diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.assets.json new file mode 100644 index 0000000000000..978f3f8674e97 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.assets.json @@ -0,0 +1,19 @@ +{ + "version": "34.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.assets.json new file mode 100644 index 0000000000000..5f07030f10cb3 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.assets.json @@ -0,0 +1,19 @@ +{ + "version": "34.0.0", + "files": { + "f0cf2f654be16769af1d824cd9ce55932678d500cc58f25f4f30b11c8aeaa554": { + "source": { + "path": "aws-cdk-log-group-encrypted-integ.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "f0cf2f654be16769af1d824cd9ce55932678d500cc58f25f4f30b11c8aeaa554.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json new file mode 100644 index 0000000000000..c0a9982083c4d --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json @@ -0,0 +1,137 @@ +{ + "Resources": { + "Key961B73FD": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": [ + "kms:Decrypt*", + "kms:Describe*", + "kms:Encrypt*", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Condition": { + "ArnEquals": { + "kms:EncryptionContext:aws:logs:arn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:aws-cdk-log-group-encrypted-integLogGroupDECB5FC9" + ] + ] + } + } + }, + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "logs.", + { + "Ref": "AWS::Region" + }, + ".amazonaws.com" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "LogGroupF5B46931": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": "aws-cdk-log-group-encrypted-integLogGroupDECB5FC9", + "KmsKeyId": { + "Fn::GetAtt": [ + "Key961B73FD", + "Arn" + ] + }, + "RetentionInDays": 731 + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/cdk.out new file mode 100644 index 0000000000000..2313ab5436501 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"34.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/integ.json new file mode 100644 index 0000000000000..4aba837a3e73f --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "34.0.0", + "testCases": { + "LogGroupEncryptedInteg/DefaultTest": { + "stacks": [ + "aws-cdk-log-group-encrypted-integ" + ], + "assertionStack": "LogGroupEncryptedInteg/DefaultTest/DeployAssert", + "assertionStackName": "LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/manifest.json new file mode 100644 index 0000000000000..a0323b5b741d2 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/manifest.json @@ -0,0 +1,119 @@ +{ + "version": "34.0.0", + "artifacts": { + "aws-cdk-log-group-encrypted-integ.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "aws-cdk-log-group-encrypted-integ.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "aws-cdk-log-group-encrypted-integ": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "aws-cdk-log-group-encrypted-integ.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/f0cf2f654be16769af1d824cd9ce55932678d500cc58f25f4f30b11c8aeaa554.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "aws-cdk-log-group-encrypted-integ.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "aws-cdk-log-group-encrypted-integ.assets" + ], + "metadata": { + "/aws-cdk-log-group-encrypted-integ/Key/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "Key961B73FD" + } + ], + "/aws-cdk-log-group-encrypted-integ/LogGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "LogGroupF5B46931" + } + ], + "/aws-cdk-log-group-encrypted-integ/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/aws-cdk-log-group-encrypted-integ/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "aws-cdk-log-group-encrypted-integ" + }, + "LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.assets" + ], + "metadata": { + "/LogGroupEncryptedInteg/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/LogGroupEncryptedInteg/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "LogGroupEncryptedInteg/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/tree.json new file mode 100644 index 0000000000000..ba7e6632cad13 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/tree.json @@ -0,0 +1,232 