
Commit 2d9b5b0

Merge branch 'main' into revert-21049-TheRealAmazonKendra/init-template-fix
2 parents da56be9 + dbede40 commit 2d9b5b0

19 files changed

Lines changed: 4699 additions & 2 deletions


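--- a/packages/@aws-cdk/aws-ec2/README.md
+++ b/packages/@aws-cdk/aws-ec2/README.md
@@ -1314,8 +1314,10 @@ vpc.addFlowLog('FlowLogS3', {
 destination: ec2.FlowLogDestination.toS3()
 });
 
+// Only reject traffic and interval every minute.
 vpc.addFlowLog('FlowLogCloudWatch', {
-trafficType: ec2.FlowLogTrafficType.REJECT
+trafficType: ec2.FlowLogTrafficType.REJECT,
+maxAggregationInterval: FlowLogMaxAggregationInterval.ONE_MINUTE,
 });
 ```
 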
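--- a/packages/@aws-cdk/aws-ec2/lib/vpc-flow-logs.ts
+++ b/packages/@aws-cdk/aws-ec2/lib/vpc-flow-logs.ts
@@ -383,6 +383,24 @@ class CloudWatchLogsDestination extends FlowLogDestination {
 }
 }
 
+/**
+* The maximum interval of time during which a flow of packets
+* is captured and aggregated into a flow log record.
+*
+*/
+export enum FlowLogMaxAggregationInterval {
+/**
+* 1 minute (60 seconds)
+*/
+ONE_MINUTE = 60,
+
+/**
+* 10 minutes (600 seconds)
+*/
+TEN_MINUTES = 600,
+
+}
+
 /**
 * Options to add a flow log to a VPC
 */
@@ -401,6 +419,14 @@ export interface FlowLogOptions {
 * @default FlowLogDestinationType.toCloudWatchLogs()
 */
 readonly destination?: FlowLogDestination;
+
+/**
+* The maximum interval of time during which a flow of packets is captured
+* and aggregated into a flow log record.
+*
+* @default FlowLogMaxAggregationInterval.TEN_MINUTES
+*/
+readonly maxAggregationInterval?: FlowLogMaxAggregationInterval;
 }
 
 /**
@@ -501,6 +527,7 @@ export class FlowLog extends FlowLogBase {
 deliverLogsPermissionArn: this.iamRole ? this.iamRole.roleArn : undefined,
 logDestinationType: destinationConfig.logDestinationType,
 logGroupName: this.logGroup ? this.logGroup.logGroupName : undefined,
+maxAggregationInterval: props.maxAggregationInterval,
 resourceId: props.resourceType.resourceId,
 resourceType: props.resourceType.resourceType,
 trafficType: props.trafficType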
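Review bot: The `@default FlowLogMaxAggregationInterval.TEN_MINUTES` documented on `maxAggregationInterval` in the second hunk is not applied by this code — the third hunk passes `props.maxAggregationInterval` through unchanged, so an unset value omits the property and the effective default is whatever the service applies; either default it explicitly, `maxAggregationInterval: props.maxAggregationInterval ?? FlowLogMaxAggregationInterval.TEN_MINUTES,`, or reword the tag to `@default FlowLogMaxAggregationInterval.TEN_MINUTES (applied by the service when omitted)`. The enum's doc comment in the first hunk ends with a stray empty `*` line before `*/`, and a blank line precedes the closing `}` of the enum. A one-line hint on `ONE_MINUTE`, such as `* Produces more, finer-grained records; useful for near-real-time detection at higher log volume`, would help readers choose between the two values. The README sample in this commit also references `FlowLogMaxAggregationInterval.ONE_MINUTE` without the `ec2.` prefix the surrounding lines of that sample use.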
Lines changed: 79 additions & 0 deletions
@@ -0,0 +1,79 @@
1+
import { PolicyStatement, Effect, ServicePrincipal } from '@aws-cdk/aws-iam';
2+
import * as s3 from '@aws-cdk/aws-s3';
3+
import { App, RemovalPolicy, Stack, StackProps } from '@aws-cdk/core';
4+
import { IntegTest } from '@aws-cdk/integ-tests';
5+
import { FlowLog, FlowLogDestination, FlowLogResourceType, Vpc, FlowLogMaxAggregationInterval } from '../lib';
6+
7+
const app = new App();
8+
9+
10+
class TestStack extends Stack {
11+
constructor(scope: App, id: string, props?: StackProps) {
12+
super(scope, id, props);
13+
14+
const vpc = new Vpc(this, 'VPC');
15+
16+
new FlowLog(this, 'FlowLogsCW', {
17+
resourceType: FlowLogResourceType.fromVpc(vpc),
18+
maxAggregationInterval: FlowLogMaxAggregationInterval.TEN_MINUTES,
19+
});
20+
21+
vpc.addFlowLog('FlowLogsS3', {
22+
destination: FlowLogDestination.toS3(),
23+
maxAggregationInterval: FlowLogMaxAggregationInterval.ONE_MINUTE,
24+
});
25+
26+
const bucket = new s3.Bucket(this, 'Bucket', {
27+
removalPolicy: RemovalPolicy.DESTROY,
28+
autoDeleteObjects: true,
29+
});
30+
bucket.addToResourcePolicy(new PolicyStatement({
31+
effect: Effect.ALLOW,
32+
principals: [new ServicePrincipal('delivery.logs.amazonaws.com')],
33+
actions: ['s3:PutObject'],
34+
resources: [bucket.arnForObjects(`AWSLogs/${this.account}/*`)],
35+
conditions: {
36+
StringEquals: {
37+
's3:x-amz-acl': 'bucket-owner-full-control',
38+
'aws:SourceAccount': this.account,
39+
},
40+
ArnLike: {
41+
'aws:SourceArn': this.formatArn({
42+
service: 'logs',
43+
resource: '*',
44+
}),
45+
},
46+
},
47+
}));
48+
bucket.addToResourcePolicy(new PolicyStatement({
49+
effect: Effect.ALLOW,
50+
principals: [new ServicePrincipal('delivery.logs.amazonaws.com')],
51+
actions: ['s3:GetBucketAcl', 's3:ListBucket'],
52+
resources: [bucket.bucketArn],
53+
conditions: {
54+
StringEquals: {
55+
'aws:SourceAccount': this.account,
56+
},
57+
ArnLike: {
58+
'aws:SourceArn': this.formatArn({
59+
service: 'logs',
60+
resource: '*',
61+
}),
62+
},
63+
},
64+
}));
65+
66+
vpc.addFlowLog('FlowLogsS3KeyPrefix', {
67+
destination: FlowLogDestination.toS3(bucket, 'prefix/'),
68+
});
69+
}
70+
}
71+
72+
73+
new IntegTest(app, 'FlowLogs', {
74+
testCases: [
75+
new TestStack(app, 'FlowLogsTestStack'),
76+
],
77+
});
78+
79+
app.synth();
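Review bot: The hand-written bucket policy in this test grants `s3:PutObject` only on `AWSLogs/${this.account}/*`, while `FlowLogsS3KeyPrefix` delivers under `prefix/`; unless the construct adds its own grant for the prefixed path (not visible in this commit), that delivery may be denied at runtime while the snapshot still passes — worth confirming, or widening the resource to also cover `prefix/AWSLogs/${this.account}/*`. The `aws:SourceAccount` and `aws:SourceArn` conditions on both statements are the right confused-deputy guard for the log-delivery principal and should remain the pattern for any statement added here. Style: there are two consecutive blank lines after `const app = new App();` and again before `new IntegTest(app, 'FlowLogs', {`.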
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
{
2+
"version": "21.0.0",
3+
"files": {
4+
"21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
5+
"source": {
6+
"path": "FlowLogsDefaultTestDeployAssert6AFD1854.template.json",
7+
"packaging": "file"
8+
},
9+
"destinations": {
10+
"current_account-current_region": {
11+
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
12+
"objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
13+
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
14+
}
15+
}
16+
}
17+
},
18+
"dockerImages": {}
19+
}
@@ -0,0 +1,36 @@
1+
{
2+
"Parameters": {
3+
"BootstrapVersion": {
4+
"Type": "AWS::SSM::Parameter::Value<String>",
5+
"Default": "/cdk-bootstrap/hnb659fds/version",
6+
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
7+
}
8+
},
9+
"Rules": {
10+
"CheckBootstrapVersion": {
11+
"Assertions": [
12+
{
13+
"Assert": {
14+
"Fn::Not": [
15+
{
16+
"Fn::Contains": [
17+
[
18+
"1",
19+
"2",
20+
"3",
21+
"4",
22+
"5"
23+
],
24+
{
25+
"Ref": "BootstrapVersion"
26+
}
27+
]
28+
}
29+
]
30+
},
31+
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
32+
}
33+
]
34+
}
35+
}
36+
}
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
{
2+
"version": "21.0.0",
3+
"files": {
4+
"69731f7ae982e377a617d06d1920c7fbeb360543d6b5f3da47406c123317a645": {
5+
"source": {
6+
"path": "FlowLogsFeatureFlag.template.json",
7+
"packaging": "file"
8+
},
9+
"destinations": {
10+
"current_account-current_region": {
11+
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
12+
"objectKey": "69731f7ae982e377a617d06d1920c7fbeb360543d6b5f3da47406c123317a645.json",
13+
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
14+
}
15+
}
16+
}
17+
},
18+
"dockerImages": {}
19+
}
