@jaypie/constructs 1.2.47 → 1.2.49

package/dist/cjs/JaypieDistribution.d.ts

@@ -42,6 +42,30 @@ export interface JaypieWafConfig {
      * }
      */
     managedRuleOverrides?: Record<string, wafv2.CfnWebACL.RuleActionOverrideProperty[]>;
+    /**
+     * Optional scope-down statements per managed rule group. When supplied,
+     * the managed rule group only evaluates requests that match the
+     * scope-down statement. Key is the managed rule group name; value is a
+     * `CfnWebACL.StatementProperty`.
+     *
+     * @example
+     * // Only run AWSManagedRulesCommonRuleSet for non-/chat paths
+     * managedRuleScopeDowns: {
+     *   AWSManagedRulesCommonRuleSet: {
+     *     notStatement: {
+     *       statement: {
+     *         byteMatchStatement: {
+     *           fieldToMatch: { uriPath: {} },
+     *           positionalConstraint: "STARTS_WITH",
+     *           searchString: "/chat",
+     *           textTransformations: [{ priority: 0, type: "NONE" }],
+     *         },
+     *       },
+     *     },
+     *   },
+     * }
+     */
+    managedRuleScopeDowns?: Record<string, wafv2.CfnWebACL.StatementProperty>;
     /**
      * Managed rule group names to apply
      * @default ["AWSManagedRulesCommonRuleSet", "AWSManagedRulesKnownBadInputsRuleSet"]

package/dist/cjs/JaypieHostedZone.d.ts

@@ -46,6 +46,15 @@ interface JaypieHostedZoneProps {
      * Each record will be created as a JaypieDnsRecord construct
      */
     records?: JaypieHostedZoneRecordProps[];
+    /**
+     * Control the CloudWatch Logs resource policy that grants Route53 permission
+     * to write query logs. Defaults to `true`, which ensures a single
+     * stack-level wildcard policy covering every `/aws/route53/*` log group.
+     * Set to `false` to skip creating a managed policy (useful when an
+     * account-wide policy is provisioned externally).
+     * @default true
+     */
+    queryLoggingPolicy?: boolean;
 }
 export declare class JaypieHostedZone extends Construct {
     readonly hostedZone: IHostedZone;

package/dist/cjs/helpers/ensureRoute53QueryLoggingPolicy.d.ts

@@ -0,0 +1,12 @@
+import { CfnResourcePolicy } from "aws-cdk-lib/aws-logs";
+import { Construct } from "constructs";
+/**
+ * Create (or return the existing) stack-level CloudWatch Logs resource policy
+ * that grants Route53 permission to write query logs to any `/aws/route53/*`
+ * log group in the stack's account and region.
+ *
+ * Consolidates what would otherwise be one `AWS::Logs::ResourcePolicy` per
+ * hosted zone into a single wildcard policy, keeping the stack well clear of
+ * the 10-resource-policy-per-region account quota.
+ */
+export declare function ensureRoute53QueryLoggingPolicy(scope: Construct): CfnResourcePolicy;

package/dist/cjs/helpers/index.d.ts

@@ -5,6 +5,7 @@ export { constructTagger } from "./constructTagger";
 export { envHostname, HostConfig } from "./envHostname";
 export { extendDatadogRole, ExtendDatadogRoleOptions, } from "./extendDatadogRole";
 export { clearAllCertificateCaches, clearCertificateCache, resolveCertificate, ResolveCertificateOptions, } from "./resolveCertificate";
+export { ensureRoute53QueryLoggingPolicy } from "./ensureRoute53QueryLoggingPolicy";
 export { isEnv, isProductionEnv, isSandboxEnv } from "./isEnv";
 export { isValidHostname } from "./isValidHostname";
 export { isValidSubdomain } from "./isValidSubdomain";

package/dist/cjs/index.cjs

@@ -11,12 +11,12 @@ var datadogCdkConstructsV2 = require('datadog-cdk-constructs-v2');
 var errors = require('@jaypie/errors');
 var awsIam = require('aws-cdk-lib/aws-iam');
 var acm = require('aws-cdk-lib/aws-certificatemanager');
+var logs = require('aws-cdk-lib/aws-logs');
 var lambda = require('aws-cdk-lib/aws-lambda');
 var logDestinations = require('aws-cdk-lib/aws-logs-destinations');
 var s3n = require('aws-cdk-lib/aws-s3-notifications');
 var sqs = require('aws-cdk-lib/aws-sqs');
 var lambdaEventSources = require('aws-cdk-lib/aws-lambda-event-sources');
-var logs = require('aws-cdk-lib/aws-logs');
 var awsEvents = require('aws-cdk-lib/aws-events');
 var awsEventsTargets = require('aws-cdk-lib/aws-events-targets');
 var cloudfront = require('aws-cdk-lib/aws-cloudfront');
@@ -57,12 +57,12 @@ var route53__namespace = /*#__PURE__*/_interopNamespaceDefault(route53);
 var route53Targets__namespace = /*#__PURE__*/_interopNamespaceDefault(route53Targets);
 var secretsmanager__namespace = /*#__PURE__*/_interopNamespaceDefault(secretsmanager);
 var acm__namespace = /*#__PURE__*/_interopNamespaceDefault(acm);
+var logs__namespace = /*#__PURE__*/_interopNamespaceDefault(logs);
 var lambda__namespace = /*#__PURE__*/_interopNamespaceDefault(lambda);
 var logDestinations__namespace = /*#__PURE__*/_interopNamespaceDefault(logDestinations);
 var s3n__namespace = /*#__PURE__*/_interopNamespaceDefault(s3n);
 var sqs__namespace = /*#__PURE__*/_interopNamespaceDefault(sqs);
 var lambdaEventSources__namespace = /*#__PURE__*/_interopNamespaceDefault(lambdaEventSources);
-var logs__namespace = /*#__PURE__*/_interopNamespaceDefault(logs);
 var cloudfront__namespace = /*#__PURE__*/_interopNamespaceDefault(cloudfront);
 var origins__namespace = /*#__PURE__*/_interopNamespaceDefault(origins);
 var wafv2__namespace = /*#__PURE__*/_interopNamespaceDefault(wafv2);
@@ -587,6 +587,40 @@ function clearAllCertificateCaches() {
     // but stacks going out of scope will be garbage collected anyway
 }
 
