From f1be98c400a3d1f53ca0b33d9372dc23afc684ed Mon Sep 17 00:00:00 2001
From: peggles2
Date: Thu, 7 Mar 2024 10:11:57 -0500
Subject: [PATCH] Eregcsc 2532 cloudfront distribution should have logging enabled (#1193)

* eregcsc-2532- cloudfront distrubution should have logging enabled
---
 .../templates/admin/base_site.html | 2 +-
 solution/static-assets/serverless.yml | 26 +++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/solution/backend/cmcs_regulations/templates/admin/base_site.html b/solution/backend/cmcs_regulations/templates/admin/base_site.html
index 4498c3cd68..8203fed054 100644
--- a/solution/backend/cmcs_regulations/templates/admin/base_site.html
+++ b/solution/backend/cmcs_regulations/templates/admin/base_site.html
@@ -40,4 +40,4 @@ Log in {% endif %}
-{% endblock %}
\ No newline at end of file
+{% endblock %}
diff --git a/solution/static-assets/serverless.yml b/solution/static-assets/serverless.yml
index 1b50ac8aa4..94506fdd39 100644
--- a/solution/static-assets/serverless.yml
+++ b/solution/static-assets/serverless.yml
@@ -61,6 +61,28 @@ resources:
 - GET
 - HEAD
 MaxAge: 3000
+ CloudFrontLogsBucket:
+ Type: AWS::S3::Bucket
+ Properties:
+ BucketName: eregs-${self:custom.stage}-cloudfront-logs
+ OwnershipControls:
+ Rules:
+ - ObjectOwnership: BucketOwnerPreferred
+ VersioningConfiguration:
+ Status: Enabled
+ AccessControl: LogDeliveryWrite
+ CloudFrontLogsBucketPolicy:
+ Type: "AWS::S3::BucketPolicy"
+ Properties:
+ Bucket: !Ref CloudFrontLogsBucket
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: "delivery.logs.amazonaws.com"
+ Action: "s3:PutObject"
+ Resource: !Sub "arn:aws:s3:::${CloudFrontLogsBucket}/*"
 CloudFrontOriginAccessIdentity:
 Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
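Review bot: The `Allow` statement in `CloudFrontLogsBucketPolicy` lets the `delivery.logs.amazonaws.com` service principal put objects under any key with no `Condition`, so nothing ties the writes to this account; AWS's confused-deputy guidance for service principals is to scope such a statement with `aws:SourceAccount` (and `aws:SourceArn` where the source is known). It is also worth confirming the statement is needed at all, since CloudFront standard logging normally writes through a bucket ACL grant rather than this principal, which is presumably why ACLs are left enabled here. Separately, `CloudFrontLogsBucket` will hold viewer IPs and request URLs but declares no `PublicAccessBlockConfiguration`, `BucketEncryption` or `LifecycleConfiguration`, and with versioning on and no expiry rule the logs are kept indefinitely. The `resources` mapping starts and ends outside the hunk, and the indentation below is indicative because the page has lost the original.

```yaml
    CloudFrontLogsBucket:
      # … unchanged: Type, BucketName, OwnershipControls, VersioningConfiguration, AccessControl …
        PublicAccessBlockConfiguration:
          BlockPublicAcls: true
          BlockPublicPolicy: true
          IgnorePublicAcls: true
          RestrictPublicBuckets: true
    # … unchanged: CloudFrontLogsBucketPolicy through Action and Resource …
              Condition:
                StringEquals:
                  aws:SourceAccount: !Ref AWS::AccountId
```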
@@ -153,6 +175,10 @@ resources:
 - ''
 - - origin-access-identity/cloudfront/
 - Ref: CloudFrontOriginAccessIdentity
+ Logging:
+ IncludeCookies: false
+ Bucket: eregs-${self:custom.stage}-cloudfront-logs.s3.amazonaws.com
+ Prefix: cf-logs/
 Enabled: true
 HttpVersion: 'http2'
 DefaultCacheBehavior:
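Review bot: The `Bucket:` value under `Logging` repeats the log bucket's name as a literal string, so CloudFormation sees no dependency between the distribution and `CloudFrontLogsBucket` and may try to enable logging before the bucket and its ACL exist. Referencing the resource instead, `Bucket: !GetAtt CloudFrontLogsBucket.DomainName`, gives the stack that ordering and keeps the two names from drifting apart if `BucketName` is ever changed. It also ensures the distribution can only log to the bucket this stack owns, rather than to whichever bucket happens to hold that globally unique name. The distribution config this belongs to starts and ends outside the hunk.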