fix(logs): Cannot set log removalPolicy: destroy to more than one LogRetention resources #22755

Merged: 8 commits, Dec 5, 2022

@tmokmss tmokmss commented Nov 3, 2022

Currently the IAM policy for the LogRetention custom resource Lambda function is set only when it is initialized. Because that Lambda function is a singleton function, it is only initialized once and therefore the IAM policy to remove log groups is not configured properly.

e.g. given we create two LogRetention resources with removalPolicy: destroy, the resulting IAM policy has only a statement for log group group1.

    new LogRetention(stack, 'MyLambda1', {
      logGroupName: 'group1',
      retention: RetentionDays.ONE_DAY,
      removalPolicy: cdk.RemovalPolicy.DESTROY,
    });

    new LogRetention(stack, 'MyLambda2', {
      logGroupName: 'group2',
      retention: RetentionDays.ONE_DAY,
      removalPolicy: cdk.RemovalPolicy.DESTROY,
    });

Also, I removed the logs:DeleteLogStream allow statement because I confirmed it is not required to remove a log group.


All Submissions:

Adding new Unconventional Dependencies:

  • This PR adds new unconventional dependencies following the process described here

New Features

  • Have you added the new feature to an integration test?
    • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
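
Added example, not part of this PR or of aws-cdk: a small TypeScript model of the behaviour described above, where a grant made only at singleton creation covers `group1` alone, plus an audit that lists destroy-marked log groups with no `logs:DeleteLogGroup` allowance. `ProviderModel`, `synthesize`, `missingDeleteGrants`, the per-resource mode and the ARN values are assumptions made for illustration.

```typescript
// Added illustration, not aws-cdk code. All names below are hypothetical.
type Statement = { Effect: "Allow" | "Deny"; Action: string[]; Resource: string[] };

// Stand-in for the singleton provider function shared by every LogRetention.
class ProviderModel {
  readonly statements: Statement[] = [];
  grantDelete(logGroupName: string): void {
    this.statements.push({
      Effect: "Allow",
      Action: ["logs:DeleteLogGroup"],
      // Constructed ARN shape; region and account ID are placeholders.
      Resource: [`arn:aws:logs:us-east-1:111122223333:log-group:${logGroupName}:*`],
    });
  }
}

// grantPerResource=false models the reported behaviour: the grant happens only
// when the singleton is first created. true grants for every resource (assumed fix).
function synthesize(groups: string[], grantPerResource: boolean): Statement[] {
  let provider: ProviderModel | undefined;
  for (const name of groups) {
    if (!provider) {
      provider = new ProviderModel();
      if (!grantPerResource) provider.grantDelete(name);
    }
    if (grantPerResource) provider.grantDelete(name);
  }
  return provider ? provider.statements : [];
}

// Audit: log groups marked for destroy that no Allow statement covers.
// Matches exact names only; IAM wildcards in Resource are not evaluated.
function missingDeleteGrants(groups: string[], policy: Statement[]): string[] {
  const covered = (name: string): boolean =>
    policy.some(
      (s) =>
        s.Effect === "Allow" &&
        s.Action.indexOf("logs:DeleteLogGroup") >= 0 &&
        s.Resource.some((r) => r.split(":log-group:")[1] === `${name}:*`),
    );
  return groups.filter((g) => !covered(g));
}

const destroyGroups = ["group1", "group2"]; // names from the PR description
console.log(missingDeleteGrants(destroyGroups, synthesize(destroyGroups, false)));
console.log(missingDeleteGrants(destroyGroups, synthesize(destroyGroups, true)));
```

Running the same audit over the statements of a synthesized template in CI would catch a destroy-marked log group that the provider role cannot delete before deployment.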

@github-actions github-actions bot added the p2 label Nov 3, 2022
@aws-cdk-automation aws-cdk-automation requested a review from a team November 3, 2022 02:57
@github-actions github-actions bot added the valued-contributor [Pilot] contributed between 6-12 PRs to the CDK label Nov 3, 2022

@aws-cdk-automation aws-cdk-automation left a comment

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

@TheRealAmazonKendra TheRealAmazonKendra self-assigned this Nov 3, 2022
@aws-cdk-automation aws-cdk-automation dismissed their stale review November 3, 2022 03:18

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.


@kaizencc kaizencc left a comment

Hi @tmokmss! I have a few minor nits but otherwise this looks good.

packages/@aws-cdk/aws-logs/lib/log-retention.ts (outdated)
packages/@aws-cdk/aws-logs/test/log-retention.test.ts (outdated)
packages/@aws-cdk/aws-logs/test/log-retention.test.ts (outdated)
@mergify mergify bot dismissed kaizencc’s stale review December 3, 2022 15:19

Pull request has been modified.


tmokmss commented Dec 3, 2022

Hi @kaizencc, thank you for the review! I addressed all of your comments :)

@kaizencc kaizencc added p1 and removed p2 labels Dec 5, 2022
kaizencc previously approved these changes Dec 5, 2022

@kaizencc kaizencc left a comment

Thanks @tmokmss!


mergify bot commented Dec 5, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).


kaizencc commented Dec 5, 2022

@Mergifyio refresh


mergify bot commented Dec 5, 2022

refresh

✅ Pull request refreshed

@mergify mergify bot dismissed kaizencc’s stale review December 5, 2022 21:44

Pull request has been modified.

@aws-cdk-automation

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 46c3204
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit fee2fa2 into aws:main Dec 5, 2022
@tmokmss tmokmss deleted the fix_log_retention branch December 6, 2022 00:56
brennanho pushed a commit to brennanho/aws-cdk that referenced this pull request Dec 9, 2022
…ogRetention resources (aws#22755)

brennanho pushed a commit to brennanho/aws-cdk that referenced this pull request Jan 20, 2023
…ogRetention resources (aws#22755)

brennanho pushed a commit to brennanho/aws-cdk that referenced this pull request Feb 22, 2023
…ogRetention resources (aws#22755)
