fix(core): Fix creation of LogGroup for Route53 hosted zone Logging (#356)

naveenkoppula · web-flow · commit 4ff03a8153ff · 2020-08-26T14:46:48.000+05:30
* Fix creation of LogGroup for Route53 hosted zone Logging (v117)
diff --git a/src/deployments/cdk/src/apps/phase-0.ts b/src/deployments/cdk/src/apps/phase-0.ts
@@ -1,8 +1,5 @@
 import * as cdk from '@aws-cdk/core';
 import * as accessanalyzer from '@aws-cdk/aws-accessanalyzer';
-import * as iam from '@aws-cdk/aws-iam';
-import { LogGroup } from '@aws-accelerator/custom-resource-logs-log-group';
-import { LogResourcePolicy } from '@aws-accelerator/custom-resource-logs-resource-policy';
 import { createName } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-name-generator';
 import * as outputKeys from '@aws-accelerator/common-outputs/src/stack-output';
 import * as artifactsDeployment from '../deployments/artifacts';
@@ -15,14 +12,20 @@ import * as madDeployment from '../deployments/mad';
 import * as secretsDeployment from '../deployments/secrets';
 import * as guardDutyDeployment from '../deployments/guardduty';
 import { PhaseInput } from './shared';
-import { DNS_LOGGING_LOG_GROUP_REGION } from '@aws-accelerator/common/src/util/constants';
-import { createR53LogGroupName } from '../common/r53-zones';
 import * as accountWarming from '../deployments/account-warming';
 import * as passwordPolicy from '../deployments/iam-password-policy';
 import * as transitGateway from '../deployments/transit-gateway';
 import { getAccountId } from '../utils/accounts';
 import * as rsyslogDeployment from '../deployments/rsyslog';
-import { IamRoleOutputFinder } from '@aws-accelerator/common-outputs/src/iam-role';
+
+/**********************************************************
+ * DO NOT DEPEND ON OUTPUTS IN PHASE 0                    *
+ * SINCE WE ARE CREATING CENTRAL BUCKET IN PHASE-0        *
+ * AND FRESH INSTALL WILL FAIL SINCE WE WILL NOT HAVE ANY *
+ * OUTPUTS CREATED IN PHASE -1                            *
+ * (EXCEPT) ACCOUNTWARMING SINCE WE DON'T NEED OUTPUTS    *
+ * ACCOUNTWARMING IN FIRST RUN                            *
+ **********************************************************/
 
 /**
  * This is the main entry point to deploy phase 0.
@@ -175,56 +178,6 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
     logBucket,
   });
 
