wip: store audit logs into a different table

Author: brunozoric

jest.config.base.js

@@ -180,6 +180,27 @@ const createDynaliteTables = (options = {}) => {
                     amount: 5
                 }),
                 data: options.data || []
+            },
+            {
+                TableName: process.env.DB_TABLE_AUDIT_LOGS,
+                KeySchema: [
+                    { AttributeName: "PK", KeyType: "HASH" },
+                    { AttributeName: "SK", KeyType: "RANGE" }
+                ],
+                AttributeDefinitions: [
+                    { AttributeName: "PK", AttributeType: "S" },
+                    { AttributeName: "SK", AttributeType: "S" },
+                    ...createGlobalSecondaryIndexesAttributeDefinitions(2)
+                ],
+                ProvisionedThroughput: { ReadCapacityUnits: 1, WriteCapacityUnits: 1 },
+                GlobalSecondaryIndexes: createGlobalSecondaryIndexes({
+                    amount: 2
+                }),
+                data: options.data || [],
+                ttl: {
+                    attributeName: "expiresAt",
+                    enabled: true
+                }
             }
         ],
         basePort: 8000

packages/api-audit-logs/__tests__/createAuditLog.test.ts

@@ -84,7 +84,7 @@ describe("create audit log", () => {
         const partitionKey = `#CME#wby-aco-${result!.id}`;
 
         const scanned = await client.scan({
-            TableName: process.env.DB_TABLE
+            TableName: process.env.DB_TABLE_AUDIT_LOGS
         });
 
         for (const item of scanned.Items || []) {
@@ -149,7 +149,7 @@ describe("create audit log", () => {
         const { id: partitionKey } = parseIdentifier(`${result!.id}`);
 
         const scanned = await client.scan({
-            TableName: process.env.DB_TABLE
+            TableName: process.env.DB_TABLE_AUDIT_LOGS
         });
 
         for (const item of scanned.Items || []) {

packages/cwp-template-aws/template/common/types/env/index.d.ts

@@ -2,14 +2,9 @@ declare namespace NodeJS {
     export interface ProcessEnv {
         NODE_ENV?: "test" | "prod" | "dev" | string;
         DB_TABLE?: string;
-        DB_TABLE_TENANCY?: string;
-        DB_TABLE_PRERENDERING_SERVICE?: string;
         DB_TABLE_ELASTICSEARCH?: string;
-        DB_TABLE_ADMIN_USERS?: string;
-        DB_TABLE_FILE_MANGER?: string;
-        DB_TABLE_HEADLESS_CMS?: string;
-        DB_PAGE_BUILDER?: string;
-        DB_TABLE_PAGE_BUILDER?: string;
+        DB_TABLE_LOG?: string;
+        DB_TABLE_AUDIT_LOGS?: string;
         ELASTICSEARCH_SHARED_INDEXES?: "true" | "false" | string;
         WEBINY_VERSION?: string;
         WEBINY_ENABLE_VERSION_HEADER?: "true" | "false" | string;

packages/pulumi-aws/src/apps/api/AuditLogsDynamo.ts

@@ -0,0 +1,72 @@
+import * as aws from "@pulumi/aws";
+import type { PulumiApp, PulumiAppModule } from "@webiny/pulumi";
+import { createAppModule } from "@webiny/pulumi";
+
+export type AuditLogsDynamo = PulumiAppModule<typeof AuditLogsDynamo>;
+
+export const AuditLogsDynamo = createAppModule({
+    name: "AuditLogsDynamoDb",
+    config(app: PulumiApp, params: { protect: boolean }) {
+        return app.addResource(aws.dynamodb.Table, {
+            name: "webiny-audit-logs",
+            config: {
+                attributes: [
+                    { name: "PK", type: "S" },
+                    { name: "SK", type: "S" },
+                    { name: "GSI1_PK", type: "S" },
+                    { name: "GSI1_SK", type: "S" },
+                    { name: "GSI2_PK", type: "S" },
+                    { name: "GSI2_SK", type: "S" },
+                    { name: "GSI3_PK", type: "S" },
+                    { name: "GSI3_SK", type: "S" },
+                    { name: "GSI4_PK", type: "S" },
+                    { name: "GSI4_SK", type: "S" },
+                    { name: "GSI5_PK", type: "S" },
+                    { name: "GSI5_SK", type: "S" }
+                ],
+                billingMode: "PAY_PER_REQUEST",
+                hashKey: "PK",
+                rangeKey: "SK",
+                globalSecondaryIndexes: [
+                    {
+                        name: "GSI1",
+                        hashKey: "GSI1_PK",
+                        rangeKey: "GSI1_SK",
+                        projectionType: "ALL"
+                    },
+                    {
+                        name: "GSI2",
+                        hashKey: "GSI2_PK",
+                        rangeKey: "GSI2_SK",
+                        projectionType: "ALL"
+                    },
+                    {
+                        name: "GSI3",
+                        hashKey: "GSI3_PK",
+                        rangeKey: "GSI3_SK",
+                        projectionType: "ALL"
+                    },
+                    {
+                        name: "GSI4",
+                        hashKey: "GSI4_PK",
+                        rangeKey: "GSI4_SK",
+                        projectionType: "ALL"
+                    },
+                    {
+                        name: "GSI5",
+                        hashKey: "GSI5_PK",
+                        rangeKey: "GSI5_SK",
+                        projectionType: "ALL"
+                    }
+                ],
+                ttl: {
+                    attributeName: "expiresAt",
+                    enabled: true
+                }
+            },
+            opts: {
+                protect: params.protect
+            }
+        });
+    }
+});

