Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(s3): server access logs #5072

Merged
merged 16 commits into from
Jan 13, 2020
Merged

feat(s3): server access logs #5072

merged 16 commits into from
Jan 13, 2020

Conversation

arnulfojr
Copy link
Contributor

@arnulfojr arnulfojr commented Nov 17, 2019
edited
Loading

closes #5071

  • PR title
  • PR description
  • Unit testing
  • Integ testing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@arnulfojr arnulfojr requested a review from eladb as a code owner November 17, 2019 19:39
@mergify
Copy link
Contributor

mergify bot commented Nov 17, 2019

Thanks so much for taking the time to contribute to the AWS CDK ❤️

We will shortly assign someone to review this pull request and help get it
merged. In the meantime, please take a minute to make sure you follow this
checklist:

  • PR title type(scope): text
    • type: fix, feat, refactor go into CHANGELOG, chore is hidden
    • scope: name of module without aws- or cdk- prefix or postfix (e.g. s3 instead of aws-s3-deployment)
    • text: use all lower-case, do not end with a period, do not include issue refs
  • PR Description
    • Rationale: describe rationale of change and approach taken
    • Issues: indicate issues fixed via: fixes #xxx or closes #xxx
    • Breaking?: last paragraph: BREAKING CHANGE: <describe what changed + link for details>
  • Testing
    • Unit test added. Prefer to add a new test rather than modify existing tests
    • CLI or init templates change? Re-run/add CLI integration tests
  • Documentation
    • README: update module README to describe new features
    • API docs: public APIs must be documented. Copy from official AWS docs when possible
    • Design: for significant features, follow design process

@arnulfojr arnulfojr force-pushed the s3-server-access-logs branch from e2f87dc to 7cc5e96 Compare November 17, 2019 19:41
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

eladb
eladb previously requested changes Nov 18, 2019
View reviewed changes
packages/@aws-cdk/aws-s3/lib/bucket.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-s3/lib/bucket.ts Outdated
* @param logFilePrefix Optional log file prefix.
*/
public enableServerAccessLogs(destinationBucket: IBucket, logFilePrefix?: string): void {
(this.node.defaultChild as CfnBucket).loggingConfiguration = {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

move this to Bucket and don't use node.defaultChild but rather directly reference the resource.

@mergify mergify bot dismissed eladb’s stale review November 18, 2019 09:24

Pull request has been modified.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

eladb
eladb previously requested changes Nov 18, 2019
View reviewed changes
Copy link
Contributor

@eladb eladb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing unit tests to cover both usages (props and method)

@arnulfojr
Copy link
Contributor Author

@eladb yeap, I'll add the unit tests later today

@mergify mergify bot dismissed eladb’s stale review December 2, 2019 15:57

Pull request has been modified.

@arnulfojr arnulfojr force-pushed the s3-server-access-logs branch 3 times, most recently from 2bd9431 to b07655a Compare December 2, 2019 16:02
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@arnulfojr arnulfojr requested a review from eladb December 6, 2019 11:14
eladb
eladb previously requested changes Dec 12, 2019
View reviewed changes
packages/@aws-cdk/aws-s3/lib/bucket.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-s3/lib/bucket.ts Outdated Show resolved Hide resolved
@mergify
Copy link
Contributor

mergify bot commented Dec 16, 2019

Thanks so much for taking the time to contribute to the AWS CDK ❤️

We will shortly assign someone to review this pull request and help get it
merged. In the meantime, please take a minute to make sure you follow this
checklist:

  • PR title type(scope): text
    • type: fix, feat, refactor go into CHANGELOG, chore is hidden
    • scope: name of module without aws- or cdk- prefix or postfix (e.g. s3 instead of aws-s3-deployment)
    • text: use all lower-case, do not end with a period, do not include issue refs
  • PR Description
    • Rationale: describe rationale of change and approach taken
    • Issues: indicate issues fixed via: fixes #xxx or closes #xxx
    • Breaking?: last paragraph: BREAKING CHANGE: <describe what changed + link for details>
  • Testing
    • Unit test added. Prefer to add a new test rather than modify existing tests
    • CLI or init templates change? Re-run/add CLI integration tests
  • Documentation
    • README: update module README to describe new features
    • API docs: public APIs must be documented. Copy from official AWS docs when possible
    • Design: for significant features, follow design process

