Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(cloudtrail): Invalid resource for policy when using sendToCloudWatchLogs #1851

Merged
merged 2 commits into from
Feb 25, 2019
Merged

fix(cloudtrail): Invalid resource for policy when using sendToCloudWatchLogs #1851

merged 2 commits into from
Feb 25, 2019

Conversation

RomainMuller
Copy link
Contributor

Sets this.cloudWatchLogsGroupArn before using it, such that a correct
resource ARN is used in the policy generated for CloudTrail to be able
to create and use the required log stream.

Fixes #1848

Pull Request Checklist

  • Testing
    • Unit test added (prefer not to modify an existing test, otherwise, it's probably a breaking change)
    • CLI change?: coordinate update of integration tests with team
    • cdk-init template change?: coordinated update of integration tests with team
  • Docs
    • jsdocs: All public APIs documented
    • README: README and/or documentation topic updated
  • Title and Description
    • Change type: title prefixed with fix, feat will appear in changelog
    • Title: use lower-case and doesn't end with a period
    • Breaking?: last paragraph: "BREAKING CHANGE: <describe what changed + link for details>"
    • Issues: Indicate issues fixed via: "Fixes #xxx" or "Closes #xxx"
  • Sensitive Modules (requires 2 PR approvers)
    • IAM Policy Document (in @aws-cdk/aws-iam)
    • EC2 Security Groups and ACLs (in @aws-cdk/aws-ec2)
    • Grant APIs (only if not based on official documentation with a reference)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.

@RomainMuller
fix(cloudtrail): Invalid resource for policy when using sendToCloudWa…
0fac1e4 
…tchLogs

Sets `this.cloudWatchLogsGroupArn` before using it, such that a correct
resource ARN is used in the policy generated for CloudTrail to be able
to create and use the required log stream.

Fixes #1848
@RomainMuller RomainMuller requested a review from a team as a code owner February 25, 2019 09:55
@RomainMuller RomainMuller mentioned this pull request Feb 25, 2019
Closed
rix0rrr
rix0rrr reviewed Feb 25, 2019
View reviewed changes
packages/@aws-cdk/aws-cloudtrail/lib/index.ts Outdated
@@ -149,14 +149,13 @@ export class CloudTrail extends cdk.Construct {
});
this.cloudWatchLogsGroupArn = logGroup.logGroupArn;

const logsRole = new iam.Role(this, 'LogsRole', {assumedBy: new iam.ServicePrincipal(cloudTrailPrincipal) });
const logsRole = new iam.Role(this, 'LogsRole', { assumedBy: new iam.ServicePrincipal(cloudTrailPrincipal) });
this.cloudWatchLogsRoleArn = logsRole.roleArn;

const streamArn = `${this.cloudWatchLogsRoleArn}:log-stream:*`;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wait why was this not a static analysis error?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The field is string | undefined (there is no value if you don't enable CloudWatch/Logs output) - and unassigned it is undefined, which is valid. Interpolating undefined is totally valid (and it'll output a literal undefined).

eladb
eladb reviewed Feb 25, 2019
View reviewed changes
packages/@aws-cdk/aws-cloudtrail/lib/index.ts Outdated
@@ -149,14 +149,13 @@ export class CloudTrail extends cdk.Construct {
});
this.cloudWatchLogsGroupArn = logGroup.logGroupArn;

const logsRole = new iam.Role(this, 'LogsRole', {assumedBy: new iam.ServicePrincipal(cloudTrailPrincipal) });
const logsRole = new iam.Role(this, 'LogsRole', { assumedBy: new iam.ServicePrincipal(cloudTrailPrincipal) });
this.cloudWatchLogsRoleArn = logsRole.roleArn;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is cloudWatchLogsArn optional?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because it is meaningless if you do not enable output in CloudWatch Logs.

@RomainMuller
Copy link
Contributor Author

The real question in fact was why do we have private members that are only ever accessed from the constructor. I'm removing those and that'll make the code a lot safer.

@RomainMuller RomainMuller merged commit 816cfc0 into master Feb 25, 2019
@RomainMuller RomainMuller deleted the rmuller/issue-1848 branch February 25, 2019 11:03
eladb pushed a commit that referenced this pull request Feb 26, 2019
@RomainMuller
fix(cloudtrail): Invalid resource for policy when using sendToCloudWa…
f958e04 
…tchLogs (#1851)

Sets `this.cloudWatchLogsGroupArn` before using it, such that a correct
resource ARN is used in the policy generated for CloudTrail to be able
to create and use the required log stream.

Fixes #1848
@NGL321 NGL321 added the contribution/core This is a PR that came from AWS. label Sep 27, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eladb eladb eladb approved these changes

@rix0rrr rix0rrr rix0rrr approved these changes

Assignees
No one assigned
Labels
contribution/core This is a PR that came from AWS.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Cloudtrail with sendToCloudWatchLogs: true, invalid Resource for Policy
4 participants
@RomainMuller @rix0rrr @eladb @NGL321