diff --git a/modules/cloud_service_providers/aws_cloud/aws_cloud.install b/modules/cloud_service_providers/aws_cloud/aws_cloud.install index df053bc..88a5d7a 100644 --- a/modules/cloud_service_providers/aws_cloud/aws_cloud.install +++ b/modules/cloud_service_providers/aws_cloud/aws_cloud.install @@ -1258,6 +1258,27 @@ function aws_cloud_update_8173() { } /** + * Add fields about flow log to cloud_config. + */ +function aws_cloud_update_8174() { + // Add new fields. + aws_cloud_add_fields('cloud_config', 'aws_ec2', [ + 'field_log_destination_type', + 'field_log_destination', + 'field_log_group_name', + 'field_logs_permission_arn', + 'field_traffic_type', + ]); + + // Update entity cloud_config.aws_ec2. + $files = [ + 'core.entity_form_display.cloud_config.aws_ec2.default.yml', + 'core.entity_view_display.cloud_config.aws_ec2.default.yml', + ]; + cloud_update_yml_definitions($files, 'aws_cloud'); +} + +/** * Helper function to add fields to the entity type. * * @param string $entity_type diff --git a/modules/cloud_service_providers/aws_cloud/aws_cloud.module b/modules/cloud_service_providers/aws_cloud/aws_cloud.module index de9cbe4..9d0b0df 100644 --- a/modules/cloud_service_providers/aws_cloud/aws_cloud.module +++ b/modules/cloud_service_providers/aws_cloud/aws_cloud.module @@ -2257,6 +2257,36 @@ function aws_cloud_form_cloud_config_aws_ec2_form_common_alter(&$form, FormState 'fields' => [ 'field_system_vpc', ], + 'subfieldsets' => [ + [ + 'name' => 'flow_log', + 'title' => t('Flow Log'), + 'open' => TRUE, + 'fields' => [ + 'field_traffic_type', + 'field_log_destination_type', + ], + 'subfieldsets' => [ + [ + 'name' => 'cloud_watch_logs', + 'title' => t('CloudWatch Logs'), + 'open' => TRUE, + 'fields' => [ + 'field_log_group_name', + 'field_logs_permission_arn', + ], + ], + [ + 'name' => 's3_bucket', + 'title' => t('S3 Bucket'), + 'open' => TRUE, + 'fields' => [ + 'field_log_destination', + ], + ], + ], + ], + ], ], [ 'name' => 'api', @@ -3530,3 +3560,48 @@ function aws_cloud_views_bulk_form_submit(array $form, FormStateInterface $form_ ] ); } + +/** + * Set allowed values for the field_log_destination_type. + * + * @param \Drupal\field\Entity\FieldStorageConfig $definition + * The field definition. + * @param \Drupal\Core\Entity\ContentEntityInterface|null $entity + * The entity being created if applicable. + * @param bool $cacheable + * Boolean indicating if the results are cacheable. + * + * @return array + * An array of possible key and value options. + * + * @see options_allowed_values() + */ +function aws_cloud_log_destination_type_allowed_values_function(FieldStorageConfig $definition, ContentEntityInterface $entity = NULL, $cacheable) { + return [ + 'cloud-watch-logs' => t('CloudWatch Logs'), + 's3' => t('S3 bucket'), + ]; +} + +/** + * Set allowed values for the field_traffic_type. + * + * @param \Drupal\field\Entity\FieldStorageConfig $definition + * The field definition. + * @param \Drupal\Core\Entity\ContentEntityInterface|null $entity + * The entity being created if applicable. + * @param bool $cacheable + * Boolean indicating if the results are cacheable. + * + * @return array + * An array of possible key and value options. + * + * @see options_allowed_values() + */ +function aws_cloud_traffic_type_allowed_values_function(FieldStorageConfig $definition, ContentEntityInterface $entity = NULL, $cacheable) { + return [ + 'ACCEPT' => t('Accept'), + 'REJECT' => t('Reject'), + 'ALL' => t('All'), + ]; +} diff --git a/modules/cloud_service_providers/aws_cloud/config/install/core.entity_form_display.cloud_config.aws_ec2.default.yml b/modules/cloud_service_providers/aws_cloud/config/install/core.entity_form_display.cloud_config.aws_ec2.default.yml index cce467c..bc047bb 100644 --- a/modules/cloud_service_providers/aws_cloud/config/install/core.entity_form_display.cloud_config.aws_ec2.default.yml +++ b/modules/cloud_service_providers/aws_cloud/config/install/core.entity_form_display.cloud_config.aws_ec2.default.yml @@ -12,6 +12,10 @@ dependencies: - field.field.cloud_config.aws_ec2.field_description - field.field.cloud_config.aws_ec2.field_iam_role - field.field.cloud_config.aws_ec2.field_image_upload_url + - field.field.cloud_config.aws_ec2.field_log_destination + - field.field.cloud_config.aws_ec2.field_log_destination_type + - field.field.cloud_config.aws_ec2.field_log_group_name + - field.field.cloud_config.aws_ec2.field_logs_permission_arn - field.field.cloud_config.aws_ec2.field_region - field.field.cloud_config.aws_ec2.field_secret_key - field.field.cloud_config.aws_ec2.field_spreadsheet_pricing_url @@ -19,6 +23,7 @@ dependencies: - field.field.cloud_config.aws_ec2.field_switch_role_account_id - field.field.cloud_config.aws_ec2.field_switch_role_iam_role - field.field.cloud_config.aws_ec2.field_system_vpc + - field.field.cloud_config.aws_ec2.field_traffic_type - field.field.cloud_config.aws_ec2.field_use_instance_credentials - field.field.cloud_config.aws_ec2.field_x_509_certificate id: cloud_config.aws_ec2.default @@ -91,6 +96,36 @@ content: third_party_settings: { } type: options_select region: content + field_log_destination: + weight: 113 + settings: + size: 60 + placeholder: '' + third_party_settings: { } + type: string_textfield + region: content + field_log_destination_type: + weight: 109 + settings: { } + third_party_settings: { } + type: options_buttons + region: content + field_log_group_name: + weight: 111 + settings: + size: 60 + placeholder: '' + third_party_settings: { } + type: string_textfield + region: content + field_logs_permission_arn: + weight: 112 + settings: + size: 60 + placeholder: '' + third_party_settings: { } + type: string_textfield + region: content field_region: weight: 7 settings: { } @@ -134,6 +169,12 @@ content: third_party_settings: { } type: options_select region: content + field_traffic_type: + weight: 110 + settings: { } + third_party_settings: { } + type: options_select + region: content field_use_instance_credentials: weight: 103 settings: diff --git a/modules/cloud_service_providers/aws_cloud/config/install/core.entity_view_display.cloud_config.aws_ec2.default.yml b/modules/cloud_service_providers/aws_cloud/config/install/core.entity_view_display.cloud_config.aws_ec2.default.yml index f4ed82d..f2c9f94 100644 --- a/modules/cloud_service_providers/aws_cloud/config/install/core.entity_view_display.cloud_config.aws_ec2.default.yml +++ b/modules/cloud_service_providers/aws_cloud/config/install/core.entity_view_display.cloud_config.aws_ec2.default.yml @@ -12,6 +12,10 @@ dependencies: - field.field.cloud_config.aws_ec2.field_description - field.field.cloud_config.aws_ec2.field_iam_role - field.field.cloud_config.aws_ec2.field_image_upload_url + - field.field.cloud_config.aws_ec2.field_log_destination + - field.field.cloud_config.aws_ec2.field_log_destination_type + - field.field.cloud_config.aws_ec2.field_log_group_name + - field.field.cloud_config.aws_ec2.field_logs_permission_arn - field.field.cloud_config.aws_ec2.field_region - field.field.cloud_config.aws_ec2.field_secret_key - field.field.cloud_config.aws_ec2.field_spreadsheet_pricing_url @@ -19,6 +23,7 @@ dependencies: - field.field.cloud_config.aws_ec2.field_switch_role_account_id - field.field.cloud_config.aws_ec2.field_switch_role_iam_role - field.field.cloud_config.aws_ec2.field_system_vpc + - field.field.cloud_config.aws_ec2.field_traffic_type - field.field.cloud_config.aws_ec2.field_use_instance_credentials - field.field.cloud_config.aws_ec2.field_x_509_certificate module: @@ -99,6 +104,37 @@ content: third_party_settings: { } type: list_default region: content + field_log_destination: + weight: 110 + label: above + settings: + link_to_entity: false + third_party_settings: { } + type: string + region: content + field_log_destination_type: + weight: 106 + label: above + settings: { } + third_party_settings: { } + type: list_default + region: content + field_log_group_name: + weight: 108 + label: above + settings: + link_to_entity: false + third_party_settings: { } + type: string + region: content + field_logs_permission_arn: + weight: 109 + label: above + settings: + link_to_entity: false + third_party_settings: { } + type: string + region: content field_region: weight: 5 label: above @@ -155,6 +191,13 @@ content: third_party_settings: { } type: list_default region: content + field_traffic_type: + weight: 107 + label: above + settings: { } + third_party_settings: { } + type: list_default + region: content field_use_instance_credentials: weight: 13 label: above diff --git a/modules/cloud_service_providers/aws_cloud/config/install/field.field.cloud_config.aws_ec2.field_log_destination.yml b/modules/cloud_service_providers/aws_cloud/config/install/field.field.cloud_config.aws_ec2.field_log_destination.yml new file mode 100644 index 0000000..190ffe3 --- /dev/null +++ b/modules/cloud_service_providers/aws_cloud/config/install/field.field.cloud_config.aws_ec2.field_log_destination.yml @@ -0,0 +1,18 @@ +langcode: en +status: true +dependencies: + config: + - cloud.cloud_config_type.aws_ec2 + - field.storage.cloud_config.field_log_destination +id: cloud_config.aws_ec2.field_log_destination +field_name: field_log_destination +entity_type: cloud_config +bundle: aws_ec2 +label: 'S3 Bucket ARN' +description: 'Specifies the destination to which the flow log data is to be published.' +required: false +translatable: false +default_value: { } +default_value_callback: '' +settings: { } +field_type: string diff --git a/modules/cloud_service_providers/aws_cloud/config/install/field.field.cloud_config.aws_ec2.field_log_destination_type.yml b/modules/cloud_service_providers/aws_cloud/config/install/field.field.cloud_config.aws_ec2.field_log_destination_type.yml new file mode 100644 index 0000000..9f7bfaf --- /dev/null +++ b/modules/cloud_service_providers/aws_cloud/config/install/field.field.cloud_config.aws_ec2.field_log_destination_type.yml @@ -0,0 +1,22 @@ +langcode: en +status: true +dependencies: + config: + - cloud.cloud_config_type.aws_ec2 + - field.storage.cloud_config.field_log_destination_type + module: + - options +id: cloud_config.aws_ec2.field_log_destination_type +field_name: field_log_destination_type +entity_type: cloud_config +bundle: aws_ec2 +label: 'Destination Type' +description: 'Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3.' +required: true +translatable: false +default_value: + - + value: cloud-watch-logs +default_value_callback: '' +settings: { } +field_type: list_string diff --git a/modules/cloud_service_providers/aws_cloud/config/install/field.field.cloud_config.aws_ec2.field_log_group_name.yml b/modules/cloud_service_providers/aws_cloud/config/install/field.field.cloud_config.aws_ec2.field_log_group_name.yml new file mode 100644 index 0000000..327aceb --- /dev/null +++ b/modules/cloud_service_providers/aws_cloud/config/install/field.field.cloud_config.aws_ec2.field_log_group_name.yml @@ -0,0 +1,18 @@ +langcode: en +status: true +dependencies: + config: + - cloud.cloud_config_type.aws_ec2 + - field.storage.cloud_config.field_log_group_name +id: cloud_config.aws_ec2.field_log_group_name +field_name: field_log_group_name +entity_type: cloud_config +bundle: aws_ec2 +label: 'Destination Log Group' +description: 'The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs.' +required: false +translatable: false +default_value: { } +default_value_callback: '' +settings: { } +field_type: string diff --git a/modules/cloud_service_providers/aws_cloud/config/install/field.field.cloud_config.aws_ec2.field_logs_permission_arn.yml b/modules/cloud_service_providers/aws_cloud/config/install/field.field.cloud_config.aws_ec2.field_logs_permission_arn.yml new file mode 100644 index 0000000..265fa2d --- /dev/null +++ b/modules/cloud_service_providers/aws_cloud/config/install/field.field.cloud_config.aws_ec2.field_logs_permission_arn.yml @@ -0,0 +1,18 @@ +langcode: en +status: true +dependencies: + config: + - cloud.cloud_config_type.aws_ec2 + - field.storage.cloud_config.field_logs_permission_arn +id: cloud_config.aws_ec2.field_logs_permission_arn +field_name: field_logs_permission_arn +entity_type: cloud_config +bundle: aws_ec2 +label: 'CloudWatch Logs IAM Role' +description: 'The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account.' +required: false +translatable: false +default_value: { } +default_value_callback: '' +settings: { } +field_type: string diff --git a/modules/cloud_service_providers/aws_cloud/config/install/field.field.cloud_config.aws_ec2.field_traffic_type.yml b/modules/cloud_service_providers/aws_cloud/config/install/field.field.cloud_config.aws_ec2.field_traffic_type.yml new file mode 100644 index 0000000..a76b9cd --- /dev/null +++ b/modules/cloud_service_providers/aws_cloud/config/install/field.field.cloud_config.aws_ec2.field_traffic_type.yml @@ -0,0 +1,22 @@ +langcode: en +status: true +dependencies: + config: + - cloud.cloud_config_type.aws_ec2 + - field.storage.cloud_config.field_traffic_type + module: + - options +id: cloud_config.aws_ec2.field_traffic_type +field_name: field_traffic_type +entity_type: cloud_config +bundle: aws_ec2 +label: 'Traffic Type' +description: 'The type of traffic to log.' +required: true +translatable: false +default_value: + - + value: ALL +default_value_callback: '' +settings: { } +field_type: list_string diff --git a/modules/cloud_service_providers/aws_cloud/config/install/field.storage.cloud_config.field_log_destination.yml b/modules/cloud_service_providers/aws_cloud/config/install/field.storage.cloud_config.field_log_destination.yml new file mode 100644 index 0000000..f4820ce --- /dev/null +++ b/modules/cloud_service_providers/aws_cloud/config/install/field.storage.cloud_config.field_log_destination.yml @@ -0,0 +1,20 @@ +langcode: en +status: true +dependencies: + module: + - cloud +id: cloud_config.field_log_destination +field_name: field_log_destination +entity_type: cloud_config +type: string +settings: + max_length: 255 + is_ascii: false + case_sensitive: false +module: core +locked: false +cardinality: 1 +translatable: true +indexes: { } +persist_with_no_fields: false +custom_storage: false diff --git a/modules/cloud_service_providers/aws_cloud/config/install/field.storage.cloud_config.field_log_destination_type.yml b/modules/cloud_service_providers/aws_cloud/config/install/field.storage.cloud_config.field_log_destination_type.yml new file mode 100644 index 0000000..c4096d9 --- /dev/null +++ b/modules/cloud_service_providers/aws_cloud/config/install/field.storage.cloud_config.field_log_destination_type.yml @@ -0,0 +1,20 @@ +langcode: en +status: true +dependencies: + module: + - cloud + - options +id: cloud_config.field_log_destination_type +field_name: field_log_destination_type +entity_type: cloud_config +type: list_string +settings: + allowed_values: {} + allowed_values_function: 'aws_cloud_log_destination_type_allowed_values_function' +module: options +locked: false +cardinality: 1 +translatable: true +indexes: { } +persist_with_no_fields: false +custom_storage: false diff --git a/modules/cloud_service_providers/aws_cloud/config/install/field.storage.cloud_config.field_log_group_name.yml