fix(core): Moving zones configuration to Vpc Config (#528)

* fix(core): Moving zones configuration to Vpc Config
* remove zones from global-options
* Update example config files
* Fix association of private hosted zones to VPC
* Fix adding zones to multiple vpcs in same account

Co-authored-by: Brian969 <56414362+Brian969@users.noreply.github.com>

Author: naveenkoppula

reference-artifacts/config.example.json

@@ -86,17 +86,6 @@
         "report-versioning": "OVERWRITE_REPORT"
       }
     },
-    "zones": [
-      {
-        "account": "shared-network",
-        "resolver-vpc": "Endpoint",
-        "region": "ca-central-1",
-        "names": {
-          "public": ["cloud-hosted-publicdomain.example.ca"],
-          "private": ["cloud-hosted-privatedomain.example.ca"]
-        }
-      }
-    ],
     "vpc-flow-logs": {
       "filter": "ALL",
       "interval": 60,
@@ -734,7 +723,12 @@
               "zone": "on-premise-privatedomain2.example.ca",
               "outbound-ips": ["10.254.254.1", "10.254.253.1"]
             }
-          ]
+          ],
+          "zones": {
+            "public": ["cloud-hosted-publicdomain.example.ca"],
+            "private": ["cloud-hosted-privatedomain.example.ca"]
+          },
+          "central-endpoint": true
         }
       ],
       "deployments": {

reference-artifacts/config.lite-example.json

@@ -86,17 +86,6 @@
         "report-versioning": "OVERWRITE_REPORT"
       }
     },
-    "zones": [
-      {
-        "account": "shared-network",
-        "resolver-vpc": "Endpoint",
-        "region": "ca-central-1",
-        "names": {
-          "public": ["cloud-hosted-publicdomain.example.ca"],
-          "private": ["cloud-hosted-privatedomain.example.ca"]
-        }
-      }
-    ],
     "vpc-flow-logs": {
       "filter": "ALL",
       "interval": 60,
@@ -674,7 +663,12 @@
               "zone": "on-premise-privatedomain2.example.ca",
               "outbound-ips": ["10.254.254.1", "10.254.253.1"]
             }
-          ]
+          ],
+          "zones": {
+            "public": ["cloud-hosted-publicdomain.example.ca"],
+            "private": ["cloud-hosted-privatedomain.example.ca"]
+          },
+          "central-endpoint": true
         }
       ],
       "deployments": {

src/deployments/cdk/src/apps/phase-0.ts

@@ -40,7 +40,6 @@ import * as cleanup from '../deployments/cleanup';
  * - create firewalls (step 1);
  * - create budgets (step 1);
  * - create transit gateways (step 1);
- * - create Route53 DNS logging log group;
  * - enable Macie (step 1);
  * - enable GuardDuty;
  * - enable Access Analyzer;

src/deployments/cdk/src/apps/phase-1.ts

@@ -5,20 +5,17 @@ import { pascalCase } from 'pascal-case';
 import { getAccountId, Account } from '../utils/accounts';
 import { VpcProps, VpcStack, Vpc } from '../common/vpc';
 import { Limit } from '../utils/limits';
-import { NestedStack } from '@aws-cdk/aws-cloudformation';
 import {
-  InterfaceEndpointConfig,
   PeeringConnectionConfig,
   IamConfig,
   IamConfigType,
   IamPolicyConfigType,
   VpcConfig,
 } from '@aws-accelerator/common-config';
-import { InterfaceEndpoint } from '../common/interface-endpoints';
 import { IamAssets } from '../common/iam-assets';
 import { STS } from '@aws-accelerator/common/src/aws/sts';
 import { S3 } from '@aws-accelerator/common/src/aws/s3';
-import { createRoleName, createName } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-name-generator';
+import { createRoleName } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-name-generator';
 import { CentralBucketOutput, LogBucketOutput } from '../deployments/defaults/outputs';
 import * as budget from '../deployments/billing/budget';
 import * as certificates from '../deployments/certificates';
@@ -34,10 +31,6 @@ import { getIamUserPasswordSecretValue } from '../deployments/iam';
 import * as cwlCentralLoggingToS3 from '../deployments/central-services/central-logging-s3';
 import * as vpcDeployment from '../deployments/vpc';
 import * as transitGateway from '../deployments/transit-gateway';
-import { DNS_LOGGING_LOG_GROUP_REGION } from '@aws-accelerator/common/src/util/constants';
-import { LogGroup } from '@aws-accelerator/custom-resource-logs-log-group';
-import { LogResourcePolicy } from '@aws-accelerator/custom-resource-logs-resource-policy';
-import { IamRoleOutputFinder } from '@aws-accelerator/common-outputs/src/iam-role';
 import * as centralEndpoints from '../deployments/central-endpoints';
 import { VpcOutputFinder, VpcSubnetOutput } from '@aws-accelerator/common-outputs/src/vpc';
 
