custom resources: Generated step function generates finding due to missing logging #27283
Comments
Yes we should add logging here by default unless disabled. aws-cdk/packages/aws-cdk-lib/custom-resources/lib/provider-framework/waiter-state-machine.ts Lines 80 to 83 in 1fd22a7

Before it is supported, you can work around it with

```typescript
import { CfnResource } from 'aws-cdk-lib';
import { LogGroup } from 'aws-cdk-lib/aws-logs';
import * as cr from 'aws-cdk-lib/custom-resources';
import { Construct } from 'constructs';

const provider = new cr.Provider(this, 'Provider', {
  onEventHandler,
  isCompleteHandler,
});
const logGroup = new LogGroup(this, 'LogGroup');
// The Provider creates the waiter state machine as a child construct with this id.
const waiterStateMachine = provider.node.tryFindChild('waiter-state-machine') as Construct;
// Its underlying CloudFormation resource is the default child named 'Resource'.
const cfnStateMachine = waiterStateMachine.node.tryFindChild('Resource') as CfnResource;
// Escape hatch: set the LoggingConfiguration the construct does not expose.
// Level defaults to OFF, so it must be set for logging to actually happen.
cfnStateMachine.addPropertyOverride('LoggingConfiguration', {
  Level: 'ALL',
  Destinations: [{
    CloudWatchLogsLogGroup: {
      LogGroupArn: logGroup.logGroupArn,
    },
  }],
});
```
… in CompleteHandler (#28706)

This PR fixes the case where the `StateMachine` generated for `CompleteHandler` in `Provider` cannot set logging.

The default log group name of the state machine automatically created by the `Provider` with `isCompleteHandler` should start with `/aws/vendedlogs/states`. Otherwise, each time the state machine is created, the log resource policy size increases.
https://docs.aws.amazon.com/step-functions/latest/dg/bp-cwl.html

Closes #27283
Fixes #28577 #28744
Related PR #27310 (reverted by #28699), #28587

----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Describe the bug
When a custom resource built with the provider framework has an isCompleteHandler function, it generates an AWS Step Functions state machine that polls for completion with a configured interval and total timeout.
This generated state machine, however, has no logging configuration, which causes the StepFunctions.1 rule from the AWS Foundational Security Best Practices (FSBP) standard to be triggered.
This is due to the missing logging configuration. The provider construct also does not provide any option to configure this logging.
Expected Behavior
The provider construct adds logging by default following the foundational best practice and/or allows this to be configured.
Current Behavior
The provider construct does not add a logging configuration to the step function, nor does it allow it to be configured through construct props.
Reproduction Steps
1. Enable the StepFunctions.1 rule.
2. Create a stack with a custom resource that has both an onEventHandler and an isCompleteHandler, to trigger generation of the state machine.
3. Deploy the generated template.
4. This template should trigger the rule due to the missing logging configuration.
Possible Solution
Additional Information/Context
No response
CDK CLI Version
2.96.0
Framework Version
No response
Node.js Version
18
OS
Ubuntu 20.04
Language
Typescript
Language Version
No response
Other information
No response
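Added example, not code from the issue, the PR or aws-cdk: a check over a synthesized CloudFormation template that flags what the reproduction steps expect StepFunctions.1 to flag (a state machine with no effective logging) and, following the caveat in the fix PR, also reports log destinations whose log group name is not under `/aws/vendedlogs/`. The template and logical IDs below are constructed for the example.

```typescript
// Added example (not from the issue or aws-cdk): mirrors what StepFunctions.1 flags in a synthesized template.
type CfnResourceJson = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, CfnResourceJson> };
interface Finding { logicalId: string; reason: string }

// Resolve a LogGroupArn written as {"Fn::GetAtt": [logicalId, "Arn"]} to the LogGroupName declared in the same template.
function logGroupNameFor(arn: any, t: Template): string | undefined {
  const ref = arn?.['Fn::GetAtt']?.[0];
  return typeof ref === 'string' ? t.Resources[ref]?.Properties?.LogGroupName : undefined;
}

function checkStateMachineLogging(t: Template): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(t.Resources)) {
    if (res.Type !== 'AWS::StepFunctions::StateMachine') continue;
    const cfg = res.Properties?.LoggingConfiguration;
    // CloudFormation defaults Level to OFF, so a missing Level means no logging.
    if (!cfg || !cfg.Level || cfg.Level === 'OFF') {
      findings.push({ logicalId, reason: 'logging is not enabled (StepFunctions.1)' });
      continue;
    }
    // Caveat from the fix PR: destinations outside /aws/vendedlogs/ grow the logs resource policy per state machine.
    for (const dest of cfg.Destinations ?? []) {
      const name = logGroupNameFor(dest?.CloudWatchLogsLogGroup?.LogGroupArn, t);
      if (name !== undefined && !name.startsWith('/aws/vendedlogs/')) {
        findings.push({ logicalId, reason: `log group ${name} is not under /aws/vendedlogs/` });
      }
    }
  }
  return findings;
}

// Constructed sample: the waiter state machine as the Provider emits it (no LoggingConfiguration)
// next to one whose logging is wired to a vended-logs log group.
const sampleTemplate: Template = {
  Resources: {
    WaiterLogGroup: { Type: 'AWS::Logs::LogGroup', Properties: { LogGroupName: '/aws/vendedlogs/states/waiter' } },
    WaiterStateMachine: { Type: 'AWS::StepFunctions::StateMachine', Properties: { DefinitionString: '{}' } },
    FixedStateMachine: {
      Type: 'AWS::StepFunctions::StateMachine',
      Properties: {
        DefinitionString: '{}',
        LoggingConfiguration: {
          Level: 'ALL',
          Destinations: [{ CloudWatchLogsLogGroup: { LogGroupArn: { 'Fn::GetAtt': ['WaiterLogGroup', 'Arn'] } } }],
        },
      },
    },
  },
};
```

Run it against the output of `cdk synth` (the template JSON under `cdk.out`) to catch the finding before the stack is deployed and Security Hub reports it.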