aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(redshift): How to enable audit logging from redshift module #25755

Open flexelem opened 1 year ago

flexelem commented 1 year ago

Describe the bug

Hi there,

We are creating a Redshift cluster from the aws-cdk/aws-redshift-alpha module and can't see a way to enable audit logging. Even though we set enable_user_activity_logging to true, the AWS console displays audit logging as disabled. We want to forward logs to CloudWatch, not S3, so loggingProperties doesn't solve this case either. I also couldn't find the related property in the CloudFormation reference.

Here is the CDK code for creating a cluster and configuring the parameter group for it.

    // redshift single node "cluster"
    const redshiftCluster = new redshift.Cluster(this, 'Cluster', {
      masterUser: {
        masterUsername: 'foobar',
        encryptionKey: key,
      },
      vpc: props.vpc,
      vpcSubnets: {
        subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
      },
      publiclyAccessible: false,
      clusterType: redshift.ClusterType.SINGLE_NODE,
      nodeType: redshift.NodeType.DC2_LARGE,
      encrypted: true,
      enhancedVpcRouting: true,
      preferredMaintenanceWindow: 'Sat:23:45-Sun:00:45',
      // permissions
      defaultRole: role,
      roles: [role],
      // don't delete on accident when stack is deleted
      removalPolicy: cdk.RemovalPolicy.RETAIN,
    });

    // database parameters
    redshiftCluster.addToParameterGroup('enable_user_activity_logging', 'true');
    redshiftCluster.addToParameterGroup('require_ssl', 'true');

I am not sure if this is considered a bug, so please guide me.

Thanks!

Expected Behavior

There should be a proper way of enabling audit logs into CloudWatch from AWS CDK.

Current Behavior

There is no way of enabling audit logs into CloudWatch.

Reproduction Steps

I shared the simple CDK code.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.81.0

Framework Version

No response

Node.js Version

18.0.0

OS

macOS

Language

TypeScript

Language Version

No response

Other information

No response

pahud commented 1 year ago

It looks like CloudFormation does not support it at this moment. I noticed we already have a PFR at https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1657. Please +1 that PFR to help the CloudFormation team prioritize.
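
The state reported in this issue (enable_user_activity_logging set to true while audit logging still shows as disabled) can be detected from the cluster's logging status and parameter group values. The following is an added example, not code from the issue or from the aws-cdk project; the field names follow the Redshift DescribeLoggingStatus response, while the function name, finding labels and sample inputs are constructed for illustration.

```typescript
// Added example: evaluate a cluster's audit-logging state offline.
// Field names follow the Redshift DescribeLoggingStatus response; everything else is illustrative.
interface LoggingStatus {
  LoggingEnabled?: boolean;
  LogDestinationType?: string; // "s3" or "cloudwatch"
  LogExports?: string[];       // "connectionlog", "userlog", "useractivitylog"
  LastFailureMessage?: string;
}
interface Parameter { ParameterName: string; ParameterValue: string; }

function auditFindings(status: LoggingStatus, params: Parameter[], wantDestination = "cloudwatch"): string[] {
  const findings: string[] = [];
  const match = params.filter((p) => p.ParameterName === "enable_user_activity_logging")[0];
  const activityParam = match !== undefined && match.ParameterValue.toLowerCase() === "true";

  if (!status.LoggingEnabled) {
    findings.push("AUDIT_LOGGING_DISABLED");
    // The situation in this issue: the parameter is set, but nothing is delivered anywhere.
    if (activityParam) findings.push("ACTIVITY_PARAM_SET_BUT_LOGGING_DISABLED");
    return findings;
  }
  if (status.LogDestinationType !== wantDestination) {
    findings.push("WRONG_DESTINATION:" + String(status.LogDestinationType));
  } else if (wantDestination === "cloudwatch") {
    const exported = status.LogExports ?? [];
    for (const log of ["connectionlog", "userlog", "useractivitylog"]) {
      if (exported.indexOf(log) === -1) findings.push("NOT_EXPORTED:" + log);
    }
  }
  // Audit logging is on, but the user activity log also needs the parameter.
  if (!activityParam) findings.push("ACTIVITY_PARAM_NOT_SET");
  if (status.LastFailureMessage) findings.push("DELIVERY_FAILURE:" + status.LastFailureMessage);
  return findings;
}

// Constructed sample matching the cluster described in the issue.
const issueParams: Parameter[] = [
  { ParameterName: "enable_user_activity_logging", ParameterValue: "true" },
  { ParameterName: "require_ssl", ParameterValue: "true" },
];
const issueStatus: LoggingStatus = { LoggingEnabled: false };

// Constructed sample of the desired end state.
const desiredStatus: LoggingStatus = {
  LoggingEnabled: true,
  LogDestinationType: "cloudwatch",
  LogExports: ["connectionlog", "userlog", "useractivitylog"],
};

console.log(auditFindings(issueStatus, issueParams));
console.log(auditFindings(desiredStatus, issueParams));
```
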