-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
elbv2: How to configure a connection log #30708
Comments
We need to simplify it with relevant document but this works for me in us-east-1 per the doc. export class DummyStack extends Stack {
readonly cluster: rds.DatabaseCluster;
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
const connectionLogBucket = new s3.Bucket(this, 'ConnectionLogBucket', {
removalPolicy: RemovalPolicy.RETAIN_ON_UPDATE_OR_DELETE,
});
const logPrefix = 'MY_PREFIX';
const region = region_info.RegionInfo.get(this.region);
// create a bucket policy for this bucket
const accessPolicy = new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ['s3:PutObject'],
resources: [`arn:aws:s3:::${connectionLogBucket.bucketName}/${logPrefix}/AWSLogs/${Aws.ACCOUNT_ID}/*`],
principals: [new iam.AccountPrincipal(region.elbv2Account) ],
});
connectionLogBucket.addToResourcePolicy(accessPolicy);
// create a dummy ALB
const alb = new elbv2.ApplicationLoadBalancer(this, 'ALB', { vpc: ec2.Vpc.fromLookup(this, 'Vpc', { isDefault: true }), internetFacing: true });
alb.setAttribute('connection_logs.s3.enabled', 'true');
alb.setAttribute('connection_logs.s3.bucket', connectionLogBucket.bucketName);
alb.setAttribute('connection_logs.s3.prefix', logPrefix);
alb.node.addDependency(connectionLogBucket);
}
} Let me know if it works for you. |
@pahud, this is really great, thank you! We're writing our stacks in Python, so my code below is a little different from your helpful example. alb_logs_bucket.add_to_resource_policy(
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=['s3:PutObject'],
resources=[
f'arn:aws:s3:::{alb_logs_bucket.bucket_name}/access/AWSLogs/{self.account}/*',
f'arn:aws:s3:::{alb_logs_bucket.bucket_name}/connection/AWSLogs/{self.account}/*',
],
principals=[iam.AccountPrincipal(RegionInfo.get(self.region).elbv2_account)]
# principals=[iam.ServicePrincipal('logdelivery.elasticloadbalancing.amazonaws.com')]
)
) What I'm curious about is what is the difference between the |
@pahud I was unable to combine my Python conversion of your code the the CDK's built-in The following code works for me to setup both an
|
Thank you for your code sharing. Resolving this issue for now. Feel free to open a new one if it's still relevant. |
|
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one. |
Describe the issue
Application Load Balancer has a
connection log
feature (see doc) But the L2 construct doesn't seem to surface it. I tried to use a L1 "escape hatch" to enable it, but failed to do so.I didn't know if this was a doc issue or a feature request, or simply my missing something.
Links
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2-readme.html (which documents the "access log" feature, but not the "connection log" feature)
The text was updated successfully, but these errors were encountered: