feat(logs): add grantRead function to LogGroup (#23280)

watany-dev · web-flow · commit 42ef50706f60 · 2023-01-19T02:47:09.000Z
fixes #21668 adding method `logGroup.grantRead` We refer to the following suspended PRs #22132 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Construct Runtime Dependencies: * [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-logs/README.md b/packages/@aws-cdk/aws-logs/README.md
@@ -71,6 +71,13 @@ const logGroup = new logs.LogGroup(this, 'LogGroup');
 logGroup.grantWrite(new iam.ServicePrincipal('es.amazonaws.com'));
 ```
 
+Similarily, read permissions can be granted to the log group as follows.
+
+```ts
+const logGroup = new logs.LogGroup(this, 'LogGroup');
+logGroup.grantRead(new iam.ServicePrincipal('es.amazonaws.com'));
+```
+
 Be aware that any ARNs or tokenized values passed to the resource policy will be converted into AWS Account IDs.
 This is because CloudWatch Logs Resource Policies do not accept ARNs as principals, but they do accept
 Account ID strings. Non-ARN principals, like Service principals or Any principals, are accepted by CloudWatch.
diff --git a/packages/@aws-cdk/aws-logs/lib/log-group.ts b/packages/@aws-cdk/aws-logs/lib/log-group.ts
@@ -69,6 +69,11 @@ export interface ILogGroup extends iam.IResourceWithPolicy {
    */
   grantWrite(grantee: iam.IGrantable): iam.Grant;
 
+  /**
+   * Give permissions to read from this log group and streams
+   */
+  grantRead(grantee: iam.IGrantable): iam.Grant;
+
   /**
    * Give the indicated permissions on this log group and all streams
    */
@@ -169,6 +174,19 @@ abstract class LogGroupBase extends Resource implements ILogGroup {
     return this.grant(grantee, 'logs:CreateLogStream', 'logs:PutLogEvents');
   }
 
+  /**
+   * Give permissions to read and filter events from this log group
+   */
+  public grantRead(grantee: iam.IGrantable) {
+    return this.grant(grantee,
+      'logs:FilterLogEvents',
+      'logs:GetLogEvents',
+      'logs:GetLogGroupFields',
+      'logs:DescribeLogGroups',
+      'logs:DescribeLogStreams',
+    );
+  }
+
   /**
    * Give the indicated permissions on this log group and all streams
    */
diff --git a/packages/@aws-cdk/aws-logs/test/integ.loggroup-grantread.js.snapshot/aws-cdk-loggroup-grantreads-integ.assets.json b/packages/@aws-cdk/aws-logs/test/integ.loggroup-grantread.js.snapshot/aws-cdk-loggroup-grantreads-integ.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "22.0.0",
+  "files": {
+    "f5ee43894e543af0834d9c1eaa47e8ac9913473f9a8fd8203c3743cad0db8b34": {
+      "source": {
+        "path": "aws-cdk-loggroup-grantreads-integ.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "f5ee43894e543af0834d9c1eaa47e8ac9913473f9a8fd8203c3743cad0db8b34.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/packages/@aws-cdk/aws-logs/test/integ.loggroup-grantread.js.snapshot/aws-cdk-loggroup-grantreads-integ.template.json b/packages/@aws-cdk/aws-logs/test/integ.loggroup-grantread.js.snapshot/aws-cdk-loggroup-grantreads-integ.template.json
@@ -0,0 +1,67 @@
+{
+ "Resources": {
+  "LogGroupF5B46931": {
+   "Type": "AWS::Logs::LogGroup",
+   "Properties": {
+    "RetentionInDays": 731
+   },
+   "UpdateReplacePolicy": "Retain",
+   "DeletionPolicy": "Retain"
+  },
+  "LogGroupPolicyResourcePolicy6FA18555": {
+   "Type": "AWS::Logs::ResourcePolicy",
+   "Properties": {
+    "PolicyDocument": {
+     "Fn::Join": [
+      "",
+      [
+       "{\"Statement\":[{\"Action\":[\"logs:FilterLogEvents\",\"logs:GetLogEvents\",\"logs:GetLogGroupFields\",\"logs:DescribeLogGroups\",\"logs:DescribeLogStreams\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"es.amazonaws.com\"},\"Resource\":\"",
+       {
+        "Fn::GetAtt": [
+         "LogGroupF5B46931",
+         "Arn"
+        ]
+       },
+       "\"}],\"Version\":\"2012-10-17\"}"
+      ]
+     ]
+    },
+    "PolicyName": "awscdkloggroupgrantreadsintegLogGroupPolicy974F6709"
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/packages/@aws-cdk/aws-logs/test/integ.loggroup-grantread.js.snapshot/cdk.out b/packages/@aws-cdk/aws-logs/test/integ.loggroup-grantread.js.snapshot/cdk.out
@@ -0,0 +1 @@
+{"version":"22.0.0"}
diff --git a/packages/@aws-cdk/aws-logs/test/integ.loggroup-grantread.js.snapshot/integ.json b/packages/@aws-cdk/aws-logs/test/integ.loggroup-grantread.js.snapshot/integ.json
@@ -0,0 +1,12 @@
+{
+  "version": "22.0.0",
+  "testCases": {
+    "loggroup-grantreads/DefaultTest": {
+      "stacks": [
+        "aws-cdk-loggroup-grantreads-integ"
+      ],
+      "assertionStack": "loggroup-grantreads/DefaultTest/DeployAssert",
+      "assertionStackName": "loggroupgrantreadsDefaultTestDeployAssert7C1C7FAA"
+    }
+  }
+}
