feat(neptune): enable cloudwatch logs exports

- introduce LogType and CloudwatchLogsExports for use in DatabaseClusterProps - introduce cloudwatchLogsExports prop to configure which log types should be exported to CloudWatch Logs and optionally set log retention - update tests and integ tests - update README related to aws#20248 closes aws#15888
humanzz · Sep 12, 2022 · a7cd6c1 · a7cd6c1
1 parent dc07f52
commit a7cd6c1
Show file tree

Hide file tree

Showing 16 changed files with 1,023 additions and 49 deletions.
diff --git a/packages/@aws-cdk/aws-neptune/README.md b/packages/@aws-cdk/aws-neptune/README.md
@@ -143,3 +143,36 @@ new neptune.DatabaseCluster(this, 'Cluster', {
   autoMinorVersionUpgrade: true,
 });
 ```
+
+## Logging
+
+Neptune supports various methods for monitoring performance and usage. One of those methods is logging
+
+1. Neptune provides logs e.g. audit logs which can be viewed or downloaded via the AWS Console. Audit logs can be enabled using the `neptune_enable_audit_log` parameter in `ClusterParameterGroup` or `ParameterGroup`
+2. Neptune provides the ability to export those logs to CloudWatch Logs
+
+```ts
+// Cluster parameter group with the neptune_enable_audit_log param set to 1
+const clusterParameterGroup = new neptune.ClusterParameterGroup(this, 'ClusterParams', {
+  description: 'Cluster parameter group',
+  parameters: {
+    neptune_enable_audit_log: '1'
+  },
+});
+
+const cluster = new neptune.DatabaseCluster(this, 'Database', {
+  vpc,
+  instanceType: neptune.InstanceType.R5_LARGE,
+  // Audit logs are enabled via the clusterParameterGroup
+  clusterParameterGroup,
+  // Optionally configuring audit logs to be exported to CloudWatch Logs
+  cloudwatchLogsExports: {
+    logTypes: [neptune.LogType.AUDIT],
+    logRetention: logs.RetentionDays.ONE_MONTH,
+  },
+});
+```
+
+For more information on monitoring, refer to https://docs.aws.amazon.com/neptune/latest/userguide/monitoring.html.
+For more information on audit logs, refer to https://docs.aws.amazon.com/neptune/latest/userguide/auditing.html.
+For more information on exporting logs to CloudWatch Logs, refer to https://docs.aws.amazon.com/neptune/latest/userguide/cloudwatch-logs.html.
diff --git a/packages/@aws-cdk/aws-neptune/lib/cluster.ts b/packages/@aws-cdk/aws-neptune/lib/cluster.ts
@@ -1,6 +1,7 @@
 import * as ec2 from '@aws-cdk/aws-ec2';
 import * as iam from '@aws-cdk/aws-iam';
 import * as kms from '@aws-cdk/aws-kms';
+import * as logs from '@aws-cdk/aws-logs';
 import { Aws, Duration, IResource, Lazy, RemovalPolicy, Resource, Token } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { Endpoint } from './endpoint';
@@ -70,6 +71,45 @@ export class EngineVersion {
   public constructor(public readonly version: string) {}
 }
 
+/**
+ * Neptune log types that can be exported to CloudWatch logs
+ *
+ * @see https://docs.aws.amazon.com/neptune/latest/userguide/cloudwatch-logs.html
+ */
+export class LogType {
+  /**
+   * Audit logs
+   *
+   * @see @see https://docs.aws.amazon.com/neptune/latest/userguide/auditing.html
+   */
+  public static readonly AUDIT = new LogType('audit');
+
+  /**
+   * Constructor for specifying a custom log type
+   * @param value the log type
+   */
+  public constructor(public readonly value: string) {}
+}
+
+/**
+ * Configurations to control exporting Neptune logs to CloudWatch Logs
+ */
+export interface CloudwatchLogsExports {
+  /**
+   * Log types that will be exported to CloudWatch Logs
+   */
+  readonly logTypes: LogType[];
+
+  /**
+   * The number of days log events are kept in CloudWatch Logs. When updating
+   * this property, unsetting it doesn't remove the log retention policy. To
+   * remove the retention policy, set the value to `INFINITE`.
+   *
+   * @default logs.RetentionDays.INFINITE
+   */
+  readonly logRetention?: logs.RetentionDays;
