fix(synthetics): generated role has incorrect permissions for cloudwatch logs (#18946)

kaizencc · web-flow · commit f8bb85fad8f6 · 2022-02-14T17:13:02.000Z
The generated role did not have the correct permissions to create cloudwatch logs, so even if the canary successfully deployed and ran, no cloudwatch streams were generated for the resource. This seems to be a long-standing bug in the synthetics module. What was missing was the region and account id, which should be the same region/account as the created canary. Fixes #18910. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-synthetics/lib/canary.ts b/packages/@aws-cdk/aws-synthetics/lib/canary.ts
@@ -290,7 +290,6 @@ export class Canary extends cdk.Resource {
    * Returns a default role for the canary
    */
   private createDefaultRole(prefix?: string): iam.IRole {
-    const { partition } = cdk.Stack.of(this);
     // Created role will need these policies to run the Canary.
     // https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-synthetics-canary.html#cfn-synthetics-canary-executionrolearn
     const policy = new iam.PolicyDocument({
@@ -313,7 +312,7 @@ export class Canary extends cdk.Resource {
           conditions: { StringEquals: { 'cloudwatch:namespace': 'CloudWatchSynthetics' } },
         }),
         new iam.PolicyStatement({
-          resources: [`arn:${partition}:logs:::*`],
+          resources: [this.logGroupArn()],
           actions: ['logs:CreateLogStream', 'logs:CreateLogGroup', 'logs:PutLogEvents'],
         }),
       ],
@@ -327,6 +326,15 @@ export class Canary extends cdk.Resource {
     });
   }
 
+  private logGroupArn() {
+    return cdk.Stack.of(this).formatArn({
+      service: 'logs',
+      resource: 'log-group',
+      arnFormat: cdk.ArnFormat.COLON_RESOURCE_NAME,
+      resourceName: '/aws/lambda/cwsyn-*',
+    });
+  }
+
   /**
    * Returns the code object taken in by the canary resource.
    */
diff --git a/packages/@aws-cdk/aws-synthetics/test/canary.test.ts b/packages/@aws-cdk/aws-synthetics/test/canary.test.ts
@@ -440,3 +440,98 @@ test('can specify custom test', () => {
     },
   });
 });
+
+test('Role policy generated as expected', () => {
+  // GIVEN
+  const stack = new Stack();
+
+  // WHEN
+  new synthetics.Canary(stack, 'Canary', {
+    test: synthetics.Test.custom({
+      handler: 'index.handler',
+      code: synthetics.Code.fromInline('/* Synthetics handler code */'),
+    }),
+    runtime: synthetics.Runtime.SYNTHETICS_NODEJS_PUPPETEER_3_3,
+  });
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', {
+    Policies: [{
+      PolicyDocument: {
+        Statement: [
+          {
+            Action: 's3:ListAllMyBuckets',
+            Effect: 'Allow',
+            Resource: '*',
+          },
+          {
+            Action: 's3:GetBucketLocation',
+            Effect: 'Allow',
+            Resource: {
+              'Fn::GetAtt': [
+                'CanaryArtifactsBucket4A60D32B',
+                'Arn',
+              ],
+            },
+          },
+          {
+            Action: 's3:PutObject',
+            Effect: 'Allow',
+            Resource: {
+              'Fn::Join': [
+                '',
+                [
+                  {
+                    'Fn::GetAtt': [
+                      'CanaryArtifactsBucket4A60D32B',
+                      'Arn',
+                    ],
+                  },
+                  '/*',
+                ],
+              ],
+            },
+          },
+          {
+            Action: 'cloudwatch:PutMetricData',
+            Condition: {
+              StringEquals: {
+                'cloudwatch:namespace': 'CloudWatchSynthetics',
+              },
+            },
+            Effect: 'Allow',
+            Resource: '*',
+          },
+          {
+            Action: [
+              'logs:CreateLogStream',
+              'logs:CreateLogGroup',
+              'logs:PutLogEvents',
+            ],
+            Effect: 'Allow',
+            Resource: {
+              'Fn::Join': [
+                '',
+                [
+                  'arn:',
+                  {
+                    Ref: 'AWS::Partition',
+                  },
+                  ':logs:',
+                  {
+                    Ref: 'AWS::Region',
+                  },
+                  ':',
+                  {
+                    Ref: 'AWS::AccountId',
+                  },
+                  ':log-group:/aws/lambda/cwsyn-*',
+                ],
+              ],
+            },
+          },
+        ],
+      },
+    }],
+  });
+});
diff --git a/packages/@aws-cdk/aws-synthetics/test/integ.canary.expected.json b/packages/@aws-cdk/aws-synthetics/test/integ.canary.expected.json
@@ -82,7 +82,15 @@
                         {
                           "Ref": "AWS::Partition"
                         },
-                        ":logs:::*"
+                        ":logs:",
+                        {
+                          "Ref": "AWS::Region"
+                        },
+                        ":",
+                        {
+                          "Ref": "AWS::AccountId"
+                        },
+                        ":log-group:/aws/lambda/cwsyn-*"
                       ]
                     ]
                   }
@@ -269,7 +277,15 @@
                         {
                           "Ref": "AWS::Partition"
                         },
-                        ":logs:::*"
+                        ":logs:",
+                        {
+                          "Ref": "AWS::Region"
+                        },
+                        ":",
+                        {
+                          "Ref": "AWS::AccountId"
+                        },
+                        ":log-group:/aws/lambda/cwsyn-*"
                       ]
                     ]
                   }
@@ -490,7 +506,15 @@
                         {
                           "Ref": "AWS::Partition"
                         },
-                        ":logs:::*"
+                        ":logs:",
+                        {
+                          "Ref": "AWS::Region"
+                        },
+                        ":",
+                        {
+                          "Ref": "AWS::AccountId"
+                        },
+                        ":log-group:/aws/lambda/cwsyn-*"
                       ]
                     ]
                   }
@@ -711,7 +735,15 @@
                         {
                           "Ref": "AWS::Partition"
                         },
-                        ":logs:::*"
+                        ":logs:",
+                        {
+                          "Ref": "AWS::Region"
+                        },
+                        ":",
+                        {
+                          "Ref": "AWS::AccountId"
+                        },
+                        ":log-group:/aws/lambda/cwsyn-*"
                       ]
                     ]
                   }
@@ -932,7 +964,15 @@
                         {
                           "Ref": "AWS::Partition"
                         },
-                        ":logs:::*"
+                        ":logs:",
+                        {
+                          "Ref": "AWS::Region"
+                        },
+                        ":",
+                        {
+                          "Ref": "AWS::AccountId"
+                        },
+                        ":log-group:/aws/lambda/cwsyn-*"
                       ]
                     ]
                   }

