feat(lambda): avail function log group in the CDK #5878
Conversation
The lambda function's log group is now available for use in the CDK app so it can be used further to create subscription filters, metric filters, etc. or in any other way that a regular log group may be used. The implementation uses an underlying CustomResource to guarantee the existence of this log group as part of the CloudFormation stack. A new property called `exposeLogGroup` to enable this, so that existing stacks that have a Lambda function don't change significantly by automatically getting this CustomResource, as well as, users who are not interested in this log group can opt out. closes #3838
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
There was a problem hiding this comment.
Two notes:
- Feels like there is something we can do to lazily create the
LogRetentionin caselogGroupis accessed instead of "polluting" the API withexposeLogGroup, which feels a bit hacky. - What was the rational for implementing
ILogGroupbyLogRetentioninstead of justlogs.LogGroup.fromLogGroupArn(). Feels like it would have saved a lot code duplication from the logs module.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
You are correct. That is simpler. I was struggling a bit to get that right. Turns out the solution is quite nifty.
I was hoping to give more power to the user to control this, but you're right. Switched this around. |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
@rix0rrr - done! |
| const logretention = new LogRetention(this, 'LogRetention', { | ||
| logGroupName: `/aws/lambda/${this.functionName}`, | ||
| retention: logs.RetentionDays.INFINITE, | ||
| }); |
There was a problem hiding this comment.
Do we even need this? Can't we just fromAttributes the LogGroup?
I feel like setting INFINITE retention here may not be the right thing to do... People may have manually changed the retention to something else before they went through this code path, and they probably don't expect you'll be resetting it to Expire: NEVER when they just access the logGroup property...
Now obviously, you could have the problem that the LogGroup will not exist in the service before the function has been invoked at least once (if you don't create it yourself)... In such case, it'd be better to have a custom handler that just creates the log group if missing, but leaves the configured retention if it already exists...
There was a problem hiding this comment.
Do we even need this? Can't we just fromAttributes the LogGroup?
We need it because the log group might not exist. Take a look at LogRetention if you haven't already and you'll get the idea.
Now obviously, you could have the problem that the LogGroup will not exist in the service before the function has been invoked at least once (if you don't create it yourself)... In such case, it'd be better to have a custom handler that just creates the log group if missing, but leaves the configured retention if it already exists...
LogRetention does exactly that.
they probably don't expect you'll be resetting it to Expire: NEVER when they just access the logGroup property...
Good point. Let me look into that.
There was a problem hiding this comment.
they probably don't expect you'll be resetting it to Expire: NEVER when they just access the logGroup property...
Good point. Let me look into that.
Wait a second. They shouldn't have set the retention policy of the function out of band; they should use the logRetention property here. If they did set it out of band, it's expected that a stack deployment may reset it, right?
There was a problem hiding this comment.
That's not what Vanilla CloudFormation would do for you... I don't have a problem if you'll be resetting aggressively and consider you have to change it through here, but this should be mentioned in the documentation at the very least!
There was a problem hiding this comment.
Maybe the correct solution is to make the retention property optional and have the custom resource do nothing if the property is unset and the group already exists?
On the other hand, I don't think this is going to come up a lot. Who really precreates Lambda Function Log Groups AND subsequently uses CDK to manage their Lambdas? With generated names? Plus, the reset will only happen on the first deployment, because afterwards none of the resource properties will have changed so CFN is never going to touch this custom resource ever again.
There was a problem hiding this comment.
My concern is more towards the fact that a getter should be side-effects free, as it's only observing state. There are possible side-effects here, which isn't something you'd expect (and hence check for).
If your lambda logs stuff out that you are not allowed to keep for longer than X for some reason... You may suddenly be in violation of law without knowing it...
An alternative way to go here would be to always create a (regular) LogGroup, and use an auto-generated physical name (instead of ever leaving it out to CloudFormation to decide).
There was a problem hiding this comment.
An alternative way to go here would be to always create a (regular) LogGroup, and use an auto-generated physical name (instead of ever leaving it out to CloudFormation to decide).
I'm not sure I follow your alternative here.
However, reminding you that the lambda service decides that the log group must be /aws/lambda/<function-name> and we have no control over it.
If your lambda logs stuff out that you are not allowed to keep for longer than X for some reason... You may suddenly be in violation of law without knowing it...
You're right, but if you need to comply with the law, you should be setting the logRetention property which will do the correct thing for you. By not managing an AWS resource that is regulated lawfully in you IaaC is already bad.
However, your philosophical point is well taken.
I've updated the README with more documentation on this. Does that satisfy, or do you feel strongly that I change the logic?
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request is now being automatically merged. |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request is now being automatically merged. |
Commit Message
The lambda function's log group is now available for use in the CDK app
so it can be used further to create subscription filters, metric
filters, etc. or in any other way that a regular log group may be used.
The implementation uses an underlying CustomResource to guarantee the
existence of this log group as part of the CloudFormation stack.
However, the custom resource is only created either when the
logRetentionproperty is set or whenlogGroupgetter is called. Thisprevents existing stacks that use Lambda function to get the custom
resource and can be opted into.
closes #3838
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license