From 6a9278f303d5d7348fc13fade22da7a9b13b9793 Mon Sep 17 00:00:00 2001 
From: Luca Pizzini Date: Sun, 10 Dec 2023 15:59:57 +0100 Subject: [PATCH 1/3] fix(logs): missing KMS key policy statement --- ...efaultTestDeployAssert5281D6CD.assets.json | 19 ++ ...aultTestDeployAssert5281D6CD.template.json | 36 +++ ...-cdk-log-group-encrypted-integ.assets.json | 19 ++ ...dk-log-group-encrypted-integ.template.json | 136 +++++++++++ .../cdk.out | 1 + .../integ.json | 12 + .../manifest.json | 119 +++++++++ .../tree.json | 231 ++++++++++++++++++ .../test/integ.log-group-encrypted.ts | 23 ++ .../aws-cdk-lib/aws-logs/lib/log-group.ts | 19 ++ .../aws-logs/test/loggroup.test.ts | 78 +++++- 11 files changed, 692 insertions(+), 1 deletion(-) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/integ.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/tree.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.ts 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.assets.json new file mode 100644 index 0000000000000..978f3f8674e97 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.assets.json @@ -0,0 +1,19 @@ +{ + "version": "34.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.template.json 
@@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.assets.json new file mode 100644 index 0000000000000..123378238a2dc --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.assets.json @@ -0,0 +1,19 @@ +{ + "version": "34.0.0", + "files": { + "4af042c9eb0784e5918f2db1d24ffaa1f02db6e89f49b1d8910845a62c29faf7": { + "source": { + "path": "aws-cdk-log-group-encrypted-integ.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "4af042c9eb0784e5918f2db1d24ffaa1f02db6e89f49b1d8910845a62c29faf7.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json new file mode 100644 index 0000000000000..0a696467ba4e4 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json 
@@ -0,0 +1,136 @@ +{ + "Resources": { + "Key961B73FD": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": [ + "kms:Decrypt*", + "kms:Describe*", + "kms:Encrypt*", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Condition": { + "ArnLike": { + "kms:EncryptionContext:aws:logs:arn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":*" + ] + ] + } + } + }, + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "logs.", + { + "Ref": "AWS::Region" + }, + ".amazonaws.com" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "LogGroupF5B46931": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "KmsKeyId": { + "Fn::GetAtt": [ + "Key961B73FD", + "Arn" + ] + }, + "RetentionInDays": 731 + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/cdk.out new file mode 100644 index 0000000000000..2313ab5436501 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"34.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/integ.json new file mode 100644 index 0000000000000..4aba837a3e73f --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "34.0.0", + "testCases": { + "LogGroupEncryptedInteg/DefaultTest": { + "stacks": [ + "aws-cdk-log-group-encrypted-integ" + ], + "assertionStack": "LogGroupEncryptedInteg/DefaultTest/DeployAssert", + "assertionStackName": "LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/manifest.json new file mode 100644 index 0000000000000..94cf6c7a9abf7 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/manifest.json 
@@ -0,0 +1,119 @@ +{ + "version": "34.0.0", + "artifacts": { + "aws-cdk-log-group-encrypted-integ.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "aws-cdk-log-group-encrypted-integ.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "aws-cdk-log-group-encrypted-integ": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "aws-cdk-log-group-encrypted-integ.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/4af042c9eb0784e5918f2db1d24ffaa1f02db6e89f49b1d8910845a62c29faf7.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "aws-cdk-log-group-encrypted-integ.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "aws-cdk-log-group-encrypted-integ.assets" + ], + "metadata": { + "/aws-cdk-log-group-encrypted-integ/Key/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "Key961B73FD" + } + ], + "/aws-cdk-log-group-encrypted-integ/LogGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "LogGroupF5B46931" + } + ], + "/aws-cdk-log-group-encrypted-integ/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + 
"/aws-cdk-log-group-encrypted-integ/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "aws-cdk-log-group-encrypted-integ" + }, + "LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "LogGroupEncryptedIntegDefaultTestDeployAssert5281D6CD.assets" + ], + "metadata": { + "/LogGroupEncryptedInteg/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": 
"BootstrapVersion" + } + ], + "/LogGroupEncryptedInteg/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "LogGroupEncryptedInteg/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/tree.json new file mode 100644 index 0000000000000..c31f8f1450dfe --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/tree.json 
@@ -0,0 +1,231 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "aws-cdk-log-group-encrypted-integ": { + "id": "aws-cdk-log-group-encrypted-integ", + "path": "aws-cdk-log-group-encrypted-integ", + "children": { + "Key": { + "id": "Key", + "path": "aws-cdk-log-group-encrypted-integ/Key", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-log-group-encrypted-integ/Key/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Key", + "aws:cdk:cloudformation:props": { + "keyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": [ + "kms:Decrypt*", + "kms:Describe*", + "kms:Encrypt*", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Condition": { + "ArnLike": { + "kms:EncryptionContext:aws:logs:arn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":*" + ] + ] + } + } + }, + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "logs.", + { + "Ref": "AWS::Region" + }, + ".amazonaws.com" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.CfnKey", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.Key", + "version": "0.0.0" + } + }, + "LogGroup": { + "id": "LogGroup", + "path": "aws-cdk-log-group-encrypted-integ/LogGroup", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-log-group-encrypted-integ/LogGroup/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Logs::LogGroup", + "aws:cdk:cloudformation:props": { + "kmsKeyId": { + "Fn::GetAtt": [ + "Key961B73FD", + "Arn" + ] + }, + 
"retentionInDays": 731 + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_logs.CfnLogGroup", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_logs.LogGroup", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "aws-cdk-log-group-encrypted-integ/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "aws-cdk-log-group-encrypted-integ/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "LogGroupEncryptedInteg": { + "id": "LogGroupEncryptedInteg", + "path": "LogGroupEncryptedInteg", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "LogGroupEncryptedInteg/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "LogGroupEncryptedInteg/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "LogGroupEncryptedInteg/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "LogGroupEncryptedInteg/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "LogGroupEncryptedInteg/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": 
{ + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.ts new file mode 100644 index 0000000000000..d3520aa575e62 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.ts @@ -0,0 +1,23 @@ +import { App, Stack, StackProps } from 'aws-cdk-lib'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; +import { LogGroup } from 'aws-cdk-lib/aws-logs'; +import { Key } from 'aws-cdk-lib/aws-kms'; + +class LogGroupIntegStack extends Stack { + constructor(scope: App, id: string, props?: StackProps) { + super(scope, id, props); + + const key = new Key(this, 'Key'); + + new LogGroup(this, 'LogGroup', { + encryptionKey: key, + }); + } +} + +const app = new App(); +const stack = new LogGroupIntegStack(app, 'aws-cdk-log-group-encrypted-integ'); + +new IntegTest(app, 'LogGroupEncryptedInteg', { testCases: [stack] }); + +app.synth(); \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-logs/lib/log-group.ts b/packages/aws-cdk-lib/aws-logs/lib/log-group.ts index 453ad09fe3989..8838d40a7cb35 100644 --- a/packages/aws-cdk-lib/aws-logs/lib/log-group.ts +++ b/packages/aws-cdk-lib/aws-logs/lib/log-group.ts 
@@ -534,6 +534,25 @@ export class LogGroup extends LogGroupBase { arnFormat: ArnFormat.COLON_RESOURCE_NAME, }); this.logGroupName = this.getResourceNameAttribute(resource.ref); + + if (props.encryptionKey) { + props.encryptionKey.addToResourcePolicy(new iam.PolicyStatement({ + principals: [new iam.ServicePrincipal(`logs.${this.env.region}.amazonaws.com`)], + actions: [ + 'kms:Encrypt*', + 'kms:Decrypt*', + 'kms:ReEncrypt*', + 'kms:GenerateDataKey*', + 'kms:Describe*', + ], + resources: ['*'], + conditions: { + ArnLike: { + 'kms:EncryptionContext:aws:logs:arn': `arn:${this.stack.partition}:logs:${this.env.region}:${this.env.account}:*`, + }, + }, + })); + } } } diff --git a/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts b/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts index 84f5b5004327f..ee0b50610dcc7 100644 --- a/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts +++ b/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts @@ -7,7 +7,7 @@ import { App, CfnParameter, Fn, RemovalPolicy, Stack } from '../../core'; import { LogGroup, RetentionDays, LogGroupClass, DataProtectionPolicy, DataIdentifier, ILogGroup, ILogSubscriptionDestination, FilterPattern } from '../lib'; describe('log group', () => { - test('set kms key when provided', () => { + test('set kms key when provided with key policy', () => { // GIVEN const stack = new Stack(); const encryptionKey = new kms.Key(stack, 'Key'); 
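Review bot: The result of `props.encryptionKey.addToResourcePolicy(...)` is discarded, so for an imported key (for example one from `kms.Key.fromKeyArn`, whose policy CDK cannot modify) the statement is silently not added and the log group deployment is likely to fail later with a KMS access error that is hard to trace back to this constructor. Capture the returned `statementAdded` and surface it, e.g. `const { statementAdded } = props.encryptionKey.addToResourcePolicy(...);` followed by `if (!statementAdded) { Annotations.of(this).addWarning('encryptionKey is imported; its key policy must grant the CloudWatch Logs service principal access out of band'); }`, so the user learns the key policy has to be managed elsewhere. The `ArnLike` condition ending in `:*` also lets any log group in the account and region use the key rather than only this one; the third patch in this series tightens it. The constructor begins before this hunk.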
@@ -21,6 +21,82 @@ describe('log group', () => { Template.fromStack(stack).hasResourceProperties('AWS::Logs::LogGroup', { KmsKeyId: { 'Fn::GetAtt': ['Key961B73FD', 'Arn'] }, }); + + Template.fromStack(stack).hasResourceProperties('AWS::KMS::Key', { + KeyPolicy: { + Statement: Match.arrayWith([{ + Action: 'kms:*', + Effect: 'Allow', + Resource: '*', + Principal: { + AWS: { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':iam::', + { + Ref: 'AWS::AccountId', + }, + ':root', + ], + ], + }, + }, + }, { + Action: [ + 'kms:Encrypt*', + 'kms:Decrypt*', + 'kms:ReEncrypt*', + 'kms:GenerateDataKey*', + 'kms:Describe*', + ], + Effect: 'Allow', + Resource: '*', + Principal: { + Service: { + 'Fn::Join': [ + '', + [ + 'logs.', + { + Ref: 'AWS::Region', + }, + '.amazonaws.com', + ], + ], + }, + }, + Condition: { + ArnLike: { + 'kms:EncryptionContext:aws:logs:arn': { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':logs:', + { + Ref: 'AWS::Region', + }, + ':', + { + Ref: 'AWS::AccountId', + }, + ':*', + ], + ], + }, + }, + }, + }]), + }, + }); }); test('fixed retention', () => { From 1d3526b22989dee9408ca17e4f367330cb69ba91 Mon Sep 17 00:00:00 2001 From: Luca Pizzini Date: Sun, 10 Dec 2023 16:08:04 +0100 Subject: [PATCH 2/3] updated retention policy --- .../aws-cdk-log-group-encrypted-integ.assets.json | 4 ++-- .../aws-cdk-log-group-encrypted-integ.template.json | 8 ++++---- .../integ.log-group-encrypted.js.snapshot/manifest.json | 2 +- .../test/aws-logs/test/integ.log-group-encrypted.ts | 7 +++++-- 4 files changed, 12 insertions(+), 9 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.assets.json index 123378238a2dc..5f07030f10cb3 100644 
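Review bot: The new assertions cover only a key created in the same stack, so the path where `addToResourcePolicy` cannot modify the policy (a key imported with `kms.Key.fromKeyArn`) is untested, and the suite would not notice if that path started throwing or if the log group were still created with an unusable key. A second test constructing `LogGroup` with an imported key and asserting what the synthesized `AWS::Logs::LogGroup` and annotations look like would pin that behaviour. Matching the full `Fn::Join` arrays is also brittle; `Match.objectLike` on the `Principal` and `Condition` entries would keep the test focused on what the change adds.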
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.assets.json @@ -1,7 +1,7 @@ { "version": "34.0.0", "files": { - "4af042c9eb0784e5918f2db1d24ffaa1f02db6e89f49b1d8910845a62c29faf7": { + "f0cf2f654be16769af1d824cd9ce55932678d500cc58f25f4f30b11c8aeaa554": { "source": { "path": "aws-cdk-log-group-encrypted-integ.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "4af042c9eb0784e5918f2db1d24ffaa1f02db6e89f49b1d8910845a62c29faf7.json", + "objectKey": "f0cf2f654be16769af1d824cd9ce55932678d500cc58f25f4f30b11c8aeaa554.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json index 0a696467ba4e4..991ddded5e515 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json @@ -81,8 +81,8 @@ "Version": "2012-10-17" } }, - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain" + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" }, "LogGroupF5B46931": { "Type": "AWS::Logs::LogGroup", 
@@ -95,8 +95,8 @@ }, "RetentionInDays": 731 }, - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain" + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" } }, "Parameters": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/manifest.json index 94cf6c7a9abf7..a0323b5b741d2 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/manifest.json @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/4af042c9eb0784e5918f2db1d24ffaa1f02db6e89f49b1d8910845a62c29faf7.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/f0cf2f654be16769af1d824cd9ce55932678d500cc58f25f4f30b11c8aeaa554.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.ts index d3520aa575e62..cf23c9c8b063b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.ts 
@@ -1,4 +1,4 @@ -import { App, Stack, StackProps } from 'aws-cdk-lib'; +import { App, Stack, StackProps, RemovalPolicy } from 'aws-cdk-lib'; import { IntegTest } from '@aws-cdk/integ-tests-alpha'; import { LogGroup } from 'aws-cdk-lib/aws-logs'; import { Key } from 'aws-cdk-lib/aws-kms'; @@ -7,9 +7,12 @@ class LogGroupIntegStack extends Stack { constructor(scope: App, id: string, props?: StackProps) { super(scope, id, props); - const key = new Key(this, 'Key'); + const key = new Key(this, 'Key', { + removalPolicy: RemovalPolicy.DESTROY, + }); new LogGroup(this, 'LogGroup', { + removalPolicy: RemovalPolicy.DESTROY, encryptionKey: key, }); } From cd88c9da39d2fc4733254d972fde295e11fca56d Mon Sep 17 00:00:00 2001 From: Luca Pizzini Date: Sun, 24 Dec 2023 16:24:05 +0100 Subject: [PATCH 3/3] added physicalName in key policy --- .../aws-cdk-log-group-encrypted-integ.template.json | 5 +++-- .../integ.log-group-encrypted.js.snapshot/tree.json | 1 + .../aws-cdk-log-group-integ.template.json | 2 ++ .../test/integ.log-group.js.snapshot/tree.json | 2 ++ packages/aws-cdk-lib/aws-logs/lib/log-group.ts | 10 ++++++---- packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts | 4 ++-- 6 files changed, 16 insertions(+), 8 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json index 991ddded5e515..c0a9982083c4d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json 
@@ -37,7 +37,7 @@ "kms:ReEncrypt*" ], "Condition": { - "ArnLike": { + "ArnEquals": { "kms:EncryptionContext:aws:logs:arn": { "Fn::Join": [ "", @@ -54,7 +54,7 @@ { "Ref": "AWS::AccountId" }, - ":*" + ":log-group:aws-cdk-log-group-encrypted-integLogGroupDECB5FC9" ] ] } @@ -87,6 +87,7 @@ "LogGroupF5B46931": { "Type": "AWS::Logs::LogGroup", "Properties": { + "LogGroupName": "aws-cdk-log-group-encrypted-integLogGroupDECB5FC9", "KmsKeyId": { "Fn::GetAtt": [ "Key961B73FD", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/tree.json index c31f8f1450dfe..ba7e6632cad13 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/tree.json @@ -118,6 +118,7 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::Logs::LogGroup", "aws:cdk:cloudformation:props": { + "logGroupName": "aws-cdk-log-group-encrypted-integLogGroupDECB5FC9", "kmsKeyId": { "Fn::GetAtt": [ "Key961B73FD", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json index 86157f4999268..2fe426bc90528 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json 
@@ -3,6 +3,7 @@ "LogGroupLambdaAuditF8F47F46": { "Type": "AWS::Logs::LogGroup", "Properties": { + "LogGroupName": "aws-cdk-log-group-integLogGroupLambdaAudit8AB75176", "RetentionInDays": 731 }, "UpdateReplacePolicy": "Retain", @@ -16,6 +17,7 @@ "LogGroupLambdaAC756C5B": { "Type": "AWS::Logs::LogGroup", "Properties": { + "LogGroupName": "aws-cdk-log-group-integLogGroupLambda9924FF7D", "DataProtectionPolicy": { "name": "policy-name", "description": "policy description", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/tree.json index 8c2e70be9b477..101e234ed0d0b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/tree.json @@ -18,6 +18,7 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::Logs::LogGroup", "aws:cdk:cloudformation:props": { + "logGroupName": "aws-cdk-log-group-integLogGroupLambdaAudit8AB75176", "retentionInDays": 731 } }, @@ -64,6 +65,7 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::Logs::LogGroup", "aws:cdk:cloudformation:props": { + "logGroupName": "aws-cdk-log-group-integLogGroupLambda9924FF7D", "dataProtectionPolicy": { "name": "policy-name", "description": "policy description", diff --git a/packages/aws-cdk-lib/aws-logs/lib/log-group.ts b/packages/aws-cdk-lib/aws-logs/lib/log-group.ts index 8838d40a7cb35..1eb67c7ec3c14 100644 --- a/packages/aws-cdk-lib/aws-logs/lib/log-group.ts +++ b/packages/aws-cdk-lib/aws-logs/lib/log-group.ts 
@@ -9,7 +9,7 @@ import { ILogSubscriptionDestination, SubscriptionFilter } from './subscription- import * as cloudwatch from '../../aws-cloudwatch'; import * as iam from '../../aws-iam'; import * as kms from '../../aws-kms'; -import { Annotations, Arn, ArnFormat, RemovalPolicy, Resource, Stack, Token } from '../../core'; +import { Annotations, Arn, ArnFormat, Lazy, Names, RemovalPolicy, Resource, Stack, Token } from '../../core'; export interface ILogGroup extends iam.IResourceWithPolicy { /** @@ -491,7 +491,9 @@ export class LogGroup extends LogGroupBase { constructor(scope: Construct, id: string, props: LogGroupProps = {}) { super(scope, id, { - physicalName: props.logGroupName, + physicalName: props.logGroupName ?? Lazy.string({ + produce: () => Names.uniqueResourceName(this, { maxLength: 512, allowedSpecialCharacters: '-_' }), + }), }); let retentionInDays = props.retention; @@ -547,8 +549,8 @@ export class LogGroup extends LogGroupBase { ], resources: ['*'], conditions: { - ArnLike: { - 'kms:EncryptionContext:aws:logs:arn': `arn:${this.stack.partition}:logs:${this.env.region}:${this.env.account}:*`, + ArnEquals: { + 'kms:EncryptionContext:aws:logs:arn': `arn:${this.stack.partition}:logs:${this.env.region}:${this.env.account}:log-group:${this.physicalName}`, }, }, })); diff --git a/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts b/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts index ee0b50610dcc7..6cd8fd1949baf 100644 --- a/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts +++ b/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts @@ -71,7 +71,7 @@ describe('log group', () => { }, }, Condition: { - ArnLike: { + ArnEquals: { 'kms:EncryptionContext:aws:logs:arn': { 'Fn::Join': [ '', @@ -88,7 +88,7 @@ describe('log group', () => { { Ref: 'AWS::AccountId', }, - ':*', + ':log-group:LogGroup', ], ], },
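Review bot: The `Lazy.string` default for `physicalName` in the `@@ -491` hunk applies to every `LogGroup`, not only encrypted ones, so each log group now gets an explicit `LogGroupName` (the integ.log-group snapshot in this same patch shows unencrypted groups picking one up too). `LogGroupName` is a replacement-only CloudFormation property, so existing deployments would have their log groups replaced on upgrade; with the default `Retain` policy the old group survives, but new events go to the new group and anything outside the stack that references the old name breaks. Restrict the generated name to the case that needs it, `physicalName: props.logGroupName ?? (props.encryptionKey ? Lazy.string({ produce: () => Names.uniqueResourceName(this, { maxLength: 512, allowedSpecialCharacters: '-_' }) }) : undefined),`, and consider gating even that behind a feature flag, since already-deployed encrypted groups created without an explicit name would still be replaced. The constructor continues outside both of its hunks.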