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,15 @@`
`82`	`82`	`{`
`83`	`83`	`"Ref": "AWS::Partition"`
`84`	`84`	`},`
`85`		`- ":logs:::*"`
	`85`	`+ ":logs:",`
	`86`	`+ {`
	`87`	`+ "Ref": "AWS::Region"`
	`88`	`+ },`
	`89`	`+ ":",`
	`90`	`+ {`
	`91`	`+ "Ref": "AWS::AccountId"`
	`92`	`+ },`
	`93`	`+ ":log-group:/aws/lambda/cwsyn-*"`
`86`	`94`	`]`
`87`	`95`	`]`
`88`	`96`	`}`
`@@ -269,7 +277,15 @@`
`269`	`277`	`{`
`270`	`278`	`"Ref": "AWS::Partition"`
`271`	`279`	`},`
`272`		`- ":logs:::*"`
	`280`	`+ ":logs:",`
	`281`	`+ {`
	`282`	`+ "Ref": "AWS::Region"`
	`283`	`+ },`
	`284`	`+ ":",`
	`285`	`+ {`
	`286`	`+ "Ref": "AWS::AccountId"`
	`287`	`+ },`
	`288`	`+ ":log-group:/aws/lambda/cwsyn-*"`
`273`	`289`	`]`
`274`	`290`	`]`
`275`	`291`	`}`
`@@ -490,7 +506,15 @@`
`490`	`506`	`{`
`491`	`507`	`"Ref": "AWS::Partition"`
`492`	`508`	`},`
`493`		`- ":logs:::*"`
	`509`	`+ ":logs:",`
	`510`	`+ {`
	`511`	`+ "Ref": "AWS::Region"`
	`512`	`+ },`
	`513`	`+ ":",`
	`514`	`+ {`
	`515`	`+ "Ref": "AWS::AccountId"`
	`516`	`+ },`
	`517`	`+ ":log-group:/aws/lambda/cwsyn-*"`
`494`	`518`	`]`
`495`	`519`	`]`
`496`	`520`	`}`
`@@ -711,7 +735,15 @@`
`711`	`735`	`{`
`712`	`736`	`"Ref": "AWS::Partition"`
`713`	`737`	`},`
`714`		`- ":logs:::*"`
	`738`	`+ ":logs:",`
	`739`	`+ {`
	`740`	`+ "Ref": "AWS::Region"`
	`741`	`+ },`
	`742`	`+ ":",`
	`743`	`+ {`
	`744`	`+ "Ref": "AWS::AccountId"`
	`745`	`+ },`
	`746`	`+ ":log-group:/aws/lambda/cwsyn-*"`
`715`	`747`	`]`
`716`	`748`	`]`
`717`	`749`	`}`
`@@ -932,7 +964,15 @@`
`932`	`964`	`{`
`933`	`965`	`"Ref": "AWS::Partition"`
`934`	`966`	`},`
`935`		`- ":logs:::*"`
	`967`	`+ ":logs:",`
	`968`	`+ {`
	`969`	`+ "Ref": "AWS::Region"`
	`970`	`+ },`
	`971`	`+ ":",`
	`972`	`+ {`
	`973`	`+ "Ref": "AWS::AccountId"`
	`974`	`+ },`
	`975`	`+ ":log-group:/aws/lambda/cwsyn-*"`
`936`	`976`	`]`
`937`	`977`	`]`
`938`	`978`	`}`