async function createCloudFrontLoggingBucket()

in source/custom-resource/index.ts [510:579]


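/**
 * Creates the S3 bucket that receives CloudFront standard (access) logs for this stack and
 * hardens it before handing the name back to the custom-resource caller.
 *
 * Bucket name: `serverless-image-handler-logs-<8 hex chars>`, where the hex chars are the first
 * 8 of an MD5 over the caller-supplied `BucketSuffix` plus the current UTC timestamp. MD5 is
 * used only to derive a short, distinct-looking name; it is not a security control (bucket
 * names are not secret and uniqueness is ultimately enforced by S3 rejecting duplicates).
 *
 * Region: CloudFront does not deliver access logs to buckets in opt-in regions, so the bucket
 * is created in `us-east-1` when `AWS_REGION` is opt-in, otherwise in `AWS_REGION` itself.
 *
 * Hardening applied after creation:
 *  - default SSE-S3 (AES256) encryption at rest;
 *  - a bucket policy that denies every action over plain HTTP (`aws:SecureTransport=false`)
 *    on BOTH the bucket ARN and its objects, so bucket-level calls such as ListBucket are
 *    covered too, not just object reads/writes.
 *
 * Fixes relative to the previous revision:
 *  - `s3Client` was declared inside the first `try` block and was therefore out of scope for
 *    the encryption and policy calls that followed; it is now declared once, up front.
 *  - CloudFront log delivery writes via the `log-delivery-write` ACL. New buckets default to
 *    ObjectOwnership=BucketOwnerEnforced, which disables ACLs and makes createBucket reject that
 *    ACL, so ACLs are enabled explicitly via `ObjectOwnership: 'ObjectWriter'`.
 *
 * @param requestProperties custom-resource properties; only `BucketSuffix` is read here.
 * @returns the new bucket's name and the region it was created in.
 * @throws the underlying AWS SDK error from createBucket / putBucketEncryption /
 *   putBucketPolicy after logging it. If a later step fails, the already-created bucket is
 *   NOT rolled back — NOTE(review): the caller / CloudFormation must clean it up, confirm
 *   that the delete handler covers this case.
 */
async function createCloudFrontLoggingBucket(
  requestProperties: CreateLoggingBucketRequestProperties
): Promise<{ BucketName: string; Region: string }> {
  const logBucketSuffix = createHash('md5')
    .update(`${requestProperties.BucketSuffix}${moment.utc().valueOf()}`)
    .digest('hex');
  // S3 bucket names must be lowercase; the hex digest already is, toLowerCase() is belt-and-braces.
  const bucketName = `serverless-image-handler-logs-${logBucketSuffix.substring(0, 8)}`.toLowerCase();
  const bucketArn = `arn:aws:s3:::${bucketName}`;

  // the S3 bucket will be created in 'us-east-1' if the current region is in opt-in regions,
  // because CloudFront does not currently deliver access logs to opt-in region buckets
  const isOptInRegion = await checkRegionOptInStatus(AWS_REGION);
  const targetRegion = isOptInRegion ? 'us-east-1' : AWS_REGION;
  console.info(`The opt-in status of the '${AWS_REGION}' region is '${isOptInRegion ? 'opted-in' : 'opt-in-not-required'}'`);

  // One client for all three calls; it must be bound to the region the bucket lives in, which
  // may differ from the function's own region (see opt-in handling above).
  const s3Client = new S3({ ...awsSdkOptions, apiVersion: '2006-03-01', region: targetRegion });

  // create bucket
  try {
    const createBucketRequestParams: CreateBucketRequest = {
      Bucket: bucketName,
      // Log delivery relies on this canned ACL; ACLs are only honoured when ObjectOwnership is
      // not BucketOwnerEnforced, hence the explicit ObjectWriter setting.
      ObjectOwnership: 'ObjectWriter',
      ACL: 'log-delivery-write'
    };
    await s3Client.createBucket(createBucketRequestParams).promise();

    console.info(`Successfully created bucket '${bucketName}' in '${targetRegion}' region`);
  } catch (error) {
    console.error(`Could not create bucket '${bucketName}'`);
    console.error(error);

    throw error;
  }

  // add encryption to bucket
  console.info('Adding Encryption...');
  try {
    const putBucketEncryptionRequestParams: PutBucketEncryptionRequest = {
      Bucket: bucketName,
      ServerSideEncryptionConfiguration: { Rules: [{ ApplyServerSideEncryptionByDefault: { SSEAlgorithm: 'AES256' } }] }
    };

    await s3Client.putBucketEncryption(putBucketEncryptionRequestParams).promise();

    console.info(`Successfully enabled encryption on bucket '${bucketName}'`);
  } catch (error) {
    console.error(`Failed to add encryption to bucket '${bucketName}'`);
    console.error(error);

    throw error;
  }

  // add policy to bucket
  try {
    console.info('Adding policy...');

    // Deny any request that is not over TLS. The Resource list covers the bucket itself as well
    // as every object key; a `bucket/*` pattern alone leaves bucket-level operations unguarded.
    // NOTE(review): this bucket does not get a PublicAccessBlock or versioning here; if the
    // custom-resource role is allowed s3:PutBucketPublicAccessBlock, adding one would be the
    // usual next hardening step — confirm the role's permissions before adding the call.
    const bucketPolicyStatement = {
      Resource: [bucketArn, `${bucketArn}/*`],
      Action: '*',
      Effect: 'Deny',
      Principal: '*',
      Sid: 'HttpsOnly',
      Condition: { Bool: { 'aws:SecureTransport': 'false' } }
    };
    const bucketPolicy = { Version: '2012-10-17', Statement: [bucketPolicyStatement] };
    const putBucketPolicyRequestParams: PutBucketPolicyRequest = { Bucket: bucketName, Policy: JSON.stringify(bucketPolicy) };

    await s3Client.putBucketPolicy(putBucketPolicyRequestParams).promise();

    console.info(`Successfully added policy to bucket '${bucketName}'`);
  } catch (error) {
    console.error(`Failed to add policy to bucket '${bucketName}'`);
    console.error(error);

    throw error;
  }

  return { BucketName: bucketName, Region: targetRegion };
}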