packages/pulumi-aws/src/apps/api/createApiPulumiApp.ts

@@ -31,6 +31,7 @@ import { attachSyncSystem } from "../syncSystem/api/index.js";
 import { getAwsAccountId } from "~/apps/awsUtils";
 import type { WithServiceManifest } from "~/utils/withServiceManifest.js";
 import { ApiScheduler } from "~/apps/api/ApiScheduler.js";
+import { AuditLogsDynamo } from "~/apps/api/AuditLogsDynamo.js";
 
 export type ApiPulumiApp = ReturnType<typeof createApiPulumiApp>;
 
@@ -47,6 +48,12 @@ export interface ApiOpenSearchConfig {
 }
 
 export interface CreateApiPulumiAppParams {
+    /**
+     * Secures against deleting database by accident.
+     * By default enabled in production environments.
+     */
+    protect?: PulumiAppParam<boolean>;
+
     /**
      * Enables ElasticSearch infrastructure.
      * Note that it requires also changes in application code.
@@ -151,6 +158,8 @@ export const createApiPulumiApp = (projectAppParams: CreateApiPulumiAppParams =
             const vpcEnabled = app.getParam(projectAppParams?.vpc) ?? isProduction;
             app.addModule(VpcConfig, { enabled: vpcEnabled });
 
+            const protect = app.getParam(projectAppParams.protect) ?? isProduction;
+
             // const pageBuilder = app.addModule(ApiPageBuilder, {
             //     env: {
             //         COGNITO_REGION: getEnvVariableAwsRegion(),
@@ -169,6 +178,10 @@ export const createApiPulumiApp = (projectAppParams: CreateApiPulumiAppParams =
             //     }
             // });
 
+            const auditLogsDynamo = app.addModule(AuditLogsDynamo, {
+                protect
+            });
+
             const apwScheduler = app.addModule(ApiApwScheduler, {
                 primaryDynamodbTableArn: core.primaryDynamodbTableArn,
 
@@ -177,6 +190,7 @@ export const createApiPulumiApp = (projectAppParams: CreateApiPulumiAppParams =
                     COGNITO_USER_POOL_ID: core.cognitoUserPoolId,
                     DB_TABLE: core.primaryDynamodbTableName,
                     DB_TABLE_LOG: core.logDynamodbTableName,
+                    DB_TABLE_AUDIT_LOGS: auditLogsDynamo.output.name,
                     S3_BUCKET: core.fileManagerBucketId
                 }
             });
@@ -187,6 +201,7 @@ export const createApiPulumiApp = (projectAppParams: CreateApiPulumiAppParams =
                     COGNITO_USER_POOL_ID: core.cognitoUserPoolId,
                     DB_TABLE: core.primaryDynamodbTableName,
                     DB_TABLE_LOG: core.logDynamodbTableName,
+                    DB_TABLE_AUDIT_LOGS: auditLogsDynamo.output.name,
                     DB_TABLE_ELASTICSEARCH: core.elasticsearchDynamodbTableName,
                     ELASTIC_SEARCH_ENDPOINT: core.elasticsearchDomainEndpoint,
 
@@ -286,6 +301,7 @@ export const createApiPulumiApp = (projectAppParams: CreateApiPulumiAppParams =
                 apwSchedulerEventRule: apwScheduler.eventRule.output.name,
                 apwSchedulerEventTargetId: apwScheduler.eventTarget.output.targetId,
                 dynamoDbTable: core.primaryDynamodbTableName,
+                auditLogsDynamoDbTable: auditLogsDynamo.output.name,
                 migrationLambdaArn: migration.function.output.arn,
                 graphqlLambdaName: graphql.functions.graphql.output.name,
                 graphqlLambdaRole: graphql.role.output.arn,

typings/env/index.d.ts

@@ -2,15 +2,9 @@ declare namespace NodeJS {
     export interface ProcessEnv {
         NODE_ENV?: "test" | "prod" | "dev" | string;
         DB_TABLE?: string;
-        DB_TABLE_TENANCY?: string;
-        DB_TABLE_PRERENDERING_SERVICE?: string;
         DB_TABLE_ELASTICSEARCH?: string;
-        DB_TABLE_ADMIN_USERS?: string;
-        DB_TABLE_FILE_MANGER?: string;
-        DB_TABLE_HEADLESS_CMS?: string;
-        DB_PAGE_BUILDER?: string;
-        DB_TABLE_PAGE_BUILDER?: string;
         DB_TABLE_LOG?: string;
+        DB_TABLE_AUDIT_LOGS?: string;
         ELASTICSEARCH_SHARED_INDEXES?: "true" | "false" | string;
         WEBINY_VERSION?: string;
         WEBINY_IS_PRE_529?: "true" | "false";