Store audit log in DynamoDB (#118)

* create audit log

* reduce log retention days in prod

* add simple unit test

* replace audit log statements with dynamodb calls

* update to use enum for module names

* add audit log statements to linkry

* remove unused imports in linkry module

Author: devksingh4

cloudformation/iam.yml

@@ -106,6 +106,16 @@ Resources:
             Resource:
               - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-rate-limiter
 
+          - Sid: DynamoDBAuditLogTableAccess
+            Effect: Allow
+            Action:
+              - dynamodb:DescribeTable
+              - dynamodb:PutItem
+              - dynamodb:Query
+            Resource:
+              - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-audit-log
+              - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-audit-log/index/*
+
           - Sid: DynamoDBStreamAccess
             Effect: Allow
             Action:

cloudformation/logs.yml

@@ -21,3 +21,26 @@ Resources:
       LogGroupName:
         Fn::Sub: /aws/lambda/${LambdaFunctionName}-edge
       RetentionInDays: 7
+  AppAuditLog:
+    Type: "AWS::DynamoDB::Table"
+    DeletionPolicy: "Retain"
+    UpdateReplacePolicy: "Retain"
+    Properties:
+      BillingMode: "PAY_PER_REQUEST"
+      TableName: infra-core-api-audit-log
+      DeletionProtectionEnabled: true
+      PointInTimeRecoverySpecification:
+        PointInTimeRecoveryEnabled: true
+      AttributeDefinitions:
+        - AttributeName: module
+          AttributeType: S
+        - AttributeName: createdAt
+          AttributeType: N
+      KeySchema:
+        - AttributeName: module
+          KeyType: HASH
+        - AttributeName: createdAt
+          KeyType: RANGE
+      TimeToLiveSpecification:
+        AttributeName: expiresAt
+        Enabled: true

cloudformation/main.yml

@@ -48,7 +48,7 @@ Mappings:
       LogRetentionDays: 7
       SesDomain: "aws.qa.acmuiuc.org"
     prod:
-      LogRetentionDays: 365
+      LogRetentionDays: 90
       SesDomain: "acm.illinois.edu"
   ApiGwConfig:
     dev:

src/api/functions/auditLog.ts

@@ -0,0 +1,40 @@
+import { DynamoDBClient, PutItemCommand } from "@aws-sdk/client-dynamodb";
+import { marshall } from "@aws-sdk/util-dynamodb";
+import { genericConfig } from "common/config.js";
+import { Modules } from "common/modules.js";
+
+export type AuditLogEntry = {
+  module: Modules;
+  actor: string;
+  target: string;
+  requestId?: string;
+  message: string;
+};
+
+type AuditLogParams = {
+  dynamoClient?: DynamoDBClient;
+  entry: AuditLogEntry;
+};
+
+const RETENTION_DAYS = 365;
+
+export async function createAuditLogEntry({
+  dynamoClient,
+  entry,
+}: AuditLogParams) {
+  const baseNow = Date.now();
+  const timestamp = Math.floor(baseNow / 1000);
+  const expireAt =
+    timestamp + Math.floor((RETENTION_DAYS * 24 * 60 * 60 * 1000) / 1000);
+  if (!dynamoClient) {
+    dynamoClient = new DynamoDBClient({
+      region: genericConfig.AwsRegion,
+    });
+  }
+  const augmentedEntry = marshall({ ...entry, createdAt: timestamp, expireAt });
+  const command = new PutItemCommand({
+    TableName: genericConfig.AuditLogTable,
+    Item: augmentedEntry,
+  });
+  return dynamoClient.send(command);
+}

src/api/functions/mobileWallet.ts

@@ -17,6 +17,8 @@ import { promises as fs } from "fs";
 import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
 import { RunEnvironment } from "common/roles.js";
 import pino from "pino";
+import { createAuditLogEntry } from "./auditLog.js";
+import { Modules } from "common/modules.js";
 