2 similar comments
@mergify
Copy link
Contributor

mergify bot commented Dec 16, 2019

Thanks so much for taking the time to contribute to the AWS CDK ❤️

We will shortly assign someone to review this pull request and help get it
merged. In the meantime, please take a minute to make sure you follow this
checklist:

  • PR title type(scope): text
    • type: fix, feat, refactor go into CHANGELOG, chore is hidden
    • scope: name of module without aws- or cdk- prefix or postfix (e.g. s3 instead of aws-s3-deployment)
    • text: use all lower-case, do not end with a period, do not include issue refs
  • PR Description
    • Rationale: describe rationale of change and approach taken
    • Issues: indicate issues fixed via: fixes #xxx or closes #xxx
    • Breaking?: last paragraph: BREAKING CHANGE: <describe what changed + link for details>
  • Testing
    • Unit test added. Prefer to add a new test rather than modify existing tests
    • CLI or init templates change? Re-run/add CLI integration tests
  • Documentation
    • README: update module README to describe new features
    • API docs: public APIs must be documented. Copy from official AWS docs when possible
    • Design: for significant features, follow design process

@mergify
Copy link
Contributor

mergify bot commented Dec 16, 2019

Thanks so much for taking the time to contribute to the AWS CDK ❤️

We will shortly assign someone to review this pull request and help get it
merged. In the meantime, please take a minute to make sure you follow this
checklist:

  • PR title type(scope): text
    • type: fix, feat, refactor go into CHANGELOG, chore is hidden
    • scope: name of module without aws- or cdk- prefix or postfix (e.g. s3 instead of aws-s3-deployment)
    • text: use all lower-case, do not end with a period, do not include issue refs
  • PR Description
    • Rationale: describe rationale of change and approach taken
    • Issues: indicate issues fixed via: fixes #xxx or closes #xxx
    • Breaking?: last paragraph: BREAKING CHANGE: <describe what changed + link for details>
  • Testing
    • Unit test added. Prefer to add a new test rather than modify existing tests
    • CLI or init templates change? Re-run/add CLI integration tests
  • Documentation
    • README: update module README to describe new features
    • API docs: public APIs must be documented. Copy from official AWS docs when possible
    • Design: for significant features, follow design process

@arnulfojr arnulfojr force-pushed the s3-server-access-logs branch from 9c07f82 to 6a44bfa Compare December 16, 2019 13:20
@mergify mergify bot dismissed eladb’s stale review December 16, 2019 13:20

Pull request has been modified.

@arnulfojr arnulfojr force-pushed the s3-server-access-logs branch from 6a44bfa to f4ea18c Compare December 16, 2019 13:22
@arnulfojr arnulfojr requested a review from eladb December 16, 2019 13:23
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@arnulfojr arnulfojr requested a review from eladb January 9, 2020 15:44
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

eladb
eladb previously requested changes Jan 12, 2020
View reviewed changes
Copy link
Contributor

@eladb eladb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sorry, but I think we need another round... Eventually we'll nail it :-)
happy to send you a PR with my proposal against your branch.

packages/@aws-cdk/aws-s3/lib/bucket.ts Outdated
*/
public allowLogDelivery() {
if (this.accessControl && this.accessControl !== BucketAccessControl.LOG_DELIVERY_WRITE) {
throw new Error("The bucket's ACL has been set and can't be changed");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
throw new Error("The bucket's ACL has been set and can't be changed");
throw new Error("Cannot enable log delivery to this bucket because the bucket's ACL has been set and can't be changed");

packages/@aws-cdk/aws-s3/lib/bucket.ts Outdated
/**
* Grants write permissions for the LogDelivery group to the bucket.
*/
allowLogDelivery(): void;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am still don't feel too good about this. The name is confusing, and users might think that this is how they can enable log delivery.

