Es log group fix (#86)

* removed generated files from tracking, updated gitignore

* Revert "removed generated files from tracking, updated gitignore"

This reverts commit a4620a4.

* added update of es logs post-stack creation

Co-authored-by: George Price <gwprice@amazon.com>

Author: GWP

deployment/custom-deployment/bin/stack-variables-to-client.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+source .env
+
+#STACK
+
+echo "==update %%CLIENT_APP_BUCKET%% in stack with $2=="
+replace="s/%%CLIENT_APP_BUCKET%%/$ClientAppBucketName/g"
+sed -i -e $replace ./lib/cdk-textract-client-stack.js
+
+echo "==update Elastic Search Cluster ($ElasticSearchCluster) with log streams to Log Groups: $ElasticSearchSearchLogGroup and $ElasticSearchIndexLogGroup"
+INDEX_LOG_ARN=$(aws logs describe-log-groups --log-group-name $ElasticSearchIndexLogGroup | jq -r '.logGroups[0].arn')
+SEARCH_LOG_ARN=$(aws logs describe-log-groups --log-group-name $ElasticSearchSearchLogGroup | jq -r '.logGroups[0].arn')
+
+echo "==adding permissions to ES service role first for creating log stream"
+aws logs put-resource-policy --policy-name es-to-log-stream --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Sid": "ElasticSearchLogsToCloudWatchLogs", "Effect": "Allow", "Principal": { "Service": [ "es.amazonaws.com" ] }, "Action":["logs:PutLogEvents", "logs:CreateLogStream", "logs:DeleteLogStream"], "Resource": "*" } ] }'
+
+echo "==Log Groups are $INDEX_LOG_ARN and $SEARCH_LOG_ARN"
+aws es update-elasticsearch-domain-config --domain-name $ElasticSearchCluster --log-publishing-options '{"INDEX_SLOW_LOGS": { "CloudWatchLogsLogGroupArn": "'"$INDEX_LOG_ARN"'", "Enabled": true }, "SEARCH_SLOW_LOGS": { "CloudWatchLogsLogGroupArn": "'"$SEARCH_LOG_ARN"'", "Enabled": true } }'
+
+

deployment/custom-deployment/bin/update-es-logs-and-client-stack-vars.sh

@@ -170,6 +170,10 @@ Resources:
               commands:
                 - echo "This buildspec is based on image - aws/codebuild/amazonlinux2-x86_64-standard:2.0"
                 - node --version
+                - echo "Installing jq package"
+                - wget -O jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
+                - chmod +x ./jq
+                - cp jq /usr/bin
                 - npm install -g cdk@1.18.0
                 - cdk --version
                 - npm install -g typescript
@@ -541,9 +545,11 @@ Resources:
                         "Action": [
                           "logs:CreateLogGroup",
                           "logs:CreateLogStream",
+                          "logs:DeleteLogStream",
                           "logs:PutLogEvents",
                           "logs:Describe*",
-                          "logs:PutRetentionPolicy"
+                          "logs:PutRetentionPolicy",
+                          "logs:PutResourcePolicy"
                         ]
                     },
                     {
@@ -672,7 +678,8 @@ Resources:
                           "es:CreateElasticsearchServiceRole",
                           "es:DeleteElasticsearchDomain",
                           "es:DeleteElasticsearchServiceRole",
-                          "es:List*"
+                          "es:List*",
+                          "es:UpdateElasticsearchDomainConfig"
                         ]
                     },
                     {

deployment/document-understanding-solution.template

@@ -1,4 +1,3 @@
-
 /**********************************************************************************************************************
  *  Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.                                           *
  *                                                                                                                    *
@@ -118,6 +117,15 @@ const GetResources = new Promise((resolve, reject) => {
     resources.PdfGenLambda = stackDescriptionObj.find((x) =>
       /pdfgenerator/i.test(x.LogicalResourceId)
     ).PhysicalResourceId;
+    resources.ElasticSearchSearchLogGroup = stackDescriptionObj.find((x) =>
+      /ElasticSearchSearchLogGroup/i.test(x.LogicalResourceId)
+    ).PhysicalResourceId;
+    resources.ElasticSearchIndexLogGroup = stackDescriptionObj.find((x) =>
+      /ElasticSearchIndexLogGroup/i.test(x.LogicalResourceId)
+    ).PhysicalResourceId;
+    resources.ElasticSearchCluster = stackDescriptionObj.find((x) =>
+      /ElasticSearchCluster/i.test(x.LogicalResourceId)
+    ).PhysicalResourceId;
 
     resolve(resources);
   });
@@ -130,6 +138,6 @@ const setEnv = async () => {
     outputArray.push(`${key}=${data[key]}`);
   });
   fs.writeFileSync(".env", outputArray.join("\n"));
-  fs.appendFileSync(".env","\nisROMode="+isROMode);
+  fs.appendFileSync(".env", "\nisROMode=" + isROMode);
 };
 setEnv();

source/bin/pre-build.js

@@ -233,11 +233,19 @@ export class CdkTextractStack extends cdk.Stack {
       cloudfrontDocumentsBucketPolicyStatement
     );
 