 function trim(s: string) {
   return (s || "").replace(/^\s+|\s+$/g, "");
@@ -66,7 +68,6 @@ export async function issueAppleWalletMembershipCard(
     "base64",
   ).toString("utf-8");
   pass["passTypeIdentifier"] = environmentConfig["PasskitIdentifier"];
-
   const pkpass = new PKPass(
     {
       "icon.png": await fs.readFile(icon),
@@ -117,9 +118,13 @@ export async function issueAppleWalletMembershipCard(
   pkpass.backFields.push({ label: "Pass Created On", key: "iat", value: iat });
   pkpass.backFields.push({ label: "Membership ID", key: "id", value: email });
   const buffer = pkpass.getAsBuffer();
-  logger.info(
-    { type: "audit", module: "mobileWallet", actor: initiator, target: email },
-    "Created membership verification pass",
-  );
+  await createAuditLogEntry({
+    entry: {
+      module: Modules.MOBILE_WALLET,
+      actor: initiator,
+      target: email,
+      message: "Created membership verification pass",
+    },
+  });
   return buffer;
 }

src/api/routes/events.ts

@@ -30,6 +30,8 @@ import {
   deleteCacheCounter,
   getCacheCounter,
 } from "api/functions/cache.js";
+import { createAuditLogEntry } from "api/functions/auditLog.js";
+import { Modules } from "common/modules.js";
 
 const repeatOptions = ["weekly", "biweekly"] as const;
 export const CLIENT_HTTP_CACHE_POLICY = `public, max-age=${EVENT_CACHED_DURATION}, stale-while-revalidate=420, stale-if-error=3600`;
@@ -266,6 +268,10 @@ const eventsPlugin: FastifyPluginAsync = async (fastify, _options) => {
           }
           originalEvent = unmarshall(originalEvent);
         }
+        let verb = "created";
+        if (userProvidedId && userProvidedId === entryUUID) {
+          verb = "modified";
+        }
         const entry = {
           ...request.body,
           id: entryUUID,
@@ -281,10 +287,6 @@ const eventsPlugin: FastifyPluginAsync = async (fastify, _options) => {
             Item: marshall(entry),
           }),
         );
-        let verb = "created";
-        if (userProvidedId && userProvidedId === entryUUID) {
-          verb = "modified";
-        }
         try {
           if (request.body.featured && !request.body.repeats) {
             await updateDiscord(
@@ -332,19 +334,20 @@ const eventsPlugin: FastifyPluginAsync = async (fastify, _options) => {
           1,
           false,
         );
+        await createAuditLogEntry({
+          dynamoClient: fastify.dynamoClient,
+          entry: {
+            module: Modules.EVENTS,
+            actor: request.username,
+            target: entryUUID,
+            message: `${verb} event "${entryUUID}"`,
+            requestId: request.id,
+          },
+        });
         reply.status(201).send({
           id: entryUUID,
           resource: `/api/v1/events/${entryUUID}`,
         });
-        request.log.info(
-          {
-            type: "audit",
-            module: "events",
-            actor: request.username,
-            target: entryUUID,
-          },
-          `${verb} event "${entryUUID}"`,
-        );
       } catch (e: unknown) {
         if (e instanceof Error) {
           request.log.error("Failed to insert to DynamoDB: " + e.toString());
@@ -391,6 +394,16 @@ const eventsPlugin: FastifyPluginAsync = async (fastify, _options) => {
           id,
           resource: `/api/v1/events/${id}`,
         });
+        await createAuditLogEntry({
+          dynamoClient: fastify.dynamoClient,
+          entry: {
+            module: Modules.EVENTS,
+            actor: request.username,
+            target: id,
+            message: `Deleted event "${id}"`,
+            requestId: request.id,
+          },
+        });
       } catch (e: unknown) {
         if (e instanceof Error) {
           request.log.error("Failed to delete from DynamoDB: " + e.toString());
@@ -406,15 +419,6 @@ const eventsPlugin: FastifyPluginAsync = async (fastify, _options) => {
         1,
         false,
       );
-      request.log.info(
-        {
-          type: "audit",
-          module: "events",
-          actor: request.username,
-          target: id,
-        },
-        `deleted event "${id}"`,
-      );
     },
   );
   fastify.get<EventGetRequest>(