I am starting to think that maybe we should make this an internal API on Bucket (instead of IBucket). If people want to set the log delivery access control they can use the accessControl property when they create the bucket.

export class Bucket ... {
    /** @internal */
  public _allowLogDelivery() { ... }
};

Then, in the consuming side, you will need to check if your IBucket is a Bucket. Otherwise, you won't be able to use it for log delivery because you can't set it's access control:

if (props.serverAccessLogsBucket instanceof Bucket) {
  props.serverAccessLogsBucket._allowLogDelivery();
}

And that's it. I think it will simplify dramatically.

LMK if you want me to send you a PR with this proposal.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea, sounds good. I moved the allowLogDelivery to the Bucket class and set it as a private method. I'm not sure what would be the difference by using the @internal annotation, tho.

@mergify mergify bot dismissed eladb’s stale review January 12, 2020 09:52

Pull request has been modified.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

eladb
eladb previously requested changes Jan 13, 2020
View reviewed changes
Copy link
Contributor

@eladb eladb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, looks better... I really like it that we can do this without extending the surface area.
A few additional minor comments

packages/@aws-cdk/aws-s3/lib/bucket.ts Outdated
Comment on lines 62 to 68
/**
* Optional bucket Access Control.
*
* @default BucketAccessControl.PRIVATE
*/
accessControl?: BucketAccessControl;

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove this please

packages/@aws-cdk/aws-s3/lib/bucket.ts Outdated
Comment on lines 312 to 316
/**
* Optional Bucket access control.
*/
public abstract accessControl?: BucketAccessControl;

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove this please

packages/@aws-cdk/aws-s3/lib/bucket.ts Outdated
@@ -980,6 +1005,7 @@ export class Bucket extends BucketBase {

public readonly encryptionKey?: kms.IKey;
public policy?: BucketPolicy;
public accessControl?: BucketAccessControl;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make this private

packages/@aws-cdk/aws-s3/lib/bucket.ts
@@ -1358,6 +1405,14 @@ export class Bucket extends BucketBase {
routingRules
};
}

private allowLogDelivery() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add docstring that explains what this is doing

@mergify mergify bot dismissed eladb’s stale review January 13, 2020 09:53

Pull request has been modified.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

eladb
eladb previously requested changes Jan 13, 2020
View reviewed changes
Copy link
Contributor

@eladb eladb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a README entry

packages/@aws-cdk/aws-s3/lib/bucket.ts Outdated
@@ -956,6 +968,7 @@ export class Bucket extends BucketBase {
public readonly bucketWebsiteNewUrlFormat = newUrlFormat;
public readonly encryptionKey = attrs.encryptionKey;
public policy?: BucketPolicy = undefined;
public accessControl?: BucketAccessControl = undefined;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
public accessControl?: BucketAccessControl = undefined;

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot dismissed eladb’s stale review January 13, 2020 13:21

Pull request has been modified.

eladb
eladb approved these changes Jan 13, 2020
View reviewed changes
Copy link
Contributor

@eladb eladb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yaaas! Thanks for all your patience

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Jan 13, 2020

Thank you for contributing! Your pull request is now being automatically merged.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Jan 13, 2020

Thank you for contributing! Your pull request is now being automatically merged.

@mergify mergify bot merged commit c9b074b into aws:master Jan 13, 2020
@arnulfojr
Copy link
Contributor Author

@eladb thanks for all the learnings, really insightful :) really appreciate it!

@eladb eladb mentioned this pull request Jan 23, 2020
Closed
2 tasks
This was referenced Mar 2, 2020
Closed
Closed
@laurelmay laurelmay mentioned this pull request Jan 4, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eladb eladb eladb approved these changes

Assignees

@eladb eladb

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[s3] Add support for S3 server access logs
3 participants
@arnulfojr @aws-cdk-automation @eladb