feat(s3-stepfunctions): removed CloudTrail dependency after new S3 feature (#529)

* enabled eventbridge in bucket creation

* updated README

* empty commit

* updated README and readded deploy CloudTrail

* fixed eslint errors

* updated README doc by removing properties and improvinng notes

* updated README and enabled eventbridge in bucket test

* enabled eventbridge in bucket for pre-existing tests

* updated pre-existing-bucket test

Author: mickychetta

Diff for: source/patterns/@aws-solutions-constructs/aws-s3-step-function/README.md

@@ -22,7 +22,9 @@
 
 This AWS Solutions Construct implements an Amazon S3 bucket connected to an AWS Step Function.
 
-*Note - This construct uses Amazon EventBridge (Amazon CloudWatch Events) to trigger AWS Step Functions. EventBridge is more flexible, but triggering Step Functions with S3 Event Notifications has less latency and is more cost effective. If cost and/or latency is an issue, you should consider deploy aws-s3-lambda and aws-lambda-stepfunctions in place of this construct.*
+*Note - This constructs sends S3 Event Notification to EventBridge, then triggers AWS Step Functions State Machine executions from EventBridge.*
+
+*An alternative architecture can be built that triggers a Lambda function from S3 Event notifications using aws-s3-lambda and aws-lambda-stepfunctions. Channelling the S3 events through Lambda is less flexible than EventBridge, but is more cost effective and has lower latency.*
 
 Here is a minimal deployable pattern definition in Typescript:
 
@@ -55,12 +57,12 @@ _Parameters_
 
 | **Name**     | **Type**        | **Description** |
 |:-------------|:----------------|-----------------|
-|existingBucketObj?|[`s3.IBucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.IBucket.html)|Existing instance of S3 Bucket object. If this is provided, then also providing bucketProps is an error. |
+|existingBucketObj?|[`s3.IBucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.IBucket.html)|Existing instance of S3 Bucket object. The existing bucket must have [EventBridge enabled](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications-eventbridge.html) for this to work. If this is provided, then also providing bucketProps is an error. |
 |bucketProps?|[`s3.BucketProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.BucketProps.html)|Optional user provided props to override the default props for the S3 Bucket.|
 |stateMachineProps|[`sfn.StateMachineProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-stepfunctions.StateMachineProps.html)|User provided props to override the default props for sfn.StateMachine|
 |eventRuleProps?|[`events.RuleProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-events.RuleProps.html)|Optional user provided eventRuleProps to override the defaults|
-|deployCloudTrail?|`boolean`|Whether to deploy a Trail in AWS CloudTrail to log API events in Amazon S3. Defaults to `true`.|
-|createCloudWatchAlarms|`boolean`|Whether to create recommended CloudWatch alarms|
+|deployCloudTrail?|`boolean`|Whether to deploy a Trail in AWS CloudTrail to log API events in Amazon S3. Defaults to `true`. <span style="color:red">**This is now deprecated and ignored because the construct no longer needs CloudTrail since it uses S3 Event Notifications**</span>.|
+|createCloudWatchAlarms|`boolean`|Whether to create recommended CloudWatch alarms.|
 |logGroupProps?|[`logs.LogGroupProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-logs.LogGroupProps.html)|User provided props to override the default props for for the CloudWatchLogs LogGroup.|
 |loggingBucketProps?|[`s3.BucketProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.BucketProps.html)|Optional user provided props to override the default props for the S3 Logging Bucket.|
 |logS3AccessLogs?| boolean|Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true|
@@ -71,18 +73,22 @@ _Parameters_
 |:-------------|:----------------|-----------------|
 |stateMachine|[`sfn.StateMachine`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-stepfunctions.StateMachine.html)|Returns an instance of sfn.StateMachine created by the construct|
 |stateMachineLogGroup|[`logs.ILogGroup`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-logs.ILogGroup.html)|Returns an instance of the ILogGroup created by the construct for StateMachine|
-|cloudwatchAlarms?|[`cloudwatch.Alarm[]`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudwatch.Alarm.html)|Returns a list of cloudwatch.Alarm created by the construct|
+|cloudwatchAlarms?|[`cloudwatch.Alarm[]`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudwatch.Alarm.html)|Returns a list of cloudwatch.Alarm created by the construct.|
 |s3Bucket?|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html)|Returns an instance of the s3.Bucket created by the construct|
 |s3LoggingBucket?|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html)|Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary bucket.|
-|cloudtrail|[`cloudtrail.Trail`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudtrail.Trail.html)|Returns an instance of the cloudtrail.Trail created by the construct|
-|cloudtrailBucket|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html)|Returns an instance of the s3.Bucket created by the construct for CloudTrail|
-|cloudtrailLoggingBucket|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html)|Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary CloudTrail bucket.|
 |s3BucketInterface|[`s3.IBucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.IBucket.html)|Returns an instance of s3.IBucket created by the construct.|
+
+*Note - with the release of Enable EventBridge for Amazon S3, AWS CloudTrail is no longer required to implement this construct. Because of this, the following properties have been removed:*
+- cloudtrail
+- cloudtrailBucket
+- cloudtrailLoggingBucket
+
 ## Default settings
 