+}
+
 /**
  * Properties for a new database cluster
  */
@@ -242,6 +282,18 @@ export interface DatabaseClusterProps {
    * @default - false
    */
   readonly autoMinorVersionUpgrade?: boolean;
+
+  /**
+   * Configurations for exporting Neptune logs to CloudWatch Logs
+   *
+   * Exporting to CloudWatch Logs also requires enabling logging using parameter groups
+   *
+   * @see https://docs.aws.amazon.com/neptune/latest/userguide/cloudwatch-logs.html
+   * @see https://docs.aws.amazon.com/neptune/latest/userguide/auditing.html#auditing-enable
+   *
+   * @default - no logs are exported to CloudWatch logs
+   */
+  readonly cloudwatchLogsExports?: CloudwatchLogsExports;
 }
 
 /**
@@ -509,6 +561,8 @@ export class DatabaseCluster extends DatabaseClusterBase implements IDatabaseClu
       preferredMaintenanceWindow: props.preferredMaintenanceWindow,
       // Encryption
       kmsKeyId: props.kmsKey?.keyArn,
+      // CloudWatch Logs exports
+      enableCloudwatchLogsExports: props.cloudwatchLogsExports?.logTypes.map(logType => logType.value),
       storageEncrypted,
     });
 
@@ -523,6 +577,17 @@ export class DatabaseCluster extends DatabaseClusterBase implements IDatabaseClu
     this.clusterEndpoint = new Endpoint(cluster.attrEndpoint, port);
     this.clusterReadEndpoint = new Endpoint(cluster.attrReadEndpoint, port);
 
+    // Log retention
+    const retention = props.cloudwatchLogsExports?.logRetention;
+    if (retention) {
+      props.cloudwatchLogsExports?.logTypes.forEach(logType => {
+        new logs.LogRetention(this, `${logType}LogRetention`, {
+          logGroupName: `/aws/neptune/${this.clusterIdentifier}/${logType.value}`,
+          retention,
+        });
+      });
+    }
+
     // Create the instances
     const instanceCount = props.instances ?? DatabaseCluster.DEFAULT_NUM_INSTANCES;
     if (instanceCount < 1) {

diff --git a/packages/@aws-cdk/aws-neptune/package.json b/packages/@aws-cdk/aws-neptune/package.json
@@ -93,13 +93,15 @@
     "@aws-cdk/aws-ec2": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/aws-kms": "0.0.0",
+    "@aws-cdk/aws-logs": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "constructs": "^10.0.0"
   },
   "peerDependencies": {
     "@aws-cdk/aws-ec2": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/aws-kms": "0.0.0",
+    "@aws-cdk/aws-logs": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "constructs": "^10.0.0"
   },

diff --git a/packages/@aws-cdk/aws-neptune/rosetta/default.ts-fixture b/packages/@aws-cdk/aws-neptune/rosetta/default.ts-fixture
@@ -2,6 +2,7 @@ import { Duration, Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import * as iam from '@aws-cdk/aws-iam';
 import * as ec2 from '@aws-cdk/aws-ec2';
+import * as logs from '@aws-cdk/aws-logs';
 import * as neptune from '@aws-cdk/aws-neptune';
 
 class Fixture extends Stack {

diff --git a/...eptune/test/cluster.integ.snapshot/ClusterTestDefaultTestDeployAssert6A1BBA9D.assets.json b/...eptune/test/cluster.integ.snapshot/ClusterTestDefaultTestDeployAssert6A1BBA9D.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "21.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "ClusterTestDefaultTestDeployAssert6A1BBA9D.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/...tune/test/cluster.integ.snapshot/ClusterTestDefaultTestDeployAssert6A1BBA9D.template.json b/...tune/test/cluster.integ.snapshot/ClusterTestDefaultTestDeployAssert6A1BBA9D.template.json
@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/...napshot/asset.d01c24641c7d8cb6488393ffceaefff282370a9a522bf9d77b21da73fa257347/index.d.ts b/...napshot/asset.d01c24641c7d8cb6488393ffceaefff282370a9a522bf9d77b21da73fa257347/index.d.ts
@@ -0,0 +1 @@
+export declare function handler(event: AWSLambda.CloudFormationCustomResourceEvent, context: AWSLambda.Context): Promise<void>;