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "aws-cdk-log-group-encrypted-integ": { + "id": "aws-cdk-log-group-encrypted-integ", + "path": "aws-cdk-log-group-encrypted-integ", + "children": { + "Key": { + "id": "Key", + "path": "aws-cdk-log-group-encrypted-integ/Key", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-log-group-encrypted-integ/Key/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Key", + "aws:cdk:cloudformation:props": { + "keyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": [ + "kms:Decrypt*", + "kms:Describe*", + "kms:Encrypt*", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Condition": { + "ArnLike": { + "kms:EncryptionContext:aws:logs:arn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":*" + ] + ] + } + } + }, + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "logs.", + { + "Ref": "AWS::Region" + }, + ".amazonaws.com" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.CfnKey", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.Key", + "version": "0.0.0" + } + }, + "LogGroup": { + "id": "LogGroup", + "path": "aws-cdk-log-group-encrypted-integ/LogGroup", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-log-group-encrypted-integ/LogGroup/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Logs::LogGroup", + "aws:cdk:cloudformation:props": { + "logGroupName": "aws-cdk-log-group-encrypted-integLogGroupDECB5FC9", + "kmsKeyId": { + "Fn::GetAtt": [ + "Key961B73FD", + "Arn" + ] + }, + "retentionInDays": 731 + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_logs.CfnLogGroup", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_logs.LogGroup", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "aws-cdk-log-group-encrypted-integ/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "aws-cdk-log-group-encrypted-integ/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "LogGroupEncryptedInteg": { + "id": "LogGroupEncryptedInteg", + "path": "LogGroupEncryptedInteg", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "LogGroupEncryptedInteg/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "LogGroupEncryptedInteg/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "LogGroupEncryptedInteg/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "LogGroupEncryptedInteg/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "LogGroupEncryptedInteg/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.ts new file mode 100644 index 0000000000000..cf23c9c8b063b --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.ts @@ -0,0 +1,26 @@ +import { App, Stack, StackProps, RemovalPolicy } from 'aws-cdk-lib'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; +import { LogGroup } from 'aws-cdk-lib/aws-logs'; +import { Key } from 'aws-cdk-lib/aws-kms'; + +class LogGroupIntegStack extends Stack { + constructor(scope: App, id: string, props?: StackProps) { + super(scope, id, props); + + const key = new Key(this, 'Key', { + removalPolicy: RemovalPolicy.DESTROY, + }); + + new LogGroup(this, 'LogGroup', { + removalPolicy: RemovalPolicy.DESTROY, + encryptionKey: key, + }); + } +} + +const app = new App(); +const stack = new LogGroupIntegStack(app, 'aws-cdk-log-group-encrypted-integ'); + +new IntegTest(app, 'LogGroupEncryptedInteg', { testCases: [stack] }); + +app.synth(); \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json index 86157f4999268..2fe426bc90528 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json @@ -3,6 +3,7 @@ "LogGroupLambdaAuditF8F47F46": { "Type": "AWS::Logs::LogGroup", "Properties": { + "LogGroupName": "aws-cdk-log-group-integLogGroupLambdaAudit8AB75176", "RetentionInDays": 731 }, "UpdateReplacePolicy": "Retain", @@ -16,6 +17,7 @@ "LogGroupLambdaAC756C5B": { "Type": "AWS::Logs::LogGroup", "Properties": { + "LogGroupName": "aws-cdk-log-group-integLogGroupLambda9924FF7D", "DataProtectionPolicy": { "name": "policy-name", "description": "policy description", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/tree.json index 8c2e70be9b477..101e234ed0d0b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/tree.json @@ -18,6 +18,7 