fix(synthetics): generated role has incorrect permissions for cloudwatch logs (#18946)

The generated role did not have the correct permissions to create cloudwatch logs, so even if the canary successfully deployed and ran, no cloudwatch streams were generated for the resource. This seems to be a long-standing bug in the synthetics module. What was missing was the region and account id, which should be the same region/account as the created canary.

Fixes #18910.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
kaizencc authored Feb 14, 2022
1 parent 072e1b9 commit f8bb85f
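Why the old grant failed silently, as an added example that is not part of the aws-cdk code on this page: a small IAM-style resource-pattern matcher, written in TypeScript because that is the project's language, evaluated against constructed CloudWatch Logs log-group and log-stream ARNs. `iamResourceMatches`, `canaryLogGroupPattern`, `logsReach`, the account `123456789012`, the region `us-east-1` and the `cwsyn-my-canary-0123abcd` function suffix are assumptions for illustration; only the `/aws/lambda/cwsyn-` prefix, the pseudo-parameter layout and the old `arn:${partition}:logs:::*` resource come from the diff. The wildcard semantics used (`*` spans `:` and `/`, `?` matches one character, matching is anchored and case-sensitive) are IAM's general rule, so the matcher works for any service ARN, not just Logs.

```typescript
// Added example (not aws-cdk code): a minimal IAM resource-pattern matcher,
// used to show why the role's old logs grant never matched the canary's log
// group while the region/account-scoped pattern from this commit does.
// All ARNs below are constructed samples; only the `/aws/lambda/cwsyn-` prefix
// comes from the diff, the suffix after it is assumed.

/** Escape regex metacharacters in a literal (non-wildcard) piece of a pattern. */
function escapeRegex(literal: string): string {
  return literal.replace(/[.+^${}()|[\]\\]/g, '\\$&');
}

/**
 * Compile an IAM resource pattern into an anchored RegExp.
 * IAM semantics: `*` matches any run of characters, including `:` and `/`,
 * `?` matches exactly one character, and matching is case-sensitive.
 */
export function iamPatternToRegExp(pattern: string): RegExp {
  const body = pattern
    .split(/([*?])/)
    .map((piece) => (piece === '*' ? '.*' : piece === '?' ? '.' : escapeRegex(piece)))
    .join('');
  return new RegExp(`^${body}$`);
}

/** True when `arn` is covered by the IAM resource `pattern`. */
export function iamResourceMatches(pattern: string, arn: string): boolean {
  return iamPatternToRegExp(pattern).test(arn);
}

/**
 * The resource the patched createDefaultRole() grants, with the
 * AWS::Partition / AWS::Region / AWS::AccountId pseudo-parameters resolved to
 * concrete values (same string shape as the Fn::Join asserted in canary.test.ts).
 */
export function canaryLogGroupPattern(partition: string, region: string, account: string): string {
  return `arn:${partition}:logs:${region}:${account}:log-group:/aws/lambda/cwsyn-*`;
}

/** What the role granted before this commit, with the partition resolved. */
export const OLD_LOGS_PATTERN = 'arn:aws:logs:::*';

// Constructed sample ARNs (assumed account, region and canary function suffix).
const ACCOUNT = '123456789012';
const REGION = 'us-east-1';
export const CANARY_LOG_GROUP =
  `arn:aws:logs:${REGION}:${ACCOUNT}:log-group:/aws/lambda/cwsyn-my-canary-0123abcd`;
export const CANARY_LOG_STREAM = `${CANARY_LOG_GROUP}:log-stream:2022/02/14/[$LATEST]deadbeef`;
export const UNRELATED_LOG_GROUP =
  `arn:aws:logs:${REGION}:${ACCOUNT}:log-group:/aws/lambda/some-other-function`;
export const CANARY_LOG_GROUP_OTHER_REGION =
  `arn:aws:logs:eu-west-1:${ACCOUNT}:log-group:/aws/lambda/cwsyn-my-canary-0123abcd`;

export interface LogsReach {
  canaryGroup: boolean;    // logs:CreateLogGroup on the canary's own log group
  canaryStream: boolean;   // logs:CreateLogStream / logs:PutLogEvents on one of its streams
  unrelatedGroup: boolean; // a non-canary log group in the same account and region
  otherRegion: boolean;    // the canary's log group name, but in another region
}

/** Evaluate one resource pattern against the sample ARNs. */
export function logsReach(pattern: string): LogsReach {
  return {
    canaryGroup: iamResourceMatches(pattern, CANARY_LOG_GROUP),
    canaryStream: iamResourceMatches(pattern, CANARY_LOG_STREAM),
    unrelatedGroup: iamResourceMatches(pattern, UNRELATED_LOG_GROUP),
    otherRegion: iamResourceMatches(pattern, CANARY_LOG_GROUP_OTHER_REGION),
  };
}

// Before the fix every field is false: the empty region and account segments in
// `arn:aws:logs:::*` are literals, so a real ARN with `us-east-1` never matches.
// After the fix the canary's group and its streams match, other groups do not.
console.log('before fix', logsReach(OLD_LOGS_PATTERN));
console.log('after fix ', logsReach(canaryLogGroupPattern('aws', REGION, ACCOUNT)));
```

The stream case is the one worth noticing: no separate `log-stream` resource is needed because the trailing `*` in the log-group pattern also consumes the `:log-stream:...` suffix, which is why a single statement can carry `logs:CreateLogGroup`, `logs:CreateLogStream` and `logs:PutLogEvents` together.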
Showing 3 changed files with 150 additions and 7 deletions.
12 changes: 10 additions & 2 deletions packages/@aws-cdk/aws-synthetics/lib/canary.ts
Expand Up @@ -290,7 +290,6 @@ export class Canary extends cdk.Resource {
* Returns a default role for the canary
*/
private createDefaultRole(prefix?: string): iam.IRole {
const { partition } = cdk.Stack.of(this);
// Created role will need these policies to run the Canary.
// https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-synthetics-canary.html#cfn-synthetics-canary-executionrolearn
const policy = new iam.PolicyDocument({
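Review bot: the comment just above the policy document still cites the CloudFormation executionRoleArn docs as the source of every statement, and since the diff drops the `partition` destructuring without touching the collapsed lines in between, the logs statement is now the only one not built from a literal; add a sentence to that comment saying the logs resource is deliberately scoped to the stack's region/account and the `/aws/lambda/cwsyn-*` log-group prefix, so the next reader does not "simplify" it back to a bare wildcard.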
Expand All @@ -313,7 +312,7 @@ export class Canary extends cdk.Resource {
conditions: { StringEquals: { 'cloudwatch:namespace': 'CloudWatchSynthetics' } },
}),
new iam.PolicyStatement({
resources: [`arn:${partition}:logs:::*`],
resources: [this.logGroupArn()],
actions: ['logs:CreateLogStream', 'logs:CreateLogGroup', 'logs:PutLogEvents'],
}),
],
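Review bot: replacing `arn:${partition}:logs:::*` with `this.logGroupArn()` narrows the grant to the stack's own region/account and the `log-group:/aws/lambda/cwsyn-*` prefix, and because an IAM `*` also spans `:` the same pattern covers the `:log-stream:...` ARNs that `logs:CreateLogStream` and `logs:PutLogEvents` are evaluated against, so one statement is enough. Two things to confirm before merging: the pattern still lets this role write to every `cwsyn-*` log group in the account, i.e. any canary's, so if the Synthetics-generated function name embeds the canary name it would be worth narrowing the pattern to that name; and `logs:CreateLogGroup` is checked against the plain `log-group:<name>` ARN form, which the `COLON_RESOURCE_NAME` format below produces.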
Expand All @@ -327,6 +326,15 @@ export class Canary extends cdk.Resource {
});
}

private logGroupArn() {
return cdk.Stack.of(this).formatArn({
service: 'logs',
resource: 'log-group',
arnFormat: cdk.ArnFormat.COLON_RESOURCE_NAME,
resourceName: '/aws/lambda/cwsyn-*',
});
}

/**
* Returns the code object taken in by the canary resource.
*/
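Review bot: `logGroupArn()` is the only method in this region without a JSDoc block, while `createDefaultRole` above and the code accessor below both have one. Document that `/aws/lambda/cwsyn-` is the name prefix of the Lambda function Synthetics creates for the canary and that region and account are taken from `cdk.Stack.of(this)` (rendering as `AWS::Region` / `AWS::AccountId` in an environment-agnostic stack, which is what the commit message relies on), and consider a name such as `canaryLogGroupArnPattern()` since the return value is a wildcard pattern, not the ARN of one log group.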
95 changes: 95 additions & 0 deletions packages/@aws-cdk/aws-synthetics/test/canary.test.ts
Expand Up @@ -440,3 +440,98 @@ test('can specify custom test', () => {
},
});
});

test('Role policy generated as expected', () => {
// GIVEN
const stack = new Stack();

// WHEN
new synthetics.Canary(stack, 'Canary', {
test: synthetics.Test.custom({
handler: 'index.handler',
code: synthetics.Code.fromInline('/* Synthetics handler code */'),
}),
runtime: synthetics.Runtime.SYNTHETICS_NODEJS_PUPPETEER_3_3,
});

// THEN
Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', {
Policies: [{
PolicyDocument: {
Statement: [
{
Action: 's3:ListAllMyBuckets',
Effect: 'Allow',
Resource: '*',
},
{
Action: 's3:GetBucketLocation',
Effect: 'Allow',
Resource: {
'Fn::GetAtt': [
'CanaryArtifactsBucket4A60D32B',
'Arn',
],
},
},
{
Action: 's3:PutObject',
Effect: 'Allow',
Resource: {
'Fn::Join': [
'',
[
{
'Fn::GetAtt': [
'CanaryArtifactsBucket4A60D32B',
'Arn',
],
},
'/*',
],
],
},
},
{
Action: 'cloudwatch:PutMetricData',
Condition: {
StringEquals: {
'cloudwatch:namespace': 'CloudWatchSynthetics',
},
},
Effect: 'Allow',
Resource: '*',
},
{
Action: [
'logs:CreateLogStream',
'logs:CreateLogGroup',
'logs:PutLogEvents',
],
Effect: 'Allow',
Resource: {
'Fn::Join': [
'',
[
'arn:',
{
Ref: 'AWS::Partition',
},
':logs:',
{
Ref: 'AWS::Region',
},
':',
{
Ref: 'AWS::AccountId',
},
':log-group:/aws/lambda/cwsyn-*',
],
],
},
},
],
},
}],
});
});
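Review bot: the assertion pins the whole `Statement` array positionally, so any later reordering or an added unrelated statement breaks a test whose point is the logs resource; wrapping the array in `Match.arrayWith([...])` from the same `@aws-cdk/assertions` module and keeping only the logs statement (the `Fn::Join` ending in `':log-group:/aws/lambda/cwsyn-*'`) exact would state the intent. A second assertion that the synthesized template no longer contains the literal `':logs:::*'` would also guard the exact regression this PR fixes.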
50 changes: 45 additions & 5 deletions packages/@aws-cdk/aws-synthetics/test/integ.canary.expected.json
Expand Up @@ -82,7 +82,15 @@
{
"Ref": "AWS::Partition"
},
":logs:::*"
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":log-group:/aws/lambda/cwsyn-*"
]
]
}
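Review bot: this hunk and the four identical ones below are the integ snapshot catching up with the unit test: each `Fn::Join` now splices `AWS::Region` and `AWS::AccountId` between `":logs:"` and `":log-group:/aws/lambda/cwsyn-*"`, exactly the `Resource` asserted in canary.test.ts, and because both stay pseudo-parameters the expected template remains environment-agnostic. Nothing to change here; just confirm the five replacements correspond to all canaries in integ.canary.ts so no default role still carries the old `":logs:::*"` resource.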
Expand Down Expand Up @@ -269,7 +277,15 @@
{
"Ref": "AWS::Partition"
},
":logs:::*"
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":log-group:/aws/lambda/cwsyn-*"
]
]
}
Expand Down Expand Up @@ -490,7 +506,15 @@
{
"Ref": "AWS::Partition"
},
":logs:::*"
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":log-group:/aws/lambda/cwsyn-*"
]
]
}
Expand Down Expand Up @@ -711,7 +735,15 @@
{
"Ref": "AWS::Partition"
},
":logs:::*"
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":log-group:/aws/lambda/cwsyn-*"
]
]
}
Expand Down Expand Up @@ -932,7 +964,15 @@
{
"Ref": "AWS::Partition"
},
":logs:::*"
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":log-group:/aws/lambda/cwsyn-*"
]
]
}
