added logS3AccessLogs and s3BucketInterface to s3-step-function

Author: mickychetta

source/patterns/@aws-solutions-constructs/aws-s3-step-function/README.md

@@ -63,6 +63,7 @@ _Parameters_
 |createCloudWatchAlarms|`boolean`|Whether to create recommended CloudWatch alarms|
 |logGroupProps?|[`logs.LogGroupProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-logs.LogGroupProps.html)|User provided props to override the default props for for the CloudWatchLogs LogGroup.|
 |loggingBucketProps?|[`s3.BucketProps`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.BucketProps.html)|Optional user provided props to override the default props for the S3 Logging Bucket.|
+|logS3AccessLogs?| boolean|Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true|
 
 ## Pattern Properties
 
@@ -76,7 +77,7 @@ _Parameters_
 |cloudtrail|[`cloudtrail.Trail`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudtrail.Trail.html)|Returns an instance of the cloudtrail.Trail created by the construct|
 |cloudtrailBucket|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html)|Returns an instance of the s3.Bucket created by the construct for CloudTrail|
 |cloudtrailLoggingBucket|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html)|Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary CloudTrail bucket.|
-
+|s3BucketInterface|[`s3.IBucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.IBucket.html)|Returns an instance of s3.IBucket created by the construct.|
 ## Default settings
 
 Out of the box implementation of the Construct without any override will set the following defaults:

source/patterns/@aws-solutions-constructs/aws-s3-step-function/lib/index.ts

@@ -48,7 +48,7 @@ export interface S3ToStepFunctionProps {
    *
    * @default - None
    */
-  readonly eventRuleProps?: events.RuleProps;
+  readonly eventRuleProps?: events.RuleProps,
   /**
    * Whether to deploy a Trail in AWS CloudTrail to log API events in Amazon S3
    *
@@ -66,13 +66,20 @@ export interface S3ToStepFunctionProps {
    *
    * @default - Default props are used
    */
-  readonly logGroupProps?: logs.LogGroupProps
+  readonly logGroupProps?: logs.LogGroupProps,
   /**
    * Optional user provided props to override the default props for the S3 Logging Bucket.
    *
    * @default - Default props are used
    */
-   readonly loggingBucketProps?: s3.BucketProps
+   readonly loggingBucketProps?: s3.BucketProps,
+  /**
+   * Whether to turn on Access Logs for the S3 bucket with the associated storage costs.
+   * Enabling Access Logging is a best practice.
+   *
+   * @default - true
+   */
+  readonly logS3AccessLogs?: boolean;
 }
 
 export class S3ToStepFunction extends Construct {
@@ -84,6 +91,7 @@ export class S3ToStepFunction extends Construct {
   public readonly cloudtrail?: cloudtrail.Trail;
   public readonly cloudtrailBucket?: s3.Bucket;
   public readonly cloudtrailLoggingBucket?: s3.Bucket;
+  public readonly s3BucketInterface: s3.IBucket;
 
   /**
    * @summary Constructs a new instance of the S3ToStepFunction class.
@@ -110,5 +118,6 @@ export class S3ToStepFunction extends Construct {
     this.cloudtrail = wrappedConstruct.cloudtrail;
     this.cloudtrailBucket = wrappedConstruct.cloudtrailBucket;
     this.cloudtrailLoggingBucket = wrappedConstruct.cloudtrailLoggingBucket;
+    this.s3BucketInterface = wrappedConstruct.s3BucketInterface;
   }
 }

source/patterns/@aws-solutions-constructs/aws-s3-step-function/test/integ.customLoggingBucket.expected.json

