@jaypie/constructs 1.2.48 → 1.2.50
- package/dist/cjs/JaypieHostedZone.d.ts +9 -0
- package/dist/cjs/helpers/ensureRoute53QueryLoggingPolicy.d.ts +12 -0
- package/dist/cjs/helpers/index.d.ts +1 -0
- package/dist/cjs/index.cjs +53 -12
- package/dist/cjs/index.cjs.map +1 -1
- package/dist/esm/JaypieHostedZone.d.ts +9 -0
- package/dist/esm/helpers/ensureRoute53QueryLoggingPolicy.d.ts +12 -0
- package/dist/esm/helpers/index.d.ts +1 -0
- package/dist/esm/index.js +53 -13
- package/dist/esm/index.js.map +1 -1
- package/package.json +1 -1
|
@@ -46,6 +46,15 @@ interface JaypieHostedZoneProps {
|
|
|
46
46
|
* Each record will be created as a JaypieDnsRecord construct
|
|
47
47
|
*/
|
|
48
48
|
records?: JaypieHostedZoneRecordProps[];
|
|
49
|
+
/**
|
|
50
|
+
* Control the CloudWatch Logs resource policy that grants Route53 permission
|
|
51
|
+
* to write query logs. Defaults to `true`, which ensures a single
|
|
52
|
+
* stack-level wildcard policy covering every `/aws/route53/*` log group.
|
|
53
|
+
* Set to `false` to skip creating a managed policy (useful when an
|
|
54
|
+
* account-wide policy is provisioned externally).
|
|
55
|
+
* @default true
|
|
56
|
+
*/
|
|
57
|
+
queryLoggingPolicy?: boolean;
|
|
49
58
|
}
|
|
50
59
|
export declare class JaypieHostedZone extends Construct {
|
|
51
60
|
readonly hostedZone: IHostedZone;
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import { CfnResourcePolicy } from "aws-cdk-lib/aws-logs";
|
|
2
|
+
import { Construct } from "constructs";
|
|
3
|
+
/**
|
|
4
|
+
* Create (or return the existing) stack-level CloudWatch Logs resource policy
|
|
5
|
+
* that grants Route53 permission to write query logs to any `/aws/route53/*`
|
|
6
|
+
* log group in the stack's account and region.
|
|
7
|
+
*
|
|
8
|
+
* Consolidates what would otherwise be one `AWS::Logs::ResourcePolicy` per
|
|
9
|
+
* hosted zone into a single wildcard policy, keeping the stack well clear of
|
|
10
|
+
* the 10-resource-policy-per-region account quota.
|
|
11
|
+
*/
|
|
12
|
+
export declare function ensureRoute53QueryLoggingPolicy(scope: Construct): CfnResourcePolicy;
|
|
@@ -5,6 +5,7 @@ export { constructTagger } from "./constructTagger";
|
|
|
5
5
|
export { envHostname, HostConfig } from "./envHostname";
|
|
6
6
|
export { extendDatadogRole, ExtendDatadogRoleOptions, } from "./extendDatadogRole";
|
|
7
7
|
export { clearAllCertificateCaches, clearCertificateCache, resolveCertificate, ResolveCertificateOptions, } from "./resolveCertificate";
|
|
8
|
+
export { ensureRoute53QueryLoggingPolicy } from "./ensureRoute53QueryLoggingPolicy";
|
|
8
9
|
export { isEnv, isProductionEnv, isSandboxEnv } from "./isEnv";
|
|
9
10
|
export { isValidHostname } from "./isValidHostname";
|
|
10
11
|
export { isValidSubdomain } from "./isValidSubdomain";
|
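--- a/package/dist/esm/index.js
+++ b/package/dist/esm/index.js
@@ -12,14 +12,14 @@ import { DatadogLambda } from 'datadog-cdk-constructs-v2';
 import { ConfigurationError } from '@jaypie/errors';
 import { Role, PolicyStatement, Policy, FederatedPrincipal, Effect, ServicePrincipal, ManagedPolicy } from 'aws-cdk-lib/aws-iam';
 import * as acm from 'aws-cdk-lib/aws-certificatemanager';
+import * as logs from 'aws-cdk-lib/aws-logs';
+import { CfnResourcePolicy, LogGroup, RetentionDays, FilterPattern } from 'aws-cdk-lib/aws-logs';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
 import * as logDestinations from 'aws-cdk-lib/aws-logs-destinations';
 import * as s3n from 'aws-cdk-lib/aws-s3-notifications';
 import { LambdaDestination } from 'aws-cdk-lib/aws-s3-notifications';
 import * as sqs from 'aws-cdk-lib/aws-sqs';
 import * as lambdaEventSources from 'aws-cdk-lib/aws-lambda-event-sources';
-import * as logs from 'aws-cdk-lib/aws-logs';
-import { LogGroup, RetentionDays, FilterPattern } from 'aws-cdk-lib/aws-logs';
 import { Rule, RuleTargetInput } from 'aws-cdk-lib/aws-events';
 import { LambdaFunction } from 'aws-cdk-lib/aws-events-targets';
 import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
@@ -551,6 +551,40 @@ function clearAllCertificateCaches() {
 // but stacks going out of scope will be garbage collected anyway
 }
 
+const SINGLETON_ID = "JaypieRoute53QueryLoggingPolicy";
+const ROUTE53_LOG_GROUP_PREFIX = "/aws/route53";
+const ROUTE53_SERVICE_PRINCIPAL = "route53.amazonaws.com";
+/**
+* Create (or return the existing) stack-level CloudWatch Logs resource policy
+* that grants Route53 permission to write query logs to any `/aws/route53/*`
+* log group in the stack's account and region.
+*
+* Consolidates what would otherwise be one `AWS::Logs::ResourcePolicy` per
+* hosted zone into a single wildcard policy, keeping the stack well clear of
+* the 10-resource-policy-per-region account quota.
+*/
+function ensureRoute53QueryLoggingPolicy(scope) {
+const stack = Stack.of(scope);
+const existing = stack.node.tryFindChild(SINGLETON_ID);
+if (existing)
+return existing;
+const policyDocument = {
+Version: "2012-10-17",
+Statement: [
+{
+Effect: "Allow",
+Principal: { Service: ROUTE53_SERVICE_PRINCIPAL },
+Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
+Resource: `arn:${stack.partition}:logs:${stack.region}:${stack.account}:log-group:${ROUTE53_LOG_GROUP_PREFIX}/*:*`,
+},
+],
+};
+return new CfnResourcePolicy(stack, SINGLETON_ID, {
+policyName: `${stack.stackName}-Route53QueryLogging`,
+policyDocument: JSON.stringify(policyDocument),
+});
+}
+
 /**
 * Check if the current environment matches the given environment
 */
@@ -911,12 +945,16 @@ function exportEnvName$1(name, env = process.env) {
 }
 class JaypieEnvSecret extends Construct {
 constructor(scope, idOrEnvKey, props) {
-//
-//
-//
+// Shorthand detection: treat idOrEnvKey as envKey when envKey prop is
+// not set and idOrEnvKey either looks like a SCREAMING_SNAKE_CASE env
+// var name or is already present in process.env. Convention-based
+// detection ensures missing env vars still go through envKey validation
+// instead of silently creating an empty secret.
+const looksLikeEnvKey = /^[A-Z][A-Z0-9_]*$/.test(idOrEnvKey);
 const treatAsEnvKey = (!props || props.envKey === undefined) &&
-
-
+(looksLikeEnvKey ||
+(typeof process.env[idOrEnvKey] === "string" &&
+process.env[idOrEnvKey] !== ""));
 const id = treatAsEnvKey ? `EnvSecret_${idOrEnvKey}` : idOrEnvKey;
 super(scope, id);
 const { consumer = checkEnvIsConsumer$1(), envKey: envKeyProp, export: exportParam, generateSecretString, provider = checkEnvIsProvider$1(), removalPolicy, roleTag, vendorTag, value, } = props || {};
@@ -3308,9 +3346,6 @@ class JaypieGitHubDeployRole extends Construct {
 }
 }
 
-const SERVICE = {
-ROUTE53: "route53.amazonaws.com",
-};
 /**
 * Check if a string is a valid hostname
 */
@@ -3376,8 +3411,13 @@ class JaypieHostedZone extends Construct {
 if (project) {
 cdk.Tags.of(this.logGroup).add(CDK$2.TAG.PROJECT, project);
 }
-// Grant
-
+// Grant Route53 permission to write query logs via a single stack-level
+// resource policy. Per-zone policies exhaust the CloudWatch Logs
+// 10-policy-per-region account quota (issue #311).
+const queryLoggingPolicy = props.queryLoggingPolicy ?? true;
+if (queryLoggingPolicy) {
+ensureRoute53QueryLoggingPolicy(this);
+}
 // Add destination based on configuration
 if (destination !== false) {
 const lambdaDestination = destination === true
@@ -4823,5 +4863,5 @@ class JaypieWebSocketTable extends Construct {
 }
 }
 
-export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieCertificate, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieDynamoDb, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMigration, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, JaypieWebSocket, JaypieWebSocketLambda, JaypieWebSocketTable, addDatadogLayers, clearAllCertificateCaches, clearAllSecretsCaches, clearCertificateCache, clearSecretsCache, constructEnvName, constructStackName, constructTagger, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveCertificate, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
+export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieCertificate, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieDynamoDb, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMigration, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, JaypieWebSocket, JaypieWebSocketLambda, JaypieWebSocketTable, addDatadogLayers, clearAllCertificateCaches, clearAllSecretsCaches, clearCertificateCache, clearSecretsCache, constructEnvName, constructStackName, constructTagger, ensureRoute53QueryLoggingPolicy, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveCertificate, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
 //# sourceMappingURL=index.js.map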
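Review bot: The resource policy built in ensureRoute53QueryLoggingPolicy (new lines 571-581) grants the `route53.amazonaws.com` service principal write access to every `/aws/route53/*` log group in the account with no `Condition` limiting which Route 53 resources may invoke it; a bare service principal in a resource policy is the classic confused-deputy shape, and AWS's published example for this exact policy scopes it with `aws:SourceAccount` and `aws:SourceArn`. Adding a `Condition` with `"aws:SourceAccount": stack.account` and `"aws:SourceArn": arn:${stack.partition}:route53:::hostedzone/*` keeps the single-policy consolidation the commit is after while restricting the grant to query logging from this account's hosted zones. Separately, the early return at 569-570 hands back whatever `tryFindChild` finds under `JaypieRoute53QueryLoggingPolicy`, so an unrelated child registered under that id would be returned as if it were the policy, even though the `.d.ts` promises a `CfnResourcePolicy`; an `instanceof CfnResourcePolicy` guard that throws on a mismatch makes such a collision visible at synth time instead of at deploy. Both changes sit inside the new function, so the rest of the hunk is unaffected.
```javascript
const existing = stack.node.tryFindChild(SINGLETON_ID);
if (existing) {
  // Fail loudly on an id collision instead of returning an unrelated construct.
  if (!(existing instanceof CfnResourcePolicy)) {
    throw new Error(`${SINGLETON_ID} already exists on ${stack.stackName} and is not a CfnResourcePolicy`);
  }
  return existing;
}
// … unchanged: Version, Statement, Effect, Principal, Action …
Resource: `arn:${stack.partition}:logs:${stack.region}:${stack.account}:log-group:${ROUTE53_LOG_GROUP_PREFIX}/*:*`,
// Limit the service principal to query logging originating from this account's hosted zones.
Condition: {
  StringEquals: { "aws:SourceAccount": stack.account },
  ArnLike: { "aws:SourceArn": `arn:${stack.partition}:route53:::hostedzone/*` },
},
// … unchanged: close statement, CfnResourcePolicy construction …
```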