Skip to content

Commit

Permalink
Implement PR suggestions: create CustomDataIdentifier class, add Poli…
Browse files Browse the repository at this point in the history
…cyConfiguration interface
  • Loading branch information
Kevin Chiang authored and kchg committed Jan 3, 2024
1 parent 7f9e331 commit cd764a2
Show file tree
Hide file tree
Showing 4 changed files with 50 additions and 21 deletions.
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { IntegTest } from '@aws-cdk/integ-tests-alpha';
import { LogGroup, DataProtectionPolicy, DataIdentifier } from 'aws-cdk-lib/aws-logs';
import { LogGroup, DataProtectionPolicy, DataIdentifier, CustomDataIdentifier } from 'aws-cdk-lib/aws-logs';

class LogGroupIntegStack extends Stack {
constructor(scope: App, id: string, props?: StackProps) {
Expand All @@ -14,7 +14,7 @@ class LogGroupIntegStack extends Stack {
const dataProtectionPolicy = new DataProtectionPolicy({
name: 'policy-name',
description: 'policy description',
identifiers: [DataIdentifier.DRIVERSLICENSE_US, new DataIdentifier('EmailAddress'), new DataIdentifier('EmployeeId', 'EmployeeId-\\d{9}')],
identifiers: [DataIdentifier.DRIVERSLICENSE_US, new DataIdentifier('EmailAddress'), new CustomDataIdentifier('EmployeeId', 'EmployeeId-\\d{9}')],
logGroupAuditDestination: audit,
s3BucketAuditDestination: bucket,
});
Expand Down
2 changes: 1 addition & 1 deletion packages/aws-cdk-lib/aws-logs/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -373,7 +373,7 @@ const dataProtectionPolicy = new logs.DataProtectionPolicy({
identifiers: [
logs.DataIdentifier.DRIVERSLICENSE_US, // managed data identifier
new logs.DataIdentifier('EmailAddress'), // forward compatibility for new managed data identifiers
new logs.DataIdentifier('EmployeeId', 'EmployeeId-\\d{9}')], // custom data identifier
new logs.CustomDataIdentifier('EmployeeId', 'EmployeeId-\\d{9}')], // custom data identifier
logGroupAuditDestination: logGroupDestination,
s3BucketAuditDestination: bucket,
deliveryStreamNameAuditDestination: deliveryStream.deliveryStreamName,
Expand Down
59 changes: 44 additions & 15 deletions packages/aws-cdk-lib/aws-logs/lib/data-protection-policy.ts
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ export class DataProtectionPolicy {
const description = this.dataProtectionPolicyProps.description || 'cdk generated data protection policy';
const version = '2021-06-01';

const findingsDestination: FindingsDestination = {};
const findingsDestination: PolicyFindingsDestination = {};
if (this.dataProtectionPolicyProps.logGroupAuditDestination) {
findingsDestination.cloudWatchLogs = {
logGroup: this.dataProtectionPolicyProps.logGroupAuditDestination.logGroupName,
Expand All @@ -44,9 +44,9 @@ export class DataProtectionPolicy {
}

const identifiers: string[] = [];
const customDataIdentifiers: CustomDataIdentifier[] = [];
const customDataIdentifiers: PolicyCustomDataIdentifier[] = [];
for (let identifier of this.dataProtectionPolicyProps.identifiers) {
if (identifier.regex) {
if (identifier instanceof CustomDataIdentifier) {
identifiers.push(identifier.name);
customDataIdentifiers.push({
name: identifier.name,
Expand Down Expand Up @@ -84,32 +84,35 @@ export class DataProtectionPolicy {
},
];

const configuration = {
const configuration: PolicyConfiguration = {
customDataIdentifier: customDataIdentifiers,
};
return { name, description, version, configuration, statement };
}
}

interface CustomDataIdentifier {
interface PolicyConfiguration {
customDataIdentifier?: PolicyCustomDataIdentifier[];
}
interface PolicyCustomDataIdentifier {
name: string;
regex: string;
}
interface FindingsDestination {
cloudWatchLogs?: CloudWatchLogsDestination;
firehose?: FirehoseDestination;
s3?: S3Destination;
interface PolicyFindingsDestination {
cloudWatchLogs?: PolicyCloudWatchLogsDestination;
firehose?: PolicyFirehoseDestination;
s3?: PolicyS3Destination;
}

interface CloudWatchLogsDestination {
interface PolicyCloudWatchLogsDestination {
logGroup: string;
}

interface FirehoseDestination {
interface PolicyFirehoseDestination {
deliveryStream: string;
}

interface S3Destination {
interface PolicyS3Destination {
bucket: string;
}

Expand Down Expand Up @@ -166,7 +169,7 @@ export interface DataProtectionPolicyProps {
readonly description?: string;

