@gradientedge/cdk-utils 5.7.0 → 5.10.0

package/dist/src/lib/common/stack.js

@@ -82,8 +82,10 @@ class CommonStack extends cdk.Stack {
      */
     determineExtraContexts() {
         const extraContexts = this.node.tryGetContext('extraContexts');
+        const debug = this.node.tryGetContext('debug');
         if (!extraContexts) {
-            console.info(`No additional contexts provided. Using default context properties from cdk.json`);
+            if (debug)
+                console.debug(`No additional contexts provided. Using default context properties from cdk.json`);
             return;
         }
         extraContexts.forEach((context) => {
@@ -93,7 +95,8 @@ class CommonStack extends cdk.Stack {
                 throw `Extra context properties unavailable in path:${extraContextPath}`;
             /* read the extra properties */
             const extraContextPropsBuffer = fs.readFileSync(extraContextPath);
-            console.info(`Adding additional contexts provided in ${extraContextPath}`);
+            if (debug)
+                console.debug(`Adding additional contexts provided in ${extraContextPath}`);
             /* parse as JSON properties */
             const extraContextProps = JSON.parse(extraContextPropsBuffer);
             /* set each of the property into the cdk node context */
@@ -111,18 +114,23 @@ class CommonStack extends cdk.Stack {
         const stage = this.node.tryGetContext('stage');
         const stageContextPath = this.node.tryGetContext('stageContextPath') || 'cdkEnv';
         const stageContextFilePath = `${appRoot.path}/${stageContextPath}/${stage}.json`;
+        const debug = this.node.tryGetContext('debug');
         if ((0, utils_1.isDevStage)(stage)) {
-            console.info(`Development stage. Using default stage context properties`);
+            if (debug)
+                console.debug(`Development stage. Using default stage context properties`);
         }
         /* alert default context usage when extra stage config is missing */
         if (!fs.existsSync(stageContextFilePath)) {
-            console.info(`Stage specific context properties unavailable in path:${stageContextFilePath}`);
-            console.info(`Using default stage context properties for ${stage} stage`);
+            if (debug)
+                console.debug(`Stage specific context properties unavailable in path:${stageContextFilePath}`);
+            if (debug)
+                console.debug(`Using default stage context properties for ${stage} stage`);
             return;
         }
         /* read the extra properties */
         const stageContextPropsBuffer = fs.readFileSync(stageContextFilePath);
-        console.info(`Adding additional stage contexts provided in ${stageContextFilePath}`);
+        if (debug)
+            console.debug(`Adding additional stage contexts provided in ${stageContextFilePath}`);
         /* parse as JSON properties */
         const stageContextProps = JSON.parse(stageContextPropsBuffer);
         /* set each of the property into the cdk node context */

package/dist/src/lib/construct/api-to-eventbridge-target/main.js

@@ -477,6 +477,10 @@ class ApiToEventBridgeTarget extends common_1.CommonConstruct {
             this.apiDestinedRestApi.api = apig.RestApi.fromRestApiId(this, `${this.id}-sns-rest-api`, cdk.Fn.importValue(this.props.api.importedRestApiRef));
             return;
         }
+        const accessLogGroup = this.logManager.createLogGroup(`${this.id}-sns-rest-api-access-log`, this, {
+            logGroupName: `/custom/api/${this.id}-destined-rest-api-access-${this.props.stage}`,
+            removalPolicy: cdk.RemovalPolicy.DESTROY,
+        });
         this.apiDestinedRestApi.api = new apig.RestApi(this, `${this.id}-sns-rest-api`, {
             ...{
                 defaultIntegration: this.apiDestinedRestApi.integration,
@@ -489,6 +493,8 @@ class ApiToEventBridgeTarget extends common_1.CommonConstruct {
                     loggingLevel: apig.MethodLoggingLevel.INFO,
                     metricsEnabled: true,
                     stageName: this.props.stage,
+                    accessLogDestination: new apig.LogGroupLogDestination(accessLogGroup),
+                    accessLogFormat: apig.AccessLogFormat.jsonWithStandardFields(),
                 },
                 endpointConfiguration: {
                     types: [apig.EndpointType.REGIONAL],