@@ -176,273 +176,13 @@
         }
       }
     },
-    "tests3stepfunctiontests3stepfunctionWCloudTrailS3LoggingBucket449D5AB7": {
-      "Type": "AWS::S3::Bucket",
-      "Properties": {
-        "AccessControl": "LogDeliveryWrite",
-        "BucketEncryption": {
-          "ServerSideEncryptionConfiguration": [
-            {
-              "ServerSideEncryptionByDefault": {
-                "SSEAlgorithm": "AES256"
-              }
-            }
-          ]
-        },
-        "PublicAccessBlockConfiguration": {
-          "BlockPublicAcls": true,
-          "BlockPublicPolicy": true,
-          "IgnorePublicAcls": true,
-          "RestrictPublicBuckets": true
-        },
-        "VersioningConfiguration": {
-          "Status": "Enabled"
-        }
-      },
-      "UpdateReplacePolicy": "Retain",
-      "DeletionPolicy": "Retain",
-      "Metadata": {
-        "cfn_nag": {
-          "rules_to_suppress": [
-            {
-              "id": "W35",
-              "reason": "This S3 bucket is used as the access logging bucket for another bucket"
-            }
-          ]
-        }
-      }
-    },
-    "tests3stepfunctiontests3stepfunctionWCloudTrailS3LoggingBucketPolicy7547A73F": {
-      "Type": "AWS::S3::BucketPolicy",
-      "Properties": {
-        "Bucket": {
-          "Ref": "tests3stepfunctiontests3stepfunctionWCloudTrailS3LoggingBucket449D5AB7"
-        },
-        "PolicyDocument": {
-          "Statement": [
-            {
-              "Action": "*",
-              "Condition": {
-                "Bool": {
-                  "aws:SecureTransport": "false"
-                }
-              },
-              "Effect": "Deny",
-              "Principal": {
-                "AWS": "*"
-              },
-              "Resource": [
-                {
-                  "Fn::Join": [
-                    "",
-                    [
-                      {
-                        "Fn::GetAtt": [
-                          "tests3stepfunctiontests3stepfunctionWCloudTrailS3LoggingBucket449D5AB7",
-                          "Arn"
-                        ]
-                      },
-                      "/*"
-                    ]
-                  ]
-                },
-                {
-                  "Fn::GetAtt": [
-                    "tests3stepfunctiontests3stepfunctionWCloudTrailS3LoggingBucket449D5AB7",
-                    "Arn"
-                  ]
-                }
-              ],
-              "Sid": "HttpsOnly"
-            }
-          ],
-          "Version": "2012-10-17"
-        }
-      }
-    },
-    "tests3stepfunctiontests3stepfunctionWCloudTrailS3Bucket24C50489": {
-      "Type": "AWS::S3::Bucket",
-      "Properties": {
-        "BucketEncryption": {
-          "ServerSideEncryptionConfiguration": [
-            {
-              "ServerSideEncryptionByDefault": {
-                "SSEAlgorithm": "AES256"
-              }
-            }
-          ]
-        },
-        "LifecycleConfiguration": {
-          "Rules": [
-            {
-              "NoncurrentVersionTransitions": [
-                {
-                  "StorageClass": "GLACIER",
-                  "TransitionInDays": 90
-                }
-              ],
-              "Status": "Enabled"
-            }
-          ]
-        },
-        "LoggingConfiguration": {
-          "DestinationBucketName": {
-            "Ref": "tests3stepfunctiontests3stepfunctionWCloudTrailS3LoggingBucket449D5AB7"
-          }
-        },
-        "PublicAccessBlockConfiguration": {
-          "BlockPublicAcls": true,
-          "BlockPublicPolicy": true,
-          "IgnorePublicAcls": true,
-          "RestrictPublicBuckets": true
-        },
-        "VersioningConfiguration": {
-          "Status": "Enabled"
-        }
-      },
-      "UpdateReplacePolicy": "Retain",
-      "DeletionPolicy": "Retain"
-    },
-    "tests3stepfunctiontests3stepfunctionWCloudTrailS3BucketPolicy9ACF9ADC": {
-      "Type": "AWS::S3::BucketPolicy",
-      "Properties": {
-        "Bucket": {
-          "Ref": "tests3stepfunctiontests3stepfunctionWCloudTrailS3Bucket24C50489"
-        },
-        "PolicyDocument": {
-          "Statement": [
-            {
-              "Action": "*",
-              "Condition": {
-                "Bool": {
-                  "aws:SecureTransport": "false"
-                }
-              },
-              "Effect": "Deny",
-              "Principal": {
-                "AWS": "*"
