Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

lambda: apply data protection policy to generated log group #27598

Closed
2 tasks done
tactactactactac opened this issue Oct 18, 2023 · 2 comments
Closed
2 tasks done

lambda: apply data protection policy to generated log group #27598

tactactactactac opened this issue Oct 18, 2023 · 2 comments
Labels
@aws-cdk/aws-lambda Related to AWS Lambda closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@tactactactactac
Copy link

Describe the feature

Currently there is no idiomatic way to apply a data protection policy to a log group that is automatically generated for a lambda.

It can be done but the solution is hacky -> by creating a log group with the assumed name that the lambda will use before the lambda creates the group. The lambda will then "Adopt" the log group you've made manually.

I believe it would be best if data protection policies can be applied to lambda generated log groups out-of-the-box.

Use Case

I am attempting to create a data protection policy for my CDK applicatio, but it is not easy to apply a data protection policy to log groups generated by lambda.

If this feature was implemented it would be very easy and natural to apply a data protection policy to a log group generated by a lambda.

Proposed Solution

I don't exactly know why this feature does not already exist but my assumption is the lambda life-cycles do not allow it normally.

My proposed solution is that when you're configuring a new lambda with a log group you can just apply a data protection policy to the configuration.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.87.0

Environment details (OS name and version, etc.)

Mac, 13.5.2 (22G91)
@tactactactactac tactactactactac added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Oct 18, 2023
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Oct 18, 2023
@tactactactactac tactactactactac changed the title lambda: automatically apply data protection policy to generated log group lambda: apply data protection policy to generated log group Oct 18, 2023
@pahud
Copy link
Contributor

pahud commented Oct 20, 2023

I think it's possible. Can you share more about your data protection policy to log groups?

https://github.com/aws/aws-cdk/tree/main/packages/aws-cdk-lib/aws-lambda#log-group

aws-cdk/packages/aws-cdk-lib/aws-lambda/lib/function.ts

Lines 1091 to 1110 in 93904e8

/**
* The LogGroup where the Lambda function's logs are made available.
*
* If either `logRetention` is set or this property is called, a CloudFormation custom resource is added to the stack that
* pre-creates the log group as part of the stack deployment, if it already doesn't exist, and sets the correct log retention
* period (never expire, by default).
*
* Further, if the log group already exists and the `logRetention` is not set, the custom resource will reset the log retention
* to never expire even if it was configured with a different value.
*/
public get logGroup(): logs.ILogGroup {
if (!this._logGroup) {
const logRetention = new logs.LogRetention(this, 'LogRetention', {
logGroupName: `/aws/lambda/${this.functionName}`,
retention: logs.RetentionDays.INFINITE,
});
this._logGroup = logs.LogGroup.fromLogGroupArn(this, `${this.node.id}-LogGroup`, logRetention.logGroupArn);
}
return this._logGroup;
}

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Oct 20, 2023
@github-actions
Copy link

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Oct 22, 2023
@github-actions github-actions bot mentioned this issue Nov 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-lambda Related to AWS Lambda closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pahud @tactactactactac