@@ -197,8 +190,10 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
   };
 
   const subscriptionCheckDone: string[] = [];
+  const dnsLogGroupsAccountAndRegion: { [accoutKey: string]: boolean } = {};
   // Create all the VPCs for accounts and organizational units
   for (const { ouKey, accountKey, vpcConfig, deployments } of acceleratorConfig.getVpcConfigs()) {
+    let createPolicy = false;
     if (!limiter.create(accountKey, Limit.VpcPerRegion, vpcConfig.region)) {
       console.log(
         `Skipping VPC "${vpcConfig.name}" deployment. Reached maximum VPCs per region for account "${accountKey}" and region "${vpcConfig.region}`,
@@ -272,6 +267,22 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
       vpcConfig,
       vpcId: vpc!.id,
     });
+
+    // Create DNS Query Logging Log Group
+    if (vpcConfig.zones && vpcConfig.zones.public.length > 0) {
+      if (!dnsLogGroupsAccountAndRegion[accountKey]) {
+        createPolicy = true;
+        dnsLogGroupsAccountAndRegion[accountKey] = true;
+      }
+      await centralEndpoints.createDnsQueryLogGroup({
+        acceleratorPrefix: context.acceleratorPrefix,
+        accountKey,
+        accountStacks,
+        outputs,
+        vpcConfig,
+        createPolicy,
+      });
+    }
   }
 
   // Create the firewall
@@ -471,57 +482,6 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
     outputs,
   });
 
-  /**
-   * Code to create LogGroups required for DNS Logging
-   */
-  const globalOptionsConfig = acceleratorConfig['global-options'];
-  const zoneConfig = globalOptionsConfig.zones.find(zc => zc.names);
-  const zonesAccountKey = zoneConfig?.account!;
-
-  const zonesStack = accountStacks.getOrCreateAccountStack(zonesAccountKey, DNS_LOGGING_LOG_GROUP_REGION);
-  const logGroupLambdaRoleOutput = IamRoleOutputFinder.tryFindOneByName({
-    outputs,
-    accountKey: zonesAccountKey,
-    roleKey: 'LogGroupRole',
-  });
-  if (logGroupLambdaRoleOutput) {
-    const logGroups =
-      zoneConfig?.names?.public.map(phz => {
-        const logGroupName = centralEndpoints.createR53LogGroupName({
-          acceleratorPrefix: context.acceleratorPrefix,
-          domain: phz,
-        });
-        return new LogGroup(zonesStack, `Route53HostedZoneLogGroup${pascalCase(phz)}`, {
-          logGroupName,
-          roleArn: logGroupLambdaRoleOutput.roleArn,
-        });
-      }) || [];
-
-    if (logGroups.length > 0) {
-      const wildcardLogGroupName = centralEndpoints.createR53LogGroupName({
-        acceleratorPrefix: context.acceleratorPrefix,
-        domain: '*',
-      });
-
-      // Allow r53 services to write to the log group
-      const logGroupPolicy = new LogResourcePolicy(zonesStack, 'R53LogGroupPolicy', {
-        policyName: createName({
-          name: 'query-logging-pol',
-        }),
-        policyStatements: [
-          new iam.PolicyStatement({
-            actions: ['logs:CreateLogStream', 'logs:PutLogEvents'],
-            principals: [new iam.ServicePrincipal('route53.amazonaws.com')],
-            resources: [`arn:aws:logs:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:log-group:${wildcardLogGroupName}`],
-          }),
-        ],
-      });
-      for (const logGroup of logGroups) {
-        logGroupPolicy.node.addDependency(logGroup);
-      }
-    }
-  }
-
   /**
    * DisAssociate HostedZone to VPC
    * - On Adding of InterfaceEndpoint in local VPC whose use-central-endpoint: true and Endpoint also esists in Central VPC