 Out of the box implementation of the Construct without any override will set the following defaults:
 
 ### Amazon S3 Bucket
+* Enable EventBridge to send events from the S3 Bucket
 * Configure Access logging for S3 Bucket
 * Enable server-side encryption for S3 Bucket using AWS managed KMS Key
 * Enforce encryption of data in transit
@@ -91,8 +97,8 @@ Out of the box implementation of the Construct without any override will set the
 * Retain the S3 Bucket when deleting the CloudFormation stack
 * Applies Lifecycle rule to move noncurrent object versions to Glacier storage after 90 days
 
-### AWS CloudTrail
-* Configure a Trail in AWS CloudTrail to log API events in Amazon S3 related to the Bucket created by the Construct
+### AWS S3 Event Notification
+* Enable S3 to send events to EventBridge when an object is created.
 
 ### Amazon CloudWatch Events Rule
 * Grant least privilege permissions to CloudWatch Events to trigger the Lambda Function

Diff for: source/patterns/@aws-solutions-constructs/aws-s3-step-function/architecture.png

@@ -17,7 +17,6 @@ import { S3ToStepfunctions } from '@aws-solutions-constructs/aws-s3-stepfunction
 // Note: To ensure CDKv2 compatibility, keep the import statement for Construct separate
 import { Construct } from '@aws-cdk/core';
 import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
-import * as cloudtrail from '@aws-cdk/aws-cloudtrail';
 import * as events from '@aws-cdk/aws-events';
 import * as logs from '@aws-cdk/aws-logs';
 
@@ -88,9 +87,6 @@ export class S3ToStepFunction extends Construct {
   public readonly s3Bucket?: s3.Bucket;
   public readonly s3LoggingBucket?: s3.Bucket;
   public readonly cloudwatchAlarms?: cloudwatch.Alarm[];
-  public readonly cloudtrail?: cloudtrail.Trail;
-  public readonly cloudtrailBucket?: s3.Bucket;
-  public readonly cloudtrailLoggingBucket?: s3.Bucket;
   public readonly s3BucketInterface: s3.IBucket;
 
   /**
@@ -115,9 +111,6 @@ export class S3ToStepFunction extends Construct {
     this.s3Bucket = wrappedConstruct.s3Bucket;
     this.s3LoggingBucket = wrappedConstruct.s3LoggingBucket;
     this.cloudwatchAlarms = wrappedConstruct.cloudwatchAlarms;
-    this.cloudtrail = wrappedConstruct.cloudtrail;
-    this.cloudtrailBucket = wrappedConstruct.cloudtrailBucket;
-    this.cloudtrailLoggingBucket = wrappedConstruct.cloudtrailLoggingBucket;
     this.s3BucketInterface = wrappedConstruct.s3BucketInterface;
   }
 }