diff --git a/packages/@aws-cdk/aws-logs/test/integ.loggroup-grantread.js.snapshot/loggroupgrantreadsDefaultTestDeployAssert7C1C7FAA.assets.json b/packages/@aws-cdk/aws-logs/test/integ.loggroup-grantread.js.snapshot/loggroupgrantreadsDefaultTestDeployAssert7C1C7FAA.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "22.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "loggroupgrantreadsDefaultTestDeployAssert7C1C7FAA.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/packages/@aws-cdk/aws-logs/test/integ.loggroup-grantread.js.snapshot/loggroupgrantreadsDefaultTestDeployAssert7C1C7FAA.template.json b/packages/@aws-cdk/aws-logs/test/integ.loggroup-grantread.js.snapshot/loggroupgrantreadsDefaultTestDeployAssert7C1C7FAA.template.json
@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/packages/@aws-cdk/aws-logs/test/integ.loggroup-grantread.js.snapshot/manifest.json b/packages/@aws-cdk/aws-logs/test/integ.loggroup-grantread.js.snapshot/manifest.json
@@ -0,0 +1,117 @@
+{
+  "version": "22.0.0",
+  "artifacts": {
+    "aws-cdk-loggroup-grantreads-integ.assets": {
+      "type": "cdk:asset-manifest",
+      "properties": {
+        "file": "aws-cdk-loggroup-grantreads-integ.assets.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+      }
+    },
+    "aws-cdk-loggroup-grantreads-integ": {
+      "type": "aws:cloudformation:stack",
+      "environment": "aws://unknown-account/unknown-region",
+      "properties": {
+        "templateFile": "aws-cdk-loggroup-grantreads-integ.template.json",
+        "validateOnSynth": false,
+        "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
+        "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/f5ee43894e543af0834d9c1eaa47e8ac9913473f9a8fd8203c3743cad0db8b34.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
+        "additionalDependencies": [
+          "aws-cdk-loggroup-grantreads-integ.assets"
+        ],
+        "lookupRole": {
+          "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
+          "requiresBootstrapStackVersion": 8,
+          "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+        }
+      },
+      "dependencies": [
+        "aws-cdk-loggroup-grantreads-integ.assets"
+      ],
+      "metadata": {
+        "/aws-cdk-loggroup-grantreads-integ/LogGroup/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "LogGroupF5B46931"
+          }
+        ],
+        "/aws-cdk-loggroup-grantreads-integ/LogGroup/Policy/ResourcePolicy": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "LogGroupPolicyResourcePolicy6FA18555"
+          }
+        ],
+        "/aws-cdk-loggroup-grantreads-integ/BootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "BootstrapVersion"
+          }
+        ],
+        "/aws-cdk-loggroup-grantreads-integ/CheckBootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "CheckBootstrapVersion"
+          }
+        ]
+      },
+      "displayName": "aws-cdk-loggroup-grantreads-integ"
+    },
+    "loggroupgrantreadsDefaultTestDeployAssert7C1C7FAA.assets": {
+      "type": "cdk:asset-manifest",
+      "properties": {
+        "file": "loggroupgrantreadsDefaultTestDeployAssert7C1C7FAA.assets.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+      }
+    },
+    "loggroupgrantreadsDefaultTestDeployAssert7C1C7FAA": {
+      "type": "aws:cloudformation:stack",
+      "environment": "aws://unknown-account/unknown-region",
+      "properties": {
+        "templateFile": "loggroupgrantreadsDefaultTestDeployAssert7C1C7FAA.template.json",
+        "validateOnSynth": false,
+        "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
+        "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
+        "additionalDependencies": [
+          "loggroupgrantreadsDefaultTestDeployAssert7C1C7FAA.assets"
+        ],
+        "lookupRole": {
+          "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
+          "requiresBootstrapStackVersion": 8,
+          "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+        }
+      },
+      "dependencies": [
+        "loggroupgrantreadsDefaultTestDeployAssert7C1C7FAA.assets"
+      ],
+      "metadata": {
+        "/loggroup-grantreads/DefaultTest/DeployAssert/BootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "BootstrapVersion"
+          }
+        ],
+        "/loggroup-grantreads/DefaultTest/DeployAssert/CheckBootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "CheckBootstrapVersion"
+          }
+        ]
+      },
+      "displayName": "loggroup-grantreads/DefaultTest/DeployAssert"
+    },
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
+    }
+  }
+}
diff --git a/packages/@aws-cdk/aws-logs/test/integ.loggroup-grantread.js.snapshot/tree.json b/packages/@aws-cdk/aws-logs/test/integ.loggroup-grantread.js.snapshot/tree.json
diff --git a/packages/@aws-cdk/aws-logs/test/integ.loggroup-grantread.ts b/packages/@aws-cdk/aws-logs/test/integ.loggroup-grantread.ts
diff --git a/packages/@aws-cdk/aws-logs/test/loggroup.test.ts b/packages/@aws-cdk/aws-logs/test/loggroup.test.ts
