fix(redshift): deploy fails when creating logging bucket without s3 key #21243

Merged
merged 6 commits into from
Aug 8, 2022
23 changes: 23 additions & 0 deletions packages/@aws-cdk/aws-redshift/README.md
@@ -45,6 +45,29 @@ A default database named `default_db` will be created in the cluster. To change
By default, the cluster will not be publicly accessible.
Depending on your use case, you can make the cluster publicly accessible with the `publiclyAccessible` property.

## Adding a logging bucket for database audit logging to S3

Amazon Redshift logs information about connections and user activities in your database. These logs help you to monitor the database for security and troubleshooting purposes, a process called database auditing. To send these logs to an S3 bucket, specify the `loggingProperties` when creating a new cluster.

```ts
import * as ec2 from '@aws-cdk/aws-ec2';
import * as s3 from '@aws-cdk/aws-s3';

const vpc = new ec2.Vpc(this, 'Vpc');
const bucket = s3.Bucket.fromBucketName(stack, 'bucket', 'logging-bucket');

const cluster = new Cluster(this, 'Redshift', {
masterUser: {
masterUsername: 'admin',
},
vpc,
loggingProperties: {
loggingBucket = bucket,
loggingKeyPrefix: 'prefix',
}
});
```

## Connecting

To control who can access the cluster, use the `.connections` attribute. Redshift Clusters have
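Review bot: The README snippet in this hunk does not compile as written: inside the `loggingProperties` object literal, `loggingBucket = bucket,` must be `loggingBucket: bucket,`, and `s3.Bucket.fromBucketName(stack, 'bucket', 'logging-bucket')` references an undefined `stack` while the rest of the example uses `this`. Since this is the snippet users will copy to enable audit logging, please fix both lines and run the README through the rosetta compile check; it would also help to state next to the example that `loggingKeyPrefix` is required.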
55 changes: 41 additions & 14 deletions packages/@aws-cdk/aws-redshift/lib/cluster.ts
@@ -95,6 +95,24 @@ export interface Login {
readonly encryptionKey?: kms.IKey;
}

/**
* Logging bucket and S3 prefix combination
*/
export interface LoggingProperties {
/**
* Bucket to send logs to.
* Logging information includes queries and connection attempts, for the specified Amazon Redshift cluster.
*
*/
readonly loggingBucket: s3.IBucket

/**
* Prefix used for logging.
*
*/
readonly loggingKeyPrefix: string
}

/**
* Options to add the multi user rotation
*/
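Review bot: Both members of the new `LoggingProperties` interface are missing their trailing semicolon (`readonly loggingBucket: s3.IBucket` and `readonly loggingKeyPrefix: string`), unlike `readonly encryptionKey?: kms.IKey;` in the context above, and each doc comment ends with a stray empty ` *` line that should be dropped. Because `loggingKeyPrefix` is declared without `?`, the prefix becomes mandatory; if that is the intent (the PR title says the deploy failed without an S3 key), say so in the doc comment so users understand why there is no `@default`.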
@@ -294,6 +312,11 @@ export interface ClusterProps {
readonly defaultDatabaseName?: string;

/**
* Bucket to send logs to.
* Logging information includes queries and connection attempts, for the specified Amazon Redshift cluster.
*
* @default - No Logs
*/
readonly loggingBucket?: s3.IBucket

/**
* Prefix used for logging
* Bucket details for log files to be sent to, including prefix.
*
* @default - no prefix
* @default - No logging bucket is used
*/
readonly loggingKeyPrefix?: string
readonly loggingProperties?: LoggingProperties;

/**
* The removal policy to apply when the cluster and its instances are removed
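Review bot: Removing the public `loggingBucket` and `loggingKeyPrefix` props in favour of `loggingProperties` is a breaking change to `ClusterProps`; the commit message should carry a `BREAKING CHANGE:` footer that spells out the migration (`loggingBucket` and `loggingKeyPrefix` move into `loggingProperties: { loggingBucket, loggingKeyPrefix }`). The new doc comment also reads awkwardly; suggest replacing `Bucket details for log files to be sent to, including prefix.` with `Bucket and key prefix that audit log files are written to.`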
@@ -475,11 +485,28 @@ export class Cluster extends ClusterBase {
this.multiUserRotationApplication = secretsmanager.SecretRotationApplication.REDSHIFT_ROTATION_MULTI_USER;

let loggingProperties;
if (props.loggingBucket) {
if (props.loggingProperties) {
loggingProperties = {
bucketName: props.loggingBucket.bucketName,
s3KeyPrefix: props.loggingKeyPrefix,
bucketName: props.loggingProperties.loggingBucket.bucketName,
s3KeyPrefix: props.loggingProperties.loggingKeyPrefix,
};
props.loggingProperties.loggingBucket.addToResourcePolicy(
new iam.PolicyStatement(
{
actions: [
's3:GetBucketAcl',
's3:PutObject',
],
resources: [
props.loggingProperties.loggingBucket.arnForObjects('*'),
props.loggingProperties.loggingBucket.bucketArn,
],
principals: [
new iam.ServicePrincipal('redshift.amazonaws.com'),
],
},
),
);
}

const cluster = new CfnCluster(this, 'Resource', {
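Review bot: The result of `addToResourcePolicy` is discarded. For an imported bucket such as the `s3.Bucket.fromBucketName(...)` the README shows, CDK cannot attach a bucket policy and `statementAdded` on the returned `AddToResourcePolicyResult` is false, so the `redshift.amazonaws.com` principal silently gets no `s3:GetBucketAcl`/`s3:PutObject` grant and log delivery fails at deploy time or on first write; check `statementAdded` and raise `Annotations.of(this).addWarning(...)` (or document that imported buckets need the policy added by hand) when it is false. While here, consider scoping `s3:PutObject` to `arnForObjects(\`${props.loggingProperties.loggingKeyPrefix}*\`)` instead of every object in the bucket, and adding an `aws:SourceAccount` condition on the statement so the service principal cannot be used to write another account's logs into this bucket.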
1 change: 1 addition & 0 deletions packages/@aws-cdk/aws-redshift/package.json
@@ -85,6 +85,7 @@
"@aws-cdk/integ-runner": "0.0.0",
"@aws-cdk/cfn2ts": "0.0.0",
"@aws-cdk/pkglint": "0.0.0",
"@aws-cdk/integ-tests": "0.0.0",
"@types/jest": "^27.5.2",
"aws-sdk": "^2.848.0",
"jest": "^27.5.1"
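Review bot: Style only: `"@aws-cdk/integ-tests": "0.0.0"` is inserted after `@aws-cdk/pkglint` rather than next to the existing `@aws-cdk/integ-runner` entry; keeping the two integ packages adjacent makes the devDependencies list easier to scan.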
@@ -0,0 +1 @@
{}
@@ -0,0 +1,19 @@
{
"version": "20.0.0",
"files": {
"941d95acb9a710e3df3e05301e7debabdecabed59c6b395b0265d4d3be632c5f": {
"source": {
"path": "aws-cdk-redshift-cluster-loggingbucket.template.json",
"packaging": "file"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "941d95acb9a710e3df3e05301e7debabdecabed59c6b395b0265d4d3be632c5f.json",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
}
},
"dockerImages": {}
}
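Review bot: This generated asset manifest (`"version": "20.0.0"`) points at `aws-cdk-redshift-cluster-loggingbucket.template.json` under the `941d95acb9a710e3df3e05301e7debabdecabed59c6b395b0265d4d3be632c5f` key; the synthesized template and the rest of the `integ-runner` snapshot must be committed alongside it, otherwise the snapshot comparison in CI will fail on a missing file.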