-              },
-              "Resource": [
-                {
-                  "Fn::Join": [
-                    "",
-                    [
-                      {
-                        "Fn::GetAtt": [
-                          "tests3stepfunctiontests3stepfunctionWCloudTrailS3Bucket24C50489",
-                          "Arn"
-                        ]
-                      },
-                      "/*"
-                    ]
-                  ]
-                },
-                {
-                  "Fn::GetAtt": [
-                    "tests3stepfunctiontests3stepfunctionWCloudTrailS3Bucket24C50489",
-                    "Arn"
-                  ]
-                }
-              ],
-              "Sid": "HttpsOnly"
-            },
-            {
-              "Action": "s3:GetBucketAcl",
-              "Effect": "Allow",
-              "Principal": {
-                "Service": "cloudtrail.amazonaws.com"
-              },
-              "Resource": {
-                "Fn::GetAtt": [
-                  "tests3stepfunctiontests3stepfunctionWCloudTrailS3Bucket24C50489",
-                  "Arn"
-                ]
-              }
-            },
-            {
-              "Action": "s3:PutObject",
-              "Condition": {
-                "StringEquals": {
-                  "s3:x-amz-acl": "bucket-owner-full-control"
-                }
-              },
-              "Effect": "Allow",
-              "Principal": {
-                "Service": "cloudtrail.amazonaws.com"
-              },
-              "Resource": {
-                "Fn::Join": [
-                  "",
-                  [
-                    {
-                      "Fn::GetAtt": [
-                        "tests3stepfunctiontests3stepfunctionWCloudTrailS3Bucket24C50489",
-                        "Arn"
-                      ]
-                    },
-                    "/AWSLogs/",
-                    {
-                      "Ref": "AWS::AccountId"
-                    },
-                    "/*"
-                  ]
-                ]
-              }
-            }
-          ],
-          "Version": "2012-10-17"
-        }
-      }
-    },
-    "tests3stepfunctiontests3stepfunctionWS3EventsTrailA0FDE626": {
-      "Type": "AWS::CloudTrail::Trail",
-      "Properties": {
-        "IsLogging": true,
-        "S3BucketName": {
-          "Ref": "tests3stepfunctiontests3stepfunctionWCloudTrailS3Bucket24C50489"
-        },
-        "EnableLogFileValidation": true,
-        "EventSelectors": [
-          {
-            "DataResources": [
-              {
-                "Type": "AWS::S3::Object",
-                "Values": [
-                  {
-                    "Fn::Join": [
-                      "",
-                      [
-                        {
-                          "Fn::GetAtt": [
-                            "tests3stepfunctiontests3stepfunctionWS3Bucket9BE64924",
-                            "Arn"
-                          ]
-                        },
-                        "/"
-                      ]
-                    ]
-                  }
-                ]
-              }
-            ],
-            "IncludeManagementEvents": false,
-            "ReadWriteType": "All"
-          }
-        ],
-        "IncludeGlobalServiceEvents": true,
-        "IsMultiRegionTrail": true
-      },
-      "DependsOn": [
-        "tests3stepfunctiontests3stepfunctionWCloudTrailS3BucketPolicy9ACF9ADC"
-      ]
-    },
     "tests3stepfunctiontests3stepfunctionWtests3stepfunctionWeventrulestepfunctionconstructStateMachineLogGroupE83EECDD": {
       "Type": "AWS::Logs::LogGroup",
       "Properties": {
         "LogGroupName": "/aws/vendedlogs/states/customloggingbuckettests3stepfunctionweventrulestepfunctionconstructstatemachinelog0a1bbb9b57e8"
       },
-      "UpdateReplacePolicy": "Retain",
-      "DeletionPolicy": "Retain",
+      "UpdateReplacePolicy": "Delete",
+      "DeletionPolicy": "Delete",
       "Metadata": {
         "cfn_nag": {
           "rules_to_suppress": [

source/patterns/@aws-solutions-constructs/aws-s3-step-function/test/integ.customLoggingBucket.ts

@@ -37,6 +37,10 @@ new S3ToStepFunction(stack, 'test-s3-step-function', {
     bucketName: 'custom-logging-bucket',
     encryption: BucketEncryption.S3_MANAGED,
     versioned: true
-  }
+  },
+  logGroupProps: {
+    removalPolicy: RemovalPolicy.DESTROY
+  },
+  deployCloudTrail: false
 });
 app.synth();