@jaypie/constructs 1.2.47 → 1.2.49

package/dist/esm/JaypieDistribution.d.ts

@@ -42,6 +42,30 @@ export interface JaypieWafConfig {
      * }
      */
     managedRuleOverrides?: Record<string, wafv2.CfnWebACL.RuleActionOverrideProperty[]>;
+    /**
+     * Optional scope-down statements per managed rule group. When supplied,
+     * the managed rule group only evaluates requests that match the
+     * scope-down statement. Key is the managed rule group name; value is a
+     * `CfnWebACL.StatementProperty`.
+     *
+     * @example
+     * // Only run AWSManagedRulesCommonRuleSet for non-/chat paths
+     * managedRuleScopeDowns: {
+     *   AWSManagedRulesCommonRuleSet: {
+     *     notStatement: {
+     *       statement: {
+     *         byteMatchStatement: {
+     *           fieldToMatch: { uriPath: {} },
+     *           positionalConstraint: "STARTS_WITH",
+     *           searchString: "/chat",
+     *           textTransformations: [{ priority: 0, type: "NONE" }],
+     *         },
+     *       },
+     *     },
+     *   },
+     * }
+     */
+    managedRuleScopeDowns?: Record<string, wafv2.CfnWebACL.StatementProperty>;
     /**
      * Managed rule group names to apply
      * @default ["AWSManagedRulesCommonRuleSet", "AWSManagedRulesKnownBadInputsRuleSet"]

package/dist/esm/JaypieHostedZone.d.ts

@@ -46,6 +46,15 @@ interface JaypieHostedZoneProps {
      * Each record will be created as a JaypieDnsRecord construct
      */
     records?: JaypieHostedZoneRecordProps[];
+    /**
+     * Control the CloudWatch Logs resource policy that grants Route53 permission
+     * to write query logs. Defaults to `true`, which ensures a single
+     * stack-level wildcard policy covering every `/aws/route53/*` log group.
+     * Set to `false` to skip creating a managed policy (useful when an
+     * account-wide policy is provisioned externally).
+     * @default true
+     */
+    queryLoggingPolicy?: boolean;
 }
 export declare class JaypieHostedZone extends Construct {
     readonly hostedZone: IHostedZone;

package/dist/esm/helpers/ensureRoute53QueryLoggingPolicy.d.ts

@@ -0,0 +1,12 @@
+import { CfnResourcePolicy } from "aws-cdk-lib/aws-logs";
+import { Construct } from "constructs";
+/**
+ * Create (or return the existing) stack-level CloudWatch Logs resource policy
+ * that grants Route53 permission to write query logs to any `/aws/route53/*`
+ * log group in the stack's account and region.
+ *
+ * Consolidates what would otherwise be one `AWS::Logs::ResourcePolicy` per
+ * hosted zone into a single wildcard policy, keeping the stack well clear of
+ * the 10-resource-policy-per-region account quota.
+ */
+export declare function ensureRoute53QueryLoggingPolicy(scope: Construct): CfnResourcePolicy;

package/dist/esm/helpers/index.d.ts

@@ -5,6 +5,7 @@ export { constructTagger } from "./constructTagger";
 export { envHostname, HostConfig } from "./envHostname";
 export { extendDatadogRole, ExtendDatadogRoleOptions, } from "./extendDatadogRole";
 export { clearAllCertificateCaches, clearCertificateCache, resolveCertificate, ResolveCertificateOptions, } from "./resolveCertificate";
+export { ensureRoute53QueryLoggingPolicy } from "./ensureRoute53QueryLoggingPolicy";
 export { isEnv, isProductionEnv, isSandboxEnv } from "./isEnv";
 export { isValidHostname } from "./isValidHostname";
 export { isValidSubdomain } from "./isValidSubdomain";

package/dist/esm/index.js

@@ -12,14 +12,14 @@ import { DatadogLambda } from 'datadog-cdk-constructs-v2';
 import { ConfigurationError } from '@jaypie/errors';
 import { Role, PolicyStatement, Policy, FederatedPrincipal, Effect, ServicePrincipal, ManagedPolicy } from 'aws-cdk-lib/aws-iam';
 import * as acm from 'aws-cdk-lib/aws-certificatemanager';
+import * as logs from 'aws-cdk-lib/aws-logs';
+import { CfnResourcePolicy, LogGroup, RetentionDays, FilterPattern } from 'aws-cdk-lib/aws-logs';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
 import * as logDestinations from 'aws-cdk-lib/aws-logs-destinations';
 import * as s3n from 'aws-cdk-lib/aws-s3-notifications';
 import { LambdaDestination } from 'aws-cdk-lib/aws-s3-notifications';
 import * as sqs from 'aws-cdk-lib/aws-sqs';
 import * as lambdaEventSources from 'aws-cdk-lib/aws-lambda-event-sources';
-import * as logs from 'aws-cdk-lib/aws-logs';
-import { LogGroup, RetentionDays, FilterPattern } from 'aws-cdk-lib/aws-logs';
 import { Rule, RuleTargetInput } from 'aws-cdk-lib/aws-events';
 import { LambdaFunction } from 'aws-cdk-lib/aws-events-targets';
 import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
@@ -551,6 +551,40 @@ function clearAllCertificateCaches() {
     // but stacks going out of scope will be garbage collected anyway
 }
 
