Generating Safe Physical Resource Names (and the /aws/vendedlogs/ prefix)

[biffgaut]

Working with Step Functions recently, we ran into a big problem trying to preface the name of our Log Group with /aws/vendedlogs/. When Step Functions writes to a CloudWatch Log Group, that Log Group needs to be included in a Resource Policy, which can only be 5k characters long. When we launched an tore down our stack during development, we were constantly blowing out the size of the Resource Policy. After several unsuccessful attempts to address the problem, we have finally come up what we believe is a robust solution, so I'm writing it up here so anyone hitting this issue in the future can solve it faster.

The problem stemmed from trying to take control of the physical name of the Log Group, which is very tricky. In nearly every situation, it's best to allow CloudFormation to determine physical names. We were not able to find any CDK that generated physical names (functions like UniqueId() are intended to create Logical IDs). But to ensure the name starts with /aws/vendedlogs/, we had no choice but to create a physical name ourselves. The challenge is that a physical name needs to be constant over the lifetime of a stack instance, but different when a separate instance of the stack is created. We tried adding a random extension to the physical name, but that led to the name changing when the stack updated. We tried a constant name similar to UniqueID(), but that didn't change between stack instances - so when we launched, destroyed and launched a stack retained resources (like a Log Group) encountered a name collision.

Our solution was to include the CloudFormation Pseudo Variable AWS::StackId in the physical name of the resource. The stack ID is a full arn, so we extract the trailing characters (which appear to be a GUID) and append that to a name that otherwise remains constant. CloudFormation ensures that the Stack ID is constant within the lifetime of a stack, but is different for every instance of a stack. Here is our code that sets up the CloudFormation template to extract the Stack ID GUID:

  const uniqueStackIdPart = cdk.Fn.select(2, cdk.Fn.split('/', `${cdk.Aws.STACK_ID}`));

You can see this code in context of our function, GeneratePhysicalName(), here in our codebase.

I hope this writeup helps save someone else the trouble we went through.

[bestickley]

Thank you, @biffgaut! This was very helpful to me. I was looking for something a bit shorter so I'm using this:

    /**
     * Given stack id: "arn:aws:cloudformation:us-east-1:905418358903:stack/lh-stickb-idp/4bf74be0-e880-11ee-aea9-0affc6185b25",
     * returns "4bf74be0"
     */
    const uniqueStackIdPart = Fn.select(
      0,
      Fn.split("-", Fn.select(2, Fn.split("/", `${Aws.STACK_ID}`)))
    );

[biffgaut]

That should work - the STACK_ID is the key part to make it unique to the stack but consistent in the stack.