feat(aws-kinesisfirehose-s3): added custom logging bucket props to ki…

…nesisfirehose-s3 (#478) * added custom logging bucket props to kinesisfirehose-s3 * added log bucket condition in input validation * Added logS3AccessLogs for enabling/disabling s3 logs * added cfn suppress rule for no logging * fix lint issue * redeploy stack for cfn nag suppress changes * added logS3AccessLogs property * refactored s3 bucket helper and improved tests * readded test for s3-bucket * moved test to s3 bucket helper test file
awslabs · Nov 3, 2021 · 6fab3e5 · 6fab3e5
1 parent 4100d58
commit 6fab3e5
Show file tree

Hide file tree

Showing 13 changed files with 1,066 additions and 62 deletions.
diff --git a/source/patterns/@aws-solutions-constructs/aws-kinesisfirehose-s3/README.md b/source/patterns/@aws-solutions-constructs/aws-kinesisfirehose-s3/README.md
@@ -50,6 +50,8 @@ _Parameters_
 |existingLoggingBucketObj?|[`s3.IBucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.IBucket.html)|Optional existing instance of logging S3 Bucket for the S3 Bucket created by the pattern.|
 |kinesisFirehoseProps?|[`kinesisfirehose.CfnDeliveryStreamProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-kinesisfirehose.CfnDeliveryStreamProps.html)\|`any`|Optional user provided props to override the default props for Kinesis Firehose Delivery Stream.|
 |logGroupProps?|[`logs.LogGroupProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-logs.LogGroupProps.html)|Optional user provided props to override the default props for for the CloudWatchLogs LogGroup.|
+|loggingBucketProps?|[`s3.BucketProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.BucketProps.html)|Optional user provided props to override the default props for the S3 Logging Bucket.|
+|logS3AccessLogs?| boolean|Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true|
 
 ## Pattern Properties
 

diff --git a/source/patterns/@aws-solutions-constructs/aws-kinesisfirehose-s3/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-kinesisfirehose-s3/lib/index.ts
@@ -56,6 +56,19 @@ export interface KinesisFirehoseToS3Props {
    * @default - Default props are used
    */
   readonly logGroupProps?: logs.LogGroupProps;
+  /**
+   * Optional user provided props to override the default props for the S3 Logging Bucket.
+   *
+   * @default - Default props are used
+   */
+  readonly loggingBucketProps?: s3.BucketProps;
+  /**
+   * Whether to turn on Access Logs for the S3 bucket with the associated storage costs.
+   * Enabling Access Logging is a best practice.
+   *
+   * @default - true
+   */
+  readonly logS3AccessLogs?: boolean;
 }
 
 export class KinesisFirehoseToS3 extends Construct {
@@ -64,6 +77,7 @@ export class KinesisFirehoseToS3 extends Construct {
   public readonly kinesisFirehoseRole: iam.Role;
   public readonly s3Bucket?: s3.Bucket;
   public readonly s3LoggingBucket?: s3.Bucket;
+  public readonly s3BucketInterface: s3.IBucket;
 
   /**
    * Constructs a new instance of the KinesisFirehoseToS3 class.
@@ -79,34 +93,27 @@ export class KinesisFirehoseToS3 extends Construct {
 
     let bucket: s3.IBucket;
 
-    if (props.existingBucketObj && props.bucketProps) {
-      throw new Error('Cannot specify both bucket properties and an existing bucket');
-    }
-
     // Setup S3 Bucket
     if (!props.existingBucketObj) {
-      let { bucketProps } = props;
+      let bucketProps = props.bucketProps ?? {};
+      bucketProps = props.existingLoggingBucketObj ?
+        overrideProps(bucketProps, { serverAccessLogsBucket: props.existingLoggingBucketObj }) :
+        bucketProps;
 
       // Setup logging S3 Bucket
-      if (props.existingLoggingBucketObj) {
-        if (!bucketProps) {
-          bucketProps = {};
-        }
-
-        bucketProps = overrideProps(bucketProps, {
-          serverAccessLogsBucket: props.existingLoggingBucketObj
-        });
-      }
-
       [this.s3Bucket, this.s3LoggingBucket] = defaults.buildS3Bucket(this, {
-        bucketProps
+        bucketProps,
+        loggingBucketProps: props.loggingBucketProps,
+        logS3AccessLogs: props.logS3AccessLogs,
       });
 
       bucket = this.s3Bucket;
     } else {
       bucket = props.existingBucketObj;
     }
 
+    this.s3BucketInterface = bucket;
+
     // Setup Cloudwatch Log group & stream for Kinesis Firehose
     this.kinesisFirehoseLogGroup = defaults.buildLogGroup(
       this,
@@ -166,8 +173,8 @@ export class KinesisFirehoseToS3 extends Construct {
     printWarning(`kinesisFirehoseProps: ${JSON.stringify(props.kinesisFirehoseProps, null, 2)}`);
     // if the client didn't explicity say it was a Kinesis client, then turn on encryption
     if (!props.kinesisFirehoseProps ||
-        !props.kinesisFirehoseProps.deliveryStreamType ||
-        props.kinesisFirehoseProps.deliveryStreamType !== 'KinesisStreamAsSource'
+      !props.kinesisFirehoseProps.deliveryStreamType ||
+      props.kinesisFirehoseProps.deliveryStreamType !== 'KinesisStreamAsSource'
     ) {
       defaultKinesisFirehoseProps = defaults.overrideProps(
         defaultKinesisFirehoseProps,