npm - @jaypie/constructs - Versions diffs - 1.2.48 → 1.2.49 - Mend

@jaypie/constructs 1.2.48 → 1.2.49

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/cjs/JaypieHostedZone.d.ts +9 -0
package/dist/cjs/helpers/ensureRoute53QueryLoggingPolicy.d.ts +12 -0
package/dist/cjs/helpers/index.d.ts +1 -0
package/dist/cjs/index.cjs +44 -7
package/dist/cjs/index.cjs.map +1 -1
package/dist/esm/JaypieHostedZone.d.ts +9 -0
package/dist/esm/helpers/ensureRoute53QueryLoggingPolicy.d.ts +12 -0
package/dist/esm/helpers/index.d.ts +1 -0
package/dist/esm/index.js +44 -8
package/dist/esm/index.js.map +1 -1
package/package.json +1 -1

package/dist/cjs/JaypieHostedZone.d.ts CHANGED Viewed

@@ -46,6 +46,15 @@ interface JaypieHostedZoneProps {
      * Each record will be created as a JaypieDnsRecord construct
      */
     records?: JaypieHostedZoneRecordProps[];
+    /**
+     * Control the CloudWatch Logs resource policy that grants Route53 permission
+     * to write query logs. Defaults to `true`, which ensures a single
+     * stack-level wildcard policy covering every `/aws/route53/*` log group.
+     * Set to `false` to skip creating a managed policy (useful when an
+     * account-wide policy is provisioned externally).
+     * @default true
+     */
+    queryLoggingPolicy?: boolean;
 }
 export declare class JaypieHostedZone extends Construct {
     readonly hostedZone: IHostedZone;

package/dist/cjs/helpers/ensureRoute53QueryLoggingPolicy.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import { CfnResourcePolicy } from "aws-cdk-lib/aws-logs";
+import { Construct } from "constructs";
+/**
+ * Create (or return the existing) stack-level CloudWatch Logs resource policy
+ * that grants Route53 permission to write query logs to any `/aws/route53/*`
+ * log group in the stack's account and region.
+ *
+ * Consolidates what would otherwise be one `AWS::Logs::ResourcePolicy` per
+ * hosted zone into a single wildcard policy, keeping the stack well clear of
+ * the 10-resource-policy-per-region account quota.
+ */
+export declare function ensureRoute53QueryLoggingPolicy(scope: Construct): CfnResourcePolicy;

package/dist/cjs/helpers/index.d.ts CHANGED Viewed

@@ -5,6 +5,7 @@ export { constructTagger } from "./constructTagger";
 export { envHostname, HostConfig } from "./envHostname";
 export { extendDatadogRole, ExtendDatadogRoleOptions, } from "./extendDatadogRole";
 export { clearAllCertificateCaches, clearCertificateCache, resolveCertificate, ResolveCertificateOptions, } from "./resolveCertificate";
+export { ensureRoute53QueryLoggingPolicy } from "./ensureRoute53QueryLoggingPolicy";
 export { isEnv, isProductionEnv, isSandboxEnv } from "./isEnv";
 export { isValidHostname } from "./isValidHostname";
 export { isValidSubdomain } from "./isValidSubdomain";