package/dist/src/lib/manager/aws/iam-manager.d.ts

@@ -30,12 +30,14 @@ export declare class IamManager {
     /**
      * @summary Method to create iam statement to read secrets
      * @param {common.CommonConstruct} scope scope in which this resource is defined
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForReadSecrets(scope: common.CommonConstruct): cdk.aws_iam.PolicyStatement;
+    statementForReadSecrets(scope: common.CommonConstruct, resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to put events
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForPutEvents(): cdk.aws_iam.PolicyStatement;
+    statementForPutEvents(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to invoke lambda function
      * @param {string[]} resourceArns list of ARNs to allow access to
@@ -43,8 +45,9 @@ export declare class IamManager {
     statementForInvokeLambda(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to read app config
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForReadAnyAppConfig(): cdk.aws_iam.PolicyStatement;
+    statementForReadAnyAppConfig(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to list s3 buckets
      * @param {common.CommonConstruct} scope scope in which this resource is defined
@@ -53,38 +56,45 @@ export declare class IamManager {
     statementForListBucket(scope: common.CommonConstruct, bucket: s3.IBucket): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to list all s3 buckets
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForListAllMyBuckets(): cdk.aws_iam.PolicyStatement;
+    statementForListAllMyBuckets(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to get s3 objects in buckets
      * @param {common.CommonConstruct} scope scope in which this resource is defined
      * @param {s3.IBucket} bucket
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForGetAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket): cdk.aws_iam.PolicyStatement;
+    statementForGetAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket, resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to delete s3 objects in buckets
      * @param {common.CommonConstruct} scope scope in which this resource is defined
      * @param {s3.IBucket} bucket
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForDeleteAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket): cdk.aws_iam.PolicyStatement;
+    statementForDeleteAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket, resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to write s3 objects in buckets
      * @param {common.CommonConstruct} scope scope in which this resource is defined
      * @param {s3.IBucket} bucket
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForPutAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket): cdk.aws_iam.PolicyStatement;
+    statementForPutAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket, resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to pass iam role
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForPassRole(): cdk.aws_iam.PolicyStatement;
+    statementForPassRole(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to invalidate cloudfront cache
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForCloudfrontInvalidation(): cdk.aws_iam.PolicyStatement;
+    statementForCloudfrontInvalidation(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam policy to invalidate cloudfront cache
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    policyForCloudfrontInvalidation(): cdk.aws_iam.PolicyDocument;
+    policyForCloudfrontInvalidation(resourceArns?: string[]): cdk.aws_iam.PolicyDocument;
     /**
      * @summary Method to create iam role to invalidate cloudfront cache
      * @param {string} id scoped id of the resource
@@ -99,8 +109,9 @@ export declare class IamManager {
     statementForAssumeRole(scope: common.CommonConstruct, servicePrincipals: iam.ServicePrincipal[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to pass ecs role
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForEcsPassRole(): cdk.aws_iam.PolicyStatement;
+    statementForEcsPassRole(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to run ecs task
      * @param {common.CommonConstruct} scope scope in which this resource is defined
@@ -116,8 +127,9 @@ export declare class IamManager {
     statementForCreateLogStream(scope: common.CommonConstruct, logGroup: logs.CfnLogGroup): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to create any log stream
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForCreateAnyLogStream(): cdk.aws_iam.PolicyStatement;
+    statementForCreateAnyLogStream(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to write log events
      * @param {common.CommonConstruct} scope scope in which this resource is defined
@@ -126,12 +138,14 @@ export declare class IamManager {
     statementForPutLogEvent(scope: common.CommonConstruct, logGroup: logs.CfnLogGroup): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to write any log events
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForPutAnyLogEvent(): cdk.aws_iam.PolicyStatement;
+    statementForPutAnyLogEvent(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement to read items from dynamodb table
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForReadTableItems(): cdk.aws_iam.PolicyStatement;
+    statementForReadTableItems(resourceArns?: string[]): cdk.aws_iam.PolicyStatement;
     /**
      * @summary Method to create iam statement for cloud trail
      * @param {string} id scoped id of the resource
@@ -174,7 +188,9 @@ export declare class IamManager {
      * @summary Method to create iam policy for sqs
      * @param {string} id scoped id of the resource
      * @param {common.CommonConstruct} scope scope in which this resource is defined
-     * @param {iam.ServicePrincipal} servicePrinicpal
+     * @param sqsQueue
+     * @param eventBridgeRule
+     * @param servicePrincipals
      */
     createPolicyForSqsEvent(id: string, scope: common.CommonConstruct, sqsQueue: sqs.Queue, eventBridgeRule: events.IRule, servicePrincipals?: iam.ServicePrincipal[]): cdk.aws_iam.PolicyDocument;
 }

