feat(elasticloadbalancingv2): health check logs for ALB

[ren-yamanashi]

This PR is similar to #30599

Reason for this change

ALB can output health check logs as well as access logs to the S3 bucket, but this is not yet supported by L2 Construct.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-health-check-logging.html

Description of changes

Since health check logs are not supported by NLB, but only by ALB, the logHealthCheckLogs method is added to the ApplicationLoadBalancer instead of the BaseLoadBalancer.

The needed BucketPolicy is described in the documentation only as follows.

{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/prefix/AWSLogs/123456789012/*"
    }
  ]
}

Description of how you validated changes

add unit tests and integ tests.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[ren-yamanashi]

This code is followed logConnectionLogs method.

see: https://github.com/aws/aws-cdk/blob/v2.230.0/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts#L368

The key point when use resourcePolicyPrincipal method, this public method (logHealthCheckLogs) needs specified region on the stack.

But, based on the documents I think we can choice don't use resourcePolicyPrincipal method like here code.
(see: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-health-check-logging.html)

principals: [new iam.ServicePrincipal('logdelivery.elasticloadbalancing.amazonaws.com')],

And when we choice it, not needs specified region on the stack.

---

Q. Which I choice? Use resourcePolicyPrincipal method? or not use?

Current situation is not same when implementation logConnectionLogs method, so I want advice for you.

[ren-yamanashi]

Based on documents (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-health-check-logging.html) intuitively, you would think two validations are necessary.

1. region for specified bucket is same alb region
2. must use SSE-S3

However, I not implemented the validation logic "the region of the specified bucket is the same as the region of the ALB" for the following reasons.

• Basically, S3 Buckets and ALB created within the same Stack are in the same region.
• The case where they are not in the same region is when an imported S3 Bucket is specified. However, since the ARN for S3 does not include the region, we determined that it would be difficult to verify that they "exist in the same region."

[badmintoncryer]

Does IBucket class have a region information from IBucket.env.region? If it is true, I think we can add a validation for the same region restriction.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[ren-yamanashi]

Similar methods to this one (e.g, logConnectionLogs) have the following code implemented, but this method doesn't.

    // We still need this policy for the bucket using the ACL
    bucket.addToResourcePolicy(
      new PolicyStatement({
        actions: ['s3:PutObject'],
        principals: [logsDeliveryServicePrincipal],
        resources: [
          bucket.arnForObjects(`${prefix ? prefix + '/' : ''}AWSLogs/${Stack.of(this).account}/*`),
        ],
        conditions: {
          StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' },
        },
      }),
    );
    bucket.addToResourcePolicy(
      new PolicyStatement({
        actions: ['s3:GetBucketAcl'],
        principals: [logsDeliveryServicePrincipal],
        resources: [bucket.bucketArn],
      }),
    );

Because, if ACL are enabled on the S3 Bucket, health check logs can be logged even without that code.

I think this has been verified in packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.enable-acl.ts integ test, but please comment if verification method is incorrect.

---

I think this has been verified in packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.log.enable-acl.ts integ test

If insufficient permissions, I think integ test will failed.

(In fact, I tried deleting the following permissions and running integ tests, deployment failed)

-   bucket.addToResourcePolicy(
-     new PolicyStatement({
-       actions: ['s3:PutObject'],
-       principals: [this.resourcePolicyPrincipal()],
-       resources: [
-         bucket.arnForObjects(
-           `${prefix ? prefix + '/' : ''}AWSLogs/${Stack.of(this).account}/*`,
-         ),
-       ],
-     }),
-   );

[badmintoncryer]

Because the official docs does not mention about bucket policy relates to ACL, I think you don't need to add these policies.

[badmintoncryer]

Thank you for your contribution! I've added some comments.

[badmintoncryer]

Is this feature flag is essential?

[badmintoncryer]

Is this feature flag essential?

[badmintoncryer]

Is this option needed?

[badmintoncryer]

I'm curious that why is this dependency needed?

[badmintoncryer]

Does IBucket class have a region information from IBucket.env.region? If it is true, I think we can add a validation for the same region restriction.

[badmintoncryer]

I think it might be better to add a description about when the bucket encryption using KMS keys is unsupported.

[badmintoncryer]

Because the official docs does not mention about bucket policy relates to ACL, I think you don't need to add these policies.