From f0383d65c7cc8017c55ec9c9262d4a863bb63730 Mon Sep 17 00:00:00 2001 From: GZ Date: Wed, 6 Mar 2024 11:38:31 -0800 Subject: [PATCH] fix(events_targets): installing latest aws sdk fails in cn partition (#29374) ### Issue # (if applicable) Closes https://github.com/aws/aws-cdk/issues/29373 ### Reason for this change AWS Log Group event target by default installs the latest aws sdk for its custom resource and this would fail in `aws-cn` partition. This PR exposes the `installLatestAwsSdk` to the surface and allows users to optionally turn off `installLatestAwsSdk` for cloudwatch log events target. ### Description of changes Allow users to override the value, if unset default to true which is the same behaviour as current. ### Description of how you validated changes all tests pass. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-cdk-lib/aws-events-targets/README.md | 14 +++++++ .../lib/log-group-resource-policy.ts | 7 ++++ .../aws-events-targets/lib/log-group.ts | 9 +++++ .../test/logs/log-group.test.ts | 40 +++++++++++++++++++ 4 files changed, 70 insertions(+) diff --git a/packages/aws-cdk-lib/aws-events-targets/README.md b/packages/aws-cdk-lib/aws-events-targets/README.md index 781e257857cd4..41274bbe3b923 100644 --- a/packages/aws-cdk-lib/aws-events-targets/README.md +++ b/packages/aws-cdk-lib/aws-events-targets/README.md 
@@ -120,6 +120,20 @@ rule.addTarget(new targets.CloudWatchLogGroup(logGroup, { })); ``` +The cloudwatch log event target will create an AWS custom resource internally which will default +to set `installLatestAwsSdk` to `true`. This may be problematic for CN partition deployment. To +workaround this issue, set `installLatestAwsSdk` to `false`. + +```ts +import * as logs from 'aws-cdk-lib/aws-logs'; +declare const logGroup: logs.LogGroup; +declare const rule: events.Rule; + +rule.addTarget(new targets.CloudWatchLogGroup(logGroup, { + installLatestAwsSdk: false, +})); +``` + ## Start a CodeBuild build Use the `CodeBuildProject` target to trigger a CodeBuild project. diff --git a/packages/aws-cdk-lib/aws-events-targets/lib/log-group-resource-policy.ts b/packages/aws-cdk-lib/aws-events-targets/lib/log-group-resource-policy.ts index 85a38024b9706..710cd70b6e207 100644 --- a/packages/aws-cdk-lib/aws-events-targets/lib/log-group-resource-policy.ts +++ b/packages/aws-cdk-lib/aws-events-targets/lib/log-group-resource-policy.ts @@ -15,6 +15,12 @@ export interface LogGroupResourcePolicyProps { * The policy statements for the log group resource logs */ readonly policyStatements: [iam.PolicyStatement]; + /** + * Whether to install latest AWS SDK for the custom resource + * + * @default - install latest AWS SDK + */ + readonly installLatestAwsSdk?: boolean; } /** @@ -39,6 +45,7 @@ export class LogGroupResourcePolicy extends cr.AwsCustomResource { }, physicalResourceId: cr.PhysicalResourceId.of(id), }, + installLatestAwsSdk: props.installLatestAwsSdk, onDelete: { service: 'CloudWatchLogs', action: 'deleteResourcePolicy', diff --git a/packages/aws-cdk-lib/aws-events-targets/lib/log-group.ts b/packages/aws-cdk-lib/aws-events-targets/lib/log-group.ts index 42ad45dae5204..3f421bc31697d 100644 --- a/packages/aws-cdk-lib/aws-events-targets/lib/log-group.ts +++ b/packages/aws-cdk-lib/aws-events-targets/lib/log-group.ts 
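Review bot: The new doc comment on `LogGroupResourcePolicyProps.installLatestAwsSdk` in log-group-resource-policy.ts says only "install latest AWS SDK" and leaves out what a true value implies. As documented for `AwsCustomResource`, true makes the custom resource's Lambda download the newest SDK from npm when it runs, which needs outbound internet access and executes an unpinned package version under the function's role. I would spell that out, e.g. `Whether the custom resource Lambda installs the latest AWS SDK from npm at run time (requires internet access); when false, the SDK bundled with the Lambda runtime is used.` The same gap is in the `LogGroupProps` doc comment in log-group.ts, which also has a typo ("wll"). The interface body starts outside the hunk.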
@@ -78,6 +78,14 @@ export interface LogGroupProps extends TargetBaseProps { * @default - the entire EventBridge event */ readonly logEvent?: LogGroupTargetInput; + + /** + * Whether the custom resource created wll default to + * install latest AWS SDK + * + * @default - install latest AWS SDK + */ + readonly installLatestAwsSdk?: boolean; } /** @@ -109,6 +117,7 @@ export class CloudWatchLogGroup implements events.IRuleTarget { if (!this.logGroup.node.tryFindChild(resourcePolicyId)) { new LogGroupResourcePolicy(logGroupStack, resourcePolicyId, { + installLatestAwsSdk: this.props.installLatestAwsSdk, policyStatements: [new iam.PolicyStatement({ effect: iam.Effect.ALLOW, actions: ['logs:PutLogEvents', 'logs:CreateLogStream'], diff --git a/packages/aws-cdk-lib/aws-events-targets/test/logs/log-group.test.ts b/packages/aws-cdk-lib/aws-events-targets/test/logs/log-group.test.ts index 37021be8db1c8..f2670af087148 100644 --- a/packages/aws-cdk-lib/aws-events-targets/test/logs/log-group.test.ts +++ b/packages/aws-cdk-lib/aws-events-targets/test/logs/log-group.test.ts 
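Review bot: In the second log-group.ts hunk, `installLatestAwsSdk` is applied only inside the `if (!this.logGroup.node.tryFindChild(resourcePolicyId))` branch, so when the policy resource already exists, the value passed to a later `CloudWatchLogGroup` target is silently dropped. How `resourcePolicyId` is derived is outside the hunk, so whether two targets can actually share one needs confirming. If they can, a user who sets `false` for a restricted-egress deployment could still get the run-time install. A comment above the `if`, such as `// installLatestAwsSdk of the first target that creates this policy wins`, or a validation error on conflicting values, would make this explicit. The enclosing method starts and ends outside the hunk.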
@@ -158,6 +158,46 @@ test('logEvent with defaults', () => { }); }); +test('can set install latest AWS SDK value to false', () => { + // GIVEN + const stack = new cdk.Stack(); + const logGroup = new logs.LogGroup(stack, 'MyLogGroup', { + logGroupName: '/aws/events/MyLogGroup', + }); + const rule1 = new events.Rule(stack, 'Rule', { + schedule: events.Schedule.rate(cdk.Duration.minutes(1)), + }); + + // WHEN + rule1.addTarget(new targets.CloudWatchLogGroup(logGroup, { + installLatestAwsSdk: false, + })); + + // THEN + Template.fromStack(stack).hasResourceProperties('Custom::CloudwatchLogResourcePolicy', { + InstallLatestAwsSdk: false, + }); +}); + +test('default install latest AWS SDK is true', () => { + // GIVEN + const stack = new cdk.Stack(); + const logGroup = new logs.LogGroup(stack, 'MyLogGroup', { + logGroupName: '/aws/events/MyLogGroup', + }); + const rule1 = new events.Rule(stack, 'Rule', { + schedule: events.Schedule.rate(cdk.Duration.minutes(1)), + }); + + // WHEN + rule1.addTarget(new targets.CloudWatchLogGroup(logGroup)); + + // THEN + Template.fromStack(stack).hasResourceProperties('Custom::CloudwatchLogResourcePolicy', { + InstallLatestAwsSdk: true, + }); +}); + test('can use logEvent', () => { // GIVEN const stack = new cdk.Stack();
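Review bot: The test 'default install latest AWS SDK is true' asserts `InstallLatestAwsSdk: true`, but nothing in this patch sets that value. `LogGroupResourcePolicy` forwards `undefined`, so the assertion pins whatever `AwsCustomResource` resolves as its own default. As far as I know, that default is governed by the `@aws-cdk/customresources:installLatestAwsSdkDefault` feature flag, so the expected value would differ for an app that sets the flag to false. The `@default - install latest AWS SDK` text in both props interfaces therefore holds only for the flag's default. I would add a case that builds the stack with that context key set to `false` and no prop, and reword the doc to `@default - the AwsCustomResource default`.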