package/dist/src/lib/manager/aws/iam-manager.js

@@ -51,22 +51,26 @@ class IamManager {
     /**
      * @summary Method to create iam statement to read secrets
      * @param {common.CommonConstruct} scope scope in which this resource is defined
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForReadSecrets(scope) {
+    statementForReadSecrets(scope, resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['secretsmanager:GetSecretValue'],
-            resources: [`arn:aws:secretsmanager:${cdk.Stack.of(scope).region}:${cdk.Stack.of(scope).account}:secret:*`],
+            resources: resourceArns ?? [
+                `arn:aws:secretsmanager:${cdk.Stack.of(scope).region}:${cdk.Stack.of(scope).account}:secret:*`,
+            ],
         });
     }
     /**
      * @summary Method to create iam statement to put events
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForPutEvents() {
+    statementForPutEvents(resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['events:PutEvents'],
-            resources: ['*'],
+            resources: resourceArns ?? ['*'],
         });
     }
     /**
@@ -82,8 +86,9 @@ class IamManager {
     }
     /**
      * @summary Method to create iam statement to read app config
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForReadAnyAppConfig() {
+    statementForReadAnyAppConfig(resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: [
@@ -100,7 +105,7 @@ class IamManager {
                 'appconfig:GetConfiguration',
                 'appconfig:ListDeployments',
             ],
-            resources: ['*'],
+            resources: resourceArns ?? ['*'],
         });
     }
     /**
@@ -117,74 +122,81 @@ class IamManager {
     }
     /**
      * @summary Method to create iam statement to list all s3 buckets
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForListAllMyBuckets() {
+    statementForListAllMyBuckets(resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['s3:ListAllMyBuckets'],
-            resources: ['*'],
+            resources: resourceArns ?? ['*'],
         });
     }
     /**
      * @summary Method to create iam statement to get s3 objects in buckets
      * @param {common.CommonConstruct} scope scope in which this resource is defined
      * @param {s3.IBucket} bucket
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForGetAnyS3Objects(scope, bucket) {
+    statementForGetAnyS3Objects(scope, bucket, resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['s3:GetObject', 's3:GetObjectAcl'],
-            resources: [bucket.arnForObjects(`*`)],
+            resources: resourceArns ?? [bucket.arnForObjects(`*`)],
         });
     }
     /**
      * @summary Method to create iam statement to delete s3 objects in buckets
      * @param {common.CommonConstruct} scope scope in which this resource is defined
      * @param {s3.IBucket} bucket
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForDeleteAnyS3Objects(scope, bucket) {
+    statementForDeleteAnyS3Objects(scope, bucket, resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['s3:DeleteObject'],
-            resources: [bucket.arnForObjects(`*`)],
+            resources: resourceArns ?? [bucket.arnForObjects(`*`)],
         });
     }
     /**
      * @summary Method to create iam statement to write s3 objects in buckets
      * @param {common.CommonConstruct} scope scope in which this resource is defined
      * @param {s3.IBucket} bucket
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForPutAnyS3Objects(scope, bucket) {
+    statementForPutAnyS3Objects(scope, bucket, resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['s3:PutObject', 's3:PutObjectAcl'],
-            resources: [bucket.arnForObjects(`*`)],
+            resources: resourceArns ?? [bucket.arnForObjects(`*`)],
         });
     }
     /**
      * @summary Method to create iam statement to pass iam role
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForPassRole() {
+    statementForPassRole(resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['iam:PassRole'],
-            resources: ['*'],
+            resources: resourceArns ?? ['*'],
         });
     }
     /**
      * @summary Method to create iam statement to invalidate cloudfront cache
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForCloudfrontInvalidation() {
+    statementForCloudfrontInvalidation(resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['cloudfront:GetInvalidation', 'cloudfront:CreateInvalidation'],
-            resources: ['*'],
+            resources: resourceArns ?? ['*'],
         });
     }
     /**
      * @summary Method to create iam policy to invalidate cloudfront cache
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    policyForCloudfrontInvalidation() {
+    policyForCloudfrontInvalidation(resourceArns) {
         return new iam.PolicyDocument({
             statements: [
                 this.statementForCreateAnyLogStream(),
@@ -198,7 +210,7 @@ class IamManager {
                         'ecr:BatchCheckLayerAvailability',
