Merge pull request #137 from guardian/aa-byo

update GuLogShippingPolicy to bring it's own parameter
guardian · Jan 13, 2021 · d240cb1 · d240cb1
2 parents 404bd66 + e327905
commit d240cb1
Show file tree

Hide file tree

Showing 5 changed files with 80 additions and 73 deletions.
diff --git a/src/constructs/iam/policies/log-shipping.test.ts b/src/constructs/iam/policies/log-shipping.test.ts
@@ -6,12 +6,12 @@ describe("The GuLogShippingPolicy class", () => {
   it("sets default props", () => {
     const stack = simpleGuStackForTesting();
 
-    const logShippingPolicy = new GuLogShippingPolicy(stack, "LogShippingPolicy", { loggingStreamName: "test" });
+    const logShippingPolicy = new GuLogShippingPolicy(stack);
 
     attachPolicyToTestRole(stack, logShippingPolicy);
 
     expect(stack).toHaveResource("AWS::IAM::Policy", {
-      PolicyName: "log-shipping-policy",
+      PolicyName: "GuLogShippingPolicy981BFE5A",
       PolicyDocument: {
         Version: "2012-10-17",
         Statement: [
@@ -30,7 +30,10 @@ describe("The GuLogShippingPolicy class", () => {
                   {
                     Ref: "AWS::AccountId",
                   },
-                  ":stream/test",
+                  ":stream/",
+                  {
+                    Ref: "LoggingStreamName",
+                  },
                 ],
               ],
             },
@@ -44,7 +47,6 @@ describe("The GuLogShippingPolicy class", () => {
     const stack = simpleGuStackForTesting();
 
     const logShippingPolicy = new GuLogShippingPolicy(stack, "LogShippingPolicy", {
-      loggingStreamName: "test",
       policyName: "test",
     });
 
@@ -70,7 +72,10 @@ describe("The GuLogShippingPolicy class", () => {
                   {
                     Ref: "AWS::AccountId",
                   },
-                  ":stream/test",
+                  ":stream/",
+                  {
+                    Ref: "LoggingStreamName",
+                  },
                 ],
               ],
             },

diff --git a/src/constructs/iam/policies/log-shipping.ts b/src/constructs/iam/policies/log-shipping.ts
@@ -1,31 +1,24 @@
-import type { PolicyProps } from "@aws-cdk/aws-iam";
 import { Effect, PolicyStatement } from "@aws-cdk/aws-iam";
 import type { GuStack } from "../../core";
+import { GuSSMParameter } from "../../core";
 import type { GuPolicyProps } from "./base-policy";
 import { GuPolicy } from "./base-policy";
 
-export interface GuLogShippingPolicyProps extends GuPolicyProps {
-  loggingStreamName: string;
-}
-
 export class GuLogShippingPolicy extends GuPolicy {
-  private static getDefaultProps(scope: GuStack, props: GuLogShippingPolicyProps): PolicyProps {
-    return {
-      policyName: "log-shipping-policy",
-      statements: [
-        new PolicyStatement({
-          effect: Effect.ALLOW,
-          actions: ["kinesis:Describe*", "kinesis:Put*"],
-          resources: [`arn:aws:kinesis:${scope.region}:${scope.account}:stream/${props.loggingStreamName}`],
-        }),
-      ],
-    };
-  }
+  constructor(scope: GuStack, id: string = "GuLogShippingPolicy", props?: GuPolicyProps) {
+    super(scope, id, { ...props });
 
-  constructor(scope: GuStack, id: string, props: GuLogShippingPolicyProps) {
-    super(scope, id, {
-      ...GuLogShippingPolicy.getDefaultProps(scope, props),
-      ...props,
+    const loggingStreamNameParam = new GuSSMParameter(scope, "LoggingStreamName", {
+      description: "SSM parameter containing the Name (not ARN) on the kinesis stream",
+      default: "/account/services/logging.stream.name",
     });
+
+    this.addStatements(
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        actions: ["kinesis:Describe*", "kinesis:Put*"],
+        resources: [`arn:aws:kinesis:${scope.region}:${scope.account}:stream/${loggingStreamNameParam.valueAsString}`],
+      })
+    );
   }
 }
diff --git a/src/patterns/__snapshots__/instance-role.test.ts.snap b/src/patterns/__snapshots__/instance-role.test.ts.snap
@@ -220,6 +220,12 @@ Object {
 exports[`The InstanceRole construct should create an additional logging policy if logging stream is specified 1`] = `
 Object {
   "Parameters": Object {
+    "LoggingStreamName": Object {
+      "Default": "/account/services/logging.stream.name",
+      "Description": "SSM parameter containing the Name (not ARN) on the kinesis stream",
+      "NoEcho": true,
+      "Type": "AWS::SSM::Parameter::Value<String>",
+    },
     "Stack": Object {
       "Default": "deploy",
       "Description": "Name of this stack",
@@ -283,6 +289,48 @@ Object {
       },
       "Type": "AWS::IAM::Policy",
     },
+    "GuLogShippingPolicy981BFE5A": Object {
+      "Properties": Object {
+        "PolicyDocument": Object {
+          "Statement": Array [
+            Object {
+              "Action": Array [
+                "kinesis:Describe*",
+                "kinesis:Put*",
+              ],
+              "Effect": "Allow",
+              "Resource": Object {
+                "Fn::Join": Array [
+                  "",
+                  Array [
+                    "arn:aws:kinesis:",
+                    Object {
+                      "Ref": "AWS::Region",
+                    },
+                    ":",
+                    Object {
+                      "Ref": "AWS::AccountId",
+                    },
+                    ":stream/",
+                    Object {
+                      "Ref": "LoggingStreamName",
+                    },
+                  ],
+                ],
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "GuLogShippingPolicy981BFE5A",
+        "Roles": Array [
+          Object {
+            "Ref": "InstanceRole",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
     "InstanceRole": Object {
       "Properties": Object {
         "AssumeRolePolicyDocument": Object {
@@ -329,45 +377,6 @@ Object {
       },
       "Type": "AWS::IAM::Role",
     },
-    "LogShippingPolicyBCA13F45": Object {
-      "Properties": Object {
-        "PolicyDocument": Object {
-          "Statement": Array [
-            Object {
-              "Action": Array [
-                "kinesis:Describe*",
-                "kinesis:Put*",
-              ],
-              "Effect": "Allow",
-              "Resource": Object {
-                "Fn::Join": Array [
-                  "",
-                  Array [
-                    "arn:aws:kinesis:",
-                    Object {
-                      "Ref": "AWS::Region",
-                    },
-                    ":",
-                    Object {
-                      "Ref": "AWS::AccountId",
-                    },
-                    ":stream/my-logging-stream",
-                  ],
-                ],
-              },
-            },
-          ],
-          "Version": "2012-10-17",
-        },
-        "PolicyName": "log-shipping-policy",
-        "Roles": Array [
-          Object {
-            "Ref": "InstanceRole",
-          },
-        ],
-      },
-      "Type": "AWS::IAM::Policy",
-    },
     "ParameterStoreRead9D2F4FAB": Object {
       "Properties": Object {
         "PolicyDocument": Object {

diff --git a/src/patterns/instance-role.test.ts b/src/patterns/instance-role.test.ts
@@ -1,13 +1,13 @@
 import "@aws-cdk/assert/jest";
 import { SynthUtils } from "@aws-cdk/assert";
-import { simpleGuStackForTesting } from "../../test/utils/simple-gu-stack";
+import { simpleGuStackForTesting } from "../../test/utils";
 import { GuGetS3ObjectPolicy } from "../constructs/iam";
 import { InstanceRole } from "./instance-role";
 
 describe("The InstanceRole construct", () => {
   it("should create the correct resources with minimal config", () => {
     const stack = simpleGuStackForTesting();
-    new InstanceRole(stack, "InstanceRole", { bucketName: "test" });
+    new InstanceRole(stack, "InstanceRole", { bucketName: "test", withoutLogShipping: true });
 
     expect(SynthUtils.toCloudFormation(stack)).toMatchSnapshot();
     expect(stack).toCountResources("AWS::IAM::Role", 1);
@@ -16,7 +16,7 @@ describe("The InstanceRole construct", () => {
 
   it("should create an additional logging policy if logging stream is specified", () => {
     const stack = simpleGuStackForTesting();
-    new InstanceRole(stack, "InstanceRole", { bucketName: "test", loggingStreamName: "my-logging-stream" });
+    new InstanceRole(stack, "InstanceRole", { bucketName: "test" });
 
     expect(SynthUtils.toCloudFormation(stack)).toMatchSnapshot();
     expect(stack).toCountResources("AWS::IAM::Role", 1);
@@ -28,6 +28,7 @@ describe("The InstanceRole construct", () => {
 
     new InstanceRole(stack, "InstanceRole", {
       bucketName: "test",
+      withoutLogShipping: true,
       additionalPolicies: [new GuGetS3ObjectPolicy(stack, "GetConfigPolicy", { bucketName: "config" })],
     });
 

diff --git a/src/patterns/instance-role.ts b/src/patterns/instance-role.ts
@@ -1,6 +1,6 @@
 import { ServicePrincipal } from "@aws-cdk/aws-iam";
 import type { GuStack } from "../constructs/core";
-import type { GuGetS3ObjectPolicyProps, GuLogShippingPolicyProps, GuPolicy } from "../constructs/iam";
+import type { GuGetS3ObjectPolicyProps, GuPolicy } from "../constructs/iam";
 import {
   GuDescribeEC2Policy,
   GuGetS3ObjectPolicy,
@@ -10,7 +10,8 @@ import {
   GuSSMRunCommandPolicy,
 } from "../constructs/iam";
 
-interface InstanceRoleProps extends GuGetS3ObjectPolicyProps, Partial<GuLogShippingPolicyProps> {
+interface InstanceRoleProps extends GuGetS3ObjectPolicyProps {
+  withoutLogShipping?: boolean; // optional to have log shipping added by default, you have to opt out
   additionalPolicies?: GuPolicy[];
 }
 
@@ -29,9 +30,7 @@ export class InstanceRole extends GuRole {
       new GuGetS3ObjectPolicy(scope, "GetDistributablesPolicy", props),
       new GuDescribeEC2Policy(scope),
       new GuParameterStoreReadPolicy(scope),
-      ...(props.loggingStreamName
-        ? [new GuLogShippingPolicy(scope, "LogShippingPolicy", props as GuLogShippingPolicyProps)]
-        : []),
+      ...(props.withoutLogShipping ? [] : [new GuLogShippingPolicy(scope)]),
       ...(props.additionalPolicies ? props.additionalPolicies : []),
     ];