package/dist/cjs/index.cjs CHANGED Viewed

@@ -11,12 +11,12 @@ var datadogCdkConstructsV2 = require('datadog-cdk-constructs-v2');
 var errors = require('@jaypie/errors');
 var awsIam = require('aws-cdk-lib/aws-iam');
 var acm = require('aws-cdk-lib/aws-certificatemanager');
+var logs = require('aws-cdk-lib/aws-logs');
 var lambda = require('aws-cdk-lib/aws-lambda');
 var logDestinations = require('aws-cdk-lib/aws-logs-destinations');
 var s3n = require('aws-cdk-lib/aws-s3-notifications');
 var sqs = require('aws-cdk-lib/aws-sqs');
 var lambdaEventSources = require('aws-cdk-lib/aws-lambda-event-sources');
-var logs = require('aws-cdk-lib/aws-logs');
 var awsEvents = require('aws-cdk-lib/aws-events');
 var awsEventsTargets = require('aws-cdk-lib/aws-events-targets');
 var cloudfront = require('aws-cdk-lib/aws-cloudfront');
@@ -57,12 +57,12 @@ var route53__namespace = /*#__PURE__*/_interopNamespaceDefault(route53);
 var route53Targets__namespace = /*#__PURE__*/_interopNamespaceDefault(route53Targets);
 var secretsmanager__namespace = /*#__PURE__*/_interopNamespaceDefault(secretsmanager);
 var acm__namespace = /*#__PURE__*/_interopNamespaceDefault(acm);
+var logs__namespace = /*#__PURE__*/_interopNamespaceDefault(logs);
 var lambda__namespace = /*#__PURE__*/_interopNamespaceDefault(lambda);
 var logDestinations__namespace = /*#__PURE__*/_interopNamespaceDefault(logDestinations);
 var s3n__namespace = /*#__PURE__*/_interopNamespaceDefault(s3n);
 var sqs__namespace = /*#__PURE__*/_interopNamespaceDefault(sqs);
 var lambdaEventSources__namespace = /*#__PURE__*/_interopNamespaceDefault(lambdaEventSources);
-var logs__namespace = /*#__PURE__*/_interopNamespaceDefault(logs);
 var cloudfront__namespace = /*#__PURE__*/_interopNamespaceDefault(cloudfront);
 var origins__namespace = /*#__PURE__*/_interopNamespaceDefault(origins);
 var wafv2__namespace = /*#__PURE__*/_interopNamespaceDefault(wafv2);
@@ -587,6 +587,40 @@ function clearAllCertificateCaches() {
     // but stacks going out of scope will be garbage collected anyway
 }
+const SINGLETON_ID = "JaypieRoute53QueryLoggingPolicy";
+const ROUTE53_LOG_GROUP_PREFIX = "/aws/route53";
+const ROUTE53_SERVICE_PRINCIPAL = "route53.amazonaws.com";
+/**
+ * Create (or return the existing) stack-level CloudWatch Logs resource policy
+ * that grants Route53 permission to write query logs to any `/aws/route53/*`
+ * log group in the stack's account and region.
+ *
+ * Consolidates what would otherwise be one `AWS::Logs::ResourcePolicy` per
+ * hosted zone into a single wildcard policy, keeping the stack well clear of
+ * the 10-resource-policy-per-region account quota.
+ */
+function ensureRoute53QueryLoggingPolicy(scope) {
+    const stack = cdk.Stack.of(scope);
+    const existing = stack.node.tryFindChild(SINGLETON_ID);
+    if (existing)
+        return existing;
+    const policyDocument = {
+        Version: "2012-10-17",
+        Statement: [
+            {
+                Effect: "Allow",
+                Principal: { Service: ROUTE53_SERVICE_PRINCIPAL },
+                Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
+                Resource: `arn:${stack.partition}:logs:${stack.region}:${stack.account}:log-group:${ROUTE53_LOG_GROUP_PREFIX}/*:*`,
+            },
+        ],
+    };
+    return new logs.CfnResourcePolicy(stack, SINGLETON_ID, {
+        policyName: `${stack.stackName}-Route53QueryLogging`,
+        policyDocument: JSON.stringify(policyDocument),
+    });
+}
 /**
  * Check if the current environment matches the given environment
  */
@@ -3344,9 +3378,6 @@ class JaypieGitHubDeployRole extends constructs.Construct {
     }
 }
-const SERVICE = {
-    ROUTE53: "route53.amazonaws.com",
-};
 /**
  * Check if a string is a valid hostname
  */
@@ -3412,8 +3443,13 @@ class JaypieHostedZone extends constructs.Construct {
         if (project) {
             cdk__namespace.Tags.of(this.logGroup).add(CDK$2.TAG.PROJECT, project);
         }
-        // Grant Route 53 permissions to write to the log group
-        this.logGroup.grantWrite(new awsIam.ServicePrincipal(SERVICE.ROUTE53));
+        // Grant Route53 permission to write query logs via a single stack-level
+        // resource policy. Per-zone policies exhaust the CloudWatch Logs
+        // 10-policy-per-region account quota (issue #311).
+        const queryLoggingPolicy = props.queryLoggingPolicy ?? true;
+        if (queryLoggingPolicy) {
+            ensureRoute53QueryLoggingPolicy(this);
+        }
         // Add destination based on configuration
         if (destination !== false) {
             const lambdaDestination = destination === true
@@ -4901,6 +4937,7 @@ exports.clearSecretsCache = clearSecretsCache;
 exports.constructEnvName = constructEnvName;
 exports.constructStackName = constructStackName;
 exports.constructTagger = constructTagger;
+exports.ensureRoute53QueryLoggingPolicy = ensureRoute53QueryLoggingPolicy;
 exports.envHostname = envHostname;
 exports.extendDatadogRole = extendDatadogRole;
 exports.isEnv = isEnv;