feat(events-targets): add toggle to opt out of resource policy creation for targeted log group #32242
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
effort/medium
github-actions
bot
added
the
beginning-contributor
aws-cdk-automation
previously requested changes
Nov 22, 2024
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
aws-cdk-automation
added
the
pr/needs-community-review
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue # (if applicable)
Closes #31404.
Reason for this change
When a CloudWatch LogGroup is set as the target of an EventBridge rule, a custom resource creates a Log Resource Policy to establish trust so that EventBridge can write messages to CloudWatch. However, there is a strict limit of 10 CloudWatch Log Resource Policies per account per region. This therefore limits the amount of EventBridge rules an account can have writing to CloudWatch.
Description of changes
The optional property
createLogGroupResourcePolicyhas been added to theLogGroupPropsinterface. When omitted or set totrue, the Resource Policy is created just as the functionality exists today. When set tofalse, the Resource Policy is not created. The trust between EventBridge and CloudWatch must be established manually.Description of how you validated changes
Unit tests have been added and are passing. Existing integration tests are passing.
Code was also linked to an existing project, where the new property was toggled on and off. When on, the CloudWatch LogGroup Resource Policy was created, and messages sent to EventBridge were making it to the LogGroup. When off, the CloudWatch LogGroup Resource Policy was NOT created, but a custom Resource Policy still allowed messages sent to the EventBridge to end up in the LogGroup.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license