Merge pull request #5 from Samseppiol/master

Add bucket encryption and bucket access logging
theonestack · Mar 29, 2021 · 416442a · 416442a
2 parents 50b804a + 55abb1a
commit 416442a
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 0 deletions.
diff --git a/s3-cloudfront.cfhighlander.rb b/s3-cloudfront.cfhighlander.rb
@@ -6,6 +6,10 @@
     ComponentParam 'EnvironmentName', 'dev', isGlobal: true
     ComponentParam 'EnvironmentType', 'development', allowedValues: ['development','production'], isGlobal: true
     ComponentParam 'DnsDomain', isGlobal: true
+    if enable_s3_logging
+      ComponentParam 'LogFilePrefix', ''
+      ComponentParam 'AccessLogsBucket'
+    end
   end
 
   Component name: cloudfront_component_name, template: 'cloudfront@master.snapshot', render: Inline, config: @config do

diff --git a/s3-cloudfront.cfndsl.rb b/s3-cloudfront.cfndsl.rb
@@ -27,8 +27,18 @@
   end
 
 
+  bucket_encryption = external_parameters.fetch(:bucket_encryption, nil)
+  enable_s3_logging = external_parameters[:enable_s3_logging]
+
+  Condition(:SetLogFilePrefix, FnNot(FnEquals(Ref(:LogFilePrefix), ''))) if enable_s3_logging
+
   S3_Bucket('Bucket') do
     BucketName FnSub(external_parameters[:bucket_name])
+    LoggingConfiguration ({
+      DestinationBucketName: Ref(:AccessLogsBucket),
+      LogFilePrefix: FnIf(:SetLogFilePrefix, Ref(:LogFilePrefix), Ref('AWS::NoValue'))
+    }) if enable_s3_logging
+    BucketEncryption bucket_encryption unless bucket_encryption.nil?
   end
 
   S3_BucketPolicy("BucketPolicy") do

diff --git a/s3-cloudfront.config.yaml b/s3-cloudfront.config.yaml
@@ -1,4 +1,5 @@
 bucket_name: frontend.${EnvironmentName}.${DnsDomain}
+enable_s3_logging: false
 cloudfront_component_name: cloudfront
 # bucket_policy:
 #   OpsAccount:

diff --git a/tests/bucket_encryption.test.yaml b/tests/bucket_encryption.test.yaml
@@ -0,0 +1,13 @@
+test_metadata:
+  type: config
+  name: Bucket and encryption
+  description: Create bucket with encryption
+
+bucket_name: frontend.${EnvironmentName}.${DnsDomain}
+enable_s3_logging: true
+
+bucket_encryption:
+  ServerSideEncryptionConfiguration:
+    -
+      ServerSideEncryptionByDefault:
+        SSEAlgorithm: AES256