Diff for: source/patterns/@aws-solutions-constructs/aws-s3-step-function/lib/index.ts

@@ -115,6 +115,11 @@
             "Ref": "tests3stepfunctiontests3stepfunctionWS3LoggingBucketB716417C"
           }
         },
+        "NotificationConfiguration": {
+          "EventBridgeConfiguration": {
+            "EventBridgeEnabled": true
+          }
+        },
         "PublicAccessBlockConfiguration": {
           "BlockPublicAcls": true,
           "BlockPublicPolicy": true,
@@ -370,19 +375,11 @@
             "aws.s3"
           ],
           "detail-type": [
-            "AWS API Call via CloudTrail"
+            "Object Created"
           ],
           "detail": {
-            "eventSource": [
-              "s3.amazonaws.com"
-            ],
-            "eventName": [
-              "PutObject",
-              "CopyObject",
-              "CompleteMultipartUpload"
-            ],
-            "requestParameters": {
-              "bucketName": [
+            "bucket": {
+              "name": [
                 {
                   "Ref": "tests3stepfunctiontests3stepfunctionWS3Bucket9BE64924"
                 }

Diff for: source/patterns/@aws-solutions-constructs/aws-s3-step-function/test/integ.customLoggingBucket.expected.json

@@ -40,7 +40,6 @@ new S3ToStepFunction(stack, 'test-s3-step-function', {
   },
   logGroupProps: {
     removalPolicy: RemovalPolicy.DESTROY
-  },
-  deployCloudTrail: false
+  }
 });
 app.synth();

Diff for: source/patterns/@aws-solutions-constructs/aws-s3-step-function/test/integ.customLoggingBucket.ts

@@ -12,6 +12,11 @@
             }
           ]
         },
+        "NotificationConfiguration": {
+          "EventBridgeConfiguration": {
+            "EventBridgeEnabled": true
+          }
+        },
         "VersioningConfiguration": {
           "Status": "Enabled"
         }
@@ -231,19 +236,11 @@
             "aws.s3"
           ],
           "detail-type": [
-            "AWS API Call via CloudTrail"
+            "Object Created"
           ],
           "detail": {
-            "eventSource": [
-              "s3.amazonaws.com"
-            ],
-            "eventName": [
-              "PutObject",
-              "CopyObject",
-              "CompleteMultipartUpload"
-            ],
-            "requestParameters": {
-              "bucketName": [
+            "bucket": {
+              "name": [
                 {
                   "Ref": "existingScriptLocation845F3C51"
                 }

Diff for: source/patterns/@aws-solutions-constructs/aws-s3-step-function/test/integ.pre-existing-bucket.expected.json

@@ -23,19 +23,19 @@ const app = new App();
 const stack = new Stack(app, generateIntegStackName(__filename));
 
 const existingBucket = CreateScrapBucket(stack, {});
+const cfnBucket = existingBucket.node.defaultChild as s3.CfnBucket;
+cfnBucket.addPropertyOverride('NotificationConfiguration.EventBridgeConfiguration.EventBridgeEnabled', true);
 
-const mybucket: s3.IBucket = s3.Bucket.fromBucketName(stack, 'mybucket', existingBucket.bucketName);
 const startState = new stepfunctions.Pass(stack, 'StartState');
 
 const props: S3ToStepFunctionProps = {
-  existingBucketObj: mybucket,
+  existingBucketObj: existingBucket,
   stateMachineProps: {
     definition: startState
   },
   logGroupProps: {
     removalPolicy: RemovalPolicy.DESTROY
-  },
-  deployCloudTrail: false
+  }
 };
 
 new S3ToStepFunction(stack, 'test-s3-step-function-pre-existing-bucket-construct', props);

Diff for: source/patterns/@aws-solutions-constructs/aws-s3-step-function/test/integ.pre-existing-bucket.ts

