fix(redshift): deploy fails when creating logging bucket without s3 key (aws#21243)

To send this Amazon Redshift logging information about connections and user activities in your database to an S3 bucket, specify an S3 bucket and prefix using an interface.

CFN documentation has S3KeyPrefix as optional, but testing has shown that the key is required and a CFN error (same as in the issue below) will be thrown when the key is not provided.

closes: aws#19514.

BREAKING CHANGE: The way to specify a logging bucket and prefix will change to use an interface.

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
sean-beath authored and jmortlock committed Aug 8, 2022
1 parent bab3179 commit 0274756
Showing 13 changed files with 2,482 additions and 16 deletions.
23 changes: 23 additions & 0 deletions packages/@aws-cdk/aws-redshift/README.md
Expand Up @@ -45,6 +45,29 @@ A default database named `default_db` will be created in the cluster. To change
By default, the cluster will not be publicly accessible.
Depending on your use case, you can make the cluster publicly accessible with the `publiclyAccessible` property.

## Adding a logging bucket for database audit logging to S3

Amazon Redshift logs information about connections and user activities in your database. These logs help you to monitor the database for security and troubleshooting purposes, a process called database auditing. To send these logs to an S3 bucket, specify the `loggingProperties` when creating a new cluster.

```ts
import * as ec2 from '@aws-cdk/aws-ec2';
import * as s3 from '@aws-cdk/aws-s3';

const vpc = new ec2.Vpc(this, 'Vpc');
const bucket = s3.Bucket.fromBucketName(stack, 'bucket', 'logging-bucket');

const cluster = new Cluster(this, 'Redshift', {
masterUser: {
masterUsername: 'admin',
},
vpc,
loggingProperties: {
loggingBucket = bucket,
loggingKeyPrefix: 'prefix',
}
});
```

## Connecting

To control who can access the cluster, use the `.connections` attribute. Redshift Clusters have
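Review bot: the README example does not compile as written: `loggingBucket = bucket,` inside the `loggingProperties` object literal has to be `loggingBucket: bucket,`, and `s3.Bucket.fromBucketName(stack, 'bucket', 'logging-bucket')` scopes the import to `stack` while every other construct in the snippet uses `this`. The paragraph should also say that the prefix is required (the commit message records that CloudFormation rejects a missing `S3KeyPrefix` even though its docs mark it optional), and that for a bucket imported with `fromBucketName`, as shown here, the resource-policy statement the cluster adds in cluster.ts is a no-op, so the bucket policy granting `redshift.amazonaws.com` `s3:GetBucketAcl` and `s3:PutObject` must already exist on that bucket or audit logging will fail.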
55 changes: 41 additions & 14 deletions packages/@aws-cdk/aws-redshift/lib/cluster.ts
Expand Up @@ -95,6 +95,24 @@ export interface Login {
readonly encryptionKey?: kms.IKey;
}

/**
* Logging bucket and S3 prefix combination
*/
export interface LoggingProperties {
/**
* Bucket to send logs to.
* Logging information includes queries and connection attempts, for the specified Amazon Redshift cluster.
*
*/
readonly loggingBucket: s3.IBucket

/**
* Prefix used for logging.
*
*/
readonly loggingKeyPrefix: string
}

/**
* Options to add the multi user rotation
*/
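Review bot: `readonly loggingBucket: s3.IBucket` and `readonly loggingKeyPrefix: string` are missing the trailing semicolons the rest of this file uses (compare `readonly encryptionKey?: kms.IKey;` just above), and both doc comments end in a dangling empty ` *` line. The `loggingKeyPrefix` doc should state that the prefix is mandatory even though CloudFormation documents `S3KeyPrefix` as optional, since that mismatch is the reason this interface exists.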
Expand Down Expand Up @@ -294,19 +312,11 @@ export interface ClusterProps {
readonly defaultDatabaseName?: string;

/**
* Bucket to send logs to.
* Logging information includes queries and connection attempts, for the specified Amazon Redshift cluster.
*
* @default - No Logs
*/
readonly loggingBucket?: s3.IBucket

/**
* Prefix used for logging
* Bucket details for log files to be sent to, including prefix.
*
* @default - no prefix
* @default - No logging bucket is used
*/
readonly loggingKeyPrefix?: string
readonly loggingProperties?: LoggingProperties;

/**
* The removal policy to apply when the cluster and its instances are removed
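Review bot: dropping `loggingBucket` and `loggingKeyPrefix` from `ClusterProps` is the breaking change named in the commit message, so the replacement doc line `Bucket details for log files to be sent to, including prefix.` should point readers at `LoggingProperties` and say that the prefix is required; `@default - No logging bucket is used` is fine.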
Expand Down Expand Up @@ -475,11 +485,28 @@ export class Cluster extends ClusterBase {
this.multiUserRotationApplication = secretsmanager.SecretRotationApplication.REDSHIFT_ROTATION_MULTI_USER;

let loggingProperties;
if (props.loggingBucket) {
if (props.loggingProperties) {
loggingProperties = {
bucketName: props.loggingBucket.bucketName,
s3KeyPrefix: props.loggingKeyPrefix,
bucketName: props.loggingProperties.loggingBucket.bucketName,
s3KeyPrefix: props.loggingProperties.loggingKeyPrefix,
};
props.loggingProperties.loggingBucket.addToResourcePolicy(
new iam.PolicyStatement(
{
actions: [
's3:GetBucketAcl',
's3:PutObject',
],
resources: [
props.loggingProperties.loggingBucket.arnForObjects('*'),
props.loggingProperties.loggingBucket.bucketArn,
],
principals: [
new iam.ServicePrincipal('redshift.amazonaws.com'),
],
},
),
);
}

const cluster = new CfnCluster(this, 'Resource', {
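Review bot: the return value of `addToResourcePolicy` is discarded. For a bucket imported with `fromBucketName`/`fromBucketArn` the call returns `statementAdded: false` and silently adds nothing, leaving the cluster without permission to write audit logs; for an owned bucket the returned `policyDependable` should be wired in with `cluster.node.addDependency(...)` so CloudFormation attaches the bucket policy before creating the `CfnCluster`, otherwise creation can still race the policy. Consider also adding an `aws:SourceAccount` (or `aws:SourceArn`) condition to the `redshift.amazonaws.com` statement so the bucket only accepts log writes from this account's clusters rather than from any Redshift cluster.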
1 change: 1 addition & 0 deletions packages/@aws-cdk/aws-redshift/package.json
Expand Up @@ -85,6 +85,7 @@
"@aws-cdk/integ-runner": "0.0.0",
"@aws-cdk/cfn2ts": "0.0.0",
"@aws-cdk/pkglint": "0.0.0",
"@aws-cdk/integ-tests": "0.0.0",
"@types/jest": "^27.5.2",
"aws-sdk": "^2.848.0",
"jest": "^27.5.1"
@@ -0,0 +1 @@
{}
@@ -0,0 +1,19 @@
{
"version": "20.0.0",
"files": {
"941d95acb9a710e3df3e05301e7debabdecabed59c6b395b0265d4d3be632c5f": {
"source": {
"path": "aws-cdk-redshift-cluster-loggingbucket.template.json",
"packaging": "file"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "941d95acb9a710e3df3e05301e7debabdecabed59c6b395b0265d4d3be632c5f.json",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
}
},
"dockerImages": {}
}