
+ SampledRequestsEnabled: true
+ }
+ });
+
+ expect(stack).toCountResources("AWS::WAFv2::WebACL", 1);
+});
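Review bot: `expect(construct.webacl !== null);` and `expect(construct.loadBalancer !== null);` in 'Test default deployment' assert nothing — `expect()` with no matcher never fails, so the test passes even if both properties were undefined. Replace them with a matcher: `expect(construct.webacl).toBeDefined();` and `expect(construct.loadBalancer).toBeDefined();`. The first test's `.toThrowError()` likewise accepts any exception, so passing the expected message fragment would pin the "existing web ACL plus webaclProps" validation path rather than any throw from construction. The hunk covers the whole file.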
diff --git a/source/patterns/@aws-solutions-constructs/aws-wafwebacl-apigateway/README.md b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-apigateway/README.md index 6c5ddb9ac..4dda43370 100644 --- a/source/patterns/@aws-solutions-constructs/aws-wafwebacl-apigateway/README.md +++ b/source/patterns/@aws-solutions-constructs/aws-wafwebacl-apigateway/README.md @@ -89,7 +89,7 @@ Out of the box implementation of the Construct without any override will set the * AWSManagedRulesAdminProtectionRuleSet * AWSManagedRulesSQLiRuleSet - *Note that the default rules can be replaced by specifying the rules property of CfnWebACLProps* + *Note that the default rules can be replaced by specifying the rules property of CfnWebACLProps* * Send metrics to Amazon CloudWatch ### Amazon API Gateway diff --git a/source/patterns/@aws-solutions-constructs/core/index.ts b/source/patterns/@aws-solutions-constructs/core/index.ts index 1a22a80fc..2d4b451df 100644 --- a/source/patterns/@aws-solutions-constructs/core/index.ts +++ b/source/patterns/@aws-solutions-constructs/core/index.ts @@ -11,6 +11,8 @@ * and limitations under the License. */ +export * from './lib/alb-defaults'; +export * from './lib/alb-helper'; export * from './lib/apigateway-defaults'; export * from './lib/apigateway-helper'; export * from './lib/dynamodb-table-defaults'; diff --git a/source/patterns/@aws-solutions-constructs/core/lib/alb-defaults.ts b/source/patterns/@aws-solutions-constructs/core/lib/alb-defaults.ts new file mode 100644 index 000000000..5659e534f --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/core/lib/alb-defaults.ts 
@@ -0,0 +1,21 @@
+/**
+ * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+ * with the License. A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+ * and limitations under the License.
+ */
+
+import * as elb from "@aws-cdk/aws-elasticloadbalancingv2";
+
+export function DefaultListenerProps(loadBalancer: elb.ApplicationLoadBalancer): elb.ApplicationListenerProps {
+ return {
+ loadBalancer,
+ protocol: elb.ApplicationProtocol.HTTPS,
+ };
+}
\ No newline at end of file
diff --git a/source/patterns/@aws-solutions-constructs/core/lib/alb-helper.ts b/source/patterns/@aws-solutions-constructs/core/lib/alb-helper.ts
new file mode 100644
index 000000000..7034fbfba
--- /dev/null
+++ b/source/patterns/@aws-solutions-constructs/core/lib/alb-helper.ts
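Review bot: `DefaultListenerProps` is a new export of the core package with no documentation, and its HTTPS default is the security-relevant part callers need to know about: the props carry no certificates, so a listener built from them needs the caller to merge `certificates` in (my recollection is that the CDK listener validation rejects an HTTPS listener with none, which would surface as a synth error rather than a silent fallback to HTTP). Suggest a JSDoc above the function: `/** Default ApplicationListener props for an ALB: binds to loadBalancer and uses HTTPS. Callers must supply certificates (or explicitly override protocol) in the props merged on top. */`.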
@@ -0,0 +1,152 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ + +import * as elb from "@aws-cdk/aws-elasticloadbalancingv2"; +import { Construct } from "@aws-cdk/core"; +import * as ec2 from "@aws-cdk/aws-ec2"; +import * as s3 from "@aws-cdk/aws-s3"; +import * as lambda from "@aws-cdk/aws-lambda"; +import { ApplicationProtocol, ListenerAction, } from "@aws-cdk/aws-elasticloadbalancingv2"; +import * as elbt from "@aws-cdk/aws-elasticloadbalancingv2-targets"; +import { overrideProps, printWarning } from "./utils"; +import { DefaultListenerProps } from "./alb-defaults"; +import { createAlbLoggingBucket } from "./s3-bucket-helper"; +import { DefaultLoggingBucketProps } from "./s3-bucket-defaults"; + +// Returns the correct ALB Load Balancer to use in this construct, either an existing +// one provided as an argument or create new one otherwise. +export function ObtainAlb( + scope: Construct, + id: string, + vpc: ec2.IVpc, + publicApi: boolean, + existingLoadBalancerInterface?: elb.ApplicationLoadBalancer, + loadBalancerProps?: elb.ApplicationLoadBalancerProps | any, + logAccessLogs?: boolean, + loggingBucketProps?: s3.BucketProps +): elb.ApplicationLoadBalancer { + let loadBalancer: elb.ApplicationLoadBalancer; + + if (existingLoadBalancerInterface) { + loadBalancer = existingLoadBalancerInterface; + } else { + const consolidatedProps = loadBalancerProps + ? 
overrideProps(loadBalancerProps, { vpc, internetFacing: publicApi }) + : { vpc, internetFacing: publicApi }; + loadBalancer = new elb.ApplicationLoadBalancer( + scope, + `${id}-alb`, + consolidatedProps + ); + if (logAccessLogs === undefined || logAccessLogs === true) { + const consolidatedLoggingBucketProps = loggingBucketProps + ? overrideProps(DefaultLoggingBucketProps(), loggingBucketProps) + : DefaultLoggingBucketProps(); + const loggingBucket = createAlbLoggingBucket(scope, id, consolidatedLoggingBucketProps); + loadBalancer.logAccessLogs(loggingBucket); + } + } + return loadBalancer; +} + +export function AddListener( + scope: Construct, + loadBalancer: elb.ApplicationLoadBalancer, + targetGroup: elb.ApplicationTargetGroup, + listenerProps: elb.ApplicationListenerProps | any +): elb.ApplicationListener { + let consolidatedListenerProps: elb.ApplicationListenerProps; + + consolidatedListenerProps = overrideProps( + DefaultListenerProps(loadBalancer), + listenerProps + ); + + // create the listener + const listener = new elb.ApplicationListener( + scope, + "listener", + consolidatedListenerProps + ); + loadBalancer.listeners.push(listener); + + if (consolidatedListenerProps.protocol === elb.ApplicationProtocol.HTTP) { + // This will use core.printWarning in the actual construct + printWarning( + "AWS recommends encrypting traffic to an Application Load Balancer using HTTPS." 
+ ); + if (listenerProps.certificates?.length > 0) { + throw new Error("HTTP listeners cannot use a certificate"); + } + } else { + if (!listenerProps.certificates || listenerProps.certificates.length === 0) { + throw new Error("A listener using HTTPS protocol requires a certificate"); + } + + listener.addCertificates("listener-cert-add", listenerProps.certificates); + } + + if (consolidatedListenerProps.protocol === elb.ApplicationProtocol.HTTPS) { + const opt: elb.RedirectOptions = { + port: "443", + protocol: "HTTPS", + }; + + const httpListener = new elb.ApplicationListener( + scope, + "redirect-listener", + { + loadBalancer, + protocol: ApplicationProtocol.HTTP, + defaultAction: ListenerAction.redirect(opt), + } + ); + loadBalancer.listeners.push(httpListener); + } + + AddTarget(scope, targetGroup, listener); + return listener; +} + +export function CreateLambdaTargetGroup( + scope: Construct, + id: string, + lambdaFunction: lambda.IFunction, + targetProps?: elb.ApplicationTargetGroupProps +): elb.ApplicationTargetGroup { + const lambdaTarget = new elbt.LambdaTarget(lambdaFunction); + return new elb.ApplicationTargetGroup(scope, `${id}-tg`, { + targets: [lambdaTarget], + targetGroupName: targetProps ? targetProps.targetGroupName : undefined, + healthCheck: targetProps ? targetProps.healthCheck : undefined + }); +} + +export function AddTarget( + scope: Construct, + targetGroup: elb.ApplicationTargetGroup, + listener: elb.ApplicationListener, + ruleProps?: elb.AddRuleProps +) { + // AddRuleProps includes conditions and priority, combine that with targetGroups and + // we can assemble AddApplicationTargetGroupProps + if (ruleProps) { + const consolidatedTargetProps = overrideProps(ruleProps, { targetGroups: [targetGroup] }); + listener.addTargetGroups(`${scope.node.id}-targets`, consolidatedTargetProps); + } else { + listener.addTargetGroups("targets", { + targetGroups: [targetGroup], + }); + } + return; +} 
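Review bot: In `ObtainAlb`, the `logAccessLogs` and `loggingBucketProps` arguments are silently ignored when `existingLoadBalancerInterface` is supplied, so a caller can ask for access logs and get none without any signal. Either warn in that branch, e.g. `if (logAccessLogs !== false) printWarning("Access logging is not configured when an existing load balancer is supplied; enable it on that ALB.");`, or document the limitation in a JSDoc on the function. Separately, `AddListener` passes `certificates` to the `ApplicationListener` constructor through `consolidatedListenerProps` and then passes the same array to `listener.addCertificates("listener-cert-add", ...)`, which appears to register the certificate a second time as an extra listener-certificate resource; dropping the explicit `addCertificates` call, or stripping `certificates` from `consolidatedListenerProps`, would avoid that. Lastly, `AddTarget` uses the id `"targets"` when `ruleProps` is absent but `${scope.node.id}-targets` otherwise, so two default targets added under the same scope would collide on the construct id.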
diff --git a/source/patterns/@aws-solutions-constructs/core/lib/apigateway-helper.ts b/source/patterns/@aws-solutions-constructs/core/lib/apigateway-helper.ts index e3ca929d7..afed0155e 100644 --- a/source/patterns/@aws-solutions-constructs/core/lib/apigateway-helper.ts +++ b/source/patterns/@aws-solutions-constructs/core/lib/apigateway-helper.ts @@ -77,7 +77,7 @@ function configureCloudwatchRoleForApi(scope: Construct, _api: api.RestApi): iam * @param apiGatewayProps - (optional) user-specified properties to override the default properties. */ function configureLambdaRestApi(scope: Construct, defaultApiGatewayProps: api.LambdaRestApiProps, - apiGatewayProps?: api.LambdaRestApiProps): [api.RestApi, iam.Role] { + apiGatewayProps?: api.LambdaRestApiProps): [api.RestApi, iam.Role | undefined] { // API Gateway doesn't allow both endpointTypes and endpointConfiguration, check whether endPointTypes exists if (apiGatewayProps?.endpointTypes) { @@ -88,14 +88,18 @@ function configureLambdaRestApi(scope: Construct, defaultApiGatewayProps: api.La let _api: api.RestApi; if (apiGatewayProps) { // If property overrides have been provided, incorporate them and deploy - const _apiGatewayProps = overrideProps(defaultApiGatewayProps, apiGatewayProps); + const _apiGatewayProps = overrideProps(defaultApiGatewayProps, { ...apiGatewayProps, cloudWatchRole: false }); _api = new api.LambdaRestApi(scope, 'LambdaRestApi', _apiGatewayProps); } else { // If no property overrides, deploy using the default configuration _api = new api.LambdaRestApi(scope, 'LambdaRestApi', defaultApiGatewayProps); } // Configure API access logging - const cwRole = configureCloudwatchRoleForApi(scope, _api); + let cwRole; + + if (apiGatewayProps?.cloudWatchRole !== false) { + cwRole = configureCloudwatchRoleForApi(scope, _api); + } let usagePlanProps: api.UsagePlanProps = { apiStages: [{ 
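Review bot: When a caller passes `cloudWatchRole: false`, `configureCloudwatchRoleForApi` is skipped at the `if (apiGatewayProps?.cloudWatchRole !== false)` line, but the stage access-logging settings from `defaultApiGatewayProps` are presumably still applied, and API Gateway rejects a stage with logging enabled unless the account-level CloudWatch Logs role is already set. That precondition should be stated next to the check, e.g. `// cloudWatchRole: false assumes the account already has an API Gateway CloudWatch Logs role; otherwise stage logging fails at deploy time.` The same note applies to the parallel change in `configureRestApi`. `configureLambdaRestApi` continues past the end of this hunk.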
@@ -123,7 +127,7 @@ function configureLambdaRestApi(scope: Construct, defaultApiGatewayProps: api.La * @param apiGatewayProps - (optional) user-specified properties to override the default properties. */ function configureRestApi(scope: Construct, defaultApiGatewayProps: api.RestApiProps, - apiGatewayProps?: api.RestApiProps): [api.RestApi, iam.Role] { + apiGatewayProps?: api.RestApiProps): [api.RestApi, iam.Role | undefined] { // API Gateway doesn't allow both endpointTypes and endpointConfiguration, check whether endPointTypes exists if (apiGatewayProps?.endpointTypes) { @@ -134,14 +138,19 @@ function configureRestApi(scope: Construct, defaultApiGatewayProps: api.RestApiP let _api: api.RestApi; if (apiGatewayProps) { // If property overrides have been provided, incorporate them and deploy - const _apiGatewayProps = overrideProps(defaultApiGatewayProps, apiGatewayProps); + const _apiGatewayProps = overrideProps(defaultApiGatewayProps, { ...apiGatewayProps, cloudWatchRole: false }); _api = new api.RestApi(scope, 'RestApi', _apiGatewayProps); } else { // If no property overrides, deploy using the default configuration _api = new api.RestApi(scope, 'RestApi', defaultApiGatewayProps); } + + let cwRole; + // Configure API access logging - const cwRole = configureCloudwatchRoleForApi(scope, _api); + if (apiGatewayProps?.cloudWatchRole !== false) { + cwRole = configureCloudwatchRoleForApi(scope, _api); + } let usagePlanProps: api.UsagePlanProps = { apiStages: [{ 
@@ -170,7 +179,7 @@ function configureRestApi(scope: Construct, defaultApiGatewayProps: api.RestApiP * @param apiGatewayProps - (optional) user-specified properties to override the default properties. */ export function GlobalLambdaRestApi(scope: Construct, _existingLambdaObj: lambda.Function, - apiGatewayProps?: api.LambdaRestApiProps, logGroupProps?: logs.LogGroupProps): [api.RestApi, iam.Role, logs.LogGroup] { + apiGatewayProps?: api.LambdaRestApiProps, logGroupProps?: logs.LogGroupProps): [api.RestApi, iam.Role | undefined, logs.LogGroup] { // Configure log group for API Gateway AccessLogging const logGroup = buildLogGroup(scope, 'ApiAccessLogGroup', logGroupProps); @@ -186,7 +195,7 @@ export function GlobalLambdaRestApi(scope: Construct, _existingLambdaObj: lambda * @param apiGatewayProps - (optional) user-specified properties to override the default properties. */ export function RegionalLambdaRestApi(scope: Construct, _existingLambdaObj: lambda.Function, - apiGatewayProps?: api.LambdaRestApiProps, logGroupProps?: logs.LogGroupProps): [api.RestApi, iam.Role, logs.LogGroup] { + apiGatewayProps?: api.LambdaRestApiProps, logGroupProps?: logs.LogGroupProps): [api.RestApi, iam.Role | undefined, logs.LogGroup] { // Configure log group for API Gateway AccessLogging const logGroup = buildLogGroup(scope, 'ApiAccessLogGroup', logGroupProps); @@ -201,7 +210,7 @@ export function RegionalLambdaRestApi(scope: Construct, _existingLambdaObj: lamb * @param apiGatewayProps - (optional) user-specified properties to override the default properties. */ export function GlobalRestApi(scope: Construct, apiGatewayProps?: api.RestApiProps, - logGroupProps?: logs.LogGroupProps): [api.RestApi, iam.Role, logs.LogGroup] { + logGroupProps?: logs.LogGroupProps): [api.RestApi, iam.Role | undefined, logs.LogGroup] { // Configure log group for API Gateway AccessLogging const logGroup = buildLogGroup(scope, 'ApiAccessLogGroup', logGroupProps); 
@@ -216,7 +225,7 @@ export function GlobalRestApi(scope: Construct, apiGatewayProps?: api.RestApiPro * @param apiGatewayProps - (optional) user-specified properties to override the default properties. */ export function RegionalRestApi(scope: Construct, apiGatewayProps?: api.RestApiProps, - logGroupProps?: logs.LogGroupProps): [api.RestApi, iam.Role, logs.LogGroup] { + logGroupProps?: logs.LogGroupProps): [api.RestApi, iam.Role | undefined, logs.LogGroup] { // Configure log group for API Gateway AccessLogging const logGroup = buildLogGroup(scope, 'ApiAccessLogGroup', logGroupProps); diff --git a/source/patterns/@aws-solutions-constructs/core/lib/cloudfront-distribution-helper.ts b/source/patterns/@aws-solutions-constructs/core/lib/cloudfront-distribution-helper.ts index 7c50b262e..11cf3867e 100644 --- a/source/patterns/@aws-solutions-constructs/core/lib/cloudfront-distribution-helper.ts +++ b/source/patterns/@aws-solutions-constructs/core/lib/cloudfront-distribution-helper.ts @@ -65,12 +65,13 @@ function defaultCloudfrontFunction(scope: Construct): cloudfront.Function { export function CloudFrontDistributionForApiGateway(scope: Construct, apiEndPoint: api.RestApi, cloudFrontDistributionProps?: cloudfront.DistributionProps | any, - httpSecurityHeaders: boolean = true): [cloudfront.Distribution, - cloudfront.Function?, s3.Bucket?] { + httpSecurityHeaders: boolean = true, + cloudFrontLoggingBucketProps?: s3.BucketProps +): [cloudfront.Distribution, cloudfront.Function?, s3.Bucket?] { const cloudfrontFunction = getCloudfrontFunction(httpSecurityHeaders, scope); - const loggingBucket = getLoggingBucket(cloudFrontDistributionProps, scope); + const loggingBucket = getLoggingBucket(cloudFrontDistributionProps, scope, cloudFrontLoggingBucketProps); const defaultprops = DefaultCloudFrontWebDistributionForApiGatewayProps(apiEndPoint, loggingBucket, httpSecurityHeaders, cloudfrontFunction); 
@@ -85,12 +86,13 @@ export function CloudFrontDistributionForApiGateway(scope: Construct, export function CloudFrontDistributionForS3(scope: Construct, sourceBucket: s3.IBucket, cloudFrontDistributionProps?: cloudfront.DistributionProps | any, - httpSecurityHeaders: boolean = true): [cloudfront.Distribution, + httpSecurityHeaders: boolean = true, + cloudFrontLoggingBucketProps?: s3.BucketProps): [cloudfront.Distribution, cloudfront.Function?, s3.Bucket?] { const cloudfrontFunction = getCloudfrontFunction(httpSecurityHeaders, scope); - const loggingBucket = getLoggingBucket(cloudFrontDistributionProps, scope); + const loggingBucket = getLoggingBucket(cloudFrontDistributionProps, scope, cloudFrontLoggingBucketProps); const defaultprops = DefaultCloudFrontWebDistributionForS3Props(sourceBucket, loggingBucket, httpSecurityHeaders, cloudfrontFunction); @@ -116,12 +118,13 @@ export function CloudFrontDistributionForS3(scope: Construct, export function CloudFrontDistributionForMediaStore(scope: Construct, mediaStoreContainer: mediastore.CfnContainer, cloudFrontDistributionProps?: cloudfront.DistributionProps | any, - httpSecurityHeaders: boolean = true): [cloudfront.Distribution, + httpSecurityHeaders: boolean = true, + cloudFrontLoggingBucketProps?: s3.BucketProps): [cloudfront.Distribution, s3.Bucket | undefined, cloudfront.OriginRequestPolicy, cloudfront.Function?] { let originRequestPolicy: cloudfront.OriginRequestPolicy; - const loggingBucket = getLoggingBucket(cloudFrontDistributionProps, scope); + const loggingBucket = getLoggingBucket(cloudFrontDistributionProps, scope, cloudFrontLoggingBucketProps); if (cloudFrontDistributionProps && cloudFrontDistributionProps.defaultBehavior 
@@ -183,12 +186,23 @@ export function CloudFrontOriginAccessIdentity(scope: Construct, comment?: strin }); } -function getLoggingBucket(cloudFrontDistributionProps: cloudfront.DistributionProps | any, scope: Construct): s3.Bucket | undefined { +function getLoggingBucket( + cloudFrontDistributionProps: cloudfront.DistributionProps | any, scope: Construct, + cloudFrontLoggingBucketProps?: s3.BucketProps +): s3.Bucket | undefined { const isLoggingDisabled = cloudFrontDistributionProps?.enableLogging === false; const userSuppliedLogBucket = cloudFrontDistributionProps?.logBucket; + + if (userSuppliedLogBucket && cloudFrontLoggingBucketProps) { + throw Error('Either cloudFrontDistributionProps.logBucket or cloudFrontLoggingBucketProps can be set.'); + } + return isLoggingDisabled ? undefined - : userSuppliedLogBucket ?? createLoggingBucket(scope, 'CloudfrontLoggingBucket', DefaultS3Props()); + : userSuppliedLogBucket ?? createLoggingBucket( + scope, + 'CloudfrontLoggingBucket', + cloudFrontLoggingBucketProps ? overrideProps(DefaultS3Props(), cloudFrontLoggingBucketProps) : DefaultS3Props()); } function getCloudfrontFunction(httpSecurityHeaders: boolean, scope: Construct) { diff --git a/source/patterns/@aws-solutions-constructs/core/lib/glue-job-helper.ts b/source/patterns/@aws-solutions-constructs/core/lib/glue-job-helper.ts index 51bc469ca..e76294544 100644 --- a/source/patterns/@aws-solutions-constructs/core/lib/glue-job-helper.ts +++ b/source/patterns/@aws-solutions-constructs/core/lib/glue-job-helper.ts @@ -78,7 +78,7 @@ export interface BuildGlueJobProps { readonly outputDataStore?: SinkDataStoreProps } -export function buildGlueJob(scope: Construct, props: BuildGlueJobProps): [glue.CfnJob, IRole] { +export function buildGlueJob(scope: Construct, props: BuildGlueJobProps): [glue.CfnJob, IRole, [Bucket, (Bucket | undefined)?]?] { if (!props.existingCfnJob) { if (props.glueJobProps) { if (props.glueJobProps.glueVersion === '2.0' && props.glueJobProps.maxCapacity) { 
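Review bot: The new conflict check in `getLoggingBucket` only covers `logBucket`; when `enableLogging` is `false` and `cloudFrontLoggingBucketProps` are supplied, the props are silently discarded, which is the same class of misconfiguration the new throw is meant to surface. Add a second guard before the return, `if (isLoggingDisabled && cloudFrontLoggingBucketProps) { throw new Error('cloudFrontLoggingBucketProps cannot be set when enableLogging is false.'); }`. Also prefer `throw new Error(...)` over the bare `throw Error(...)` for consistency with the other helpers in this change (alb-helper.ts uses `new Error`).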
@@ -101,7 +101,7 @@ export function buildGlueJob(scope: Construct, props: BuildGlueJobProps): [glue. } export function deployGlueJob(scope: Construct, glueJobProps: glue.CfnJobProps, database: glue.CfnDatabase, table: glue.CfnTable, - outputDataStore: SinkDataStoreProps): [glue.CfnJob, IRole] { + outputDataStore: SinkDataStoreProps): [glue.CfnJob, IRole, [Bucket, (Bucket | undefined)?]] { let _glueSecurityConfigName: string; @@ -183,7 +183,7 @@ export function deployGlueJob(scope: Construct, glueJobProps: glue.CfnJobProps, _scriptBucketLocation.grantRead(_jobRole); const _glueJob: glue.CfnJob = new glue.CfnJob(scope, 'KinesisETLJob', _newGlueJobProps); - return [_glueJob, _jobRole]; + return [_glueJob, _jobRole, _outputLocation]; } /** diff --git a/source/patterns/@aws-solutions-constructs/core/lib/s3-bucket-defaults.ts b/source/patterns/@aws-solutions-constructs/core/lib/s3-bucket-defaults.ts index 2ce73bea4..2a7c5c476 100644 --- a/source/patterns/@aws-solutions-constructs/core/lib/s3-bucket-defaults.ts +++ b/source/patterns/@aws-solutions-constructs/core/lib/s3-bucket-defaults.ts @@ -26,5 +26,14 @@ export function DefaultS3Props(loggingBucket ?: Bucket, lifecycleRules?: s3.Life } as BucketProps; } +export function DefaultLoggingBucketProps(): s3.BucketProps { + return { + encryption: s3.BucketEncryption.S3_MANAGED, + versioned: true, + blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, + removalPolicy: RemovalPolicy.RETAIN, + } as BucketProps; +} + // Default event types to trigger S3 notifications export const defaultS3NotificationEventTypes = [s3.EventType.OBJECT_CREATED]; diff --git a/source/patterns/@aws-solutions-constructs/core/lib/s3-bucket-helper.ts b/source/patterns/@aws-solutions-constructs/core/lib/s3-bucket-helper.ts index d65c9ca8e..5c56a15ad 100644 --- a/source/patterns/@aws-solutions-constructs/core/lib/s3-bucket-helper.ts +++ b/source/patterns/@aws-solutions-constructs/core/lib/s3-bucket-helper.ts 
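Review bot: `DefaultLoggingBucketProps` chooses `S3_MANAGED` encryption without saying why, and the reason is load-bearing: ALB access-log delivery requires an SSE-S3 bucket (the log-delivery path does not support SSE-KMS), so a later "hardening" to KMS would silently stop logs arriving. Add a comment above the `encryption` line, e.g. `// ALB access logs can only be delivered to an SSE-S3 bucket; do not switch this to KMS.` It is also worth noting that `versioned: true` plus `RemovalPolicy.RETAIN` with no `lifecycleRules` means log objects accumulate indefinitely unless the caller supplies rules via `loggingBucketProps`. The `as BucketProps` cast is unnecessary, since the literal already satisfies `s3.BucketProps`.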
@@ -100,6 +100,28 @@ export function createLoggingBucket(scope: Construct, return loggingBucket; } +export function createAlbLoggingBucket(scope: Construct, + bucketId: string, + loggingBucketProps: s3.BucketProps): s3.Bucket { + + // Create the Logging Bucket + const loggingBucket: s3.Bucket = new s3.Bucket(scope, bucketId, loggingBucketProps); + + applySecureBucketPolicy(loggingBucket); + + // Extract the CfnBucket from the loggingBucket + const loggingBucketResource = loggingBucket.node.findChild('Resource') as s3.CfnBucket; + + addCfnSuppressRules(loggingBucketResource, [ + { + id: 'W35', + reason: "This is a log bucket for an Application Load Balancer" + } + ]); + + return loggingBucket; +} + function s3BucketWithLogging(scope: Construct, s3BucketProps?: s3.BucketProps, bucketId?: string, diff --git a/source/patterns/@aws-solutions-constructs/core/package.json b/source/patterns/@aws-solutions-constructs/core/package.json index 689afee3d..a65fab13b 100644 --- a/source/patterns/@aws-solutions-constructs/core/package.json +++ b/source/patterns/@aws-solutions-constructs/core/package.json @@ -55,6 +55,8 @@ "@aws-cdk/aws-cloudfront": "0.0.0", "@aws-cdk/aws-cloudfront-origins": "0.0.0", "@aws-cdk/aws-dynamodb": "0.0.0", + "@aws-cdk/aws-elasticloadbalancingv2": "0.0.0", + "@aws-cdk/aws-elasticloadbalancingv2-targets": "0.0.0", "@aws-cdk/aws-glue": "0.0.0", "@aws-cdk/aws-iot": "0.0.0", "@aws-cdk/aws-kinesis": "0.0.0", diff --git a/source/patterns/@aws-solutions-constructs/core/test/alb-helper.test.ts b/source/patterns/@aws-solutions-constructs/core/test/alb-helper.test.ts new file mode 100644 index 000000000..8e8a504cc --- /dev/null +++ b/source/patterns/@aws-solutions-constructs/core/test/alb-helper.test.ts 
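Review bot: `createAlbLoggingBucket` appears to duplicate `createLoggingBucket` (whose tail is visible at the top of the hunk) with only the W35 suppression reason changed; a single helper taking the reason string would keep the two secure-bucket paths from drifting. It also has no JSDoc: a header such as `/** Creates an S3 bucket for ALB access logs: applies the deny-non-TLS bucket policy and suppresses cfn_nag W35 (the log bucket itself has no access logging). The ELB log-delivery bucket policy is expected to be attached by ApplicationLoadBalancer.logAccessLogs(). */` would tell a reader what this function does and does not set up.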
@@ -0,0 +1,390 @@ +/** + * Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance + * with the License. A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES + * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions + * and limitations under the License. + */ + +import { Stack } from '@aws-cdk/core'; +import * as elb from "@aws-cdk/aws-elasticloadbalancingv2"; +import * as acm from "@aws-cdk/aws-certificatemanager"; +import * as lambda from "@aws-cdk/aws-lambda"; +import * as defaults from '../index'; +import '@aws-cdk/assert/jest'; + +test('Test ObtainAlb with existing ALB', () => { + const stack = new Stack(); + // Build VPC + const vpc = defaults.buildVpc(stack, { + defaultVpcProps: defaults.DefaultPublicPrivateVpcProps(), + }); + + const existingLoadBalancer = new elb.ApplicationLoadBalancer(stack, 'load-balancer', { + vpc, + internetFacing: true, + loadBalancerName: 'unique-name' + }); + + defaults.ObtainAlb(stack, 'test', vpc, true, existingLoadBalancer); + expect(stack).toHaveResourceLike('AWS::ElasticLoadBalancingV2::LoadBalancer', { + Name: "unique-name", + }); +}); + +test('Test ObtainAlb for new ALB with provided props', () => { + const stack = new Stack(undefined, undefined, { + env: { account: "123456789012", region: 'us-east-1' }, + }); + // Build VPC + const vpc = defaults.buildVpc(stack, { + defaultVpcProps: defaults.DefaultPublicPrivateVpcProps(), + }); + + defaults.ObtainAlb(stack, 'test', vpc, true, undefined, { + loadBalancerName: 'new-loadbalancer', + vpc, + internetFacing: true + }); + expect(stack).toHaveResourceLike('AWS::ElasticLoadBalancingV2::LoadBalancer', { + Name: "new-loadbalancer", + Scheme: 
"internet-facing", + }); +}); + +test('Test ObtainAlb for new ALB with default props', () => { + const stack = new Stack(undefined, undefined, { + env: { account: "123456789012", region: 'us-east-1' }, + }); + // Build VPC + const vpc = defaults.buildVpc(stack, { + defaultVpcProps: defaults.DefaultPublicPrivateVpcProps(), + }); + + defaults.ObtainAlb(stack, 'test', vpc, false); + expect(stack).toHaveResourceLike('AWS::ElasticLoadBalancingV2::LoadBalancer', { + Scheme: "internal", + }); +}); + +test('Test ObtainAlb for new ALB with default props', () => { + const stack = new Stack(); + + const testFunction = new lambda.Function(stack, 'test-function', { + code: lambda.Code.fromAsset(`${__dirname}/lambda`), + runtime: lambda.Runtime.NODEJS_14_X, + handler: "index.handler", + }); + + defaults.CreateLambdaTargetGroup(stack, 'test-target', testFunction); + + expect(stack).toHaveResourceLike('AWS::ElasticLoadBalancingV2::TargetGroup', { + TargetType: "lambda" + }); +}); + +test('Test ObtainAlb for new ALB with custom props', () => { + const stack = new Stack(); + + const testFunction = new lambda.Function(stack, 'test-function', { + code: lambda.Code.fromAsset(`${__dirname}/lambda`), + runtime: lambda.Runtime.NODEJS_14_X, + handler: "index.handler", + }); + + defaults.CreateLambdaTargetGroup(stack, 'test-target', testFunction, { + targetGroupName: 'test-target-group' + }); + + expect(stack).toHaveResourceLike('AWS::ElasticLoadBalancingV2::TargetGroup', { + TargetType: "lambda", + Name: 'test-target-group' + }); +}); + +test('Test Add Target without ruleProps', () => { + const stack = new Stack(); + + const testFunction = new lambda.Function(stack, 'test-function', { + code: lambda.Code.fromAsset(`${__dirname}/lambda`), + runtime: lambda.Runtime.NODEJS_14_X, + handler: "index.handler", + }); + + const targetGroup = defaults.CreateLambdaTargetGroup(stack, 'test-target', testFunction, { + targetGroupName: 'test-target-group' + }); + + // Build VPC + const vpc = 
defaults.buildVpc(stack, { + defaultVpcProps: defaults.DefaultPublicPrivateVpcProps(), + }); + + const existingLoadBalancer = new elb.ApplicationLoadBalancer(stack, 'load-balancer', { + vpc, + internetFacing: true, + loadBalancerName: 'unique-name' + }); + + const testListener = new elb.ApplicationListener(stack, 'test-listener', { + loadBalancer: existingLoadBalancer, + protocol: elb.ApplicationProtocol.HTTP + }); + + defaults.AddTarget(stack, targetGroup, testListener); + + expect(stack).toHaveResourceLike('AWS::ElasticLoadBalancingV2::Listener', { + DefaultActions: [ + { + TargetGroupArn: { + Ref: "testtargettgB2EE41CA" + }, + Type: "forward" + } + ], + }); +}); + +test('Test Add Target with ruleProps', () => { + const stack = new Stack(); + + const testFunction = new lambda.Function(stack, 'test-function', { + code: lambda.Code.fromAsset(`${__dirname}/lambda`), + runtime: lambda.Runtime.NODEJS_14_X, + handler: "index.handler", + }); + + const targetGroup = defaults.CreateLambdaTargetGroup(stack, 'test-target', testFunction, { + targetGroupName: 'test-target-group' + }); + + const secondTargetGroup = defaults.CreateLambdaTargetGroup(stack, 'second-target', testFunction, { + targetGroupName: 'second-target-group' + }); + + // Build VPC + const vpc = defaults.buildVpc(stack, { + defaultVpcProps: defaults.DefaultPublicPrivateVpcProps(), + }); + + const existingLoadBalancer = new elb.ApplicationLoadBalancer(stack, 'load-balancer', { + vpc, + internetFacing: true, + loadBalancerName: 'unique-name' + }); + + const testListener = new elb.ApplicationListener(stack, 'test-listener', { + loadBalancer: existingLoadBalancer, + protocol: elb.ApplicationProtocol.HTTP + }); + + // The first target is default and can't have rules, so + // we need to add 2 targets + defaults.AddTarget(stack, targetGroup, testListener); + defaults.AddTarget(stack, secondTargetGroup, testListener, { + conditions: [elb.ListenerCondition.pathPatterns(["*admin*"])], + priority: 10 + }); + + 
expect(stack).toHaveResourceLike('AWS::ElasticLoadBalancingV2::ListenerRule', { + Actions: [ + { + TargetGroupArn: { + Ref: "secondtargettg0CE37E1F" + }, + Type: "forward" + } + ], + Conditions: [ + { + Field: "path-pattern", + PathPatternConfig: { + Values: [ + "*admin*" + ] + } + } + ] + }); +}); + +test('Test AddListener with defaults', () => { + const stack = new Stack(); + const testFunction = new lambda.Function(stack, 'test-function', { + code: lambda.Code.fromAsset(`${__dirname}/lambda`), + runtime: lambda.Runtime.NODEJS_14_X, + handler: "index.handler", + }); + + const targetGroup = defaults.CreateLambdaTargetGroup(stack, 'test-target', testFunction, { + targetGroupName: 'test-target-group' + }); + + // Build VPC + const vpc = defaults.buildVpc(stack, { + defaultVpcProps: defaults.DefaultPublicPrivateVpcProps(), + }); + + const existingLoadBalancer = new elb.ApplicationLoadBalancer(stack, 'load-balancer', { + vpc, + internetFacing: true, + loadBalancerName: 'unique-name' + }); + + const cert = acm.Certificate.fromCertificateArn( + stack, + 'not-really-a-cert', + "arn:aws:acm:us-east-1:123456789012:certificate/85c52dc8-1b37-4afd-a7aa-f03aac2db0cc" + ); + + defaults.AddListener(stack, existingLoadBalancer, targetGroup, { + certificates: [ cert ], + }); + + // This should create 2 listeners, HTTPS plus redirect of HTTP + expect(stack).toHaveResourceLike('AWS::ElasticLoadBalancingV2::Listener', { + Protocol: 'HTTPS', + }); + + expect(stack).toHaveResourceLike('AWS::ElasticLoadBalancingV2::Listener', { + Protocol: 'HTTP', + }); +}); + +test('Test AddListener with no cert for an HTTPS listener', () => { + const stack = new Stack(); + const testFunction = new lambda.Function(stack, 'test-function', { + code: lambda.Code.fromAsset(`${__dirname}/lambda`), + runtime: lambda.Runtime.NODEJS_14_X, + handler: "index.handler", + }); + + const targetGroup = defaults.CreateLambdaTargetGroup(stack, 'test-target', testFunction, { + targetGroupName: 'test-target-group' + }); 
+ + // Build VPC + const vpc = defaults.buildVpc(stack, { + defaultVpcProps: defaults.DefaultPublicPrivateVpcProps(), + }); + + const existingLoadBalancer = new elb.ApplicationLoadBalancer(stack, 'load-balancer', { + vpc, + internetFacing: true, + loadBalancerName: 'unique-name' + }); + + const app = () => { + defaults.AddListener(stack, existingLoadBalancer, targetGroup, {}); + }; + expect(app).toThrowError(); +}); + +test('Test AddListener error for HTTP with a cert', () => { + const stack = new Stack(); + const testFunction = new lambda.Function(stack, 'test-function', { + code: lambda.Code.fromAsset(`${__dirname}/lambda`), + runtime: lambda.Runtime.NODEJS_14_X, + handler: "index.handler", + }); + + const targetGroup = defaults.CreateLambdaTargetGroup(stack, 'test-target', testFunction, { + targetGroupName: 'test-target-group' + }); + + // Build VPC + const vpc = defaults.buildVpc(stack, { + defaultVpcProps: defaults.DefaultPublicPrivateVpcProps(), + }); + + const existingLoadBalancer = new elb.ApplicationLoadBalancer(stack, 'load-balancer', { + vpc, + internetFacing: true, + loadBalancerName: 'unique-name' + }); + + const cert = acm.Certificate.fromCertificateArn( + stack, + 'not-really-a-cert', + "arn:aws:acm:us-east-1:123456789012:certificate/85c52dc8-1b37-4afd-a7aa-f03aac2db0cc" + ); + + const app = () => { + defaults.AddListener(stack, existingLoadBalancer, targetGroup, { + certificates: [ cert ], + protocol: elb.ApplicationProtocol.HTTP, + }); + }; + expect(app).toThrowError(); + +}); + +test('Test AddListener for HTTP Listener', () => { + const stack = new Stack(); + const testFunction = new lambda.Function(stack, 'test-function', { + code: lambda.Code.fromAsset(`${__dirname}/lambda`), + runtime: lambda.Runtime.NODEJS_14_X, + handler: "index.handler", + }); + + const targetGroup = defaults.CreateLambdaTargetGroup(stack, 'test-target', testFunction, { + targetGroupName: 'test-target-group' + }); + + // Build VPC + const vpc = defaults.buildVpc(stack, { + 
defaultVpcProps: defaults.DefaultPublicPrivateVpcProps(), + }); + + const existingLoadBalancer = new elb.ApplicationLoadBalancer(stack, 'load-balancer', { + vpc, + internetFacing: true, + loadBalancerName: 'unique-name' + }); + + defaults.AddListener(stack, existingLoadBalancer, targetGroup, { + protocol: elb.ApplicationProtocol.HTTP, + }); + + expect(stack).toHaveResourceLike('AWS::ElasticLoadBalancingV2::Listener', { + Protocol: 'HTTP', + }); + expect(stack).not.toHaveResourceLike('AWS::ElasticLoadBalancingV2::Listener', { + Protocol: 'HTTPS', + }); +}); + +test('Test with custom logging bucket props', () => { + // Creating ALB logging requires a region and account (but + // these can be fake in unit tests) + const stack = new Stack(undefined, undefined, { + env: { account: "123456789012", region: 'us-east-1' }, + }); + // Build VPC + const vpc = defaults.buildVpc(stack, { + defaultVpcProps: defaults.DefaultPublicPrivateVpcProps(), + }); + + const testName = 'test-name'; + + defaults.ObtainAlb(stack, 'test', vpc, false, undefined, undefined, true, { bucketName: testName }); + expect(stack).toHaveResourceLike('AWS::S3::Bucket', { + BucketName: testName + }); +}); + +test('Test with no logging', () => { + const stack = new Stack(); + // Build VPC + const vpc = defaults.buildVpc(stack, { + defaultVpcProps: defaults.DefaultPublicPrivateVpcProps(), + }); + + defaults.ObtainAlb(stack, 'test', vpc, false, undefined, undefined, false); + expect(stack).not.toHaveResourceLike('AWS::S3::Bucket', {}); +}); diff --git a/source/patterns/@aws-solutions-constructs/core/test/apigateway-helper.test.ts b/source/patterns/@aws-solutions-constructs/core/test/apigateway-helper.test.ts index f6580cdf9..fd172e6b8 100644 --- a/source/patterns/@aws-solutions-constructs/core/test/apigateway-helper.test.ts +++ b/source/patterns/@aws-solutions-constructs/core/test/apigateway-helper.test.ts 
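Review bot: Several test names in this file are misleading: 'Test ObtainAlb for new ALB with default props' appears twice, and both it and 'Test ObtainAlb for new ALB with custom props' actually exercise `CreateLambdaTargetGroup`; rename them, e.g. `test('Test CreateLambdaTargetGroup with default props', () => {`. 'Test AddListener with defaults' only checks that an HTTP listener exists and never asserts it is the redirect, so a regression that serves plaintext on port 80 would still pass; tighten it to `expect(stack).toHaveResourceLike('AWS::ElasticLoadBalancingV2::Listener', { Protocol: 'HTTP', DefaultActions: [{ Type: 'redirect', RedirectConfig: { Port: '443', Protocol: 'HTTPS' } }] });` and likewise assert `Certificates` on the HTTPS listener. The two `toThrowError()` calls match any error; passing the expected message pins the validation branch rather than an unrelated failure.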
@@ -201,6 +201,15 @@ test('Test default RestApi deployment w/ ApiGatewayProps', () => { }); }); +test('Test default RestApi deployment w/ cloudWatchRole set to false', () => { + const stack = new Stack(); + setupRestApi(stack, { + cloudWatchRole: false + }); + + expect(stack).not.toHaveResourceLike("AWS::ApiGateway::Account", {}); +}); + test('Test default RestApi deployment for Cloudwatch loggroup', () => { const stack = new Stack(); deployRegionalApiGateway(stack); diff --git a/source/patterns/@aws-solutions-constructs/core/test/glue-job-helper.test.ts b/source/patterns/@aws-solutions-constructs/core/test/glue-job-helper.test.ts index 732f893ff..5b0629469 100644 --- a/source/patterns/@aws-solutions-constructs/core/test/glue-job-helper.test.ts +++ b/source/patterns/@aws-solutions-constructs/core/test/glue-job-helper.test.ts @@ -42,7 +42,7 @@ test('Test deployment with role creation', () => { const _database = defaults.createGlueDatabase(stack, defaults.DefaultGlueDatabaseProps()); - defaults.buildGlueJob(stack, { + const _glueJob = defaults.buildGlueJob(stack, { glueJobProps: cfnJobProps, database: _database, table: defaults.createGlueTable(stack, _database, undefined, [{ @@ -52,6 +52,8 @@ test('Test deployment with role creation', () => { }], 'kinesis', {STREAM_NAME: 'testStream'}) }); + expect(_glueJob[2]?.[0]).toBeDefined(); + expect(_glueJob[2]?.[0]).toBeInstanceOf(Bucket); expect(stack).toHaveResourceLike('AWS::Glue::Job', { Type: "AWS::Glue::Job", Properties: { @@ -99,7 +101,7 @@ test('Create a Glue Job outside the construct', () => { const _database = defaults.createGlueDatabase(stack, defaults.DefaultGlueDatabaseProps()); - defaults.buildGlueJob(stack, { + const _glueJob = defaults.buildGlueJob(stack, { existingCfnJob: _existingCfnJob, outputDataStore: { datastoreType: defaults.SinkStoreType.S3 
@@ -111,6 +113,8 @@ test('Create a Glue Job outside the construct', () => { comment: "" }], 'kinesis', {STREAM_NAME: 'testStream'}) }); + + expect(_glueJob[2]).not.toBeDefined(); expect(stack).toHaveResourceLike('AWS::Glue::Job', { Type: "AWS::Glue::Job", Properties: { diff --git a/source/patterns/@aws-solutions-constructs/core/test/s3-bucket.test.ts b/source/patterns/@aws-solutions-constructs/core/test/s3-bucket.test.ts index 513fda070..996dc03f3 100644 --- a/source/patterns/@aws-solutions-constructs/core/test/s3-bucket.test.ts +++ b/source/patterns/@aws-solutions-constructs/core/test/s3-bucket.test.ts @@ -142,3 +142,15 @@ test('test s3Bucket override serverAccessLogsBucket', () => { } }); }); + +test('test createAlbLoggingBucket()', () => { + const stack = new Stack(); + + defaults.createAlbLoggingBucket(stack, 'test-bucket', { + bucketName: 'test-name' + }); + + expect(stack).toHaveResource("AWS::S3::Bucket", { + BucketName: 'test-name' + }); +});
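Review bot: The new `createAlbLoggingBucket()` test only pins `BucketName`, which is the one property the caller supplied, and verifies nothing the helper itself adds. Assuming `applySecureBucketPolicy` emits the usual secure-transport deny, assert it, e.g. `expect(stack).toHaveResourceLike('AWS::S3::BucketPolicy', { PolicyDocument: { Statement: [{ Effect: 'Deny', Condition: { Bool: { 'aws:SecureTransport': 'false' } } }] } });`, and check the bucket's cfn_nag metadata carries the W35 suppression so a silent removal of either is caught.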