+const SINGLETON_ID = "JaypieRoute53QueryLoggingPolicy";
+const ROUTE53_LOG_GROUP_PREFIX = "/aws/route53";
+const ROUTE53_SERVICE_PRINCIPAL = "route53.amazonaws.com";
+/**
+ * Create (or return the existing) stack-level CloudWatch Logs resource policy
+ * that grants Route53 permission to write query logs to any `/aws/route53/*`
+ * log group in the stack's account and region.
+ *
+ * Consolidates what would otherwise be one `AWS::Logs::ResourcePolicy` per
+ * hosted zone into a single wildcard policy, keeping the stack well clear of
+ * the 10-resource-policy-per-region account quota.
+ */
+function ensureRoute53QueryLoggingPolicy(scope) {
+    const stack = cdk.Stack.of(scope);
+    const existing = stack.node.tryFindChild(SINGLETON_ID);
+    if (existing)
+        return existing;
+    const policyDocument = {
+        Version: "2012-10-17",
+        Statement: [
+            {
+                Effect: "Allow",
+                Principal: { Service: ROUTE53_SERVICE_PRINCIPAL },
+                Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
+                Resource: `arn:${stack.partition}:logs:${stack.region}:${stack.account}:log-group:${ROUTE53_LOG_GROUP_PREFIX}/*:*`,
+            },
+        ],
+    };
+    return new logs.CfnResourcePolicy(stack, SINGLETON_ID, {
+        policyName: `${stack.stackName}-Route53QueryLogging`,
+        policyDocument: JSON.stringify(policyDocument),
+    });
+}
+
 /**
  * Check if the current environment matches the given environment
  */
@@ -2655,12 +2689,13 @@ class JaypieDistribution extends constructs.Construct {
             }
             else {
                 // Create new WebACL
-                const { managedRuleOverrides, managedRules = DEFAULT_MANAGED_RULES, rateLimitPerIp = DEFAULT_RATE_LIMIT, } = wafConfig;
+                const { managedRuleOverrides, managedRuleScopeDowns, managedRules = DEFAULT_MANAGED_RULES, rateLimitPerIp = DEFAULT_RATE_LIMIT, } = wafConfig;
                 let priority = 0;
                 const rules = [];
                 // Add managed rule groups
                 for (const ruleName of managedRules) {
                     const ruleActionOverrides = managedRuleOverrides?.[ruleName];
+                    const scopeDownStatement = managedRuleScopeDowns?.[ruleName];
                     rules.push({
                         name: ruleName,
                         priority: priority++,
@@ -2670,6 +2705,7 @@ class JaypieDistribution extends constructs.Construct {
                                 name: ruleName,
                                 vendorName: "AWS",
                                 ...(ruleActionOverrides && { ruleActionOverrides }),
+                                ...(scopeDownStatement && { scopeDownStatement }),
                             },
                         },
                         visibilityConfig: {
@@ -3342,9 +3378,6 @@ class JaypieGitHubDeployRole extends constructs.Construct {
     }
 }
 
-const SERVICE = {
-    ROUTE53: "route53.amazonaws.com",
-};
 /**
  * Check if a string is a valid hostname
  */
@@ -3410,8 +3443,13 @@ class JaypieHostedZone extends constructs.Construct {
         if (project) {
             cdk__namespace.Tags.of(this.logGroup).add(CDK$2.TAG.PROJECT, project);
         }
-        // Grant Route 53 permissions to write to the log group
-        this.logGroup.grantWrite(new awsIam.ServicePrincipal(SERVICE.ROUTE53));
+        // Grant Route53 permission to write query logs via a single stack-level
+        // resource policy. Per-zone policies exhaust the CloudWatch Logs
+        // 10-policy-per-region account quota (issue #311).
+        const queryLoggingPolicy = props.queryLoggingPolicy ?? true;
+        if (queryLoggingPolicy) {
+            ensureRoute53QueryLoggingPolicy(this);
+        }
         // Add destination based on configuration
         if (destination !== false) {
             const lambdaDestination = destination === true
@@ -4899,6 +4937,7 @@ exports.clearSecretsCache = clearSecretsCache;
 exports.constructEnvName = constructEnvName;
 exports.constructStackName = constructStackName;
 exports.constructTagger = constructTagger;
+exports.ensureRoute53QueryLoggingPolicy = ensureRoute53QueryLoggingPolicy;
 exports.envHostname = envHostname;
 exports.extendDatadogRole = extendDatadogRole;
 exports.isEnv = isEnv;