                         'ecr:GetAuthorizationToken',
                     ],
-                    resources: ['*'],
+                    resources: resourceArns ?? ['*'],
                 }),
             ],
         });
@@ -230,12 +242,13 @@ class IamManager {
     }
     /**
      * @summary Method to create iam statement to pass ecs role
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForEcsPassRole() {
+    statementForEcsPassRole(resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['iam:PassRole'],
-            resources: ['*'],
+            resources: resourceArns ?? ['*'],
             conditions: { StringLike: { 'iam:PassedToService': 'ecs-tasks.amazonaws.com' } },
         });
     }
@@ -270,12 +283,13 @@ class IamManager {
     }
     /**
      * @summary Method to create iam statement to create any log stream
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForCreateAnyLogStream() {
+    statementForCreateAnyLogStream(resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['logs:CreateLogStream'],
-            resources: ['*'],
+            resources: resourceArns ?? ['*'],
         });
     }
     /**
@@ -295,18 +309,20 @@ class IamManager {
     }
     /**
      * @summary Method to create iam statement to write any log events
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForPutAnyLogEvent() {
+    statementForPutAnyLogEvent(resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: ['logs:PutLogEvents'],
-            resources: ['*'],
+            resources: resourceArns ?? ['*'],
         });
     }
     /**
      * @summary Method to create iam statement to read items from dynamodb table
+     * @param {string[]} resourceArns list of ARNs to allow access to
      */
-    statementForReadTableItems() {
+    statementForReadTableItems(resourceArns) {
         return new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: [
@@ -318,7 +334,7 @@ class IamManager {
                 'dynamodb:Query',
                 'dynamodb:GetRecords',
             ],
-            resources: ['*'],
+            resources: resourceArns ?? ['*'],
         });
     }
     /**
@@ -434,10 +450,12 @@ class IamManager {
      * @summary Method to create iam policy for sqs
      * @param {string} id scoped id of the resource
      * @param {common.CommonConstruct} scope scope in which this resource is defined
-     * @param {iam.ServicePrincipal} servicePrinicpal
+     * @param sqsQueue
+     * @param eventBridgeRule
+     * @param servicePrincipals
      */
     createPolicyForSqsEvent(id, scope, sqsQueue, eventBridgeRule, servicePrincipals) {
-        const policy = new iam.PolicyDocument({
+        return new iam.PolicyDocument({
             statements: [
                 new iam.PolicyStatement({
                     actions: ['sqs:*'],
@@ -452,7 +470,6 @@ class IamManager {
                 }),
             ],
         });
-        return policy;
     }
 }
 exports.IamManager = IamManager;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gradientedge/cdk-utils",
-  "version": "5.7.0",
+  "version": "5.10.0",
   "description": "Utilities for AWS CDK provisioning",
   "main": "dist/index.js",
   "engines": {
@@ -46,11 +46,11 @@
   },
   "dependencies": {
     "@types/lodash": "^4.14.182",
-    "@types/node": "^17.0.42",
+    "@types/node": "^18.0.0",
     "app-root-path": "^3.0.0",
-    "aws-cdk-lib": "^2.27.0",
-    "aws-sdk": "^2.1153.0",
-    "constructs": "^10.1.39",
+    "aws-cdk-lib": "^2.28.1",
+    "aws-sdk": "^2.1158.0",
+    "constructs": "^10.1.42",
     "lodash": "^4.17.21",
     "moment": "^2.29.3",
     "nconf": "^0.12.0",
@@ -59,16 +59,16 @@
   },
   "devDependencies": {
     "@babel/plugin-proposal-class-properties": "^7.17.12",
-    "@types/jest": "^28.1.1",
-    "@typescript-eslint/eslint-plugin": "^5.28.0",
-    "@typescript-eslint/parser": "^5.28.0",
+    "@types/jest": "^28.1.2",
+    "@typescript-eslint/eslint-plugin": "^5.29.0",
+    "@typescript-eslint/parser": "^5.29.0",
     "aws-cdk": "*",
     "babel-eslint": "^10.1.0",
     "better-docs": "^2.7.2",
     "codecov": "^3.8.3",
     "commitizen": "^4.2.4",
     "dotenv": "^16.0.1",
-    "eslint": "^8.17.0",
+    "eslint": "^8.18.0",
     "eslint-config-prettier": "^8.5.0",
     "eslint-plugin-import": "^2.26.0",
     "husky": "^8.0.1",
@@ -78,20 +78,20 @@
     "jsdoc": "^3.6.10",
     "jsdoc-babel": "^0.5.0",
     "jsdoc-mermaid": "^1.0.0",
-    "lerna": "^5.1.2",
-    "prettier": "^2.7.0",
-    "prettier-plugin-organize-imports": "^2.3.4",
+    "lerna": "^5.1.4",
+    "prettier": "^2.7.1",
+    "prettier-plugin-organize-imports": "^3.0.0",
     "rimraf": "^3.0.2",
     "semantic-release": "^19.0.3",
     "ts-jest": "^28.0.5",
     "ts-node": "^10.8.1",
-    "typescript": "4.7.3"
+    "typescript": "4.7.4"
   },
   "optionalDependencies": {
     "@babel/core": "^7.18.5",
     "prop-types": "^15.8.1",
-    "react": "^18.1.0",
-    "react-dom": "^18.1.0"
+    "react": "^17.0.2",
+    "react-dom": "^17.0.2"
   },
   "config": {
     "commitizen": {

