diff --git a/src/deployments/cdk/src/apps/phase-0.ts b/src/deployments/cdk/src/apps/phase-0.ts
index 526456398..952aa2f9e 100644
--- a/src/deployments/cdk/src/apps/phase-0.ts
+++ b/src/deployments/cdk/src/apps/phase-0.ts
@@ -1,8 +1,5 @@
 import * as cdk from '@aws-cdk/core';
 import * as accessanalyzer from '@aws-cdk/aws-accessanalyzer';
-import * as iam from '@aws-cdk/aws-iam';
-import { LogGroup } from '@aws-accelerator/custom-resource-logs-log-group';
-import { LogResourcePolicy } from '@aws-accelerator/custom-resource-logs-resource-policy';
 import { createName } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-name-generator';
 import * as outputKeys from '@aws-accelerator/common-outputs/src/stack-output';
 import * as artifactsDeployment from '../deployments/artifacts';
@@ -15,14 +12,20 @@ import * as madDeployment from '../deployments/mad'; import * as secretsDeployment from '../deployments/secrets'; import * as guardDutyDeployment from '../deployments/guardduty'; import { PhaseInput } from './shared'; -import { DNS_LOGGING_LOG_GROUP_REGION } from '@aws-accelerator/common/src/util/constants'; -import { createR53LogGroupName } from '../common/r53-zones'; import * as accountWarming from '../deployments/account-warming'; import * as passwordPolicy from '../deployments/iam-password-policy'; import * as transitGateway from '../deployments/transit-gateway'; import { getAccountId } from '../utils/accounts'; import * as rsyslogDeployment from '../deployments/rsyslog'; -import { IamRoleOutputFinder } from '@aws-accelerator/common-outputs/src/iam-role'; + +/********************************************************** + * DO NOT DEPEND ON OUTPUTS IN PHASE 0 * + * SINCE WE ARE CREATING CENTRAL BUCKET IN PHASE-0 * + * AND FRESH INSTALL WILL FAIL SINCE WE WILL NOT HAVE ANY * + * OUTPUTS CREATED IN PHASE -1 * + * (EXCEPT) ACCOUNTWARMING SINCE WE DON'T NEED OUTPUTS * + * ACCOUNTWARMING IN FIRST RUN * + **********************************************************/ /** * This is the main entry point to deploy phase 0. 
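Review bot: The banner inserted above the `deploy` docstring records the phase-0 rule ("do not depend on outputs") only as an all-caps comment that no tooling enforces; folding it into the existing TSDoc as a `@remarks` section makes it visible on hover, and a small test asserting that phase-0.ts imports nothing from `@aws-accelerator/common-outputs` beyond what account warming needs would actually enforce it. The last two lines, "(EXCEPT) ACCOUNTWARMING SINCE WE DON'T NEED OUTPUTS ACCOUNTWARMING IN FIRST RUN", are hard to parse; something like `Exception: account-warming may read outputs, because it tolerates their absence on a fresh install.` states the intent more clearly. The `deploy` function this banner documents starts outside the hunk.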
@@ -175,56 +178,6 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
 logBucket,
 });
 
- /**
- * Code to create LogGroups required for DNS Logging
- */
- const globalOptionsConfig = acceleratorConfig['global-options'];
- const zonesConfig = globalOptionsConfig.zones;
- const zonesAccountKey = zonesConfig.account;
-
- const zonesStack = accountStacks.getOrCreateAccountStack(zonesAccountKey, DNS_LOGGING_LOG_GROUP_REGION);
- const logGroupLambdaRoleOutput = IamRoleOutputFinder.tryFindOneByName({
- outputs,
- accountKey: zonesAccountKey,
- roleKey: 'LogGroupRole',
- });
- if (logGroupLambdaRoleOutput) {
- const logGroups = zonesConfig.names.public.map(phz => {
- const logGroupName = createR53LogGroupName({
- acceleratorPrefix: context.acceleratorPrefix,
- domain: phz,
- });
- return new LogGroup(zonesStack, `Route53HostedZoneLogGroup`, {
- logGroupName,
- roleArn: logGroupLambdaRoleOutput.roleArn,
- });
- });
-
- if (logGroups.length > 0) {
- const wildcardLogGroupName = createR53LogGroupName({
- acceleratorPrefix: context.acceleratorPrefix,
- domain: '*',
- });
-
- // Allow r53 services to write to the log group
- const logGroupPolicy = new LogResourcePolicy(zonesStack, 'R53LogGroupPolicy', {
- policyName: createName({
- name: 'query-logging-pol',
- }),
- policyStatements: [
- new iam.PolicyStatement({
- actions: ['logs:CreateLogStream', 'logs:PutLogEvents'],
- principals: [new iam.ServicePrincipal('route53.amazonaws.com')],
- resources: [`arn:aws:logs:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:log-group:${wildcardLogGroupName}`],
- }),
- ],
- });
- for (const logGroup of logGroups) {
- logGroupPolicy.node.addDependency(logGroup);
- }
- }
- }
-
 // TODO Deprecate these outputs
 const logArchiveAccountKey = acceleratorConfig['global-options']['central-log-services'].account;
 const logArchiveStack = accountStacks.getOrCreateAccountStack(logArchiveAccountKey);
diff --git a/src/deployments/cdk/src/apps/phase-1.ts b/src/deployments/cdk/src/apps/phase-1.ts
index a9700ca46..c6ec78fee 100644
--- a/src/deployments/cdk/src/apps/phase-1.ts
+++ b/src/deployments/cdk/src/apps/phase-1.ts
@@ -18,7 +18,7 @@ import { InterfaceEndpoint } from '../common/interface-endpoints';
 import { IamAssets } from '../common/iam-assets';
 import { STS } from '@aws-accelerator/common/src/aws/sts';
 import { S3 } from '@aws-accelerator/common/src/aws/s3';
-import { createRoleName } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-name-generator';
+import { createRoleName, createName } from '@aws-accelerator/cdk-accelerator/src/core/accelerator-name-generator';
 import { CentralBucketOutput, LogBucketOutput } from '../deployments/defaults/outputs';
 import * as budget from '../deployments/billing/budget';
 import * as certificates from '../deployments/certificates';
@@ -33,6 +33,11 @@ import { PhaseInput } from './shared';
 import { getIamUserPasswordSecretValue } from '../deployments/iam';
 import * as cwlCentralLoggingToS3 from '../deployments/central-services/central-logging-s3';
 import * as vpcDeployment from '../deployments/vpc';
+import { DNS_LOGGING_LOG_GROUP_REGION } from '@aws-accelerator/common/src/util/constants';
+import { createR53LogGroupName } from '../common/r53-zones';
+import { LogGroup } from '@aws-accelerator/custom-resource-logs-log-group';
+import { LogResourcePolicy } from '@aws-accelerator/custom-resource-logs-resource-policy';
+import { IamRoleOutputFinder } from '@aws-accelerator/common-outputs/src/iam-role';
 
 export interface IamPolicyArtifactsOutput {
 bucketArn: string;
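Review bot: The second hunk adds imports for `LogGroup`, `LogResourcePolicy`, `IamRoleOutputFinder`, `createR53LogGroupName` and `DNS_LOGGING_LOG_GROUP_REGION`, but the block moved into `deploy` later in this file also references `iam.PolicyStatement`, `iam.ServicePrincipal` and `cdk.Aws`, and phase-0.ts drops its `@aws-cdk/aws-iam` import in the same commit; phase-1.ts presumably already imports `* as iam` and `* as cdk` (not visible in these hunks), but that should be confirmed before merge rather than assumed. Style: the five new imports are appended after the relative `../deployments/...` imports, mixing package and local modules; grouping them with the other `@aws-accelerator/...` imports near the top keeps the import block readable.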
@@ -447,4 +452,54 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
 config: acceleratorConfig,
 accounts,
 });
+
+ /**
+ * Code to create LogGroups required for DNS Logging
+ */
+ const globalOptionsConfig = acceleratorConfig['global-options'];
+ const zonesConfig = globalOptionsConfig.zones;
+ const zonesAccountKey = zonesConfig.account;
+
+ const zonesStack = accountStacks.getOrCreateAccountStack(zonesAccountKey, DNS_LOGGING_LOG_GROUP_REGION);
+ const logGroupLambdaRoleOutput = IamRoleOutputFinder.tryFindOneByName({
+ outputs,
+ accountKey: zonesAccountKey,
+ roleKey: 'LogGroupRole',
+ });
+ if (logGroupLambdaRoleOutput) {
+ const logGroups = zonesConfig.names.public.map(phz => {
+ const logGroupName = createR53LogGroupName({
+ acceleratorPrefix: context.acceleratorPrefix,
+ domain: phz,
+ });
+ return new LogGroup(zonesStack, `Route53HostedZoneLogGroup`, {
+ logGroupName,
+ roleArn: logGroupLambdaRoleOutput.roleArn,
+ });
+ });
+
+ if (logGroups.length > 0) {
+ const wildcardLogGroupName = createR53LogGroupName({
+ acceleratorPrefix: context.acceleratorPrefix,
+ domain: '*',
+ });
+
+ // Allow r53 services to write to the log group
+ const logGroupPolicy = new LogResourcePolicy(zonesStack, 'R53LogGroupPolicy', {
+ policyName: createName({
+ name: 'query-logging-pol',
+ }),
+ policyStatements: [
+ new iam.PolicyStatement({
+ actions: ['logs:CreateLogStream', 'logs:PutLogEvents'],
+ principals: [new iam.ServicePrincipal('route53.amazonaws.com')],
+ resources: [`arn:aws:logs:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:log-group:${wildcardLogGroupName}`],
+ }),
+ ],
+ });
+ for (const logGroup of logGroups) {
+ logGroupPolicy.node.addDependency(logGroup);
+ }
+ }
+ }
 }
diff --git a/src/deployments/cdk/test/apps/__snapshots__/unsupported-changed.spec.ts.snap b/src/deployments/cdk/test/apps/__snapshots__/unsupported-changed.spec.ts.snap
index cc3586504..0a62225e7 100644
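Review bot: `zonesConfig.names.public.map(phz => ...)` passes the same construct id `Route53HostedZoneLogGroup` to every `new LogGroup(zonesStack, ...)`, so with two or more public hosted zones the second construct fails at synth with a duplicate-id error; derive the id from the zone, e.g. `` `Route53HostedZoneLogGroup${phz}` ``, noting that this changes the logical id (and thus replaces the log group) on stacks already deployed with a single zone. The resource policy grants `route53.amazonaws.com` `logs:CreateLogStream`/`logs:PutLogEvents` on every log group matching the wildcard name with no confused-deputy guard; adding `conditions` that pin `aws:SourceAccount` to `cdk.Aws.ACCOUNT_ID` restricts it to query-logging configurations owned by this account (assuming the public zones live in the zones account, which the config layout suggests — verify). When `IamRoleOutputFinder.tryFindOneByName` returns nothing the entire DNS query-logging setup is skipped silently; emit a warning on that branch (the file's logger or `console.warn`) so a missing logging control is visible in deployment output. `deploy` begins outside the hunk; only its tail is shown here.
```typescript
    const logGroups = zonesConfig.names.public.map(phz => {
      // … unchanged: logGroupName via createR53LogGroupName …
      return new LogGroup(zonesStack, `Route53HostedZoneLogGroup${phz}`, {
        logGroupName,
        roleArn: logGroupLambdaRoleOutput.roleArn,
      });
    });
    // … unchanged: wildcardLogGroupName and LogResourcePolicy wrapper …
          new iam.PolicyStatement({
            actions: ['logs:CreateLogStream', 'logs:PutLogEvents'],
            principals: [new iam.ServicePrincipal('route53.amazonaws.com')],
            resources: [`arn:aws:logs:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:log-group:${wildcardLogGroupName}`],
            // Confused-deputy guard: only query-logging configs owned by this account may write here
            conditions: {
              StringEquals: { 'aws:SourceAccount': cdk.Aws.ACCOUNT_ID },
            },
          }),
```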
--- a/src/deployments/cdk/test/apps/__snapshots__/unsupported-changed.spec.ts.snap +++ b/src/deployments/cdk/test/apps/__snapshots__/unsupported-changed.spec.ts.snap @@ -534,8 +534,6 @@ exports[`there should not be any unsupported resource changes for AWS::Budgets:: exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase0 1`] = `Array []`; -exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase0UsEast1 1`] = `Array []`; - exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1 1`] = ` Array [ Object { @@ -610,6 +608,8 @@ exports[`there should not be any unsupported resource changes for AWS::Budgets:: exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`; +exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1UsEast1 1`] = `Array []`; + exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`; exports[`there should not be any unsupported resource changes for AWS::Budgets::Budget: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`; 
@@ -809,8 +809,6 @@ exports[`there should not be any unsupported resource changes for AWS::Directory exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase0 1`] = `Array []`; -exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase0UsEast1 1`] = `Array []`; - exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1 1`] = `Array []`; exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`; @@ -819,6 +817,8 @@ exports[`there should not be any unsupported resource changes for AWS::Directory exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`; +exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1UsEast1 1`] = `Array []`; + exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`; exports[`there should not be any unsupported resource changes for AWS::DirectoryService::MicrosoftAD: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`; 
@@ -1072,8 +1072,6 @@ exports[`there should not be any unsupported resource changes for AWS::EC2::Inst exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase0 1`] = `Array []`; -exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase0UsEast1 1`] = `Array []`; - exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1 1`] = `Array []`; exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`; @@ -1082,6 +1080,8 @@ exports[`there should not be any unsupported resource changes for AWS::EC2::Inst exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`; +exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1UsEast1 1`] = `Array []`; + exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`; exports[`there should not be any unsupported resource changes for AWS::EC2::Instance: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`; @@ -1205,8 +1205,6 @@ Array [ ] `; -exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase0UsEast1 1`] = `Array []`; - exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1 1`] = `Array []`; exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`; 
@@ -1215,6 +1213,8 @@ exports[`there should not be any unsupported resource changes for AWS::EC2::Tran exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`; +exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1UsEast1 1`] = `Array []`; + exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`; exports[`there should not be any unsupported resource changes for AWS::EC2::TransitGateway: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`; @@ -1334,8 +1334,6 @@ exports[`there should not be any unsupported resource changes for AWS::ElasticLo exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase0 1`] = `Array []`; -exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase0UsEast1 1`] = `Array []`; - exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1 1`] = `Array []`; exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`; 
@@ -1344,6 +1342,8 @@ exports[`there should not be any unsupported resource changes for AWS::ElasticLo exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`; +exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1UsEast1 1`] = `Array []`; + exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`; exports[`there should not be any unsupported resource changes for AWS::ElasticLoadBalancingV2::LoadBalancer: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`; @@ -1529,8 +1529,6 @@ exports[`there should not be any unsupported resource changes for AWS::S3::Bucke exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase0 1`] = `Array []`; -exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase0UsEast1 1`] = `Array []`; - exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1 1`] = ` Array [ Object { @@ -1549,6 +1547,8 @@ exports[`there should not be any unsupported resource changes for AWS::S3::Bucke exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`; +exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1UsEast1 1`] = `Array []`; + exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`; exports[`there should not be any unsupported resource changes for AWS::S3::Bucket: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`; 
@@ -1724,8 +1724,6 @@ exports[`there should not be any unsupported resource changes for AWS::SecretsMa exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase0 1`] = `Array []`; -exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase0UsEast1 1`] = `Array []`; - exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1 1`] = `Array []`; exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`; @@ -1734,6 +1732,8 @@ exports[`there should not be any unsupported resource changes for AWS::SecretsMa exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`; +exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1UsEast1 1`] = `Array []`; + exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`; exports[`there should not be any unsupported resource changes for AWS::SecretsManager::ResourcePolicy: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`; 
@@ -1901,8 +1901,6 @@ exports[`there should not be any unsupported resource changes for AWS::SecretsMa exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase0 1`] = `Array []`; -exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase0UsEast1 1`] = `Array []`; - exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1 1`] = `Array []`; exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1Endpoint0CD50B8FF 1`] = `Array []`; @@ -1911,6 +1909,8 @@ exports[`there should not be any unsupported resource changes for AWS::SecretsMa exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1Endpoint125DF8CB0 1`] = `Array []`; +exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1UsEast1 1`] = `Array []`; + exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1VpcStackCentralB4A762DD 1`] = `Array []`; exports[`there should not be any unsupported resource changes for AWS::SecretsManager::Secret: SharedNetworkPhase1VpcStackDev3F77197C 1`] = `Array []`;