feat: Add Fastly Logs IAM and related constructs #761
Conversation
There was a problem hiding this comment.
This looks great! Thanks for the contribution!
I'm not sure how semantic-release will parse these commits as they're not following the angular commit message conventions, I suspect you'll end up needing to squash and merge. There is a beta release channel available if needed.
I'd recommend configuring your IDE to format on save to avoid CI failing on linting errors; you can run npm run lint --fix to fix them.
|
@akash1810 we missed the requirement for angular commit messages - have we considered adding a commit hook if that's a pretty strict expectation for contributors? |
IIRC we discussed commit hooks in the early days and opted against after experience on other repositories (they're more restrictive than helpful); keen to hear from @jacobwinch and @sihil to see if this still holds. I'm not too sure how semantic-release will parse this PR, either:
I'm really interested to find out! Happy to merge as is and we can update any docs to reflect our new learning. I think a sure fire way to make semantic-release happy is to squash and merge. |
It's a tempting option to experiment, but I think our commits are not ideal for the history in this case so I was always assuming it'd be a squash and merge for this PR! |
|
A new required status check has been added to this repository, this branch now needs rebasing against |
jfsoul
force-pushed
the
fh-js-cdk-fastly-logs-s3
branch
from
efb82ed to
c493d61
Compare
| @@ -1,6 +1,7 @@ | |||
| export interface SsmParameterPath { | |||
| path: string; | |||
| description: string; | |||
| optional?: boolean; | |||
There was a problem hiding this comment.
The account-readiness CLI command currently expects all these parameters to be required, but actually we're introducing an optional, account-wide parameter here (account-wide because you might have multiple instances of the fastly IAM logging construct in a single account)
| | /account/services/artifact.bucket | DistributionBucketName | String | GuGetDistributablePolicy | | ||
| | /account/services/logging.stream.name | LoggingStreamName | String | GuLogShippingPolicy | | ||
| | /account/services/anghammarad.topic.arn | AnghammaradSnsArn | String | AnghammaradSenderPolicy | | ||
| | /account/external/fastly/customer.id | GuFastlyCustomerIdParameter | String | GuFastlyLogsIam | |
There was a problem hiding this comment.
We should really auto-generate this list!
| const stack = simpleGuStackForTesting(); | ||
| new GuFastlyLogsIam(stack, "FastlyS3LoggingIam", { | ||
| bucketName: "test", | ||
| path: "", |
There was a problem hiding this comment.
Can we avoid the empty string at all?
| * | ||
| * See https://docs.fastly.com/en/guides/creating-an-aws-iam-role-for-fastly-logging | ||
| */ | ||
| export class GuFastlyLogsIam { |
There was a problem hiding this comment.
I think this should be extend GuRole rather than being a plain class.
There was a problem hiding this comment.
I've made that change, although it doesn't make a whole lot of sense now because I have a policy being created inside a role constructor. I think semantically it was correct before - a construct formed of 2 resources (policy + role) which both used Gu constructs themselves (but the containing construct was its own entity).
Tempted to revert to previous implementation now!
There was a problem hiding this comment.
Extending GuRole follows the current convention of the repo, for example the GuInstanceRole. This also makes me realise that this should probably be called GuFastlyLogRole too!
To nitpick a little:
I think semantically it was correct before - a construct formed of 2 resources
This isn't correct as before we had a vanilla class formed of two resources. In CDK there is a Construct class which almost everything extends from 🤯 .
I think generally we'd only create vanilla classes for patterns, rather than constructs - but even then, I think patterns could extend Construct (see this example of a pattern from AWS).
One of the benefits from using the Construct type is you can hook into validate more easily. Additionally any exceptions that you might throw in the constructor of a Construct get pretty printed with a breadcrumb so it's a little easier to debug.
| }); | ||
| const policy = new GuPutS3ObjectsPolicy(scope, "GuFastlyLogsIamRolePolicy", { | ||
| bucketName: props.bucketName, | ||
| paths: props.path ? [props.path] : undefined, |
There was a problem hiding this comment.
minor: I've recently started to set defaults via destructuring and find it more explicit and easier to follow, e.g.
const { path = "*" } = props;Not massive, but this method would make the description of path above more true, specifically @default - '*' as at the moment it defaults to undefined, and its GuPutS3ObjectsPolicy that is setting it to * (obviously you can use * in the ternary too).
jfsoul
changed the title
|
🎉 This PR is included in version 33.2.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
What does this change?
Adds an s3 put object construct, and creates a Fastly Logs IAM pattern. This is specifically to allow Fastly to log directly to s3 rather than using keys and having to keep them rotated. See documentation: https://docs.fastly.com/en/guides/creating-an-aws-iam-role-for-fastly-logging
Does this change require changes to existing projects or CDK CLI?
No
Does this change require changes to the library documentation?
Yes
How to test
Snapshot test added
How can we measure success?
Manual key rotation is no longer needed, so less security issues.
Paired with @jfsoul