From c092a5a616b6c6758baa4ffa86399f6d0e359e43 Mon Sep 17 00:00:00 2001
From: Momo Kornher
Date: Mon, 5 Dec 2022 13:09:50 +0000
Subject: [PATCH] chore(region-info): register me-central-1 (#23210)

New Regions now use a service principal for elasticloadbalancing logdelivery.

----
### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Construct Runtime Dependencies:

* [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../lib/shared/base-load-balancer.ts | 28 +++++++++++--------
 .../region-info/build-tools/fact-tables.ts | 3 ++
 .../@aws-cdk/region-info/lib/aws-entities.ts | 2 +-
 .../@aws-cdk/region-info/lib/region-info.ts | 1 -
 4 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts
index f694dc6ff5b9f..f4740b69ffb94 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts
@@ -251,18 +251,8 @@ export abstract class BaseLoadBalancer extends Resource {
 this.setAttribute('access_logs.s3.bucket', bucket.bucketName.toString());
 this.setAttribute('access_logs.s3.prefix', prefix);

- const region = Stack.of(this).region;
- if (Token.isUnresolved(region)) {
- throw new Error('Region is required to enable ELBv2 access logging');
- }
-
- const account = RegionInfo.get(region).elbv2Account;
- if (!account) {
- throw new Error(`Cannot enable access logging; don't know ELBv2 account for region ${region}`);
- }
-
 const logsDeliveryServicePrincipal = new ServicePrincipal('delivery.logs.amazonaws.com');
- bucket.grantPut(new iam.AccountPrincipal(account), `${(prefix ? prefix + '/' : '')}AWSLogs/${Stack.of(this).account}/*`);
+ bucket.grantPut(this.resourcePolicyPrincipal(), `${(prefix ? prefix + '/' : '')}AWSLogs/${Stack.of(this).account}/*`);
 bucket.addToResourcePolicy(
 new PolicyStatement({
 actions: ['s3:PutObject'],
@@ -303,6 +293,22 @@ export abstract class BaseLoadBalancer extends Resource {
 this.setAttribute(key, undefined);
 }

+ protected resourcePolicyPrincipal(): iam.IPrincipal {
+ const region = Stack.of(this).region;
+ if (Token.isUnresolved(region)) {
+ throw new Error('Region is required to enable ELBv2 access logging');
+ }
+
+ const account = RegionInfo.get(region).elbv2Account;
+ if (!account) {
+ // New Regions use a service principal
+ // https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy
+ return new iam.ServicePrincipal('logdelivery.elasticloadbalancing.amazonaws.com');
+ }
+
+ return new iam.AccountPrincipal(account);
+ }
+
 protected validateLoadBalancer(): string[] {
 const ret = new Array();
diff --git a/packages/@aws-cdk/region-info/build-tools/fact-tables.ts b/packages/@aws-cdk/region-info/build-tools/fact-tables.ts
index 0611e73e8d3f8..6d4e624526393 100644
--- a/packages/@aws-cdk/region-info/build-tools/fact-tables.ts
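Review bot: The rewritten `bucket.grantPut(this.resourcePolicyPrincipal(), ...)` line grants the log-delivery principal more than the single `s3:PutObject` that the AWS bucket-policy guidance linked in the new helper asks for — if I recall the helper correctly, `grantPut` hands out the whole put action set (object tagging, retention/legal hold and `s3:Abort*`) on the key pattern. That breadth was already there for the per-region ELB account, but it now also goes to `logdelivery.elasticloadbalancing.amazonaws.com`, a service principal that any customer's load balancer in the region acts through, where only the `AWSLogs/<account>/*` key pattern keeps other accounts' deliveries out; the grant is worth tightening to exactly what delivery needs. An explicit statement keeps principal, key pattern and action list in one place next to the existing `delivery.logs.amazonaws.com` statement. The enclosing access-log method starts and ends outside the hunk.
```typescript
bucket.addToResourcePolicy(new PolicyStatement({
  actions: ['s3:PutObject'],
  principals: [this.resourcePolicyPrincipal()],
  resources: [bucket.arnForObjects(`${(prefix ? prefix + '/' : '')}AWSLogs/${Stack.of(this).account}/*`)],
}));
// … unchanged: existing addToResourcePolicy for delivery.logs.amazonaws.com …
```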
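Review bot: `resourcePolicyPrincipal` turns what used to be a synth-time error for an unknown region into a silent trust grant: `Stack.of(this).region` comes from the stack's `env`, so a misspelled or otherwise unrecognised region now yields a bucket policy for `logdelivery.elasticloadbalancing.amazonaws.com` instead of the old `Cannot enable access logging; don't know ELBv2 account for region …` failure, and the mistake only surfaces later as missing logs. The service-principal fallback should be limited to regions that region-info actually knows about — it exposes the known list as `RegionInfo.regions`, if I remember the API correctly — and anything else should keep throwing. The method is also a new `protected` member with no doc comment, which on a jsii-exported class is public API for subclasses; a TSDoc such as `/** Principal allowed to put access logs into the bucket: the per-region ELB account, or the log-delivery service principal in regions that have none. */` (and `private` unless a subclass needs it) would make the contract explicit. The region token check above stays as is.
```typescript
// … unchanged: Token.isUnresolved(region) check …
const account = RegionInfo.get(region).elbv2Account;
if (account) {
  return new iam.AccountPrincipal(account);
}
if (!RegionInfo.regions.some(r => r.name === region)) {
  throw new Error(`Cannot enable access logging; unknown region ${region}`);
}
// Newer regions have no per-region ELB account; log delivery uses a service principal there
// https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy
return new iam.ServicePrincipal('logdelivery.elasticloadbalancing.amazonaws.com');
```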
+++ b/packages/@aws-cdk/region-info/build-tools/fact-tables.ts
@@ -25,6 +25,7 @@ export const AWS_CDK_METADATA = new Set([
 'eu-north-1',
 'eu-south-1',
 'me-south-1',
+ // 'me-central-1',
 'sa-east-1',
 ]);
@@ -52,6 +53,7 @@ export const ROUTE_53_BUCKET_WEBSITE_ZONE_IDS: { [region: string]: string } = {
 'eu-west-2': 'Z3GKZC51ZF0DB4',
 'eu-west-3': 'Z3R1K369G5AVDG',
 'me-south-1': 'Z1MPMWCPA7YB62',
+ 'me-central-1': 'Z06143092I8HRXZRUZROF',
 'sa-east-1': 'Z7KQH4QJS55SO',
 'us-east-1': 'Z3AQBSTGFYJSTF',
 'us-east-2': 'Z2O1EMRO9K5GLX',
@@ -104,6 +106,7 @@ export const PARTITION_MAP: { [region: string]: Region } = {

 // https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions
 // https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy
+// Any not listed regions use the service principal "logdelivery.elasticloadbalancing.amazonaws.com"
 export const ELBV2_ACCOUNTS: { [region: string]: string } = {
 'af-south-1': '098369216593',
 'ap-east-1': '754344448648',
diff --git a/packages/@aws-cdk/region-info/lib/aws-entities.ts b/packages/@aws-cdk/region-info/lib/aws-entities.ts
index 1c2ee921d3d08..03c3072042e22 100644
--- a/packages/@aws-cdk/region-info/lib/aws-entities.ts
+++ b/packages/@aws-cdk/region-info/lib/aws-entities.ts
@@ -70,7 +70,7 @@ export const AWS_REGIONS = AWS_REGIONS_AND_RULES
 .sort() as readonly string[];

 /**
- * Possibly non-exaustive list of all service names, used to locate service principals.
+ * Possibly non-exhaustive list of all service names, used to locate service principals.
 *
 * Not in the list ==> default service principal mappings.
 */
diff --git a/packages/@aws-cdk/region-info/lib/region-info.ts b/packages/@aws-cdk/region-info/lib/region-info.ts
index b02e156f6b966..2b767c540679e 100644
--- a/packages/@aws-cdk/region-info/lib/region-info.ts
+++ b/packages/@aws-cdk/region-info/lib/region-info.ts
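Review bot: The added `// 'me-central-1',` in `AWS_CDK_METADATA` is a commented-out entry with no explanation, so the next person registering a region cannot tell whether CDK metadata reporting is genuinely unavailable there or the line was simply left disabled by mistake. Either drop the line or say why it is disabled, e.g. `// 'me-central-1', // metadata reporting not available in this region yet — enable once it is` (the reason is my guess; the hunk does not say). The `AWS_CDK_METADATA` set starts outside the hunk.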
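Review bot: The new comment above `ELBV2_ACCOUNTS` presents absence from the table as the rule for using the service principal, but the table is a hand-maintained list, so a region that does have a per-region ELB account and was merely never added would be described as a service-principal region and would get the wrong bucket policy downstream. The comment should state the actual rule and make the completeness requirement explicit, e.g. `// Regions not listed here have no per-region ELB account (see the docs above) and use the service principal "logdelivery.elasticloadbalancing.amazonaws.com" instead; every region that has an account MUST be listed.` Wording nit on the same line: "Any not listed regions" reads better as "Any region not listed here". The `ELBV2_ACCOUNTS` table continues past the hunk.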
@@ -131,7 +131,6 @@ export class RegionInfo {

 /**
 * The account ID for ELBv2 in this region
- *
 */
 public get elbv2Account(): string | undefined {
 return Fact.find(this.name, FactName.ELBV2_ACCOUNT);