aws-events-target: support adding CloudWatchLogGroup rule target without creation of new Resource Policy #31404

Open
1 of 2 tasks
gwaltneyluke opened this issue Sep 11, 2024 · 3 comments · May be fixed by #32242
Labels
@aws-cdk/aws-events-targets effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@gwaltneyluke

Describe the feature

The user should be able to override the creation of a new CloudWatch Log Resource Policy when defining a Log Group as the target of an EventBridge rule.

Use Case

When a CloudWatch LogGroup is defined as the target of an EventBridge rule, CDK creates a CloudWatch Log Resource Policy in order to allow EventBridge to write events to CloudWatch. Since there is a hard limit of 10 CloudWatch Log Resource Policies per account per region, this is limiting the number of EventBridge rules that can be logged to CloudWatch, especially considering one Resource Policy should be able to dictate access to EventBridge to write to several Log Groups.

Consider the following policies that were created by CDK:

{
    "policyName": "mycdkappEventsLogGroupPolicymycdkappRule1D26B095CB8287BF4",
    "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"events.amazonaws.com\"},\"Action\":[\"logs:PutLogEvents\",\"logs:CreateLogStream\"],\"Resource\":\"arn:aws:logs:us-east-1:*:log-group:/aws/events/rule-1-messages:*\"}]}",
    "lastUpdatedTime": 1725997880957
},
{
    "policyName": "mycdkappEventsLogGroupPolicymycdkappRule278393ACD2E613614",
    "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"events.amazonaws.com\"},\"Action\":[\"logs:PutLogEvents\",\"logs:CreateLogStream\"],\"Resource\":\"arn:aws:logs:us-east-1:*:log-group:/aws/events/rule-2-messages:*\"}]}",
    "lastUpdatedTime": 1725997881143
},
{
    "policyName": "mycdkappEventsLogGroupPolicymycdkappRule35B273849B4FB4310",
    "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"events.amazonaws.com\"},\"Action\":[\"logs:PutLogEvents\",\"logs:CreateLogStream\"],\"Resource\":\"arn:aws:logs:us-east-1:*:log-group:/aws/events/rule-3-messages:*\"}]}",
    "lastUpdatedTime": 1725997880890
}

These three CloudWatch Logs Resource Policies can be simplified and replaced by just one policy:

{
    "policyName": "TrustEventsToStoreLogEvents",
    "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"TrustEventsToStoreLogEvent\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"delivery.logs.amazonaws.com\",\"events.amazonaws.com\"]},\"Action\":[\"logs:CreateLogStream\",\"logs:PutLogEvents\"],\"Resource\":\"arn:aws:logs:us-east-1:*:log-group:/aws/events/*:*\"}]}",
    "lastUpdatedTime": 1721857860333
}

Proposed Solution

A property could be added to the LogGroupProps interface (below) which allows the consumer to opt out of the Resource Policy creation.

export interface LogGroupProps extends TargetBaseProps {
  /**
   * The event to send to the CloudWatch LogGroup
   *
   * This will be the event logged into the CloudWatch LogGroup
   *
   * @default - the entire EventBridge event
   * @deprecated use logEvent instead
   */
  readonly event?: events.RuleTargetInput;
  /**
   * The event to send to the CloudWatch LogGroup
   *
   * This will be the event logged into the CloudWatch LogGroup
   *
   * @default - the entire EventBridge event
   */
  readonly logEvent?: LogGroupTargetInput;
  /**
   * Whether the custom resource created will default to
   * install latest AWS SDK
   *
   * @default - install latest AWS SDK
   */
  readonly installLatestAwsSdk?: boolean;
}

Then in the if statement (below) which checks for the existence of the Resource Policy CDK is trying to create, a condition could be added to that check to see whether the new property is true or false.

if (!this.logGroup.node.tryFindChild(resourcePolicyId)) {
  new LogGroupResourcePolicy(logGroupStack, resourcePolicyId, {
    installLatestAwsSdk: this.props.installLatestAwsSdk,
    policyStatements: [new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: ['logs:PutLogEvents', 'logs:CreateLogStream'],
      resources: [this.logGroup.logGroupArn],
      principals: [new iam.ServicePrincipal('events.amazonaws.com')],
    })],
  });
}

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.157.0

Environment details (OS name and version, etc.)

macOS Ventura 13.4 (Intel processor)
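An added example, not part of the issue or of the CDK code base: it merges per-rule policies like the three shown in the issue into one policy that lists the exact log-group ARNs, and compares that with the `/aws/events/*` wildcard, which also covers log groups no rule targets. The helper names `consolidate` and `covers`, the sample policy names and the account ID are assumptions made for illustration; the 5120-character limit is the `policyDocument` length constraint of `PutResourcePolicy`.

```typescript
// Added example: helper names and sample values are hypothetical, not CDK APIs.
interface Statement { Effect: string; Principal: { Service: string | string[] }; Action: string[]; Resource: string | string[] }
interface ResourcePolicy { policyName: string; policyDocument: string }

const MAX_POLICY_CHARS = 5120; // PutResourcePolicy policyDocument length limit
const asArray = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);
const addUnique = (list: string[], v: string): void => { if (list.indexOf(v) < 0) list.push(v); };

// Merge every Allow statement for events.amazonaws.com into ONE statement that
// lists the exact log-group ARNs, instead of widening to a path wildcard.
function consolidate(policies: ResourcePolicy[]) {
  const resources: string[] = [];
  const actions: string[] = [];
  for (const p of policies) {
    const doc = JSON.parse(p.policyDocument) as { Statement: Statement[] };
    for (const s of doc.Statement) {
      const services = asArray(s.Principal.Service);
      if (s.Effect !== 'Allow' || services.indexOf('events.amazonaws.com') < 0) continue;
      asArray(s.Resource).forEach((r) => addUnique(resources, r));
      s.Action.forEach((a) => addUnique(actions, a));
    }
  }
  resources.sort();
  actions.sort();
  const document = JSON.stringify({
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Principal: { Service: 'events.amazonaws.com' }, Action: actions, Resource: resources }],
  });
  return { document, resources, fits: document.length <= MAX_POLICY_CHARS };
}

// Policy-style match: '*' stands for any run of characters.
function covers(pattern: string, arn: string): boolean {
  const body = pattern.split('*').map((s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&')).join('.*');
  return new RegExp('^' + body + '$').test(arn);
}

// Constructed input mirroring the three CDK-generated policies in the issue.
const sample: ResourcePolicy[] = [1, 2, 3].map((n) => ({
  policyName: `constructed-rule-${n}-policy`,
  policyDocument: JSON.stringify({ Version: '2012-10-17', Statement: [{ Effect: 'Allow',
    Principal: { Service: 'events.amazonaws.com' }, Action: ['logs:PutLogEvents', 'logs:CreateLogStream'],
    Resource: `arn:aws:logs:us-east-1:*:log-group:/aws/events/rule-${n}-messages:*` }] }),
}));
const merged = consolidate(sample);
const WILDCARD = 'arn:aws:logs:us-east-1:*:log-group:/aws/events/*:*'; // resource of the single policy in the issue
const UNRELATED = 'arn:aws:logs:us-east-1:111122223333:log-group:/aws/events/unrelated-app:*'; // constructed
console.log(merged.fits, merged.resources.length, covers(WILDCARD, UNRELATED), covers(merged.resources[0], UNRELATED));
```

The merged document uses one of the 10 policy slots while granting `events.amazonaws.com` nothing beyond the three original log groups; `fits` turns false once the ARN list outgrows the document size limit.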

@gwaltneyluke gwaltneyluke added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Sep 11, 2024
@gwaltneyluke gwaltneyluke changed the title from "aws-events-target: support adding CloudwatchLogGroup rule target without creation of new Resource Policy" to "aws-events-target: support adding CloudWatchLogGroup rule target without creation of new Resource Policy" Sep 11, 2024
@ashishdhingra ashishdhingra self-assigned this Sep 11, 2024
@ashishdhingra ashishdhingra added p2 investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 11, 2024
@rogerchi
Contributor

Just ran into this today as well.

@frankpengau
Contributor

frankpengau commented Sep 13, 2024

I think @TheRealAmazonKendra might be looking into issues surrounding that, based off my issue raised from last time.

Ref: #30428

@ashishdhingra ashishdhingra added effort/medium Medium work item – several days of effort and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Sep 13, 2024
@ashishdhingra
Contributor

> I think @TheRealAmazonKendra might be looking into issues surrounding that, based off my issue raised from last time.
>
> Ref: #30428

@frankpengau Thanks for the reference. CloudWatch Logs quotas also specifies "Up to 10 CloudWatch Logs resource policies per Region per account. This quota can't be changed."