/**
* List of data protection identifiers, containing managed or custom data identfiers.
* List of data protection identifiers, containing managed or custom data identfiers (CustomDataIdentifier).
* Managed data identiers must be in the following list: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL-managed-data-identifiers.html
* Custom data identfiers must have a valid regex defined: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL-custom-data-identifiers.html
*
Expand Down Expand Up @@ -197,7 +200,6 @@ export interface DataProtectionPolicyProps {

/**
* A data protection identifier. If an identifier is supported but not in this class, it can be passed in the constructor instead.
* To create a custom data identifier, pass in a custom name and regex.
*/
export class DataIdentifier {
public static readonly ADDRESS = new DataIdentifier('Address');
Expand Down Expand Up @@ -299,9 +301,36 @@ export class DataIdentifier {
public static readonly VEHICLEIDENTIFICATIONNUMBER = new DataIdentifier('VehicleIdentificationNumber');
public static readonly ZIPCODE_US = new DataIdentifier('ZipCode-US');

constructor(public readonly name: string, public readonly regex?: string) { }
/**
* Create a managed data identifier not in the list of static members. This is used to maintain forward compatibility, in case a new managed identifier is supported but not updated in CDK yet.
* @param name - name of the identifier.
*/
constructor(public readonly name: string) { }

public toString(): string {
return this.name;
}
}

/**
* A custom data identifier. Include a custom data identifier name and regular expression in the JSON policy used to define the data protection policy.
* https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL-custom-data-identifiers.html
*/
export class CustomDataIdentifier extends DataIdentifier {
/**
* Create a custom data identfier
* @param name - the name of the custom data identifier. This cannot share the same name as a managed data identifier.
* @param regex - the regular expresssion to detect and mask log events for.
*/
constructor(public readonly name: string, public readonly regex: string) {
super(name);
}

/**
* String representation of a CustomDataIdentifier
* @returns the name and RegEx of the custom data identifier
*/
public toString(): string {
return `${this.name}: ${this.regex}`;
}
}
6 changes: 3 additions & 3 deletions packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ import * as iam from '../../aws-iam';
import * as kms from '../../aws-kms';
import { Bucket } from '../../aws-s3';
import { App, CfnParameter, Fn, RemovalPolicy, Stack } from '../../core';
import { LogGroup, RetentionDays, LogGroupClass, DataProtectionPolicy, DataIdentifier, ILogGroup, ILogSubscriptionDestination, FilterPattern } from '../lib';
import { LogGroup, RetentionDays, LogGroupClass, DataProtectionPolicy, DataIdentifier, CustomDataIdentifier, ILogGroup, ILogSubscriptionDestination, FilterPattern } from '../lib';

describe('log group', () => {
test('set kms key when provided', () => {
Expand Down Expand Up @@ -787,7 +787,7 @@ describe('log group', () => {
const dataProtectionPolicy = new DataProtectionPolicy({
name: 'test-policy-name',
description: 'test description',
identifiers: [new DataIdentifier('EmployeeId', 'EmployeeId-\\d{9}')],
identifiers: [new CustomDataIdentifier('EmployeeId', 'EmployeeId-\\d{9}')],
});

// WHEN
Expand Down Expand Up @@ -847,7 +847,7 @@ describe('log group', () => {
const dataProtectionPolicy = new DataProtectionPolicy({
name: 'test-policy-name',
description: 'test description',
identifiers: [new DataIdentifier('EmployeeId', 'EmployeeId-\\d{9}'), DataIdentifier.EMAILADDRESS],
identifiers: [new CustomDataIdentifier('EmployeeId', 'EmployeeId-\\d{9}'), DataIdentifier.EMAILADDRESS],
});

// WHEN
Expand Down

0 comments on commit cd764a2

Please sign in to comment.