There are unused objects in the bucket that we can remove safely.

• athena-query-results - This folder is storing Athena Query Results generated when we transform CSV files into Parquet files. We don't have a reason to keep these results more than one day.
• partitioned-gz - This folder is storing raw gzip files generated by Cloudfront. We are storing this data in parquet so I can't find a reason to keep the raw data stored forever.

I would like to hear the opinion from other developers before opening a pull request.

CloudFrontAccessLogsBucket:
  Type: 'AWS::S3::Bucket'
  Properties:
    LifecycleConfiguration:
      Rules:
        - Id: ExpireAthenaQueryResults
          Prefix: athena-query-results/
          Status: Enabled
          ExpirationInDays: 1
        - Id: ExpirePartitionedGz
          Prefix: !Ref GzKeyPrefix
          Status: Enabled
          ExpirationInDays: 180
          Transitions:
            - TransitionInDays: 7
              StorageClass: GLACIER

Hi @steffeng ! And first, thanks a lot for this. I have had my eyes on deploying this for a while, I am glad to finally have the opportunity!

I have yet another question about using this for multiple distributions (FYI we have about 15 now, going to have about 30).

I checked #8 and #12, but this is different: I don't care about partitioning the data by distribution (like in #8), or group the entire S3 data structure under subfolders (like in #12).

According the the FAQ:

Q: How can I use the sample application for multiple Amazon CloudFront distributions?

Deploy another AWS CloudFormation stack

What about pointing multiple CF distributions to the same bucket's new/? Skimming the code, I did not see any obvious reason why it would be an issue, but the FAQ answer above makes it sound like the only way is to deploy another stack...

What am I missing? Will it work, or will it break something?

Since the host header isn't in the log file name, it would need to be part of the log bucket's prefix configured in CloudFront to keep the lambda stateless when converting new log objects to the partition format.

We have lots of sites, and would like to avoid the overhead of setting up a new stack for each one, and also have the flexibility to query multiple sites at once while still maintaining the cost/performance benefits of using partitions.

Hi,

I have implemented this stack and it is working well. However I dropped my old cloudfront logs into the new directory and it moved them into the partitioned-gz directory as expected however I am unsure what the best way to trigger the create/transformPartition lambdas is to process them into the partitioned-parquet directory. Only new data is being transformed into parquet format because those lambdas work based on the current date/time.

Any ideas welcome!

Currently, I am doing Day Partitioned Table where anything older than a day will insert into it. Now I would like to combine the view with Day Partitioned Table.

Here is what I am doing.

SELECT *, "$path" as file FROM ${database}.${partitioned_gz_table} WHERE (concat(year, month, day, hour) >= date_format(date_trunc('hour', ((current_timestamp - INTERVAL '15' MINUTE) - INTERVAL '1' HOUR)), '%Y%m%d%H')) UNION ALL SELECT *, "$path" as file FROM ${database}.${partitioned_parquet_table} WHERE (concat(year, month, day, hour) < date_format(date_trunc('hour', ((current_timestamp - INTERVAL '15' MINUTE) - INTERVAL '1' HOUR)), '%Y%m%d%H')) UNION ALL SELECT *, "$path" as file FROM ${database}.${day_partitioned_parquet_table} WHERE (concat(year, month, day) < date_format(date_trunc('day', ((current_timestamp - INTERVAL '15' MINUTE) - INTERVAL '1' DAY), '%Y%m%d))

I am not sure if my query is right for what I am trying to achieve. What is the best way to achieve this?

It would be nice to be able to deploy this solution on top of existing buckets, where the bucket-name as a parameter would drive the logical switch to create a new or use existing.

Is it possible to set this up to suppress the "partitioned_parquet" table at launch? I don't believe that I will be querying that table as what I need is in the "partitioned_gz" table.

Thank you for your help.

The access logs bucket does not pass these checks:
[S3.4] S3 buckets should have server-side encryption enabled
[S3.5] S3 buckets should require requests to use Secure Socket Layer

Would be good to see custom resource tags for cost tracking added in this template. What do you think?

What is the best way to upgrade to the latest version? I originally deployed it using the deploy button in the readme but I'd like to upgrade to the node18 version without losing any data.

I have multiple CloudFront distributions that I would like to use this for and would like to avoid having many Root S3 Buckets.

Is is possible to change a parameter so that all CloudFront logs went to a given bucket, like for example a root bucket named "cf-logs". Is it possible to make this change using the Management Console so that "cf-logs" is the root bucket and "myapp1" is a folder inside that bucket? For example:

/cf-logs/myapp1

I attempted to make this change by manipulating the template.yaml file on the following lines:

6 Instances of:
arn:${AWS::Partition}:s3:::${ResourcePrefix}-${AWS::AccountId}-cf-access-logs

2 instances of:
s3://${ResourcePrefix}-${AWS::AccountId}-cf-access-logs/athena-query-results

and 1 instance of:
BucketName: !Sub "${ResourcePrefix}-${AWS::AccountId}-cf-access-logs"

But unfortunately I'm getting errors when I make these changes.

Is there a way to do this using the Management Console so that I can have the log files go underneath a root bucket?

Thank you for your assistance. This repo is really great and does exactly what I need it to!

I created 2 cloudformation stacks for this a few years ago, and the schema fields that represent multiple words like requestip and hostheader are single words as typed here.

In December 2019, the fields were updated to use snake_case to conform to AWS Cloudfront specs:
c76192a

I created a 3rd stack for new product sites after this, and the schemas don't match. I have a service that runs queries to find bot crawl numbers, and I'm going to have to come up a way to construct the WHERE clauses to differ based on which database is accessed.

Is there a way to safely modify the older 2 stacks to the new snake_case field names?

Since the access log files are delivered to S3 asynchronously, a log file E271AZ5HG504X.2022-01-20-07.2bd0b06.gz may contents access log starts from 2022-01-20 08:00:00. If the log file is moved to partition year=2022/month=01/day=20/hour=07, is it possible that a sql with where clause where year='2022' and month='01' and day='20' and hour='08' may lost this part of data?

I set this up by launching the Stack as described.

When I look at the S3 buckets, comparing the Old CloudFront log files to the New CloudFront log files they look the same. What I mean by "look the same" is that they both are in the format: distribution-ID.YYYY-MM-DD-HH.unique-ID.gz

But when I look at the log streams going into CloudWatch I see this format:
2020/10/12/7063690b6a7f417293f736568409fc3e

In Lambda I noticed that "MoveNewAccessLogsFn" is not working. Below is an error I get when I attempt to test:

START RequestId: c16a8df6-2390-4533-aeb9-53e364cf3b1a Version: $LATEST
2020-10-12T22:00:20.488Z c16a8df6-2390-4533-aeb9-53e364cf3b1a ERROR Invoke Error {"errorType":"TypeError","errorMessage":"Cannot read property 'map' of undefined","stack":["TypeError: Cannot read property 'map' of undefined"," at Runtime.exports.handler (/var/task/moveAccessLogs.js:18:31)"," at Runtime.handleOnce (/var/runtime/Runtime.js:66:25)"]}
END RequestId: c16a8df6-2390-4533-aeb9-53e364cf3b1a
REPORT RequestId: c16a8df6-2390-4533-aeb9-53e364cf3b1a Duration: 39.03 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 83 MB Init Duration: 618.96 ms

Am I missing some permissions somewhere? How come I'm not seeing the log files in a year-month-day in S3?

Thanks in advance for your help.