-  /**
-   * Code to create LogGroups required for DNS Logging
-   */
-  const globalOptionsConfig = acceleratorConfig['global-options'];
-  const zonesConfig = globalOptionsConfig.zones;
-  const zonesAccountKey = zonesConfig.account;
-
-  const zonesStack = accountStacks.getOrCreateAccountStack(zonesAccountKey, DNS_LOGGING_LOG_GROUP_REGION);
-  const logGroupLambdaRoleOutput = IamRoleOutputFinder.tryFindOneByName({
-    outputs,
-    accountKey: zonesAccountKey,
-    roleKey: 'LogGroupRole',
-  });
-  if (logGroupLambdaRoleOutput) {
-    const logGroups = zonesConfig.names.public.map(phz => {
-      const logGroupName = createR53LogGroupName({
-        acceleratorPrefix: context.acceleratorPrefix,
-        domain: phz,
-      });
-      return new LogGroup(zonesStack, `Route53HostedZoneLogGroup`, {
-        logGroupName,
-        roleArn: logGroupLambdaRoleOutput.roleArn,
-      });
-    });
-
-    if (logGroups.length > 0) {
-      const wildcardLogGroupName = createR53LogGroupName({
-        acceleratorPrefix: context.acceleratorPrefix,
-        domain: '*',
-      });
-
-      // Allow r53 services to write to the log group
-      const logGroupPolicy = new LogResourcePolicy(zonesStack, 'R53LogGroupPolicy', {
-        policyName: createName({
-          name: 'query-logging-pol',
-        }),
-        policyStatements: [
-          new iam.PolicyStatement({
-            actions: ['logs:CreateLogStream', 'logs:PutLogEvents'],
-            principals: [new iam.ServicePrincipal('route53.amazonaws.com')],
-            resources: [`arn:aws:logs:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:log-group:${wildcardLogGroupName}`],
-          }),
-        ],
-      });
-      for (const logGroup of logGroups) {
-        logGroupPolicy.node.addDependency(logGroup);
-      }
-    }
-  }
-
   // TODO Deprecate these outputs
   const logArchiveAccountKey = acceleratorConfig['global-options']['central-log-services'].account;
   const logArchiveStack = accountStacks.getOrCreateAccountStack(logArchiveAccountKey);
diff --git a/src/deployments/cdk/src/apps/phase-1.ts b/src/deployments/cdk/src/apps/phase-1.ts
@@ -18,7 +18,7 @@ import { InterfaceEndpoint } from '../common/interface-endpoints';
 import { IamAssets } from '../common/iam-assets';
 import { STS } from '@aws-accelerator/common/src/aws/sts';
 import { S3 } from '@aws-accelerator/common/src/aws/s3';
-import { createRoleName } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-name-generator';
+import { createRoleName, createName } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-name-generator';
 import { CentralBucketOutput, LogBucketOutput } from '../deployments/defaults/outputs';
 import * as budget from '../deployments/billing/budget';
 import * as certificates from '../deployments/certificates';
@@ -33,6 +33,11 @@ import { PhaseInput } from './shared';
 import { getIamUserPasswordSecretValue } from '../deployments/iam';
 import * as cwlCentralLoggingToS3 from '../deployments/central-services/central-logging-s3';
 import * as vpcDeployment from '../deployments/vpc';
+import { DNS_LOGGING_LOG_GROUP_REGION } from '@aws-accelerator/common/src/util/constants';
+import { createR53LogGroupName } from '../common/r53-zones';
+import { LogGroup } from '@aws-accelerator/custom-resource-logs-log-group';
+import { LogResourcePolicy } from '@aws-accelerator/custom-resource-logs-resource-policy';
+import { IamRoleOutputFinder } from '@aws-accelerator/common-outputs/src/iam-role';
 
 export interface IamPolicyArtifactsOutput {
   bucketArn: string;
@@ -447,4 +452,54 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
     config: acceleratorConfig,
     accounts,
   });
+
+  /**
+   * Code to create LogGroups required for DNS Logging
+   */
+  const globalOptionsConfig = acceleratorConfig['global-options'];
+  const zonesConfig = globalOptionsConfig.zones;
+  const zonesAccountKey = zonesConfig.account;
+
+  const zonesStack = accountStacks.getOrCreateAccountStack(zonesAccountKey, DNS_LOGGING_LOG_GROUP_REGION);
+  const logGroupLambdaRoleOutput = IamRoleOutputFinder.tryFindOneByName({
+    outputs,
+    accountKey: zonesAccountKey,
+    roleKey: 'LogGroupRole',
+  });
+  if (logGroupLambdaRoleOutput) {
+    const logGroups = zonesConfig.names.public.map(phz => {
+      const logGroupName = createR53LogGroupName({
+        acceleratorPrefix: context.acceleratorPrefix,
+        domain: phz,
+      });
+      return new LogGroup(zonesStack, `Route53HostedZoneLogGroup`, {
+        logGroupName,
+        roleArn: logGroupLambdaRoleOutput.roleArn,
+      });
+    });
+
+    if (logGroups.length > 0) {
+      const wildcardLogGroupName = createR53LogGroupName({
+        acceleratorPrefix: context.acceleratorPrefix,
+        domain: '*',
+      });
+
+      // Allow r53 services to write to the log group
+      const logGroupPolicy = new LogResourcePolicy(zonesStack, 'R53LogGroupPolicy', {
+        policyName: createName({
+          name: 'query-logging-pol',
+        }),
+        policyStatements: [
+          new iam.PolicyStatement({
+            actions: ['logs:CreateLogStream', 'logs:PutLogEvents'],
+            principals: [new iam.ServicePrincipal('route53.amazonaws.com')],
+            resources: [`arn:aws:logs:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:log-group:${wildcardLogGroupName}`],
+          }),
+        ],
+      });
+      for (const logGroup of logGroups) {
+        logGroupPolicy.node.addDependency(logGroup);
+      }
+    }
+  }
 }
diff --git a/src/deployments/cdk/test/apps/__snapshots__/unsupported-changed.spec.ts.snap b/src/deployments/cdk/test/apps/__snapshots__/unsupported-changed.spec.ts.snap
@@ -534,8 +534,6 @@ exports[`there should not be any unsupported resource changes for AWS::Budgets::
 
 exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase0 1`] = `Array []`;
 
-exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase0UsEast1 1`] = `Array []`;
-
 exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1 1`] = `
 Array [
   Object {
@@ -610,6 +608,8 @@ exports[`there should not be any unsupported resource changes for AWS::Budgets::
 
 exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
 
+exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1UsEast1 1`] = `Array []`;
+
 exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
 
 exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
@@ -809,8 +809,6 @@ exports[`there should not be any unsupported resource changes for AWS::Directory
 
 exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase0 1`] = `Array []`;
 
-exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase0UsEast1 1`] = `Array []`;
-
 exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1 1`] = `Array []`;
 
 exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
@@ -819,6 +817,8 @@ exports[`there should not be any unsupported resource changes for AWS::Directory
 
 exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
 
+exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1UsEast1 1`] = `Array []`;
+
 exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
 
 exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
@@ -1072,8 +1072,6 @@ exports[`there should not be any unsupported resource changes for AWS::EC2::Inst
 
 exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase0 1`] = `Array []`;
 
-exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase0UsEast1 1`] = `Array []`;
-
 exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1 1`] = `Array []`;
 
 exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
@@ -1082,6 +1080,8 @@ exports[`there should not be any unsupported resource changes for AWS::EC2::Inst
 
 exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
 
+exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1UsEast1 1`] = `Array []`;
+
 exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
 
 exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
@@ -1205,8 +1205,6 @@ Array [
 ]
 `;
 
-exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase0UsEast1 1`] = `Array []`;
-
 exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1 1`] = `Array []`;
 
 exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
@@ -1215,6 +1213,8 @@ exports[`there should not be any unsupported resource changes for AWS::EC2::Tran
 
 exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
 
+exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1UsEast1 1`] = `Array []`;
+
 exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
 
 exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
@@ -1334,8 +1334,6 @@ exports[`there should not be any unsupported resource changes for AWS::ElasticLo
 
 exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase0 1`] = `Array []`;
 
-exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase0UsEast1 1`] = `Array []`;
-
 exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1 1`] = `Array []`;
 
 exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
@@ -1344,6 +1342,8 @@ exports[`there should not be any unsupported resource changes for AWS::ElasticLo
 
 exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
 
+exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1UsEast1 1`] = `Array []`;
+
 exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
 
 exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
@@ -1529,8 +1529,6 @@ exports[`there should not be any unsupported resource changes for AWS::S3::Bucke
 
 exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase0 1`] = `Array []`;
 
-exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase0UsEast1 1`] = `Array []`;
-
 exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1 1`] = `
 Array [
   Object {
@@ -1549,6 +1547,8 @@ exports[`there should not be any unsupported resource changes for AWS::S3::Bucke
 
 exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
 
+exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1UsEast1 1`] = `Array []`;
+
 exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
 
 exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
@@ -1724,8 +1724,6 @@ exports[`there should not be any unsupported resource changes for AWS::SecretsMa
 
 exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase0 1`] = `Array []`;
 
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase0UsEast1 1`] = `Array []`;
-
 exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1 1`] = `Array []`;
 
 exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
@@ -1734,6 +1732,8 @@ exports[`there should not be any unsupported resource changes for AWS::SecretsMa
 
 exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
 
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1UsEast1 1`] = `Array []`;
+
 exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
 
 exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
@@ -1901,8 +1901,6 @@ exports[`there should not be any unsupported resource changes for AWS::SecretsMa
 
 exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase0 1`] = `Array []`;
 
-exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase0UsEast1 1`] = `Array []`;
-
 exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1 1`] = `Array []`;
 
 exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`;
@@ -1911,6 +1909,8 @@ exports[`there should not be any unsupported resource changes for AWS::SecretsMa
 
 exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`;
 
+exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1UsEast1 1`] = `Array []`;
+
 exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`;
 
 exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;