b/modules/cloud_service_providers/aws_cloud/config/install/field.storage.cloud_config.field_log_group_name.yml new file mode 100644 index 0000000..8792833 --- /dev/null +++ b/modules/cloud_service_providers/aws_cloud/config/install/field.storage.cloud_config.field_log_group_name.yml @@ -0,0 +1,20 @@ +langcode: en +status: true +dependencies: + module: + - cloud +id: cloud_config.field_log_group_name +field_name: field_log_group_name +entity_type: cloud_config +type: string +settings: + max_length: 255 + is_ascii: false + case_sensitive: false +module: core +locked: false +cardinality: 1 +translatable: true +indexes: { } +persist_with_no_fields: false +custom_storage: false diff --git a/modules/cloud_service_providers/aws_cloud/config/install/field.storage.cloud_config.field_logs_permission_arn.yml b/modules/cloud_service_providers/aws_cloud/config/install/field.storage.cloud_config.field_logs_permission_arn.yml new file mode 100644 index 0000000..2c1b692 --- /dev/null +++ b/modules/cloud_service_providers/aws_cloud/config/install/field.storage.cloud_config.field_logs_permission_arn.yml @@ -0,0 +1,20 @@ +langcode: en +status: true +dependencies: + module: + - cloud +id: cloud_config.field_logs_permission_arn +field_name: field_logs_permission_arn +entity_type: cloud_config +type: string +settings: + max_length: 255 + is_ascii: false + case_sensitive: false +module: core +locked: false +cardinality: 1 +translatable: true +indexes: { } +persist_with_no_fields: false +custom_storage: false diff --git a/modules/cloud_service_providers/aws_cloud/config/install/field.storage.cloud_config.field_traffic_type.yml b/modules/cloud_service_providers/aws_cloud/config/install/field.storage.cloud_config.field_traffic_type.yml new file mode 100644 index 0000000..af09950 --- /dev/null +++ b/modules/cloud_service_providers/aws_cloud/config/install/field.storage.cloud_config.field_traffic_type.yml @@ -0,0 +1,20 @@ +langcode: en +status: true +dependencies: + module: + - cloud + - options +id: cloud_config.field_traffic_type +field_name: field_traffic_type +entity_type: cloud_config +type: list_string +settings: + allowed_values: {} + allowed_values_function: 'aws_cloud_traffic_type_allowed_values_function' +module: options +locked: false +cardinality: 1 +translatable: true +indexes: { } +persist_with_no_fields: false +custom_storage: false diff --git a/modules/cloud_service_providers/aws_cloud/src/Plugin/AwsCloudServerTemplatePlugin.php b/modules/cloud_service_providers/aws_cloud/src/Plugin/AwsCloudServerTemplatePlugin.php index d6258a8..41dd1fa 100644 --- a/modules/cloud_service_providers/aws_cloud/src/Plugin/AwsCloudServerTemplatePlugin.php +++ b/modules/cloud_service_providers/aws_cloud/src/Plugin/AwsCloudServerTemplatePlugin.php @@ -439,6 +439,8 @@ class AwsCloudServerTemplatePlugin extends PluginBase implements CloudServerTemp $vpc_id = $this->createVpc($cidr_block); } + $this->createFlowLog($vpc_id); + // Find the subnet owned by current user. $params['Filters'] = [ [ @@ -684,4 +686,55 @@ class AwsCloudServerTemplatePlugin extends PluginBase implements CloudServerTemp return TRUE; } + /** + * Connect a flow log. + * + * @param string $vpc_id + * The vpc ID. + */ + private function createFlowLog($vpc_id) { + // Check whether there is a flow log for the vpc. + $params['Filters'] = [ + [ + 'Name' => 'resource-id', + 'Values' => [$vpc_id], + ], + ]; + $result = $this->awsEc2Service->describeFlowLogs($params); + if (!empty($result['FlowLogs'])) { + return; + } + + // Create a new flow log. + $params = []; + $cloud_config = $this->cloudConfigPluginManager->loadConfigEntity(); + $params['ResourceType'] = 'VPC'; + $params['ResourceIds'] = [$vpc_id]; + $params['TrafficType'] = $cloud_config->field_traffic_type->value; + $params['LogDestinationType'] = $cloud_config->field_log_destination_type->value; + if ($params['LogDestinationType'] == 'cloud-watch-logs') { + $params['DeliverLogsPermissionArn'] = $cloud_config->field_logs_permission_arn->value; + $params['LogGroupName'] = $cloud_config->field_log_group_name->value; + + if (empty($params['DeliverLogsPermissionArn']) || empty($params['LogGroupName'])) { + $this->messenger->addWarning($this->t( + 'Failed to create a flow log because the "Destination Log Group" or "CloudWatch Logs IAM Role" were not set. Please set them in cloud config edit page.' + )); + return; + } + } + else { + $params['LogDestination'] = $cloud_config->field_log_destination->value; + + if (empty($params['LogDestination'])) { + $this->messenger->addWarning($this->t( + 'Failed to create a flow log because the "S3 Bucket ARN" was not set. Please set it in cloud config edit page.' + )); + return; + } + } + + $this->awsEc2Service->createFlowLogs($params); + } + } diff --git a/modules/cloud_service_providers/aws_cloud/src/Service/AwsEc2Service.php b/modules/cloud_service_providers/aws_cloud/src/Service/AwsEc2Service.php index 0bc0810..cf989d9 100644 --- a/modules/cloud_service_providers/aws_cloud/src/Service/AwsEc2Service.php +++ b/modules/cloud_service_providers/aws_cloud/src/Service/AwsEc2Service.php @@ -558,6 +558,15 @@ class AwsEc2Service implements AwsEc2ServiceInterface { /** * {@inheritdoc} */ + public function createFlowLogs(array $params = []) { + $params += $this->getDefaultParameters(); + $results = $this->execute('CreateFlowLogs', $params); + return $results; + } + + /** + * {@inheritdoc} + */ public function createVpcPeeringConnection(array $params = []) { $params += $this->getDefaultParameters(); $results = $this->execute('CreateVpcPeeringConnection', $params); @@ -585,6 +594,15 @@ class AwsEc2Service implements AwsEc2ServiceInterface { /** * {@inheritdoc} */ + public function describeFlowLogs(array $params = []) { + $params += $this->getDefaultParameters(); + $results = $this->execute('DescribeFlowLogs', $params); + return $results; + } + + /** + * {@inheritdoc} + */ public function createSecurityGroup(array $params = []) { $params += $this->getDefaultParameters(); $results = $this->execute('CreateSecurityGroup', $params); diff --git a/modules/cloud_service_providers/aws_cloud/src/Service/AwsEc2ServiceInterface.php b/modules/cloud_service_providers/aws_cloud/src/Service/AwsEc2ServiceInterface.php index af13348..2783150 100644 --- a/modules/cloud_service_providers/aws_cloud/src/Service/AwsEc2ServiceInterface.php +++ b/modules/cloud_service_providers/aws_cloud/src/Service/AwsEc2ServiceInterface.php @@ -235,6 +235,20 @@ interface AwsEc2ServiceInterface { public function createVpc(array $params = []); /** + * Calls the Ec2 API endpoint Create Flow logs. + * + * @param array $params + * Parameters array to send to API. + * + * @return array + * Array of FlowLog or NULL if there is an error. + * + * @throws \Drupal\aws_cloud\Service\AwsEc2ServiceException + * If the $params is empty or Ec2 Client is null. + */ + public function createFlowLogs(array $params = []); + + /** * Calls the Ec2 API endpoint Create Vpc Peering Connection. * * @param array $params @@ -277,6 +291,20 @@ interface AwsEc2ServiceInterface { public function describeVpcPeeringConnections(array $params = []); /** + * Calls the Ec2 API endpoint Describe Flow Logs. + * + * @param array $params + * Parameters array to send to API. + * + * @return array + * Array of FlowLog or NULL if there is an error. + * + * @throws \Drupal\aws_cloud\Service\AwsEc2ServiceException + * If the $params is empty or Ec2 Client is null. + */ + public function describeFlowLogs(array $params = []); + + /** * Calls the Ec2 API endpoint Create Security Group. * * @param array $params