Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(docdb): allow setting log retention #18120

Merged
merged 3 commits into from
Dec 22, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions packages/@aws-cdk/aws-docdb/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -130,5 +130,7 @@ const cluster = new DatabaseCluster(this, 'Database', {
...,
exportProfilerLogsToCloudWatch: true, // Enable sending profiler logs
exportAuditLogsToCloudWatch: true, // Enable sending audit logs
cloudWatchLogsRetention: logs.RetentionDays.THREE_MONTHS, // Optional - default is to never expire logs
cloudWatchLogsRetentionRole: myLogsPublishingRole, // Optional - a role will be created if not provided
});
```
36 changes: 36 additions & 0 deletions packages/@aws-cdk/aws-docdb/lib/cluster.ts
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
import * as ec2 from '@aws-cdk/aws-ec2';
import { IRole } from '@aws-cdk/aws-iam';
import * as kms from '@aws-cdk/aws-kms';
import * as logs from '@aws-cdk/aws-logs';
import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
import { CfnResource, Duration, RemovalPolicy, Resource, Token } from '@aws-cdk/core';
import { Construct } from 'constructs';
Expand Down Expand Up @@ -164,6 +166,23 @@ export interface DatabaseClusterProps {
* @default false
*/
readonly exportAuditLogsToCloudWatch?: boolean;

/**
* The number of days log events are kept in CloudWatch Logs. When updating
* this property, unsetting it doesn't remove the log retention policy. To
* remove the retention policy, set the value to `Infinity`.
*
* @default - logs never expire
*/
readonly cloudWatchLogsRetention?: logs.RetentionDays;

/**
* The IAM role for the Lambda function associated with the custom resource
* that sets the retention policy.
*
* @default - a new role is created.
*/
readonly cloudWatchLogsRetentionRole?: IRole;
}

/**
Expand Down Expand Up @@ -428,6 +447,8 @@ export class DatabaseCluster extends DatabaseClusterBase {
this.clusterEndpoint = new Endpoint(this.cluster.attrEndpoint, port);
this.clusterReadEndpoint = new Endpoint(this.cluster.attrReadEndpoint, port);

this.setLogRetention(this, props, enableCloudwatchLogsExports);

if (secret) {
this.secret = secret.attach(this);
}
Expand Down Expand Up @@ -470,6 +491,21 @@ export class DatabaseCluster extends DatabaseClusterBase {
});
}

/**
* Sets up CloudWatch log retention if configured.
*/
private setLogRetention(cluster: DatabaseCluster, props: DatabaseClusterProps, cloudwatchLogsExports: string[]) {
if (props.cloudWatchLogsRetention) {
for (const log of cloudwatchLogsExports) {
new logs.LogRetention(cluster, `LogRetention${log}`, {
logGroupName: `/aws/docdb/${cluster.clusterIdentifier}/${log}`,
retention: props.cloudWatchLogsRetention,
role: props.cloudWatchLogsRetentionRole,
});
}
}
}

/**
* Adds the single user rotation of the master password to this cluster.
*
Expand Down
4 changes: 4 additions & 0 deletions packages/@aws-cdk/aws-docdb/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -84,15 +84,19 @@
"dependencies": {
"@aws-cdk/aws-ec2": "0.0.0",
"@aws-cdk/aws-efs": "0.0.0",
"@aws-cdk/aws-iam": "0.0.0",
"@aws-cdk/aws-kms": "0.0.0",
"@aws-cdk/aws-logs": "0.0.0",
"@aws-cdk/aws-secretsmanager": "0.0.0",
"@aws-cdk/core": "0.0.0",
"constructs": "^3.3.69"
},
"peerDependencies": {
"@aws-cdk/aws-ec2": "0.0.0",
"@aws-cdk/aws-efs": "0.0.0",
"@aws-cdk/aws-iam": "0.0.0",
"@aws-cdk/aws-kms": "0.0.0",
"@aws-cdk/aws-logs": "0.0.0",
"@aws-cdk/aws-secretsmanager": "0.0.0",
"@aws-cdk/core": "0.0.0",
"constructs": "^3.3.69"
Expand Down
41 changes: 41 additions & 0 deletions packages/@aws-cdk/aws-docdb/test/cluster.test.ts
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import { expect as expectCDK, haveResource, ResourcePart, arrayWith, haveResourceLike, objectLike } from '@aws-cdk/assert-internal';
import * as ec2 from '@aws-cdk/aws-ec2';
import * as kms from '@aws-cdk/aws-kms';
import * as logs from '@aws-cdk/aws-logs';
import * as cdk from '@aws-cdk/core';

import { ClusterParameterGroup, DatabaseCluster, DatabaseSecret } from '../lib';
Expand Down Expand Up @@ -652,6 +653,46 @@ describe('DatabaseCluster', () => {
}));
});

test('can set CloudWatch log retention', () => {
// GIVEN
const stack = testStack();
const vpc = new ec2.Vpc(stack, 'VPC');

// WHEN
new DatabaseCluster(stack, 'Database', {
masterUser: {
username: 'admin',
},
instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.SMALL),
vpc,
exportAuditLogsToCloudWatch: true,
exportProfilerLogsToCloudWatch: true,
cloudWatchLogsRetention: logs.RetentionDays.THREE_MONTHS,
});

// THEN
expectCDK(stack).to(haveResource('Custom::LogRetention', {
ServiceToken: {
'Fn::GetAtt': [
'LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A',
'Arn',
],
},
LogGroupName: { 'Fn::Join': ['', ['/aws/docdb/', { Ref: 'DatabaseB269D8BB' }, '/audit']] },
RetentionInDays: 90,
}));
expectCDK(stack).to(haveResource('Custom::LogRetention', {
ServiceToken: {
'Fn::GetAtt': [
'LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A',
'Arn',
],
},
LogGroupName: { 'Fn::Join': ['', ['/aws/docdb/', { Ref: 'DatabaseB269D8BB' }, '/profiler']] },
RetentionInDays: 90,
}));
});

test('single user rotation', () => {
// GIVEN
const stack = testStack();
Expand Down