package/src/lib/common/stack.ts

@@ -66,9 +66,10 @@ export class CommonStack extends cdk.Stack {
    */
   protected determineExtraContexts() {
     const extraContexts = this.node.tryGetContext('extraContexts')
+    const debug = this.node.tryGetContext('debug')
 
     if (!extraContexts) {
-      console.info(`No additional contexts provided. Using default context properties from cdk.json`)
+      if (debug) console.debug(`No additional contexts provided. Using default context properties from cdk.json`)
       return
     }
 
@@ -80,7 +81,7 @@ export class CommonStack extends cdk.Stack {
 
       /* read the extra properties */
       const extraContextPropsBuffer = fs.readFileSync(extraContextPath)
-      console.info(`Adding additional contexts provided in ${extraContextPath}`)
+      if (debug) console.debug(`Adding additional contexts provided in ${extraContextPath}`)
 
       /* parse as JSON properties */
       const extraContextProps = JSON.parse(extraContextPropsBuffer)
@@ -101,21 +102,22 @@ export class CommonStack extends cdk.Stack {
     const stage = this.node.tryGetContext('stage')
     const stageContextPath = this.node.tryGetContext('stageContextPath') || 'cdkEnv'
     const stageContextFilePath = `${appRoot.path}/${stageContextPath}/${stage}.json`
+    const debug = this.node.tryGetContext('debug')
 
     if (isDevStage(stage)) {
-      console.info(`Development stage. Using default stage context properties`)
+      if (debug) console.debug(`Development stage. Using default stage context properties`)
     }
 
     /* alert default context usage when extra stage config is missing */
     if (!fs.existsSync(stageContextFilePath)) {
-      console.info(`Stage specific context properties unavailable in path:${stageContextFilePath}`)
-      console.info(`Using default stage context properties for ${stage} stage`)
+      if (debug) console.debug(`Stage specific context properties unavailable in path:${stageContextFilePath}`)
+      if (debug) console.debug(`Using default stage context properties for ${stage} stage`)
       return
     }
 
     /* read the extra properties */
     const stageContextPropsBuffer = fs.readFileSync(stageContextFilePath)
-    console.info(`Adding additional stage contexts provided in ${stageContextFilePath}`)
+    if (debug) console.debug(`Adding additional stage contexts provided in ${stageContextFilePath}`)
 