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::Logs::LogGroup", "aws:cdk:cloudformation:props": { + "logGroupName": "aws-cdk-log-group-integLogGroupLambdaAudit8AB75176", "retentionInDays": 731 } }, @@ -64,6 +65,7 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::Logs::LogGroup", "aws:cdk:cloudformation:props": { + "logGroupName": "aws-cdk-log-group-integLogGroupLambda9924FF7D", "dataProtectionPolicy": { "name": "policy-name", "description": "policy description", diff --git a/packages/aws-cdk-lib/aws-logs/lib/log-group.ts b/packages/aws-cdk-lib/aws-logs/lib/log-group.ts index 453ad09fe3989..1eb67c7ec3c14 100644 --- a/packages/aws-cdk-lib/aws-logs/lib/log-group.ts +++ b/packages/aws-cdk-lib/aws-logs/lib/log-group.ts @@ -9,7 +9,7 @@ import { ILogSubscriptionDestination, SubscriptionFilter } from './subscription- import * as cloudwatch from '../../aws-cloudwatch'; import * as iam from '../../aws-iam'; import * as kms from '../../aws-kms'; -import { Annotations, Arn, ArnFormat, RemovalPolicy, Resource, Stack, Token } from '../../core'; +import { Annotations, Arn, ArnFormat, Lazy, Names, RemovalPolicy, Resource, Stack, Token } from '../../core'; export interface ILogGroup extends iam.IResourceWithPolicy { /** @@ -491,7 +491,9 @@ export class LogGroup extends LogGroupBase { constructor(scope: Construct, id: string, props: LogGroupProps = {}) { super(scope, id, { - physicalName: props.logGroupName, + physicalName: props.logGroupName ?? Lazy.string({ + produce: () => Names.uniqueResourceName(this, { maxLength: 512, allowedSpecialCharacters: '-_' }), + }), }); let retentionInDays = props.retention; @@ -534,6 +536,25 @@ export class LogGroup extends LogGroupBase { arnFormat: ArnFormat.COLON_RESOURCE_NAME, }); this.logGroupName = this.getResourceNameAttribute(resource.ref); + + if (props.encryptionKey) { + props.encryptionKey.addToResourcePolicy(new iam.PolicyStatement({ + principals: [new iam.ServicePrincipal(`logs.${this.env.region}.amazonaws.com`)], + actions: [ + 'kms:Encrypt*', + 'kms:Decrypt*', + 'kms:ReEncrypt*', + 'kms:GenerateDataKey*', + 'kms:Describe*', + ], + resources: ['*'], + conditions: { + ArnEquals: { + 'kms:EncryptionContext:aws:logs:arn': `arn:${this.stack.partition}:logs:${this.env.region}:${this.env.account}:log-group:${this.physicalName}`, + }, + }, + })); + } } } diff --git a/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts b/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts index 84f5b5004327f..6cd8fd1949baf 100644 --- a/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts +++ b/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts @@ -7,7 +7,7 @@ import { App, CfnParameter, Fn, RemovalPolicy, Stack } from '../../core'; import { LogGroup, RetentionDays, LogGroupClass, DataProtectionPolicy, DataIdentifier, ILogGroup, ILogSubscriptionDestination, FilterPattern } from '../lib'; describe('log group', () => { - test('set kms key when provided', () => { + test('set kms key when provided with key policy', () => { // GIVEN const stack = new Stack(); const encryptionKey = new kms.Key(stack, 'Key'); @@ -21,6 +21,82 @@ describe('log group', () => { Template.fromStack(stack).hasResourceProperties('AWS::Logs::LogGroup', { KmsKeyId: { 'Fn::GetAtt': ['Key961B73FD', 'Arn'] }, }); + + Template.fromStack(stack).hasResourceProperties('AWS::KMS::Key', { + KeyPolicy: { + Statement: Match.arrayWith([{ + Action: 'kms:*', + Effect: 'Allow', + Resource: '*', + Principal: { + AWS: { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':iam::', + { + Ref: 'AWS::AccountId', + }, + ':root', + ], + ], + }, + }, + }, { + Action: [ + 'kms:Encrypt*', + 'kms:Decrypt*', + 'kms:ReEncrypt*', + 'kms:GenerateDataKey*', + 'kms:Describe*', + ], + Effect: 'Allow', + Resource: '*', + Principal: { + Service: { + 'Fn::Join': [ + '', + [ + 'logs.', + { + Ref: 'AWS::Region', + }, + '.amazonaws.com', + ], + ], + }, + }, + Condition: { + ArnEquals: { + 'kms:EncryptionContext:aws:logs:arn': { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':logs:', + { + Ref: 'AWS::Region', + }, + ':', + { + Ref: 'AWS::AccountId', + }, + ':log-group:LogGroup', + ], + ], + }, + }, + }, + }]), + }, + }); }); test('fixed retention', () => {