
Commit 94f4c59

Lookup ELB account using CDK region info (#442)
1 parent 90da978 commit 94f4c59


2 files changed

+11
-3
lines changed

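--- a/src/deployments/cdk/package.json
+++ b/src/deployments/cdk/package.json
@@ -126,6 +126,7 @@
 "@aws-cdk/aws-stepfunctions": "1.66.0",
 "@aws-cdk/core": "1.66.0",
 "@aws-cdk/custom-resources": "1.66.0",
+"@aws-cdk/region-info": "1.66.0",
 "@types/cfn-response": "^1.0.3",
 "@types/semver": "^7.3.3",
 "colors": "1.4.0",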

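--- a/src/deployments/cdk/src/deployments/defaults/step-1.ts
+++ b/src/deployments/cdk/src/deployments/defaults/step-1.ts
@@ -2,6 +2,7 @@ import * as cdk from '@aws-cdk/core';
 import * as iam from '@aws-cdk/aws-iam';
 import * as kms from '@aws-cdk/aws-kms';
 import * as s3 from '@aws-cdk/aws-s3';
+import { RegionInfo } from '@aws-cdk/region-info';
 import { EbsDefaultEncryption } from '@aws-accelerator/custom-resource-ec2-ebs-default-encryption';
 import { S3CopyFiles } from '@aws-accelerator/custom-resource-s3-copy-files';
 import { S3PublicAccessBlock } from '@aws-accelerator/custom-resource-s3-public-access-block';
@@ -30,7 +31,7 @@ export interface DefaultsStep1Props {
 export interface DefaultsStep1Result {
 centralBucketCopy: s3.Bucket;
 centralLogBucket: s3.Bucket;
-aesLogBucket: s3.Bucket;
+aesLogBucket?: s3.Bucket;
 accountEbsEncryptionKeys: AccountRegionEbsEncryptionKeys;
 }
 
@@ -293,6 +294,13 @@ function createAesLogBucket(props: DefaultsStep1Props) {
 const logAccountConfig = config['global-options']['central-log-services'];
 const logAccountStack = accountStacks.getOrCreateAccountStack(logAccountConfig.account);
 
+const regionInfo = RegionInfo.get(logAccountStack.region);
+const elbv2Account = regionInfo?.elbv2Account;
+if (!elbv2Account) {
+console.warn(`Cannot enable access logging; don't know ELBv2 account for region ${logAccountConfig.region}`);
+return;
+}
+
 const logBucket = new s3.Bucket(logAccountStack, 'AesBucket', {
 versioned: true,
 blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
@@ -306,10 +314,9 @@ function createAesLogBucket(props: DefaultsStep1Props) {
 
 accounts.map(a => logBucket.grantRead(new iam.AccountPrincipal(a.id)));
 
-// TODO remove hard coded ELB ca-central-1 region account id
 logBucket.addToResourcePolicy(
 new iam.PolicyStatement({
-principals: [new iam.AccountPrincipal('985666609251')],
+principals: [new iam.AccountPrincipal(elbv2Account)],
 actions: ['s3:PutObject'],
 resources: [`${logBucket.bucketArn}/*`],
 }),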
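Review bot: The new guard in createAesLogBucket resolves the ELBv2 account from `logAccountStack.region` but the warning reports `logAccountConfig.region`; if those two values ever differ the diagnostic names the wrong region, so the message should use the same source as the lookup: `console.warn(`Cannot enable access logging; don't know ELBv2 account for region ${logAccountStack.region}`);`. A missing mapping also now turns into a silently skipped access-log bucket — the function returns undefined and aesLogBucket became optional — so an unsupported region, or one that is still an unresolved token when RegionInfo.get runs (worth confirming), leaves ELB access logging disabled with only a console line as evidence; consider failing the deployment instead, or at least documenting on DefaultsStep1Result why the field can be absent, e.g. `/** Undefined when the log account's region has no known ELBv2 log-delivery account; ELB access logging is then not configured. */`. Callers that previously relied on aesLogBucket being present are outside this section and need the undefined check. createAesLogBucket begins and ends outside the hunks shown.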
