diff --git a/CHANGELOG.md b/CHANGELOG.md index 70cbde9..c326a20 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [2.0.2] - 2022-03-31 + +### Added + +- Enabled encryption in transit for the logging S3 bucket. + ## [2.0.1] - 2021-12-13 Version 2.0.1 supports upgrading from version 2.0.0 but not from version 1.3.0 and below @@ -58,14 +64,14 @@ Version 2.0.0 does not support upgrading from previous versions. - Added StartedBy tag to tasks for use by task listing functions - Modified all ECS task listing functions to support listing 1000 tasks - Modified TaskRunning lambda function to support being called multiple times from step functions -- Tests start simultaneously +- Tests start simultaneously - Added ecscontroller.py to container package - Added ecslistener.py to container package - TaskRunner lambda launches worker tasks first, then leader task once workers are running - Run tests concurrently - Removed disabling of submit buttons if there is a test running - Unbuffered bzt output and added test Id to CloudWatch logs for access to test specific logs -- Added support for Docker Hub login +- Added support for Docker Hub login - Added Secrets manager parameter to include secret containing Docker Hub credentials - Included more metrics - Added virtual users, failures, and successes to graph diff --git a/source/infrastructure/lib/common-resources.ts b/source/infrastructure/lib/common-resources.ts index 6925d4c..a4cca5e 100644 --- a/source/infrastructure/lib/common-resources.ts +++ b/source/infrastructure/lib/common-resources.ts 
@@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0 import { Aws, CfnCondition, CfnCustomResource, CfnResource, Construct, CustomResource, Duration, RemovalPolicy, Stack, Tags } from '@aws-cdk/core'; import { BlockPublicAccess, Bucket, BucketAccessControl, BucketEncryption, IBucket } from '@aws-cdk/aws-s3'; -import { Effect, Policy, PolicyDocument, PolicyStatement, Role, ServicePrincipal } from '@aws-cdk/aws-iam'; +import { AnyPrincipal, Effect, Policy, PolicyDocument, PolicyStatement, Role, ServicePrincipal } from '@aws-cdk/aws-iam'; import { Code, Function as LambdaFunction, Runtime } from '@aws-cdk/aws-lambda'; /** @@ -77,14 +77,23 @@ export class CommonResourcesContruct extends Construct { }); Tags.of(this.s3LogsBucket).add('SolutionId', props.solutionId); + this.s3LogsBucket.addToResourcePolicy( + new PolicyStatement({ + actions: ['s3:*'], + conditions: { + Bool: { 'aws:SecureTransport': 'false' } + }, + effect: Effect.DENY, + principals: [new AnyPrincipal()], + resources: [this.s3LogsBucket.bucketArn, this.s3LogsBucket.arnForObjects('*')] + }) + ); + const s3LogsBucketResource = this.s3LogsBucket.node.defaultChild as CfnResource; s3LogsBucketResource.addMetadata('cfn_nag', { rules_to_suppress: [{ id: 'W35', reason: 'This is the logging bucket, it does not require logging.' - }, { - id: 'W51', - reason: 'Since the bucket does not allow the public access, it does not require to have bucket policy.' }] }) diff --git a/source/infrastructure/test/__snapshots__/common-resources.test.ts.snap b/source/infrastructure/test/__snapshots__/common-resources.test.ts.snap index 593e50a..120aa7e 100644 --- a/source/infrastructure/test/__snapshots__/common-resources.test.ts.snap +++ b/source/infrastructure/test/__snapshots__/common-resources.test.ts.snap 
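Review bot: The Deny statement added after the `Tags.of(...)` line only rejects requests with `aws:SecureTransport` false, i.e. plaintext HTTP; it sets no floor on the TLS version, so the "encryption in transit" the changelog claims can still be negotiated over TLS 1.0/1.1 if that matters for this deployment. If a floor is wanted, add a second `Effect.DENY` statement with the same principals and resources conditioned on `NumericLessThan: { 's3:TlsVersion': 1.2 }`. The statement also carries no `sid`, which makes it harder to locate in the rendered bucket policy; `sid: 'DenyInsecureTransport',` plus a one-line comment such as `// Reject any request to the logging bucket that does not arrive over TLS.` would document intent. Dropping the W51 suppression is consistent with the bucket now having a resource policy. The enclosing method of `CommonResourcesContruct` starts before and ends after this hunk.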
@@ -191,10 +191,6 @@ Object { "id": "W35", "reason": "This is the logging bucket, it does not require logging.", }, - Object { - "id": "W51", - "reason": "Since the bucket does not allow the public access, it does not require to have bucket policy.", - }, ], }, }, @@ -225,6 +221,53 @@ Object { "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Retain", }, + "TestCommonResourcesLogsBucketPolicyAB18A08E": Object { + "Properties": Object { + "Bucket": Object { + "Ref": "TestCommonResourcesLogsBucket5B4DBD4F", + }, + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": "s3:*", + "Condition": Object { + "Bool": Object { + "aws:SecureTransport": "false", + }, + }, + "Effect": "Deny", + "Principal": Object { + "AWS": "*", + }, + "Resource": Array [ + Object { + "Fn::GetAtt": Array [ + "TestCommonResourcesLogsBucket5B4DBD4F", + "Arn", + ], + }, + Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Fn::GetAtt": Array [ + "TestCommonResourcesLogsBucket5B4DBD4F", + "Arn", + ], + }, + "/*", + ], + ], + }, + ], + }, + ], + "Version": "2012-10-17", + }, + }, + "Type": "AWS::S3::BucketPolicy", + }, "TestCommonResourcesUUIDFDB821D1": Object { "DeletionPolicy": "Delete", "Properties": Object { diff --git a/source/infrastructure/test/__snapshots__/distributed-load-testing-on-aws-stack.test.ts.snap b/source/infrastructure/test/__snapshots__/distributed-load-testing-on-aws-stack.test.ts.snap index e834ee3..086b5fe 100644 --- a/source/infrastructure/test/__snapshots__/distributed-load-testing-on-aws-stack.test.ts.snap +++ b/source/infrastructure/test/__snapshots__/distributed-load-testing-on-aws-stack.test.ts.snap @@ -1968,10 +1968,6 @@ Object { "id": "W35", "reason": "This is the logging bucket, it does not require logging.", }, - Object { - "id": "W51", - "reason": "Since the bucket does not allow the public access, it does not require to have bucket policy.", - }, ], }, }, 
@@ -2008,6 +2004,53 @@ Object { "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Retain", }, + "DLTCommonResourcesLogsBucketPolicyAA7FFB37": Object { + "Properties": Object { + "Bucket": Object { + "Ref": "DLTCommonResourcesLogsBucket48A2774D", + }, + "PolicyDocument": Object { + "Statement": Array [ + Object { + "Action": "s3:*", + "Condition": Object { + "Bool": Object { + "aws:SecureTransport": "false", + }, + }, + "Effect": "Deny", + "Principal": Object { + "AWS": "*", + }, + "Resource": Array [ + Object { + "Fn::GetAtt": Array [ + "DLTCommonResourcesLogsBucket48A2774D", + "Arn", + ], + }, + Object { + "Fn::Join": Array [ + "", + Array [ + Object { + "Fn::GetAtt": Array [ + "DLTCommonResourcesLogsBucket48A2774D", + "Arn", + ], + }, + "/*", + ], + ], + }, + ], + }, + ], + "Version": "2012-10-17", + }, + }, + "Type": "AWS::S3::BucketPolicy", + }, "DLTCommonResourcesUUID2FD025A2": Object { "DeletionPolicy": "Delete", "Properties": Object {