     /* parse as JSON properties */
     const stageContextProps = JSON.parse(stageContextPropsBuffer)

package/src/lib/construct/api-to-eventbridge-target/main.ts

@@ -532,6 +532,12 @@ export class ApiToEventBridgeTarget extends CommonConstruct {
       )
       return
     }
+
+    const accessLogGroup = this.logManager.createLogGroup(`${this.id}-sns-rest-api-access-log`, this, {
+      logGroupName: `/custom/api/${this.id}-destined-rest-api-access-${this.props.stage}`,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+    })
+
     this.apiDestinedRestApi.api = new apig.RestApi(this, `${this.id}-sns-rest-api`, {
       ...{
         defaultIntegration: this.apiDestinedRestApi.integration,
@@ -544,6 +550,8 @@ export class ApiToEventBridgeTarget extends CommonConstruct {
           loggingLevel: apig.MethodLoggingLevel.INFO,
           metricsEnabled: true,
           stageName: this.props.stage,
+          accessLogDestination: new apig.LogGroupLogDestination(accessLogGroup),
+          accessLogFormat: apig.AccessLogFormat.jsonWithStandardFields(),
         },
         endpointConfiguration: {
           types: [apig.EndpointType.REGIONAL],

package/src/lib/manager/aws/iam-manager.ts

@@ -32,23 +32,27 @@ export class IamManager {
   /**
    * @summary Method to create iam statement to read secrets
    * @param {common.CommonConstruct} scope scope in which this resource is defined
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForReadSecrets(scope: common.CommonConstruct) {
+  public statementForReadSecrets(scope: common.CommonConstruct, resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['secretsmanager:GetSecretValue'],
-      resources: [`arn:aws:secretsmanager:${cdk.Stack.of(scope).region}:${cdk.Stack.of(scope).account}:secret:*`],
+      resources: resourceArns ?? [
+        `arn:aws:secretsmanager:${cdk.Stack.of(scope).region}:${cdk.Stack.of(scope).account}:secret:*`,
+      ],
     })
   }
 
   /**
    * @summary Method to create iam statement to put events
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForPutEvents() {
+  public statementForPutEvents(resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['events:PutEvents'],
-      resources: ['*'],
+      resources: resourceArns ?? ['*'],
     })
   }
 
@@ -66,8 +70,9 @@ export class IamManager {
 
   /**
    * @summary Method to create iam statement to read app config
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForReadAnyAppConfig() {
+  public statementForReadAnyAppConfig(resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: [
@@ -84,7 +89,7 @@ export class IamManager {
         'appconfig:GetConfiguration',
         'appconfig:ListDeployments',
       ],
-      resources: ['*'],
+      resources: resourceArns ?? ['*'],
     })
   }
 
@@ -103,12 +108,13 @@ export class IamManager {
 
   /**
    * @summary Method to create iam statement to list all s3 buckets
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForListAllMyBuckets() {
+  public statementForListAllMyBuckets(resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['s3:ListAllMyBuckets'],
-      resources: ['*'],
+      resources: resourceArns ?? ['*'],
     })
   }
 
@@ -116,12 +122,13 @@ export class IamManager {
    * @summary Method to create iam statement to get s3 objects in buckets
    * @param {common.CommonConstruct} scope scope in which this resource is defined
    * @param {s3.IBucket} bucket
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForGetAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket) {
+  public statementForGetAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket, resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['s3:GetObject', 's3:GetObjectAcl'],
-      resources: [bucket.arnForObjects(`*`)],
+      resources: resourceArns ?? [bucket.arnForObjects(`*`)],
     })
   }
 
@@ -129,12 +136,13 @@ export class IamManager {
    * @summary Method to create iam statement to delete s3 objects in buckets
    * @param {common.CommonConstruct} scope scope in which this resource is defined
    * @param {s3.IBucket} bucket
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForDeleteAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket) {
+  public statementForDeleteAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket, resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['s3:DeleteObject'],
-      resources: [bucket.arnForObjects(`*`)],
+      resources: resourceArns ?? [bucket.arnForObjects(`*`)],
     })
   }
 
