aws_logs.DataProtectionPolicy: policy keywords start with lower case and that's why they are not visible under the AWS web console #33408

Closed
raveenplgithub opened this issue Feb 12, 2025 · 3 comments · Fixed by #33462
Labels: @aws-cdk/aws-logs (Related to Amazon CloudWatch Logs), bug (This issue is a bug.), effort/small (Small work item – less than a day of effort), p1

Comments

@raveenplgithub

Describe the bug

The policy created by AWS CDK is not visible under the "Log group custom data identifier" section. When I manually modify the policy in the web console so that every keyword starts with an upper-case letter, it becomes visible.

Below is the code I use to create a log group with a data protection policy enabled:

        # Assumes `from aws_cdk import aws_logs` and that `retention` and
        # `_resource_suffix` are defined elsewhere in the stack.
        data_protection_policy = aws_logs.DataProtectionPolicy(
            name="data_protection_policy",
            identifiers=[
                # Custom data identifiers: (name, regex). Each regex string
                # must be a properly terminated Python string literal.
                aws_logs.CustomDataIdentifier(
                    "A",
                    '"A*',
                ),
                aws_logs.CustomDataIdentifier(
                    "B",
                    '"B*',
                ),
                aws_logs.CustomDataIdentifier(
                    "C",
                    '"C*',
                ),
            ],
        )
        log_group = aws_logs.LogGroup(
            self,
            "somegroupname",
            log_group_name=_resource_suffix,
            retention=retention,
            data_protection_policy=data_protection_policy,
        )

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

Policy should be visible on the web console.

Current Behavior

Policy is not visible on the web console.

Reproduction Steps

See description.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.167.1

Framework Version

No response

Node.js Version

20.13.1

OS

Ubuntu

Language

Python

Language Version

No response

Other information

No response

@raveenplgithub raveenplgithub added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 12, 2025
@github-actions github-actions bot added the @aws-cdk/aws-logs Related to Amazon CloudWatch Logs label Feb 12, 2025
@raveenplgithub raveenplgithub changed the title aws_logs.DataProtectionPolicy: policy keywords starts with lower case and are not visible under aws web console aws_logs.DataProtectionPolicy: policy keywords start with lower case and that's why are not visible under aws web console Feb 12, 2025
@ashishdhingra ashishdhingra self-assigned this Feb 12, 2025
@ashishdhingra ashishdhingra added p2 needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Feb 12, 2025
@ashishdhingra
Contributor

Reproducible using the CDK code below:

import * as cdk from 'aws-cdk-lib';
import * as logs from 'aws-cdk-lib/aws-logs';

export class CdktestStackNew extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const logGroupDestination = new logs.LogGroup(this, 'LogGroupLambdaAudit', {
      logGroupName: 'auditDestinationForCDK',
    });
    
    const dataProtectionPolicy = new logs.DataProtectionPolicy({
      name: 'data_protection_policy',
      description: 'policy description',
      identifiers: [
        new logs.CustomDataIdentifier('A', '"A*'),
        new logs.CustomDataIdentifier('B', '"B*'),
        new logs.CustomDataIdentifier('C', '"C*'),
        new logs.CustomDataIdentifier('EmployeeId', 'EmployeeId-\\d{9}')],
      logGroupAuditDestination: logGroupDestination,
    });
    
    new logs.LogGroup(this, 'LogGroupLambda', {
      logGroupName: 'cdkIntegLogGroup',
      dataProtectionPolicy: dataProtectionPolicy,
    });
  }
}

This synthesizes into the CloudFormation template below:

Resources:
  LogGroupLambdaAuditF8F47F46:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: auditDestinationForCDK
      RetentionInDays: 731
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: CdktestStackNew/LogGroupLambdaAudit/Resource
  LogGroupLambdaAC756C5B:
    Type: AWS::Logs::LogGroup
    Properties:
      DataProtectionPolicy:
        name: data_protection_policy
        description: policy description
        version: "2021-06-01"
        configuration:
          customDataIdentifier:
            - name: A
              regex: '"A*'
            - name: B
              regex: '"B*'
            - name: C
              regex: '"C*'
            - name: EmployeeId
              regex: EmployeeId-\d{9}
        statement:
          - sid: audit-statement-cdk
            dataIdentifier:
              - A
              - B
              - C
              - EmployeeId
            operation:
              audit:
                findingsDestination:
                  cloudWatchLogs:
                    logGroup:
                      Ref: LogGroupLambdaAuditF8F47F46
          - sid: redact-statement-cdk
            dataIdentifier:
              - A
              - B
              - C
              - EmployeeId
            operation:
              deidentify:
                maskConfig: {}
      LogGroupName: cdkIntegLogGroup
      RetentionInDays: 731
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: CdktestStackNew/LogGroupLambda/Resource
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/zPSMzS30DNUTCwv1k1OydbNyUzSqw4uSUzO1kksL47PyU8v1qv2yU93L8ovLdBxTsuDsWtrdfLyU1L1sor1ywwt9IwM9EwUs4ozM3WLSvNKMnNT9YIgNABcSxHUYQAAAA==
    Metadata:
      aws:cdk:path: CdktestStackNew/CDKMetadata/Default
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]

Deploying it using cdk deploy creates cdkIntegLogGroup with the following data protection policy:

{
  "configuration": {
    "customDataIdentifier": [
      {
        "regex": "\"A*",
        "name": "A"
      },
      {
        "regex": "\"B*",
        "name": "B"
      },
      {
        "regex": "\"C*",
        "name": "C"
      },
      {
        "regex": "EmployeeId-\\d{9}",
        "name": "EmployeeId"
      }
    ]
  },
  "name": "data_protection_policy",
  "statement": [
    {
      "dataIdentifier": [
        "A",
        "B",
        "C",
        "EmployeeId"
      ],
      "operation": {
        "audit": {
          "findingsDestination": {
            "cloudWatchLogs": {
              "logGroup": "auditDestinationForCDK"
            }
          }
        }
      },
      "sid": "audit-statement-cdk"
    },
    {
      "dataIdentifier": [
        "A",
        "B",
        "C",
        "EmployeeId"
      ],
      "operation": {
        "deidentify": {
          "maskConfig": {}
        }
      },
      "sid": "redact-statement-cdk"
    }
  ],
  "description": "policy description",
  "version": "2021-06-01"
}

If we observe the casing of the various element names, it follows camel case. This is different from what is mentioned at Understanding data protection policies, where it follows Pascal case. Manually changing to the correct casing via the AWS console makes the issue go away.

It looks like the CDK library uses incorrect casing here.

@raveenplgithub Thanks for the report. If possible, feel free to contribute a PR to fix the issue.
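
The casing mismatch described in the comment above can be caught before `cdk deploy` by checking the synthesized policy document against the documented PascalCase key names, rather than by looking for the policy in the console. The following is an added example, not code from aws-cdk or from either participant in this issue. It embeds a trimmed copy of the policy the issue shows CDK producing (camelCase keys), reports every key whose casing does not match the documented form, rewrites the document to PascalCase, and previews what the custom data identifiers would mask on a constructed log line. Assumptions: `DOCUMENTED_KEYS` lists only the keys that appear on this page, so it must be extended for policies that use other findings destinations or operations, and `preview_masking()` is a local approximation of the service's masking, not the service's own engine.

```python
"""Audit and normalize the key casing of a CloudWatch Logs data protection policy.

Added example, not from aws-cdk or this issue's participants. Runs offline on
an embedded copy of the policy this issue shows `cdk deploy` producing.
"""
import re

# PascalCase key names from the documented policy format, limited to the keys
# that appear in this issue's policy documents (assumption: extend as needed).
DOCUMENTED_KEYS = frozenset({
    "Name", "Description", "Version", "Configuration", "CustomDataIdentifier",
    "Regex", "Statement", "Sid", "DataIdentifier", "Operation", "Audit",
    "FindingsDestination", "CloudWatchLogs", "LogGroup", "Deidentify",
    "MaskConfig",
})

# Constructed sample: the policy quoted in this issue as deployed by CDK,
# trimmed to two custom identifiers. Keys are camelCase, as CDK emitted them.
CDK_POLICY = {
    "configuration": {
        "customDataIdentifier": [
            {"regex": "\"A*", "name": "A"},
            {"regex": "EmployeeId-\\d{9}", "name": "EmployeeId"},
        ]
    },
    "name": "data_protection_policy",
    "statement": [
        {
            "dataIdentifier": ["A", "EmployeeId"],
            "operation": {"audit": {"findingsDestination": {
                "cloudWatchLogs": {"logGroup": "auditDestinationForCDK"}}}},
            "sid": "audit-statement-cdk",
        },
        {
            "dataIdentifier": ["A", "EmployeeId"],
            "operation": {"deidentify": {"maskConfig": {}}},
            "sid": "redact-statement-cdk",
        },
    ],
    "description": "policy description",
    "version": "2021-06-01",
}


def pascal(key: str) -> str:
    """Upper-case the first character: camelCase -> PascalCase; PascalCase is unchanged."""
    return key[:1].upper() + key[1:]


def find_miscased_keys(doc, path="$"):
    """Walk a policy document and return (path, suggested_key) for every key
    not in DOCUMENTED_KEYS. suggested_key is None when even the PascalCase
    form is unknown, i.e. the key is not merely a casing problem."""
    problems = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            here = f"{path}.{key}"
            if key not in DOCUMENTED_KEYS:
                fixed = pascal(key)
                problems.append((here, fixed if fixed in DOCUMENTED_KEYS else None))
            problems.extend(find_miscased_keys(value, here))
    elif isinstance(doc, list):
        for i, item in enumerate(doc):
            problems.extend(find_miscased_keys(item, f"{path}[{i}]"))
    return problems


def normalize_policy(doc):
    """Return a copy of the document with every key rewritten to PascalCase.
    Values (identifier names, regexes, version string, log group names) are untouched."""
    if isinstance(doc, dict):
        return {pascal(k): normalize_policy(v) for k, v in doc.items()}
    if isinstance(doc, list):
        return [normalize_policy(item) for item in doc]
    return doc


def preview_masking(policy, line):
    """Approximate a Deidentify/MaskConfig statement locally: every span that a
    custom identifier's Regex matches is replaced by '*' of the same length.
    Assumption: this is only a preview of coverage, not the service's engine."""
    policy = normalize_policy(policy)
    masked = line
    for ident in policy["Configuration"]["CustomDataIdentifier"]:
        masked = re.sub(ident["Regex"], lambda m: "*" * len(m.group(0)), masked)
    return masked


if __name__ == "__main__":
    for where, fix in find_miscased_keys(CDK_POLICY):
        print(f"{where}: {'rename to ' + fix if fix else 'unknown key'}")
    # Constructed log line for the preview.
    print(preview_masking(CDK_POLICY, '{"user": "alice", "id": "EmployeeId-123456789"}'))
```

Run `find_miscased_keys()` over the `DataProtectionPolicy` property in the `cdk synth` output, and over the document returned by `aws logs get-data-protection-policy` after deployment, so that a policy the service accepted but does not apply as intended is caught by a check rather than by noticing an empty console section. The preview also makes visible that an identifier such as `"A*` from the reproducer matches every double-quote character in a log line (a `"` followed by zero or more `A`s), which is worth knowing before shipping it as a redaction rule.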

@ashishdhingra ashishdhingra added effort/small Small work item – less than a day of effort and removed needs-reproduction This issue needs reproduction. labels Feb 12, 2025
@ashishdhingra ashishdhingra removed their assignment Feb 12, 2025
@ashishdhingra ashishdhingra added p1 and removed p2 labels Feb 12, 2025
@mergify mergify bot closed this as completed in #33462 Feb 19, 2025
@mergify mergify bot closed this as completed in 0379878 Feb 19, 2025
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 19, 2025