@@ -25,6 +25,11 @@
             }
           ]
         },
+        "NotificationConfiguration": {
+          "EventBridgeConfiguration": {
+            "EventBridgeEnabled": true
+          }
+        },
         "PublicAccessBlockConfiguration": {
           "BlockPublicAcls": true,
           "BlockPublicPolicy": true,
@@ -290,19 +295,11 @@
             "aws.s3"
           ],
           "detail-type": [
-            "AWS API Call via CloudTrail"
+            "Object Created"
           ],
           "detail": {
-            "eventSource": [
-              "s3.amazonaws.com"
-            ],
-            "eventName": [
-              "PutObject",
-              "CopyObject",
-              "CompleteMultipartUpload"
-            ],
-            "requestParameters": {
-              "bucketName": [
+            "bucket": {
+              "name": [
                 {
                   "Ref": "tests3stepfunctionconstructtests3stepfunctionconstructWS3Bucket474FE3A1"
                 }

Diff for: source/patterns/@aws-solutions-constructs/aws-s3-step-function/test/integ.s3-step-function-no-argument.expected.json

@@ -34,8 +34,7 @@ const props: S3ToStepFunctionProps = {
   logGroupProps: {
     removalPolicy: RemovalPolicy.DESTROY
   },
-  logS3AccessLogs: false,
-  deployCloudTrail: false
+  logS3AccessLogs: false
 };
 
 const construct = new S3ToStepFunction(stack, 'test-s3-step-function-construct', props);

Diff for: source/patterns/@aws-solutions-constructs/aws-s3-step-function/test/integ.s3-step-function-no-argument.ts

@@ -30,23 +30,6 @@ function deployNewStateMachine(stack: cdk.Stack) {
   return new S3ToStepFunction(stack, 'test-s3-step-function', props);
 }
 
-test('check deployCloudTrail = false', () => {
-  const stack = new cdk.Stack();
-
-  const startState = new sfn.Pass(stack, 'StartState');
-
-  const props: S3ToStepFunctionProps = {
-    stateMachineProps: {
-      definition: startState
-    },
-    deployCloudTrail: false
-  };
-
-  const construct = new S3ToStepFunction(stack, 'test-s3-step-function', props);
-
-  expect(construct.cloudtrail === undefined);
-});
-
 test('override eventRuleProps', () => {
   const stack = new cdk.Stack();
 
@@ -61,18 +44,10 @@ test('override eventRuleProps', () => {
     eventRuleProps: {
       eventPattern: {
         source: ['aws.s3'],
-        detailType: ['AWS API Call via CloudTrail'],
+        detailType: ['Object Created'],
         detail: {
-          eventSource: [
-            "s3.amazonaws.com"
-          ],
-          eventName: [
-            "GetObject"
-          ],
-          requestParameters: {
-            bucketName: [
-              mybucket.bucketName
-            ]
+          bucket: {
+            name: [mybucket.bucketName]
           }
         }
       }
@@ -87,20 +62,13 @@ test('override eventRuleProps', () => {
         "aws.s3"
       ],
       "detail-type": [
-        "AWS API Call via CloudTrail"
+        "Object Created"
       ],
       "detail": {
-        eventSource: [
-          "s3.amazonaws.com"
-        ],
-        eventName: [
-          "GetObject"
-        ],
-        requestParameters: {
-          bucketName: [
-            {
-              Ref: "mybucket160F8132"
-            }
+        bucket: {
+          name: [{
+            Ref: "mybucket160F8132"
+          }
           ]
         }
       }
@@ -128,15 +96,11 @@ test('check properties', () => {
 
   const construct: S3ToStepFunction = deployNewStateMachine(stack);
 
-  expect(construct.cloudtrail !== null);
   expect(construct.stateMachine !== null);
   expect(construct.s3Bucket !== null);
   expect(construct.cloudwatchAlarms !== null);
   expect(construct.stateMachineLogGroup !== null);
   expect(construct.s3LoggingBucket !== null);
-  expect(construct.cloudtrail !== null);
-  expect(construct.cloudtrailBucket !== null);
-  expect(construct.cloudtrailLoggingBucket !== null);
 });
 
 // --------------------------------------------------------------