From eeb24605c1ca72db3529064fb257271223e16799 Mon Sep 17 00:00:00 2001 From: Leo Singer Date: Mon, 5 Aug 2024 19:44:17 -0400 Subject: [PATCH] Record OpenSearch error logs MCP asked us to do this for compliance purposes. --- index.ts | 14 ++++++++++++++ service.ts | 38 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+) diff --git a/index.ts b/index.ts index b737005..93e3e8f 100644 --- a/index.ts +++ b/index.ts @@ -61,6 +61,19 @@ async function executeSearchRequests(cwd: string) { } } +function addTransforms( + cloudformation: { Transform?: string[] | string }, + ...transforms: string[] +) { + if (cloudformation.Transform === undefined) { + cloudformation.Transform = transforms + } else if (typeof cloudformation.Transform === 'string') { + cloudformation.Transform = [cloudformation.Transform, ...transforms] + } else { + cloudformation.Transform.push(...transforms) + } +} + export const deploy = { // @ts-expect-error: The Architect plugins API has no type definitions. start({ cloudformation, inventory, arc, stage }) { @@ -74,6 +87,7 @@ export const deploy = { resources = serverlessCloudformationResources(collectionName) } Object.assign(cloudformation.Resources, resources) + addTransforms(cloudformation, 'AWS::LanguageExtensions') return cloudformation }, // @ts-expect-error: The Architect plugins API has no type definitions. diff --git a/service.ts b/service.ts index effe98a..d9d4ddd 100644 --- a/service.ts +++ b/service.ts 
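Review bot: `addTransforms` appends without checking whether a name is already listed, so in the string and array branches a template that already declares `AWS::LanguageExtensions` would end up listing it twice. Skipping names that are already present, e.g. `if (!cloudformation.Transform.includes(t)) cloudformation.Transform.push(t)`, would make the helper safe to call more than once. Appending also places the new transform after any the template already declares, and CloudFormation processes transforms in the order listed, so confirm that position is intended; the incoming `Transform` value is not visible here. A short doc comment saying that the function mutates `cloudformation` in place and turns a string `Transform` into an array would help the next reader.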
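Review bot: The `addTransforms(cloudformation, 'AWS::LanguageExtensions')` call in `deploy.start` appears to run whichever branch produced `resources`, yet in this commit only the `Fn::ToJsonString` in service.ts needs the transform. If the serverless resources do not use language extensions (that file is not shown), either move the call into the branch that needs it or record the reason next to it, for example `// Needed for Fn::ToJsonString in OpenSearchLogPolicy (service.ts)`. The body of `start` begins outside this hunk, so the branch structure is inferred from the visible lines.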
@@ -36,8 +36,38 @@ export function cloudformationResources({ } return { + OpenSearchLogGroup: { + Type: 'AWS::Logs::LogGroup', + Properties: { + LogGroupName: { + 'Fn::Sub': + '/aws/OpenSearchService/stacks/${AWS::StackName}/application-logs', + }, + }, + }, + OpenSearchLogPolicy: { + Type: 'AWS::Logs::ResourcePolicy', + Properties: { + PolicyName: { 'Fn::Sub': '${AWS::StackName}-OpenSearchLogPolicy' }, + PolicyDocument: { + 'Fn::ToJsonString': { + Version: '2012-10-17', + Statement: [ + { + Sid: '', + Effect: 'Allow', + Principal: { Service: 'es.amazonaws.com' }, + Action: ['logs:PutLogEvents', 'logs:CreateLogStream'], + Resource: { 'Fn::GetAtt': ['OpenSearchLogGroup', 'Arn'] }, + }, + ], + }, + }, + }, + }, OpenSearchServiceDomain: { Type: 'AWS::OpenSearchService::Domain', + DependsOn: 'OpenSearchLogPolicy', Properties: { AccessPolicies: { Version: '2012-10-17', @@ -67,6 +97,14 @@ export function cloudformationResources({ EBSOptions: { EBSEnabled: true, VolumeSize }, EncryptionAtRestOptions: { Enabled: true }, IPAddressType: 'dualstack', + LogPublishingOptions: { + ES_APPLICATION_LOGS: { + CloudWatchLogsLogGroupArn: { + 'Fn::GetAtt': ['OpenSearchLogGroup', 'Arn'], + }, + Enabled: true, + }, + }, NodeToNodeEncryptionOptions: { Enabled: true }, }, },
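Review bot: The `OpenSearchLogPolicy` statement allows the `es.amazonaws.com` service principal to write to the log group with no `Condition`, so the grant is not tied to this account's domains. AWS's confused-deputy guidance for service principals is to scope such statements, e.g. `Condition: { StringEquals: { 'aws:SourceAccount': { Ref: 'AWS::AccountId' } } },`, optionally with an `aws:SourceArn` match on the domain ARN pattern. `OpenSearchLogGroup` also sets no `RetentionInDays`, so the logs never expire by default. Since the commit message gives compliance as the reason, the retention period should be stated explicitly, using whatever value the requirement specifies. `cloudformationResources` starts and ends outside this hunk.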
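Review bot: `LogPublishingOptions` in the second hunk enables only `ES_APPLICATION_LOGS`, which matches the "error logs" in the subject line, but nothing in the code says that the narrow scope is deliberate. A comment such as `// Application (error) logs only; slow logs and AUDIT_LOGS are intentionally not published` would document it. If the compliance request also covers access auditing, that is the separate `AUDIT_LOGS` type, which this change does not enable. I cannot tell from the page which of the two was asked for.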