src/deployments/cdk/src/deployments/central-endpoints/dns-query-log-group.ts

@@ -0,0 +1,74 @@
+import * as iam from '@aws-cdk/aws-iam';
+import * as cdk from '@aws-cdk/core';
+
+import { VpcConfig } from '@aws-accelerator/common-config';
+import { IamRoleOutputFinder } from '@aws-accelerator/common-outputs/src/iam-role';
+import { StackOutput } from '@aws-accelerator/common-outputs/src/stack-output';
+import { DNS_LOGGING_LOG_GROUP_REGION } from '@aws-accelerator/common/src/util/constants';
+import { pascalCase } from 'pascal-case';
+import { AccountStacks } from '../../common/account-stacks';
+import { createR53LogGroupName } from './step-1';
+import { LogGroup } from '@aws-accelerator/custom-resource-logs-log-group';
+import { LogResourcePolicy } from '@aws-accelerator/custom-resource-logs-resource-policy';
+import { createName } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-name-generator';
+
+export interface CreateDnsQueryLogGroupProps {
+  vpcConfig: VpcConfig;
+  accountKey: string;
+  accountStacks: AccountStacks;
+  outputs: StackOutput[];
+  acceleratorPrefix: string;
+  createPolicy: boolean;
+}
+
+export async function createDnsQueryLogGroup(props: CreateDnsQueryLogGroupProps) {
+  const { acceleratorPrefix, accountKey, vpcConfig, accountStacks, outputs, createPolicy } = props;
+  if (!vpcConfig.zones || !vpcConfig.zones.public) {
+    return;
+  }
+  const zonesStack = accountStacks.getOrCreateAccountStack(accountKey, DNS_LOGGING_LOG_GROUP_REGION);
+  const logGroupLambdaRoleOutput = IamRoleOutputFinder.tryFindOneByName({
+    outputs,
+    accountKey,
+    roleKey: 'LogGroupRole',
+  });
+
+  if (!logGroupLambdaRoleOutput) {
+    console.warn(`LogGroupRole not found in account "${accountKey}"`);
+    return;
+  }
+  const logGroups =
+    vpcConfig.zones.public.map(phz => {
+      const logGroupName = createR53LogGroupName({
+        acceleratorPrefix,
+        domain: phz,
+      });
+      return new LogGroup(zonesStack, `Route53HostedZoneLogGroup${pascalCase(phz)}`, {
+        logGroupName,
+        roleArn: logGroupLambdaRoleOutput.roleArn,
+      });
+    }) || [];
+  if (logGroups.length > 0 && createPolicy) {
+    const wildcardLogGroupName = createR53LogGroupName({
+      acceleratorPrefix,
+      domain: '*',
+    });
+
+    // Allow r53 services to write to the log group
+    const logGroupPolicy = new LogResourcePolicy(zonesStack, 'R53LogGroupPolicy', {
+      policyName: createName({
+        name: 'query-logging-pol',
+      }),
+      policyStatements: [
+        new iam.PolicyStatement({
+          actions: ['logs:CreateLogStream', 'logs:PutLogEvents'],
+          principals: [new iam.ServicePrincipal('route53.amazonaws.com')],
+          resources: [`arn:aws:logs:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:log-group:${wildcardLogGroupName}`],
+        }),
+      ],
+    });
+    for (const logGroup of logGroups) {
+      logGroupPolicy.node.addDependency(logGroup);
+    }
+  }
+}

src/deployments/cdk/src/deployments/central-endpoints/index.ts

@@ -4,3 +4,4 @@ export * from './step-2';
 export * from './step-3';
 export * from './step-4';
 export * from './step-5';
+export * from './dns-query-log-group';