feat: LLMO-204 Provisioning API for cdn logs S3 bucket

Author: ctinp

docs/openapi/api.yaml

@@ -49,6 +49,8 @@ tags:
     description: APIs for scraping web pages
   - name: llmo
     description: LLMO (Large Language Model Optimizer) operations
+  - name: cdn-logs
+    description: APIs for CDN logs infrastructure
 
 paths:
   /audits/latest/{auditType}:
@@ -229,6 +231,8 @@ paths:
     $ref: './llmo-api.yaml#/llmo-customer-intent'
   /sites/{siteId}/llmo/customer-intent/{intentKey}:
     $ref: './llmo-api.yaml#/llmo-customer-intent-item'
+  /tools/cdn-logs/bucket:
+    $ref: './tools-api.yaml#/tools-cdn-logs-bucket'
 
 components:
   securitySchemes:

docs/openapi/schemas.yaml

@@ -3490,3 +3490,42 @@ LlmoConfig:
       description: The customer intent configuration containing key-value pairs
       $ref: '#/LlmoCustomerIntent'
   additionalProperties: false
+
+# CDN Logs Schemas
+CdnLogsBucketRequest:
+  type: object
+  required:
+    - org_id
+  properties:
+    org_id:
+      type: string
+      description: Organization identifier (alphanumeric, often ending with @AdobeOrg)
+      example: "123ABCDEF4567890XYZ@AdobeOrg"
+    org_name:
+      type: string
+      description: Organization name (optional)
+      example: "Adobe"
+
+CdnLogsBucketResponse:
+  type: object
+  properties:
+    message:
+      type: string
+      description: Success message describing what was created/retrieved
+      example: "Bucket 'cdn-logs-adobe123' created successfully with new credentials"
+    bucketName:
+      type: string
+      description: The S3 bucket name
+      example: "cdn-logs-adobe"
+    accessKey:
+      type: string
+      description: AWS access key for the bucket
+      example: "AKIAIOSFODNN7EXAMPLE"
+    secretKey:
+      type: string
+      description: AWS secret key for the bucket
+      example: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+    region:
+      type: string
+      description: AWS region where the bucket was created
+      example: "us-east-1"

docs/openapi/tools-api.yaml

@@ -362,3 +362,51 @@ file-download:
         $ref: './responses.yaml#/500'
     security:
       - scoped_api_key: [ ]
+
+cdn-logs-bucket:
+  put:
+    tags:
+      - cdn-logs
+      - tools
+    summary: Provision CDN logs S3 bucket
+    description: |
+      Provisions an S3 bucket for CDN logs with associated IAM credentials.
+      This endpoint requires admin access and follows an idempotent pattern:
+      
+      If the bucket does NOT exist: Creates a new S3 bucket with proper encryption, access controls, 
+      IAM policy, IAM user, and stores credentials in AWS Secrets Manager.
+      
+      If the bucket already exists: Retrieves the existing bucket and credentials without creating duplicates.
+      
+      This ensures that calling the endpoint multiple times with the same organization ID will not create 
+      duplicate resources, making it safe for automated provisioning workflows.
+      
+      AWS resources created include:
+      - S3 bucket with proper encryption and access controls
+      - IAM policy for bucket access
+      - IAM user with access keys
+      - Stored credentials in AWS Secrets Manager
+    operationId: provisionCdnLogsBucket
+    requestBody:
+      required: true
+      content:
+        application/json:
+          schema:
+            $ref: './schemas.yaml#/CdnLogsBucketRequest'
+    responses:
+      '200':
+        description: Bucket and credentials created/retrieved successfully
+        content:
+          application/json:
+            schema:
+              $ref: './schemas.yaml#/CdnLogsBucketResponse'
+      '400':
+        $ref: './responses.yaml#/400'
+      '401':
+        $ref: './responses.yaml#/401'
+      '403':
+        $ref: './responses.yaml#/403'
+      '500':
+        $ref: './responses.yaml#/500'
+    security:
+      - admin_key: []

package.json

@@ -83,6 +83,9 @@
     "@adobe/spacecat-shared-utils": "1.45.0",
     "@aws-sdk/client-s3": "3.864.0",
     "@aws-sdk/client-sfn": "3.864.0",
+    "@aws-sdk/client-ssm": "^3.x.x",
+    "@aws-sdk/client-iam": "^3.x.x",
+    "@aws-sdk/client-secrets-manager": "^3.x.x",
     "@aws-sdk/client-sqs": "3.864.0",
     "@aws-sdk/s3-request-presigner": "3.864.0",
     "@langchain/core": "0.3.68",