@jaypie/constructs 1.2.48 → 1.2.49
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/JaypieHostedZone.d.ts +9 -0
- package/dist/cjs/helpers/ensureRoute53QueryLoggingPolicy.d.ts +12 -0
- package/dist/cjs/helpers/index.d.ts +1 -0
- package/dist/cjs/index.cjs +44 -7
- package/dist/cjs/index.cjs.map +1 -1
- package/dist/esm/JaypieHostedZone.d.ts +9 -0
- package/dist/esm/helpers/ensureRoute53QueryLoggingPolicy.d.ts +12 -0
- package/dist/esm/helpers/index.d.ts +1 -0
- package/dist/esm/index.js +44 -8
- package/dist/esm/index.js.map +1 -1
- package/package.json +1 -1
|
@@ -46,6 +46,15 @@ interface JaypieHostedZoneProps {
|
|
|
46
46
|
* Each record will be created as a JaypieDnsRecord construct
|
|
47
47
|
*/
|
|
48
48
|
records?: JaypieHostedZoneRecordProps[];
|
|
49
|
+
/**
|
|
50
|
+
* Control the CloudWatch Logs resource policy that grants Route53 permission
|
|
51
|
+
* to write query logs. Defaults to `true`, which ensures a single
|
|
52
|
+
* stack-level wildcard policy covering every `/aws/route53/*` log group.
|
|
53
|
+
* Set to `false` to skip creating a managed policy (useful when an
|
|
54
|
+
* account-wide policy is provisioned externally).
|
|
55
|
+
* @default true
|
|
56
|
+
*/
|
|
57
|
+
queryLoggingPolicy?: boolean;
|
|
49
58
|
}
|
|
50
59
|
export declare class JaypieHostedZone extends Construct {
|
|
51
60
|
readonly hostedZone: IHostedZone;
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import { CfnResourcePolicy } from "aws-cdk-lib/aws-logs";
|
|
2
|
+
import { Construct } from "constructs";
|
|
3
|
+
/**
|
|
4
|
+
* Create (or return the existing) stack-level CloudWatch Logs resource policy
|
|
5
|
+
* that grants Route53 permission to write query logs to any `/aws/route53/*`
|
|
6
|
+
* log group in the stack's account and region.
|
|
7
|
+
*
|
|
8
|
+
* Consolidates what would otherwise be one `AWS::Logs::ResourcePolicy` per
|
|
9
|
+
* hosted zone into a single wildcard policy, keeping the stack well clear of
|
|
10
|
+
* the 10-resource-policy-per-region account quota.
|
|
11
|
+
*/
|
|
12
|
+
export declare function ensureRoute53QueryLoggingPolicy(scope: Construct): CfnResourcePolicy;
|
|
@@ -5,6 +5,7 @@ export { constructTagger } from "./constructTagger";
|
|
|
5
5
|
export { envHostname, HostConfig } from "./envHostname";
|
|
6
6
|
export { extendDatadogRole, ExtendDatadogRoleOptions, } from "./extendDatadogRole";
|
|
7
7
|
export { clearAllCertificateCaches, clearCertificateCache, resolveCertificate, ResolveCertificateOptions, } from "./resolveCertificate";
|
|
8
|
+
export { ensureRoute53QueryLoggingPolicy } from "./ensureRoute53QueryLoggingPolicy";
|
|
8
9
|
export { isEnv, isProductionEnv, isSandboxEnv } from "./isEnv";
|
|
9
10
|
export { isValidHostname } from "./isValidHostname";
|
|
10
11
|
export { isValidSubdomain } from "./isValidSubdomain";
|
package/dist/esm/index.js
CHANGED
|
@@ -12,14 +12,14 @@ import { DatadogLambda } from 'datadog-cdk-constructs-v2';
|
|
|
12
12
|
import { ConfigurationError } from '@jaypie/errors';
|
|
13
13
|
import { Role, PolicyStatement, Policy, FederatedPrincipal, Effect, ServicePrincipal, ManagedPolicy } from 'aws-cdk-lib/aws-iam';
|
|
14
14
|
import * as acm from 'aws-cdk-lib/aws-certificatemanager';
|
|
15
|
+
import * as logs from 'aws-cdk-lib/aws-logs';
|
|
16
|
+
import { CfnResourcePolicy, LogGroup, RetentionDays, FilterPattern } from 'aws-cdk-lib/aws-logs';
|
|
15
17
|
import * as lambda from 'aws-cdk-lib/aws-lambda';
|
|
16
18
|
import * as logDestinations from 'aws-cdk-lib/aws-logs-destinations';
|
|
17
19
|
import * as s3n from 'aws-cdk-lib/aws-s3-notifications';
|
|
18
20
|
import { LambdaDestination } from 'aws-cdk-lib/aws-s3-notifications';
|
|
19
21
|
import * as sqs from 'aws-cdk-lib/aws-sqs';
|
|
20
22
|
import * as lambdaEventSources from 'aws-cdk-lib/aws-lambda-event-sources';
|
|
21
|
-
import * as logs from 'aws-cdk-lib/aws-logs';
|
|
22
|
-
import { LogGroup, RetentionDays, FilterPattern } from 'aws-cdk-lib/aws-logs';
|
|
23
23
|
import { Rule, RuleTargetInput } from 'aws-cdk-lib/aws-events';
|
|
24
24
|
import { LambdaFunction } from 'aws-cdk-lib/aws-events-targets';
|
|
25
25
|
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
|
|
@@ -551,6 +551,40 @@ function clearAllCertificateCaches() {
|
|
|
551
551
|
// but stacks going out of scope will be garbage collected anyway
|
|
552
552
|
}
|
|
553
553
|
|
|
554
|
+
const SINGLETON_ID = "JaypieRoute53QueryLoggingPolicy";
|
|
555
|
+
const ROUTE53_LOG_GROUP_PREFIX = "/aws/route53";
|
|
556
|
+
const ROUTE53_SERVICE_PRINCIPAL = "route53.amazonaws.com";
|
|
557
|
+
/**
|
|
558
|
+
* Create (or return the existing) stack-level CloudWatch Logs resource policy
|
|
559
|
+
* that grants Route53 permission to write query logs to any `/aws/route53/*`
|
|
560
|
+
* log group in the stack's account and region.