-    const esLogGroup = new LogGroup(
+    const esSearchLogGroup = new LogGroup(
       this,
-      this.resourceName("ElasticSearchLogGroup"),
+      this.resourceName("ElasticSearchSearchLogGroup"),
       {
-        logGroupName: this.resourceName("ElasticSearchLogGroup"),
+        logGroupName: this.resourceName("ElasticSearchSearchLogGroup"),
+      }
+    );
+
+    const esIndexLogGroup = new LogGroup(
+      this,
+      this.resourceName("ElasticSearchIndexLogGroup"),
+      {
+        logGroupName: this.resourceName("ElasticSearchIndexLogGroup"),
       }
     );
 
@@ -272,18 +280,6 @@ export class CdkTextractStack extends cdk.Stack {
         }
       );
     } else {
-      const serviceLinkedRole = new cdk.CfnResource(
-        this,
-        this.resourceName("es-service-linked-role"),
-        {
-          type: "AWS::IAM::ServiceLinkedRole",
-          properties: {
-            AWSServiceName: "es.amazonaws.com",
-            Description: "Role for ES to access resources in my VPC",
-          },
-        }
-      );
-
       elasticSearch = new es.CfnDomain(
         this,
         this.resourceName("ElasticSearchCluster"),
@@ -310,20 +306,8 @@ export class CdkTextractStack extends cdk.Stack {
           nodeToNodeEncryptionOptions: {
             enabled: true,
           },
-          logPublishingOptions: {
-            INDEX_SLOW_LOGS: {
-              cloudWatchLogsLogGroupArn: esLogGroup.logGroupArn,
-              enabled: true,
-            },
-            SEARCH_SLOW_LOGS: {
-              cloudWatchLogsLogGroupArn: esLogGroup.logGroupArn,
-              enabled: true,
-            },
-          },
         }
       );
-
-      elasticSearch.node.addDependency(serviceLinkedRole);
     }
 
     const jobResultsKey = new kms.Key(

source/lib/cdk-textract-stack.ts

@@ -26,14 +26,14 @@
     "compile-ts-backend-stack": "tsc lib/cdk-textract-stack.ts --target es2018 --module commonjs --allowjs true",
     "compile-ts-client-stack": "tsc lib/cdk-textract-client-stack.ts --target es2018 --module commonjs --allowjs true",
     "deploy:backend": "ISCICD=$npm_package_cicd STACKNAME=$npm_package_stack_stackname AWS_REGION=$npm_package_stack_region USER_EMAIL=$npm_package_email cdk deploy --toolkit-stack-name DocumentUnderstandingCDKToolkit --require-approval never -v true",
-    "deploy:client": "yarn export && yarn update-client-stack-variables && AWS_REGION=$npm_package_stack_region STACKNAME=$npm_package_stack_stackname cdk deploy --toolkit-stack-name DocumentUnderstandingCDKToolkit --require-approval never -v true -a \"node bin/deploy-client-stack.js\"",
+    "deploy:client": "yarn export && yarn update-es-logs-and-stack-variables && AWS_REGION=$npm_package_stack_region STACKNAME=$npm_package_stack_stackname cdk deploy --toolkit-stack-name DocumentUnderstandingCDKToolkit --require-approval never -v true -a \"node bin/deploy-client-stack.js\"",
     "deploy:setup-user": "AWS_REGION=$npm_package_stack_region node bin/user-setup.js",
     "deploy:setup-samples": "AWS_REGION=$npm_package_stack_region bash ./bin/upload-samples.sh",
     "deploy-all": "yarn compile-ts-stacks && yarn bootstrap && yarn deploy:backend && yarn deploy:client && yarn deploy:setup-samples",
     "deploy": "yarn deploy-all && yarn update-pdf-lambda-code",
     "deploy:frontend": "yarn deploy:client && yarn deploy:setup-samples",
     "destroy": "STACKNAME=$npm_package_stack_stackname AWS_REGION=$npm_package_stack_region cdk destroy -v true -a \"node bin/deploy-client-stack.js\" && STACKNAME=$npm_package_stack_stackname AWS_REGION=$npm_package_stack_region USER_EMAIL=$npm_package_email cdk destroy -v true",
-    "update-client-stack-variables": "bash ../deployment/custom-deployment/bin/stack-variables-to-client.sh",
+    "update-es-logs-and-stack-variables": "bash ../deployment/custom-deployment/bin/update-es-logs-and-client-stack-vars.sh",
     "update-pdf-lambda-code": "bash ../deployment/custom-deployment/bin/update-pdf-lambda-code.sh",
     "dev": "next app",
     "build": "STACKNAME=$npm_package_stack_stackname AWS_REGION=$npm_package_stack_region yarn pre-build && next build app",
@@ -116,4 +116,4 @@
     "@aws-amplify/analytics": "1.2.16",
     "@aws-amplify/ui": "1.0.19"
   }
-}
+}