@@ -142,41 +150,45 @@ export class IamManager {
    * @summary Method to create iam statement to write s3 objects in buckets
    * @param {common.CommonConstruct} scope scope in which this resource is defined
    * @param {s3.IBucket} bucket
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForPutAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket) {
+  public statementForPutAnyS3Objects(scope: common.CommonConstruct, bucket: s3.IBucket, resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['s3:PutObject', 's3:PutObjectAcl'],
-      resources: [bucket.arnForObjects(`*`)],
+      resources: resourceArns ?? [bucket.arnForObjects(`*`)],
     })
   }
 
   /**
    * @summary Method to create iam statement to pass iam role
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForPassRole() {
+  public statementForPassRole(resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['iam:PassRole'],
-      resources: ['*'],
+      resources: resourceArns ?? ['*'],
     })
   }
 
   /**
    * @summary Method to create iam statement to invalidate cloudfront cache
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForCloudfrontInvalidation() {
+  public statementForCloudfrontInvalidation(resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['cloudfront:GetInvalidation', 'cloudfront:CreateInvalidation'],
-      resources: ['*'],
+      resources: resourceArns ?? ['*'],
     })
   }
 
   /**
    * @summary Method to create iam policy to invalidate cloudfront cache
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public policyForCloudfrontInvalidation() {
+  public policyForCloudfrontInvalidation(resourceArns?: string[]) {
     return new iam.PolicyDocument({
       statements: [
         this.statementForCreateAnyLogStream(),
@@ -190,7 +202,7 @@ export class IamManager {
             'ecr:BatchCheckLayerAvailability',
             'ecr:GetAuthorizationToken',
           ],
-          resources: ['*'],
+          resources: resourceArns ?? ['*'],
         }),
       ],
     })
@@ -225,12 +237,13 @@ export class IamManager {
 
   /**
    * @summary Method to create iam statement to pass ecs role
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForEcsPassRole() {
+  public statementForEcsPassRole(resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['iam:PassRole'],
-      resources: ['*'],
+      resources: resourceArns ?? ['*'],
       conditions: { StringLike: { 'iam:PassedToService': 'ecs-tasks.amazonaws.com' } },
     })
   }
@@ -270,12 +283,13 @@ export class IamManager {
 
   /**
    * @summary Method to create iam statement to create any log stream
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForCreateAnyLogStream() {
+  public statementForCreateAnyLogStream(resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['logs:CreateLogStream'],
-      resources: ['*'],
+      resources: resourceArns ?? ['*'],
     })
   }
 
@@ -299,19 +313,21 @@ export class IamManager {
 
   /**
    * @summary Method to create iam statement to write any log events
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForPutAnyLogEvent() {
+  public statementForPutAnyLogEvent(resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['logs:PutLogEvents'],
-      resources: ['*'],
+      resources: resourceArns ?? ['*'],
     })
   }
 
   /**
    * @summary Method to create iam statement to read items from dynamodb table
+   * @param {string[]} resourceArns list of ARNs to allow access to
    */
-  public statementForReadTableItems() {
+  public statementForReadTableItems(resourceArns?: string[]) {
     return new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: [
@@ -323,7 +339,7 @@ export class IamManager {
         'dynamodb:Query',
         'dynamodb:GetRecords',
       ],
-      resources: ['*'],
+      resources: resourceArns ?? ['*'],
     })
   }
 
@@ -483,7 +499,9 @@ export class IamManager {
    * @summary Method to create iam policy for sqs
    * @param {string} id scoped id of the resource
    * @param {common.CommonConstruct} scope scope in which this resource is defined
-   * @param {iam.ServicePrincipal} servicePrinicpal
+   * @param sqsQueue
+   * @param eventBridgeRule
+   * @param servicePrincipals
    */
   public createPolicyForSqsEvent(
     id: string,
@@ -492,7 +510,7 @@ export class IamManager {
     eventBridgeRule: events.IRule,
     servicePrincipals?: iam.ServicePrincipal[]
   ) {
-    const policy = new iam.PolicyDocument({
+    return new iam.PolicyDocument({
       statements: [
         new iam.PolicyStatement({
           actions: ['sqs:*'],
@@ -507,7 +525,5 @@ export class IamManager {
         }),
       ],
     })
-
-    return policy
   }
 }