|
|
561
|
+
*
|
|
562
|
+
* Consolidates what would otherwise be one `AWS::Logs::ResourcePolicy` per
|
|
563
|
+
* hosted zone into a single wildcard policy, keeping the stack well clear of
|
|
564
|
+
* the 10-resource-policy-per-region account quota.
|
|
565
|
+
*/
|
|
566
|
+
function ensureRoute53QueryLoggingPolicy(scope) {
|
|
567
|
+
const stack = Stack.of(scope);
|
|
568
|
+
const existing = stack.node.tryFindChild(SINGLETON_ID);
|
|
569
|
+
if (existing)
|
|
570
|
+
return existing;
|
|
571
|
+
const policyDocument = {
|
|
572
|
+
Version: "2012-10-17",
|
|
573
|
+
Statement: [
|
|
574
|
+
{
|
|
575
|
+
Effect: "Allow",
|
|
576
|
+
Principal: { Service: ROUTE53_SERVICE_PRINCIPAL },
|
|
577
|
+
Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
|
|
578
|
+
Resource: `arn:${stack.partition}:logs:${stack.region}:${stack.account}:log-group:${ROUTE53_LOG_GROUP_PREFIX}/*:*`,
|
|
579
|
+
},
|
|
580
|
+
],
|
|
581
|
+
};
|
|
582
|
+
return new CfnResourcePolicy(stack, SINGLETON_ID, {
|
|
583
|
+
policyName: `${stack.stackName}-Route53QueryLogging`,
|
|
584
|
+
policyDocument: JSON.stringify(policyDocument),
|
|
585
|
+
});
|
|
586
|
+
}
|
|
587
|
+
|
|
554
588
|
/**
|
|
555
589
|
* Check if the current environment matches the given environment
|
|
556
590
|
*/
|
|
@@ -3308,9 +3342,6 @@ class JaypieGitHubDeployRole extends Construct {
|
|
|
3308
3342
|
}
|
|
3309
3343
|
}
|
|
3310
3344
|
|
|
3311
|
-
const SERVICE = {
|
|
3312
|
-
ROUTE53: "route53.amazonaws.com",
|
|
3313
|
-
};
|
|
3314
3345
|
/**
|
|
3315
3346
|
* Check if a string is a valid hostname
|
|
3316
3347
|
*/
|
|
@@ -3376,8 +3407,13 @@ class JaypieHostedZone extends Construct {
|
|
|
3376
3407
|
if (project) {
|
|
3377
3408
|
cdk.Tags.of(this.logGroup).add(CDK$2.TAG.PROJECT, project);
|
|
3378
3409
|
}
|
|
3379
|
-
// Grant
|
|
3380
|
-
|
|
3410
|
+
// Grant Route53 permission to write query logs via a single stack-level
|
|
3411
|
+
// resource policy. Per-zone policies exhaust the CloudWatch Logs
|
|
3412
|
+
// 10-policy-per-region account quota (issue #311).
|
|
3413
|
+
const queryLoggingPolicy = props.queryLoggingPolicy ?? true;
|
|
3414
|
+
if (queryLoggingPolicy) {
|
|
3415
|
+
ensureRoute53QueryLoggingPolicy(this);
|
|
3416
|
+
}
|
|
3381
3417
|
// Add destination based on configuration
|
|
3382
3418
|
if (destination !== false) {
|
|
3383
3419
|
const lambdaDestination = destination === true
|
|
@@ -4823,5 +4859,5 @@ class JaypieWebSocketTable extends Construct {
|
|
|
4823
4859
|
}
|
|
4824
4860
|
}
|
|
4825
4861
|
|
|
4826
|
-
export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieCertificate, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieDynamoDb, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMigration, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, JaypieWebSocket, JaypieWebSocketLambda, JaypieWebSocketTable, addDatadogLayers, clearAllCertificateCaches, clearAllSecretsCaches, clearCertificateCache, clearSecretsCache, constructEnvName, constructStackName, constructTagger, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveCertificate, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
|
|
4862
|
+
export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieCertificate, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieDynamoDb, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMigration, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, JaypieWebSocket, JaypieWebSocketLambda, JaypieWebSocketTable, addDatadogLayers, clearAllCertificateCaches, clearAllSecretsCaches, clearCertificateCache, clearSecretsCache, constructEnvName, constructStackName, constructTagger, ensureRoute53QueryLoggingPolicy, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveCertificate, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
|
|
4827
4863
|
//# sourceMappingURL=index.js.map
|