Merge pull request #481 from guardian/jw-fastly-logging

Provision a role for Fastly log shipping
guardian · Jun 11, 2024 · 8dfb247 · 8dfb247
2 parents 8a067b0 + 49e68f3
commit 8dfb247
Show file tree

Hide file tree

Showing 2 changed files with 115 additions and 2 deletions.
diff --git a/cdk/lib/__snapshots__/cdk-playground.test.ts.snap b/cdk/lib/__snapshots__/cdk-playground.test.ts.snap
@@ -25,6 +25,10 @@ Object {
       "GuHttpsApplicationListener",
       "GuCname",
       "GuCname",
+      "GuStringParameter",
+      "GuFastlyCustomerIdParameter",
+      "GuFastlyLogsIamRole",
+      "GuPutS3ObjectsPolicy",
       "GuApiLambda",
       "GuCertificate",
       "GuCname",
@@ -74,6 +78,18 @@ Object {
       "Description": "SSM parameter containing the S3 bucket name holding distribution artifacts",
       "Type": "AWS::SSM::Parameter::Value<String>",
     },
+    "FastlyBucket": Object {
+      "AllowedValues": Array [
+        "/PROD/playground/cdk-playground/fastly-logs-bucket",
+      ],
+      "Default": "/PROD/playground/cdk-playground/fastly-logs-bucket",
+      "Type": "AWS::SSM::Parameter::Value<String>",
+    },
+    "FastlyCustomerId": Object {
+      "Default": "/account/external/fastly/customer.id",
+      "Description": "SSM parameter containing the Fastly Customer ID. Can be obtained from https://manage.fastly.com/account/company by an admin",
+      "Type": "AWS::SSM::Parameter::Value<String>",
+    },
     "LoggingStreamName": Object {
       "Default": "/account/services/logging.stream.name",
       "Description": "SSM parameter containing the Name (not ARN) on the kinesis stream",
@@ -320,6 +336,91 @@ Object {
       },
       "Type": "AWS::IAM::Policy",
     },
+    "GuFastlyLogsIamRoleE2DAFAB3": Object {
+      "Properties": Object {
+        "AssumeRolePolicyDocument": Object {
+          "Statement": Array [
+            Object {
+              "Action": "sts:AssumeRole",
+              "Condition": Object {
+                "StringEquals": Object {
+                  "sts:ExternalId": Object {
+                    "Ref": "FastlyCustomerId",
+                  },
+                },
+              },
+              "Effect": "Allow",
+              "Principal": Object {
+                "AWS": Object {
+                  "Fn::Join": Array [
+                    "",
+                    Array [
+                      "arn:",
+                      Object {
+                        "Ref": "AWS::Partition",
+                      },
+                      ":iam::717331877981:root",
+                    ],
+                  ],
+                },
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "Tags": Array [
+          Object {
+            "Key": "gu:cdk:version",
+            "Value": "TEST",
+          },
+          Object {
+            "Key": "gu:repo",
+            "Value": "guardian/cdk-playground",
+          },
+          Object {
+            "Key": "Stack",
+            "Value": "playground",
+          },
+          Object {
+            "Key": "Stage",
+            "Value": "PROD",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Role",
+    },
+    "GuFastlyLogsIamRolePolicy5BF3CDCA": Object {
+      "Properties": Object {
+        "PolicyDocument": Object {
+          "Statement": Array [
+            Object {
+              "Action": "s3:PutObject",
+              "Effect": "Allow",
+              "Resource": Object {
+                "Fn::Join": Array [
+                  "",
+                  Array [
+                    "arn:aws:s3:::",
+                    Object {
+                      "Ref": "FastlyBucket",
+                    },
+                    "/*",
+                  ],
+                ],
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "GuFastlyLogsIamRolePolicy5BF3CDCA",
+        "Roles": Array [
+          Object {
+            "Ref": "GuFastlyLogsIamRoleE2DAFAB3",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
     "GuHttpsEgressSecurityGroupCdkplaygroundAF9827C8": Object {
       "Properties": Object {
         "GroupDescription": "Allow all outbound HTTPS traffic",

diff --git a/cdk/lib/cdk-playground.ts b/cdk/lib/cdk-playground.ts
@@ -1,9 +1,10 @@
 import { GuApiLambda, GuPlayApp } from '@guardian/cdk';
 import { AccessScope } from '@guardian/cdk/lib/constants/access';
 import { GuCertificate } from '@guardian/cdk/lib/constructs/acm';
-import type { GuStackProps } from '@guardian/cdk/lib/constructs/core';
-import { GuStack } from '@guardian/cdk/lib/constructs/core';
+import type {GuStackProps} from '@guardian/cdk/lib/constructs/core';
+import { GuStack, GuStringParameter } from '@guardian/cdk/lib/constructs/core';
 import { GuCname } from '@guardian/cdk/lib/constructs/dns';
+import { GuFastlyLogsIamRole } from "@guardian/cdk/lib/constructs/iam";
 import type { App } from 'aws-cdk-lib';
 import { Duration } from 'aws-cdk-lib';
 import { InstanceClass, InstanceSize, InstanceType } from 'aws-cdk-lib/aws-ec2';
@@ -66,6 +67,17 @@ export class CdkPlayground extends GuStack {
       resourceRecord: 'dualstack.guardian.map.fastly.net',
     });
 
+    // Similarly, we are creating this role to support log shipping from Fastly.
+    // It will also be removed once testing is complete.
+    const fastlyBucketParameterKey = `/${this.stage}/${this.stack}/${ec2App}/fastly-logs-bucket`
+    new GuFastlyLogsIamRole(this, {
+      bucketName: new GuStringParameter(this, 'FastlyBucket', {
+        fromSSM: true,
+        allowedValues: [fastlyBucketParameterKey],
+        default: fastlyBucketParameterKey,
+      }).valueAsString
+    });
+
 		const lambdaApp = 'cdk-playground-lambda';
 		const lambdaDomainName = 'cdk-playground-lambda.gutools.co.uk';