feature(deadline): Enable logging for DocDB #37
Conversation
There was a problem hiding this comment.
We use CDK construct for DocumentDB so we only can fix it in our example.
I do not believe this statement. Anything that can be done in the application code can be done in the Repository. The ask, for the Repository, is to design an interface (similar to what Dave did for the ALB) that allows a customer to tell the Repository to enable audit logging when/if the Repository creates a DocDB database for the customer (i.e. if it's not being provided one).
Especially since the thinking is to remove the kitchen sink example from the repo once we have a solid set of official samples in place.
kozlove-aws
force-pushed
the
docdb_audit_log
branch
from
7d85cea to
a5bfbdb
Compare
| * For more information about audit logging in DocumentDB, see: https://docs.aws.amazon.com/documentdb/latest/developerguide/event-auditing.html | ||
| * | ||
| */ | ||
| export class DocumentDbClusterWithLogs extends DatabaseCluster { |
There was a problem hiding this comment.
Ideally we should upstream these changes to the DatabaseCluster class in CDK so we can simply add a new property for the audit logging stuff (e.g. auditLogging?: AuditLoggingProps). If we are short on time though, this will have to do for now. Thoughts @ddneilson ?
kozlove-aws
force-pushed
the
docdb_audit_log
branch
3 times, most recently
from
70d30ca to
af7afdc
Compare
kozlove-aws
force-pushed
the
docdb_audit_log
branch
from
af7afdc to
cfbc11f
Compare
kozlove-aws
force-pushed
the
docdb_audit_log
branch
from
cfbc11f to
4321ca1
Compare
kozlove-aws
force-pushed
the
docdb_audit_log
branch
from
4321ca1 to
d0e1b92
Compare
kozlove-aws
changed the title
kozlove-aws
changed the title
kozlove-aws
force-pushed
the
docdb_audit_log
branch
from
d0e1b92 to
eafb89c
Compare
| expectCDK(stack).to(haveResourceLike('AWS::DocDB::DBInstance', { | ||
| AutoMinorVersionUpgrade: true, | ||
| })); | ||
| }); | ||
|
|
||
| test('audit log is disabled when it required', () => { |
There was a problem hiding this comment.
This test title is kind of awkward. Can we instead have it be something along the lines of
Disabling Audit logging removes parameters
There was a problem hiding this comment.
It is not actually remove parameters, it switching audit log off.
What about Disabling Audit logging does not enable audit logging?
There was a problem hiding this comment.
Compared to the default it is removing the parameters to switch of auditing.
But sure your naming should work.
kozlove-aws
force-pushed
the
docdb_audit_log
branch
from
62e5296 to
820a5a9
Compare
kozlove-aws
force-pushed
the
docdb_audit_log
branch
from
820a5a9 to
73ed0d6
Compare
This fix DocDB part of the issue discovered during the security audit
Was added class that can be used if customer want to switch audit log.
Description of how audit log can be enabled is here
In repository constructor was added
databaseAuditLoggingparameter and according to value of this parameter enable audit logging for DocDB cluster.Also was added example code in kitchen sink.
Was enabled parameter
audit_logsand addedaudittoenableCloudwatchLogsExportsconstruct option.Testing
Was deployed kitchen sink with this changes and checked that CloudWatch logs enabled
Checking CloudWatch that audit log group was created and messages appeared.