From a4c752a6124b3cb2a078d4003bbfe90af2be8e50 Mon Sep 17 00:00:00 2001 From: epolon Date: Sun, 22 Nov 2020 14:44:59 +0200 Subject: [PATCH 1/5] added test --- .../@aws-cdk/aws-elasticsearch/test/domain.test.ts | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts b/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts index e4b8abf50e29d..85c76c11fa280 100644 --- a/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts +++ b/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts @@ -24,6 +24,17 @@ const readWriteActions = [ ...writeActions, ]; +test('log publishing keys do not exist if not configured', () => { + + new Domain(stack, 'Domain', { version: ElasticsearchVersion.V7_1 }); + + expect(stack).toHaveResource('AWS::Elasticsearch::Domain', { + LogPublishingOptions: {}, + }); + + +}); + test('minimal example renders correctly', () => { new Domain(stack, 'Domain', { version: ElasticsearchVersion.V7_1 }); From e72f0ef4623522fc9b56277699a41e0432c2057b Mon Sep 17 00:00:00 2001 From: epolon Date: Sun, 22 Nov 2020 15:57:42 +0200 Subject: [PATCH 2/5] tests --- .../@aws-cdk/aws-elasticsearch/lib/domain.ts | 39 ++++++---- .../aws-elasticsearch/test/domain.test.ts | 41 +---------- ...asticsearch.advancedsecurity.expected.json | 12 +--- .../test/integ.elasticsearch.expected.json | 71 +++++++++---------- ...sticsearch.unsignedbasicauth.expected.json | 16 +---- 5 files changed, 64 insertions(+), 115 deletions(-) diff --git a/packages/@aws-cdk/aws-elasticsearch/lib/domain.ts b/packages/@aws-cdk/aws-elasticsearch/lib/domain.ts index 4931bde8f4a1e..f937247783823 100644 --- a/packages/@aws-cdk/aws-elasticsearch/lib/domain.ts +++ b/packages/@aws-cdk/aws-elasticsearch/lib/domain.ts @@ -1419,6 +1419,30 @@ export class Domain extends DomainBase implements IDomain { }); } + const logPublishing: Record = {}; + + // https://github.com/aws/aws-cdk/issues/11223 + if (this.appLogGroup) { + logPublishing.ES_APPLICATION_LOGS = { + enabled: true, + cloudWatchLogsLogGroupArn: this.appLogGroup.logGroupArn, + }; + } + + if (this.slowSearchLogGroup) { + logPublishing.SEARCH_SLOW_LOGS = { + enabled: true, + cloudWatchLogsLogGroupArn: this.slowSearchLogGroup.logGroupArn, + }; + } + + if (this.slowIndexLogGroup) { + logPublishing.INDEX_SLOW_LOGS = { + enabled: true, + cloudWatchLogsLogGroupArn: this.slowIndexLogGroup.logGroupArn, + }; + } + // Create the domain this.domain = new CfnDomain(this, 'Resource', { domainName: this.physicalName, @@ -1451,20 +1475,7 @@ export class Domain extends DomainBase implements IDomain { : undefined, }, nodeToNodeEncryptionOptions: { enabled: nodeToNodeEncryptionEnabled }, - logPublishingOptions: { - ES_APPLICATION_LOGS: { - enabled: this.appLogGroup != null, - cloudWatchLogsLogGroupArn: this.appLogGroup?.logGroupArn, - }, - SEARCH_SLOW_LOGS: { - enabled: this.slowSearchLogGroup != null, - cloudWatchLogsLogGroupArn: this.slowSearchLogGroup?.logGroupArn, - }, - INDEX_SLOW_LOGS: { - enabled: this.slowIndexLogGroup != null, - cloudWatchLogsLogGroupArn: this.slowIndexLogGroup?.logGroupArn, - }, - }, + logPublishingOptions: logPublishing, cognitoOptions: { enabled: props.cognitoKibanaAuth != null, identityPoolId: props.cognitoKibanaAuth?.identityPoolId, diff --git a/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts b/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts index 85c76c11fa280..7409c63129143 100644 --- a/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts +++ b/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts @@ -24,17 +24,6 @@ const readWriteActions = [ ...writeActions, ]; -test('log publishing keys do not exist if not configured', () => { - - new Domain(stack, 'Domain', { version: ElasticsearchVersion.V7_1 }); - - expect(stack).toHaveResource('AWS::Elasticsearch::Domain', { - LogPublishingOptions: {}, - }); - - -}); - test('minimal example renders correctly', () => { new Domain(stack, 'Domain', { version: ElasticsearchVersion.V7_1 }); @@ -57,17 +46,7 @@ test('minimal example renders correctly', () => { EncryptionAtRestOptions: { Enabled: false, }, - LogPublishingOptions: { - ES_APPLICATION_LOGS: { - Enabled: false, - }, - SEARCH_SLOW_LOGS: { - Enabled: false, - }, - INDEX_SLOW_LOGS: { - Enabled: false, - }, - }, + LogPublishingOptions: {}, NodeToNodeEncryptionOptions: { Enabled: false, }, @@ -86,9 +65,6 @@ describe('log groups', () => { expect(stack).toHaveResourceLike('AWS::Elasticsearch::Domain', { LogPublishingOptions: { - ES_APPLICATION_LOGS: { - Enabled: false, - }, SEARCH_SLOW_LOGS: { CloudWatchLogsLogGroupArn: { 'Fn::GetAtt': [ @@ -98,9 +74,6 @@ describe('log groups', () => { }, Enabled: true, }, - INDEX_SLOW_LOGS: { - Enabled: false, - }, }, }); }); @@ -115,12 +88,6 @@ describe('log groups', () => { expect(stack).toHaveResourceLike('AWS::Elasticsearch::Domain', { LogPublishingOptions: { - ES_APPLICATION_LOGS: { - Enabled: false, - }, - SEARCH_SLOW_LOGS: { - Enabled: false, - }, INDEX_SLOW_LOGS: { CloudWatchLogsLogGroupArn: { 'Fn::GetAtt': [ @@ -153,12 +120,6 @@ describe('log groups', () => { }, Enabled: true, }, - SEARCH_SLOW_LOGS: { - Enabled: false, - }, - INDEX_SLOW_LOGS: { - Enabled: false, - }, }, }); }); diff --git a/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.advancedsecurity.expected.json b/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.advancedsecurity.expected.json index 5a5275e4c52a9..dac2d95d68b54 100644 --- a/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.advancedsecurity.expected.json +++ b/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.advancedsecurity.expected.json @@ -40,17 +40,7 @@ "EncryptionAtRestOptions": { "Enabled": true }, - "LogPublishingOptions": { - "ES_APPLICATION_LOGS": { - "Enabled": false - }, - "SEARCH_SLOW_LOGS": { - "Enabled": false - }, - "INDEX_SLOW_LOGS": { - "Enabled": false - } - }, + "LogPublishingOptions": {}, "NodeToNodeEncryptionOptions": { "Enabled": true } diff --git a/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.expected.json b/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.expected.json index 1956a13379bac..265b681da2cc8 100644 --- a/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.expected.json +++ b/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.expected.json @@ -1,5 +1,31 @@ { "Resources": { + "DomainESLogGroupPolicyCustomResourcePolicyB35C8E41": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "logs:PutResourcePolicy", + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "logs:DeleteResourcePolicy", + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "DomainESLogGroupPolicyCustomResourcePolicyB35C8E41", + "Roles": [ + { + "Ref": "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2" + } + ] + } + }, "DomainESLogGroupPolicy5373A2E8": { "Type": "Custom::CloudwatchLogResourcePolicy", "Properties": { @@ -83,11 +109,11 @@ }, "InstallLatestAwsSdk": true }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete", "DependsOn": [ "DomainESLogGroupPolicyCustomResourcePolicyB35C8E41" - ] + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" }, "Domain66AC69E0": { "Type": "AWS::Elasticsearch::Domain", @@ -132,9 +158,6 @@ ] }, "Enabled": true - }, - "INDEX_SLOW_LOGS": { - "Enabled": false } }, "NodeToNodeEncryptionOptions": { @@ -193,32 +216,6 @@ ] } }, - "DomainESLogGroupPolicyCustomResourcePolicyB35C8E41": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": "logs:PutResourcePolicy", - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "logs:DeleteResourcePolicy", - "Effect": "Allow", - "Resource": "*" - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "DomainESLogGroupPolicyCustomResourcePolicyB35C8E41", - "Roles": [ - { - "Ref": "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2" - } - ] - } - }, "AWS679f53fac002430cb0da5b7982bd22872D164C4C": { "Type": "AWS::Lambda::Function", "Properties": { @@ -276,10 +273,6 @@ } }, "Parameters": { - "AssetParametersb64b129569a5ac7a9abf88a18ac0b504d1fb1208872460476ed3fd435830eb94ArtifactHash782948FC": { - "Type":"String", - "Description":"Artifact hash for asset \"b64b129569a5ac7a9abf88a18ac0b504d1fb1208872460476ed3fd435830eb94\"" - }, "AssetParametersb64b129569a5ac7a9abf88a18ac0b504d1fb1208872460476ed3fd435830eb94S3Bucket38F1BB8E": { "Type": "String", "Description": "S3 bucket for asset \"b64b129569a5ac7a9abf88a18ac0b504d1fb1208872460476ed3fd435830eb94\"" @@ -287,6 +280,10 @@ "AssetParametersb64b129569a5ac7a9abf88a18ac0b504d1fb1208872460476ed3fd435830eb94S3VersionKeyCCDC67C0": { "Type": "String", "Description": "S3 key for asset version \"b64b129569a5ac7a9abf88a18ac0b504d1fb1208872460476ed3fd435830eb94\"" + }, + "AssetParametersb64b129569a5ac7a9abf88a18ac0b504d1fb1208872460476ed3fd435830eb94ArtifactHash782948FC": { + "Type": "String", + "Description": "Artifact hash for asset \"b64b129569a5ac7a9abf88a18ac0b504d1fb1208872460476ed3fd435830eb94\"" } } -} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.unsignedbasicauth.expected.json b/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.unsignedbasicauth.expected.json index 3791b985eddbe..b55ac9e14df69 100644 --- a/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.unsignedbasicauth.expected.json +++ b/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.unsignedbasicauth.expected.json @@ -4,8 +4,8 @@ "Type": "AWS::SecretsManager::Secret", "Properties": { "GenerateSecretString": { - "GenerateStringKey": "password", "ExcludeCharacters": "{}'\\*[]()`", + "GenerateStringKey": "password", "SecretStringTemplate": "{\"username\":\"admin\"}" } } @@ -54,17 +54,7 @@ "EncryptionAtRestOptions": { "Enabled": true }, - "LogPublishingOptions": { - "ES_APPLICATION_LOGS": { - "Enabled": false - }, - "SEARCH_SLOW_LOGS": { - "Enabled": false - }, - "INDEX_SLOW_LOGS": { - "Enabled": false - } - }, + "LogPublishingOptions": {}, "NodeToNodeEncryptionOptions": { "Enabled": true } @@ -294,4 +284,4 @@ "Description": "Artifact hash for asset \"b64b129569a5ac7a9abf88a18ac0b504d1fb1208872460476ed3fd435830eb94\"" } } -} +} \ No newline at end of file From 3529af87be642ca14aa4d192511b6af8abbfa68a Mon Sep 17 00:00:00 2001 From: epolon Date: Sun, 22 Nov 2020 16:00:59 +0200 Subject: [PATCH 3/5] remove comment --- packages/@aws-cdk/aws-elasticsearch/lib/domain.ts | 1 - 1 file changed, 1 deletion(-) diff --git a/packages/@aws-cdk/aws-elasticsearch/lib/domain.ts b/packages/@aws-cdk/aws-elasticsearch/lib/domain.ts index f937247783823..f60477b61cf6b 100644 --- a/packages/@aws-cdk/aws-elasticsearch/lib/domain.ts +++ b/packages/@aws-cdk/aws-elasticsearch/lib/domain.ts @@ -1421,7 +1421,6 @@ export class Domain extends DomainBase implements IDomain { const logPublishing: Record = {}; - // https://github.com/aws/aws-cdk/issues/11223 if (this.appLogGroup) { logPublishing.ES_APPLICATION_LOGS = { enabled: true, From 8c07ba36e442af5a77d39f57ab410c15f50584c8 Mon Sep 17 00:00:00 2001 From: epolon Date: Mon, 11 Jan 2021 22:05:29 +0200 Subject: [PATCH 4/5] integ tests --- .../aws-elasticsearch/test/domain.test.ts | 45 ------------------- ...elasticsearch.custom-kms-key.expected.json | 8 +--- .../test/integ.elasticsearch.expected.json | 14 +----- 3 files changed, 2 insertions(+), 65 deletions(-) diff --git a/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts b/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts index 4894a879d921d..c0d4f8ce62559 100644 --- a/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts +++ b/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts @@ -175,12 +175,6 @@ describe('log groups', () => { }, Enabled: true, }, - SEARCH_SLOW_LOGS: { - Enabled: false, - }, - INDEX_SLOW_LOGS: { - Enabled: false, - }, }, }); }); @@ -212,15 +206,6 @@ describe('log groups', () => { }, Enabled: true, }, - ES_APPLICATION_LOGS: { - Enabled: false, - }, - SEARCH_SLOW_LOGS: { - Enabled: false, - }, - INDEX_SLOW_LOGS: { - Enabled: false, - }, }, }); }); @@ -360,12 +345,6 @@ describe('log groups', () => { expect(stack).toHaveResourceLike('AWS::Elasticsearch::Domain', { LogPublishingOptions: { - AUDIT_LOGS: { - Enabled: false, - }, - ES_APPLICATION_LOGS: { - Enabled: false, - }, SEARCH_SLOW_LOGS: { CloudWatchLogsLogGroupArn: { 'Fn::GetAtt': [ @@ -375,9 +354,6 @@ describe('log groups', () => { }, Enabled: true, }, - INDEX_SLOW_LOGS: { - Enabled: false, - }, }, }); }); @@ -395,15 +371,6 @@ describe('log groups', () => { expect(stack).toHaveResourceLike('AWS::Elasticsearch::Domain', { LogPublishingOptions: { - AUDIT_LOGS: { - Enabled: false, - }, - ES_APPLICATION_LOGS: { - Enabled: false, - }, - SEARCH_SLOW_LOGS: { - Enabled: false, - }, INDEX_SLOW_LOGS: { CloudWatchLogsLogGroupArn: { 'Fn::GetAtt': [ @@ -430,9 +397,6 @@ describe('log groups', () => { expect(stack).toHaveResourceLike('AWS::Elasticsearch::Domain', { LogPublishingOptions: { - AUDIT_LOGS: { - Enabled: false, - }, ES_APPLICATION_LOGS: { CloudWatchLogsLogGroupArn: { 'Fn::GetAtt': [ @@ -476,15 +440,6 @@ describe('log groups', () => { }, Enabled: true, }, - ES_APPLICATION_LOGS: { - Enabled: false, - }, - SEARCH_SLOW_LOGS: { - Enabled: false, - }, - INDEX_SLOW_LOGS: { - Enabled: false, - }, }, }); }); diff --git a/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.custom-kms-key.expected.json b/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.custom-kms-key.expected.json index f987bec734004..fafc653e73740 100644 --- a/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.custom-kms-key.expected.json +++ b/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.custom-kms-key.expected.json @@ -211,9 +211,6 @@ } }, "LogPublishingOptions": { - "AUDIT_LOGS": { - "Enabled": false - }, "ES_APPLICATION_LOGS": { "CloudWatchLogsLogGroupArn": { "Fn::GetAtt": [ @@ -231,9 +228,6 @@ ] }, "Enabled": true - }, - "INDEX_SLOW_LOGS": { - "Enabled": false } }, "NodeToNodeEncryptionOptions": { @@ -442,13 +436,13 @@ ] } }, - "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2", "Arn" ] }, + "Handler": "index.handler", "Runtime": "nodejs12.x", "Timeout": 120 }, diff --git a/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.expected.json b/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.expected.json index a6a6dd2b0d37f..6c782aee20cc9 100644 --- a/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.expected.json +++ b/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.expected.json @@ -157,9 +157,6 @@ "Enabled": true }, "LogPublishingOptions": { - "AUDIT_LOGS": { - "Enabled": false - }, "ES_APPLICATION_LOGS": { "CloudWatchLogsLogGroupArn": { "Fn::GetAtt": [ @@ -177,9 +174,6 @@ ] }, "Enabled": true - }, - "INDEX_SLOW_LOGS": { - "Enabled": false } }, "NodeToNodeEncryptionOptions": { @@ -358,13 +352,13 @@ ] } }, - "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2", "Arn" ] }, + "Handler": "index.handler", "Runtime": "nodejs12.x", "Timeout": 120 }, @@ -529,9 +523,6 @@ "Enabled": true }, "LogPublishingOptions": { - "AUDIT_LOGS": { - "Enabled": false - }, "ES_APPLICATION_LOGS": { "CloudWatchLogsLogGroupArn": { "Fn::GetAtt": [ @@ -549,9 +540,6 @@ ] }, "Enabled": true - }, - "INDEX_SLOW_LOGS": { - "Enabled": false } }, "NodeToNodeEncryptionOptions": { From 137a15bee0de1244797f02a29b95dc2d240b202c Mon Sep 17 00:00:00 2001 From: epolon Date: Tue, 12 Jan 2021 13:35:53 +0200 Subject: [PATCH 5/5] test for abstance of log properties as well --- .../aws-elasticsearch/test/domain.test.ts | 33 ++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts b/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts index c0d4f8ce62559..ff85a85e218f8 100644 --- a/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts +++ b/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts @@ -88,7 +88,12 @@ test('minimal example renders correctly', () => { EncryptionAtRestOptions: { Enabled: false, }, - LogPublishingOptions: {}, + LogPublishingOptions: { + AUDIT_LOGS: assert.ABSENT, + ES_APPLICATION_LOGS: assert.ABSENT, + SEARCH_SLOW_LOGS: assert.ABSENT, + INDEX_SLOW_LOGS: assert.ABSENT, + }, NodeToNodeEncryptionOptions: { Enabled: false, }, @@ -129,6 +134,9 @@ describe('log groups', () => { }, Enabled: true, }, + AUDIT_LOGS: assert.ABSENT, + ES_APPLICATION_LOGS: assert.ABSENT, + INDEX_SLOW_LOGS: assert.ABSENT, }, }); }); @@ -152,6 +160,9 @@ describe('log groups', () => { }, Enabled: true, }, + AUDIT_LOGS: assert.ABSENT, + ES_APPLICATION_LOGS: assert.ABSENT, + SEARCH_SLOW_LOGS: assert.ABSENT, }, }); }); @@ -175,6 +186,9 @@ describe('log groups', () => { }, Enabled: true, }, + AUDIT_LOGS: assert.ABSENT, + SEARCH_SLOW_LOGS: assert.ABSENT, + INDEX_SLOW_LOGS: assert.ABSENT, }, }); }); @@ -206,6 +220,9 @@ describe('log groups', () => { }, Enabled: true, }, + ES_APPLICATION_LOGS: assert.ABSENT, + SEARCH_SLOW_LOGS: assert.ABSENT, + INDEX_SLOW_LOGS: assert.ABSENT, }, }); }); @@ -256,6 +273,7 @@ describe('log groups', () => { }, Enabled: true, }, + AUDIT_LOGS: assert.ABSENT, }, }); expect(stack).toHaveResourceLike('AWS::Elasticsearch::Domain', { @@ -287,6 +305,7 @@ describe('log groups', () => { }, Enabled: true, }, + AUDIT_LOGS: assert.ABSENT, }, }); }); @@ -354,6 +373,9 @@ describe('log groups', () => { }, Enabled: true, }, + AUDIT_LOGS: assert.ABSENT, + ES_APPLICATION_LOGS: assert.ABSENT, + INDEX_SLOW_LOGS: assert.ABSENT, }, }); }); @@ -380,6 +402,9 @@ describe('log groups', () => { }, Enabled: true, }, + AUDIT_LOGS: assert.ABSENT, + ES_APPLICATION_LOGS: assert.ABSENT, + SEARCH_SLOW_LOGS: assert.ABSENT, }, }); }); @@ -406,6 +431,9 @@ describe('log groups', () => { }, Enabled: true, }, + AUDIT_LOGS: assert.ABSENT, + SEARCH_SLOW_LOGS: assert.ABSENT, + INDEX_SLOW_LOGS: assert.ABSENT, }, }); }); @@ -440,6 +468,9 @@ describe('log groups', () => { }, Enabled: true, }, + ES_APPLICATION_LOGS: assert.ABSENT, + SEARCH_SLOW_LOGS: assert.ABSENT, + INDEX_SLOW_LOGS: assert.ABSENT, }, }); });