+const SINGLETON_ID = "JaypieRoute53QueryLoggingPolicy";
+const ROUTE53_LOG_GROUP_PREFIX = "/aws/route53";
+const ROUTE53_SERVICE_PRINCIPAL = "route53.amazonaws.com";
+/**
+ * Create (or return the existing) stack-level CloudWatch Logs resource policy
+ * that grants Route53 permission to write query logs to any `/aws/route53/*`
+ * log group in the stack's account and region.
+ *
+ * Consolidates what would otherwise be one `AWS::Logs::ResourcePolicy` per
+ * hosted zone into a single wildcard policy, keeping the stack well clear of
+ * the 10-resource-policy-per-region account quota.
+ */
+function ensureRoute53QueryLoggingPolicy(scope) {
+    const stack = Stack.of(scope);
+    const existing = stack.node.tryFindChild(SINGLETON_ID);
+    if (existing)
+        return existing;
+    const policyDocument = {
+        Version: "2012-10-17",
+        Statement: [
+            {
+                Effect: "Allow",
+                Principal: { Service: ROUTE53_SERVICE_PRINCIPAL },
+                Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
+                Resource: `arn:${stack.partition}:logs:${stack.region}:${stack.account}:log-group:${ROUTE53_LOG_GROUP_PREFIX}/*:*`,
+            },
+        ],
+    };
+    return new CfnResourcePolicy(stack, SINGLETON_ID, {
+        policyName: `${stack.stackName}-Route53QueryLogging`,
+        policyDocument: JSON.stringify(policyDocument),
+    });
+}
+
 /**
  * Check if the current environment matches the given environment
  */
@@ -2619,12 +2653,13 @@ class JaypieDistribution extends Construct {
             }
             else {
                 // Create new WebACL
-                const { managedRuleOverrides, managedRules = DEFAULT_MANAGED_RULES, rateLimitPerIp = DEFAULT_RATE_LIMIT, } = wafConfig;
+                const { managedRuleOverrides, managedRuleScopeDowns, managedRules = DEFAULT_MANAGED_RULES, rateLimitPerIp = DEFAULT_RATE_LIMIT, } = wafConfig;
                 let priority = 0;
                 const rules = [];
                 // Add managed rule groups
                 for (const ruleName of managedRules) {
                     const ruleActionOverrides = managedRuleOverrides?.[ruleName];
+                    const scopeDownStatement = managedRuleScopeDowns?.[ruleName];
                     rules.push({
                         name: ruleName,
                         priority: priority++,
@@ -2634,6 +2669,7 @@ class JaypieDistribution extends Construct {
                                 name: ruleName,
                                 vendorName: "AWS",
                                 ...(ruleActionOverrides && { ruleActionOverrides }),
+                                ...(scopeDownStatement && { scopeDownStatement }),
                             },
                         },
                         visibilityConfig: {
@@ -3306,9 +3342,6 @@ class JaypieGitHubDeployRole extends Construct {
     }
 }
 
-const SERVICE = {
-    ROUTE53: "route53.amazonaws.com",
-};
 /**
  * Check if a string is a valid hostname
  */
@@ -3374,8 +3407,13 @@ class JaypieHostedZone extends Construct {
         if (project) {
             cdk.Tags.of(this.logGroup).add(CDK$2.TAG.PROJECT, project);
         }
-        // Grant Route 53 permissions to write to the log group
-        this.logGroup.grantWrite(new ServicePrincipal(SERVICE.ROUTE53));
+        // Grant Route53 permission to write query logs via a single stack-level
+        // resource policy. Per-zone policies exhaust the CloudWatch Logs
+        // 10-policy-per-region account quota (issue #311).
+        const queryLoggingPolicy = props.queryLoggingPolicy ?? true;
+        if (queryLoggingPolicy) {
+            ensureRoute53QueryLoggingPolicy(this);
+        }
         // Add destination based on configuration
         if (destination !== false) {
             const lambdaDestination = destination === true
@@ -4821,5 +4859,5 @@ class JaypieWebSocketTable extends Construct {
     }
 }
 
-export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieCertificate, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieDynamoDb, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMigration, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, JaypieWebSocket, JaypieWebSocketLambda, JaypieWebSocketTable, addDatadogLayers, clearAllCertificateCaches, clearAllSecretsCaches, clearCertificateCache, clearSecretsCache, constructEnvName, constructStackName, constructTagger, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveCertificate, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
+export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieCertificate, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieDynamoDb, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMigration, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, JaypieWebSocket, JaypieWebSocketLambda, JaypieWebSocketTable, addDatadogLayers, clearAllCertificateCaches, clearAllSecretsCaches, clearCertificateCache, clearSecretsCache, constructEnvName, constructStackName, constructTagger, ensureRoute53QueryLoggingPolicy, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveCertificate, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
 //# sourceMappingURL=index.js.map